Phil Venables, senior advisor and board director at Goldman Sachs, has seen more than his share of highs and lows in the security world. The former Goldman Sachs CISO has held senior-level information security roles at Deutsche Bank, Standard Chartered Bank, and Barclays Bank over the past 25-plus years -- which was why we were so thrilled when Phil shared his insights at our annual Security@ 2019 conference.
Here’s what Phil had to say with key takeaways and timestamps to help you follow along!
Key timestamps and highlights:
0:33 - The power of the hacking community. Go beyond boutique third-party testing vendors and scanners.
2:22 - The importance of interacting with the hacking community. How do we interact in a fast and timely way with people who want to notify us about something?
3:44 - Getting buy-in from the C-level. Finding and fixing vulnerabilities was intuitive, but the most difficult part is logistics.
5:36 - The crawl, walk, run approach. There's a slow and steady approach. Launch a private program and then switch to a public program. Do it methodically.
6:18 - Is the risk mitigation from working with hackers offset by new risks? The quicker you know about vulnerabilities, the faster the risk is reduced.
7:05 - The collective armory of defense. You don't want to assume that you will find all of the vulnerabilities. Therefore, you need this approach.
9:31 - Security as a game of speed. The most successful organizations find risk, fix risk, and make that cycle as fast as possible.
10:13 - How many more surfaces are exposed today versus five years ago? Every organization has become a digital business. Everybody has more complex and extended supply chains.
15:30 - Advice for management at organizations that haven't begun their journey yet. If you don't have an organization that fundamentally believes you're better off knowing these things, then you probably need to do that education first.
16:58 - What problems will you likely find with hackers as opposed to a penetration test? The community sees so many different flavors of implementation of open source packages and vendor packages that they get to see the seams between all of these things more than targeted pen tests.
19:56 - Security as a board-level and CEO issue. Cyber is not the only technology risk there is. It's not just about vulnerability reduction but about constantly improving your process of software delivery.
23:14 - What's the most underutilized security approach? People underestimate the value and need for continuous controls monitoring.
33:21 - How do you communicate risk to the board of directors? Answer these questions: What are my most critical assets and business processes? What are the risks to those? What controls mitigate those risks, and are those controls working effectively?
Getting Started with the Hacker Community
In the early days of information security, incoming vulnerability reports were met with confusion. Processes weren’t in place to handle these friendly notifications, and even the notification process itself was obscure. This set off a lightbulb for Phil: the only way to harness the power of these insights was by working with the hacker community.
“We should have a means by which people can notify us,” Phil recalled thinking. But just a notification mechanism wasn’t enough. An incoming vulnerability report would set off an entire machine of effort and response, which few organizations were ready to handle. That eventually evolved into his team starting to think about the logistics of handling incoming reports, and then determining how they would be managed internally, how the interaction with the hacker would be managed, how engineering would be involved, and more.
“When people see a flaw in what you’re doing, most people actually want to tell you,” Phil said. Pointing to the lack of simple communication basics, Phil added that most hackers “just want acknowledgement” that their message was received.
“When you don’t have a means to interact, that’s when you get tension.”
As Phil began building a process for handling incoming reports, he started expanding his use of hacker-powered security. Over the next 18 to 24 months, his team moved from simply easing notifications to private bug bounty programs and eventually to public programs.
Building a Security-Aware Organization
Security awareness is critical for any organization of any size. As the saying goes, security is everyone’s job. But instilling a sense of security takes work and it takes communication. When communicating up to the leadership team, their familiarity with technology can help you frame the conversation. It’s also important to help leadership understand how hacker-powered security works and why visibility and transparency are better than the alternatives.
Ignoring the gaps isn’t a solution, Phil says, and you might need to convince leadership that you can reduce risk simply by knowing that bugs exist. That’s a fundamental benefit of working with the hacker community. “If you don’t know about (the bugs), the risk hasn’t changed,” he added.
A Holistic Strategy Around Security Efforts
Phil also recommended explaining and justifying your security efforts around benefits rather than specific bugs or issues resolved. What is your team learning? How has engaging the hacker community helped? Where has it helped improve processes? How has your security and development team structures changed because of working with the community?
The Benefits of Hacker-Powered Security
Phil emphasized how hackers empower businesses to scale their security infrastructure. Hacker-powered security allows customized testing to fit the needs of any security team at any stage of the SDLC. So small startups can add hacker-powered security from day one, or large organizations can bring hackers in where it best fits. The goal is to avoid breaches that could derail deals, impact customers, and affect partners, which would all eventually impact revenues. That’s what can really help to get executives on board with the benefits of hacker-powered security.
Security as a Game of Speed
Once leadership understands the breadth of benefits from hacker-powered security, then you can start to include more areas of your organization into the conversations. From there, Phil says it’s all about speed and showing results.
“Everything is a game of speed,” he added, and your goal is to make the security cycle as fast as possible. “All software has some degree of bugs. The quicker we can find and fix them is an approach that is intuitive and obvious to everyone.”
The Collective Armory of Defense to Third- and Fourth-Party Systems
Hackers are an important part of every organization’s security apparatus, but they aren’t the only part. “This is but one very important piece of the collective armory of defense,” Phil said. In the future, he predicts that we’ll see the “opportunity for these types of community approaches to go even broader.”
When looking to the future, Phil sees hacker-powered security playing a central role in the interconnectedness of software and organizations. As more companies connect their systems with customer and supplier and partner systems, their security scopes increase accordingly. That extends the conversation beyond just your third-party systems and into what Phil terms fourth-party systems.
The Bottom Line: Hacker-Powered Security Works
Going even further, Phil talked about the common discovery of vulnerabilities exposed by an organization's implementation of third-party apps. While individual vulnerabilities may have been caused by the organization itself, there may also be underlying risks in the third-party apps themselves. Phil says he sees an opportunity for hackers to dig deeper into those bugs for a larger potential reward, since a fix would reduce the risk for everyone who uses the technology.
Phil also says he expects the value of hackers and their efforts to continue to grow, especially as more hackers gain a greater understanding of organizational complexities and processes. He mentions seeing a higher level of engineering professionalism, and more familiarity with the intricacies of enterprise logistics, processes, and internal workings.
Ultimately, however, Phil says that hacker-powered security is a helpful tool in reducing risk and improving security, but it’s mostly about transparency. If you don’t know a bug exists, you can’t fix it. If your organization isn’t on board with that, your work is cut out for you.
“If you don’t have an organization that fundamentally believes you’re best knowing (about security gaps), then you probably need to do that education first.”