CISOs and hackers: An unlikely romance

The stereotypes often plaguing the word ‘hacker’ led to an image of public enemy number one. But hackers are a force for good, with many CISOs working alongside them for greater security resilience. Chris Evans, Chief Hacking Officer and CISO, HackerOne, tells us how CISOs and hackers can work together to improve security strategies.

Chris Evans, Chief Hacking Officer and CISO, HackerOne

The word ‘hacker’ originally referred to a skilled or creative computer technologist. Over time, mainstream discourse distorted the meaning to carry negative connotations. But the word is in the process of being reclaimed as a positive term. Perception is catching up with reality, acknowledging that hackers are a force for good. Many are working alongside CISOs to improve cybersecurity and continuously keep malicious actors at bay.

Hackers are valuable resources for organisations, supporting an essential part of a cybersecurity strategy in a growing industry constantly looking for diverse talent.

Working as a hacker doesn’t always require a traditional educational background or security certifications, but it does require a well-developed sense of curiosity and a lot of tenacity. It can be an attractive career choice for talented individuals who don’t have the usual set of security qualifications.

How to build – and retain – an effective security team

Over the years, I’ve learned that a successful team thrives on diversity, talent, and experience, but not necessarily qualifications. Therefore, it’s important to set out a recruitment strategy that doesn’t filter out candidates based on the wrong criteria. Otherwise, it risks excluding those with practical skills who are enthusiastic to learn, those who simply cannot afford the expense of certifications, and those who, like me, changed career paths. Instead, devise practical challenges and tests to see if individuals have potential. Then, you can work out who is the best fit, whether the candidate has a first-class degree or is a smart amateur.

Also, embrace variety across all manner of personal characteristics to reflect the real world of hacking. Include differences in gender, education, ethnicity, religion, social background and ways of thinking. Encouraging diversity within teams is important to foster creative problem-solving, which delivers the most effective results. Take advantage of expertise across the global workplace, as hacking is well-suited to being remote. It again adds new perspectives and different approaches to finding solutions.

Once the team is in place, the next challenge is retaining them and ensuring they stay mentally fit and healthy. Burnout is an ongoing concern. Cybersecurity is a high-pressure environment, which is part of its attraction but also its downside. There’s always an urgent deadline to meet, and making a mistake could be damaging for an employer and highly stressful for the employee who made it.

Look out for early signs of fatigue and be proactive if there’s any hint of a problem. This isn’t easy with a remote workforce, so make sure there are plenty of opportunities for staff to reach out to team managers or HR if they need help. Let everyone know that you advocate a healthy work/life balance, allowing flexibility for well-being and family time. Many organisations employ a blame culture around security, and this is a highly stressful environment for security teams.

CISOs, in particular, shoulder huge responsibility when it comes to incidents. There is more scrutiny from the board when it comes to reviewing the proactive security measures in place to prevent embarrassing security incidents. CISOs are beginning to be considered negligent if they don’t embrace the wider hacking community and accept third-party reports of damaging incidents. Collaborating with a wider network of experienced security researchers looking out for the organisation also helps relieve pressure on security teams.

The external factor

As we know, cybercriminals will keep refining their attack methods, taking advantage of the latest tools and AI to facilitate new ways of bypassing security defences. However, attackers still rely on human creativity to devise and perfect their attacks. Even with a highly effective, established internal security team, it still pays to bring in outside human expertise with a hacker mindset to augment defences. Ethical hacking platforms, along with bug bounty programs, can provide another layer of independent, rigorous testing. This is proven to uncover serious vulnerabilities missed by tools and other teams – 96% of our customers tell us their organisations are better positioned to resist cyberattacks by accepting vulnerability reports from third parties. In addition, 70% say hacker efforts have helped them avoid a significant security incident.

Taking a collaborative approach to security that spans internal and external teams will strengthen and broaden cyber defences to help ensure organisations stay one step ahead of cybercriminals. So, while it might seem an unlikely marriage, there’s plenty of evidence to suggest the relationship between hackers and CISOs is more than a passing romance.

Intelligent CISO