Beiersdorf’s cybersecurity team is always thinking about the best ways to secure their public-facing assets. As their digital footprint increases, they add new processes and systems to align with cybersecurity best practices and look for new ways to arm their internal teams with insights and data to help harden their attack surface.
After a year of running a private Vulnerability Disclosure Program (VDP), Beiersdorf is announcing the launch of its public VDP. HackerOne met with Kai Widua, Chief Information Security Officer (CISO) at Beiersdorf, to learn about the challenges they face in retail security.
Read on to hear Kai’s thoughts on how HackerOne helps Beiersdorf be proactive about cybersecurity and his advice on starting a VDP and taking it public.
Tell us who you are.
I’m Kai Widua, CISO at Beiersdorf. I’m responsible for information security at Beiersdorf globally. In this role, I deal with proactive and detective requirements to protect customer, affiliate, and employee data in cyberspace.
Tell us a bit about Beiersdorf and the cybersecurity challenges you face.
Beiersdorf started to leverage the potential of cloud computing services before many other organizations. We have a standardized, centralized, managed IT program with many partners and systems integrated into our digital life, which increases our digital footprint and creates a broad attack surface. The adaptation of implemented security policies and controls is a challenge, as we work to ensure information security is an enabler and not a “hinderer.”
How does your security team operate?
The digital experts in the DevOps teams are challenged to use an agile approach to increase development speed and shorten release cycles while also fulfilling security requirements and maintaining code hygiene. Beiersdorf’s cybersecurity department is responsible for the consultant and gatekeeper roles to help us close potential gaps in our attack surface by informing other departments about potential risks, new attack vectors, and techniques to minimize overall organizational risk.
What made you decide to launch a public VDP?
Our Web Development Team has a tough job, and they do it very well. As an additional layer of defense, we decided to use the global knowledge of ethical hackers via a VDP, so we could be informed even when it is actually too late (meaning a vulnerability is published) but still early enough to identify and remediate the vulnerability before a malicious actor might find it.
How does a VDP help proactively prevent issues?
By adding a VDP, we not only support our Web Development Team’s tremendous efforts, but we also take proactive steps to minimize our risk. The VDP allows global security experts to review our public assets and give us deeper knowledge of our attack surface, which we can use to better inform our team and create more robust defenses via internal processes.
How does digital transformation drive your cybersecurity strategy?
Digital transformation certainly speeds up deployments, but it also increases the number of systems and sources we use. Minimum viable products (MVPs) are a specific lever to speed up time-to-market but can threaten the needed protection level. A VDP is a perfect and obligatory complement to our digital transformation journey, giving us an additional layer of defense.
What happens after a hacker finds a bug?
We see a lot of commodity attacks against our systems. But sometimes, we see very creative ways hackers have tricked our system landscape. This is a valuable source of intelligence apart from OWASP or other frameworks. These unusual findings make the difference for our DevOps teams and can be adapted to all other systems we operate.
What advice would you give to other CISOs planning to start a VDP?
Start small. Get yourself and the teams familiar with how researchers approach the program and the triage process. This will support the ramp-up and ensure you’re going as fast as you can adequately manage. We had an excellent learning experience with our private program, which helped us be confident and prepared before going public.