
How Ethical Hackers Are Helping Security Leaders Navigate the Budget Crunch


CISOs and other security leaders face a host of challenges. From long-term issues like the skills gap and technical debt to more recent developments such as the “resources crunch” created by a difficult economic climate, being responsible for keeping organizations safe is far from an easy job. It’s no surprise that 74% of CISOs have experienced burnout in the past 12 months.

Over the course of a few weeks, we had conversations with 50+ CISOs and security leaders from a wide range of industries, organization sizes, and geographic locations to find out how they balance the resources they have to protect against security threats. During these conversations, we’ve uncovered some essential strategies to help your security team thrive in a challenging economic climate.

A common thread in our discussions with security leaders is their use of ethical hackers to help address strains and challenges in their security programs. From reducing costs to validating security controls, we’ve identified the common ways security leaders work with the global hacker community to achieve their objectives.

Hackers Supplement Internal Teams’ Skills

It’s simply not possible to retain full-time employees with all of the necessary skills to keep your organization safe—and the diverse ethical hacking community is on hand to provide those skills you’re missing.

However, it’s not just about additional testing skills. The security leaders we’ve spoken to recommend going beyond individually reported vulnerabilities and engaging with hackers to learn how they identified and exploited a vulnerability, and therefore how the organization can prevent that vulnerability from recurring.

Over time, these conversations with hackers will help you understand your attack surface more thoroughly, and enable you to identify ways to harden your attack surface against a broad array of threats—whether through human expertise, tools, or process changes.

Address Unidentified Risks and Validate Security

The products, solutions, and infrastructure that make up modern IT environments are complex and interconnected. No matter how good your IT operations, security practices, and CI/CD pipeline are, you can’t anticipate all risks—and the combination of different IT assets inevitably creates a risk profile that is difficult to understand and protect.

To address this, security leaders need a way to uncover unanticipated risks within their IT environments—but this is far from easy, and generally can’t be done exclusively in-house. It’s simply too easy for security teams to overlook risks and threats due to gaps in knowledge, skills, or experience.

Again, the ethical hacking community can help. Having a large, diverse group of security experts continuously evaluating your attack surface dramatically increases the chances of finding unexpected weaknesses, allowing your team to address them before they can be exploited by cybercriminals.

At the same time, hackers provide independent validation of your security maturity. You may have products or controls in place to address a risk, but are they adequately mitigating that risk in the real world? Ethical hackers help validate this through continuous and varied testing, allowing you to proactively tighten or replace controls that aren’t performing adequately.

“We’re stronger together, and no one security team can know enough to be fully effective.”

— Helen Patton, CISO, Cisco Security Business Group

Do More With Less

Engaging with the ethical hacker community is an easy way to improve security testing coverage while controlling costs and saving time. The breadth of testing skills available is far greater than any security team can retain in-house, or even what can be obtained by engaging with penetration testing providers.

“One thing people don’t consider, including companies that want to sell us pentesting, is the advantage of running everything through one platform. Having one platform for a very wide range of offensive security testing avoids the need to onboard lots of different vendors, platforms, and so on. This creates a significant time and cost saving.”

— George Gerchow, CISO and SVP IT, Sumo Logic

Create Trust With a Vulnerability Disclosure Program (VDP)

Some of the security leaders we’ve spoken to mentioned their initial hesitance to work with hackers for fear of opening up their organization to external eyes. However, after working with the global hacking community, they noted that — far from being dangerous — hacker-driven vulnerability disclosure and bug bounty programs contribute substantially to organizations’ security profiles, and create a higher level of trust with customers and partners.

By inviting expert hackers to scrutinize your asset landscape, you can tighten your security controls and address gaps without having to wait for vulnerabilities to be highlighted by a real-world cyberattack.

Tips on Navigating Budgets — From Security Leaders for Security Leaders

In our conversations with over 50 CISOs and other security leaders, several major themes emerged for working through current budget restrictions: talent management, balancing budgets against risk, and engaging ethical hackers, as discussed in this blog.

To learn more about the strategies top security leaders are taking amid economic uncertainty, download our eBook “Navigating the Security Budget Crunch: How Security Leaders Balance Risk and Resilience.”