Five Takeaways from Ohio Secretary of State's VDP Success Story
In an effort to reduce cybersecurity risk, the Ohio Secretary of State became the first Secretary of State to launch its Vulnerability Disclosure Program (VDP) in 2020. To date, the Ohio Secretary of State’s VDP has helped them uncover vulnerabilities and improve the efficacy and efficiency of their internal cybersecurity team.
Recently, Ohio Secretary of State Chief Information Security Officer Jillian Burner, and HackerOne Co-founder and Head of Professional Services, Michiel Prins presented at the 46th annual IACA Conference in Indianapolis to share the benefits of VDPs, lessons learned from Ohio Secretary of State’s program and to advise on easy ways that other agencies can follow Ohio’s lead to continuously improve security and protect constituent data.
Read on to learn the top five insights from Jillian and Michiel’s presentation.
1. A VDP is a must-have first step in cyber defense.
“Cybersecurity is on everyone’s radar, but not everyone knows all the specific details to ensure protection. We know bad actors are constantly looking for cracks in our defenses and applications. That's why it's so important for us to work with ethical hackers. They know what vulnerabilities the bad actors are looking for, and they know how to find them before the bad guys can,” says Jillian.
For Jillian, working with ethical hackers is of utmost importance and helps her team defend against the unknown. With the help of ethical hacker intelligence, she is able to ensure business continuity by safeguarding digital systems, networks, and constituent data, while maintaining the excellent reputation that the agency is known for.
2. A VDP provides continuous watch over digital assets.
In order to stay on the offensive, the Ohio Secretary of State knew that continuous security testing was one of the most important ways to help them keep up with changing security environments and stay ahead of threats. When they came to HackerOne, they were running external scans and receiving a weekly report, but after that, it was up to their small team to figure everything out. They knew they needed a more continuous approach, and they wanted to add human intelligence to their program. With 92% of ethical hackers saying they can find vulnerabilities that scanners cannot, Jillian’s team knew there could be blind spots. They weren’t willing to risk it.
“Implementing the VDP helped us triage and supplemented the internal team we were building. We also knew that the federal government was mandating VDP policies for their agencies, and we wanted to be on the forefront of embracing that security policy for our own constituents,” says Jillian.
The results to date confirm the success of the program. In the three years since the Ohio Secretary of State launched their VDP, ethical hackers have helped identify dozens of valid vulnerabilities, several of which were classified as critical or high.
3. Relationships with ethical hackers bolster your security.
The main goal for Jillian’s team was to get visibility into any potential vulnerability in order to stay ahead of what the bad actors might be doing.
“We know the bad actors constantly scan us, so we also know we need the good guys constantly looking at our environment. The key for us is that it’s from an outside stance, not internal, where resources can get pulled in too many directions.”
Having a formal policy to give ethical hackers a way to contact the right people at the Ohio Secretary of State should they find a vulnerability was the first step. From there, creating a Safe Harbor statement and sharing rules of engagement helped them kick off a seamless integration with the global hacker community. Another benefit of the relationship was that by taking a public, proactive, continuous approach, they were able to build deeper trust with their constituents.
4. Objections might arise - but they can be overcome.
Ohio Secretary of State’s cybersecurity approach establishes a culture of trust and collaboration. Security teams from the public and private sectors have long understood the value ethical hackers can provide, but non-security team members may voice concerns about inviting ethical hackers to test their security. You can overcome these concerns through education, awareness building, and the creation of a detailed strategic plan.
As Jillian says, “We don’t know what we don’t know. Scanners & automation can never provide what human intelligence can. We’re asking researchers to find vulnerabilities that already exist before the bad actors find them. ”
Some of Jillian’s recommendations for gaining internal buy-in and launching a successful program include starting small and growing the program after you understand your organization’s security journey. As your security maturity increases, she recommends moving from a VDP to a bug bounty program in order to bring more attention and increase engagement from ethical hackers. For Jillian, finding a trusted partner like HackerOne allowed her to gain advice from an industry expert and be confident in the success of her program.
There may be some hurdles to overcome, including the procurement process and thresholds, so it’s helpful to understand what those processes are and inform your VDP partner so they can help navigate through the sales process.
It’s also crucial to help non-security team members understand the benefits of engaging ethical hackers by connecting them with other agency leaders like Jillian, whose team is already actively engaging with ethical hackers.
5. Safeguard your digital assets around the clock with ethical hackers
“There’s comfort gained knowing that we have help to find things that are difficult to find and knowing that ethical hackers are supplementing our scanning 24/7. It helps us sleep at night,” says Jillian.
Ohio Secretary of State has seen many benefits to their cybersecurity strategy since implementing their VDP, including seeing improvements to their internal change management processes. They’ve seen good engagements with the hacker community as well.
“The quality exceeded expectations,” says Jillian. “Some of their reports and reproduction steps have helped us do things that would be really difficult otherwise. We have one anchor researcher, in particular, with a lot of knowledge and skills that we don’t have in our office.”
VDPs remain a best practice, with the federal government adopting and mandating them, but Jillian sees them as a no-brainer.
“VDPs add another control to help organizations stay ahead of threats, ensure business continuity and provide reputational defense,“ says Jillian, “The last thing you want to do during an election cycle or filing deadline is to see a vulnerability exploit!”
As the Ohio Secretary of State plans for the future, they look to expand their VDP into a bug bounty program to gain more engagement and attention to their environments. They also plan to continue to improve their internal change management alongside their vulnerability management programs. Ultimately, they look to provide more formalized reporting, with a goal to educate their internal teams and continue to preemptively identify and address vulnerabilities to keep constituent data protected.
Click here to learn more about the Ohio Secretary of State’s VDP
Learn more about Vulnerability Disclosure Process here
See how other state and federal agencies work with ethical hackers here