Keen to pick the brains of Synack’s Jay Kaplan, G3 interviewed the cyber security expert about his company’s drive towards pro-active cybersecurity and the need to fully understand a key ingredient in Synack’s armoury – crowdsourced security.
Are we paranoid enough about cyber security?
No. Cyber security is the 21st century’s biggest business risk – we need to treat it as such. However, I always encourage businesses to avoid buying into the doomsday attitude that sometimes surrounds cyber breaches in the media. Instead, adopt a pragmatic approach to managing and minimising cyber risk. The security industry is evolving and reinventing security defences – organisations can get a handle on cyber security, but it will require a continuous, concerted effort.
Is a data/security breach inevitable?
Yes. We cannot 100 per cent eliminate the risk of a breach. Today’s adversary is sophisticated, with an abundance of data and tools at its disposal. However, we can reduce the likelihood of a breach by a) increasing attacker resistance of digital assets, b) taking steps to decrease the impact by limiting the scope of high value targets online, and c) being prepared to respond, forensically and through a strategic communications plan, if and when one does occur.
What is crowdsourced security?
Crowdsourced security is a modern approach to more effective, efficient security. Modern security teams’ biggest challenge is scale – security talent is in short supply, with estimates totalling 3.5 million unfilled cyber positions by 2021. Rather than spending cycles seeking out talent that simply does not exist, enterprises are making crowdsourcing the solution. Gartner estimates that more than 50 per cent of enterprises will use crowdsourcing and related automation technologies by 2022.
Crowdsourced security harnesses a diverse pool of talent to look for vulnerabilities in a system. Most crowdsourced security programs incentivise this crowd of security researchers (aka ethical hackers) to hunt for vulnerabilities by paying them for what they find (a “bounty”). This motivates them to provide a more rigorous test than you would get from a consultant that you pay time and materials.
Synack’s crowdsourced penetration testing platform scales a crowd with proprietary automation technology and data science to help customers find and fix vulnerabilities, get more secure through new insights, and achieve compliance (e.g., PCI, NIST) for auditors.
Value centre versus cost burden – how do you quantify security cost when the best outcome is that nothing happens?
Up to $5.2 trillion in global value is at risk of cybercrime within the next five years – but global spending on information security and risk management is only expected to reach $188.4 billion by 2023. We have a mismatch between the global security risk and global security investment.
The best security leaders enable the business and build a brand. Every business’s brand makes a promise to its customers. To uphold that promise, customers have to be able to trust that a brand will deliver, whether that means making online gaming available without disruption or providing a consistently positive casino experience. To do this, security must be built into a business by design to ensure service availability, customer data protection, and transactional integrity.
Good security doesn’t mean that nothing happens – it means that the business happens, without interruption.
Certain industries are better protected than others. Which are the best and worst offenders and why?
Synack releases an annual Trust Report, using our proprietary database of thousands of crowdsourced penetration tests, that analyses and scores how resistant industries are to attack. Financial Services and Manufacturing & Critical Infrastructure lead the pack as two of the most trusted industries. Both of these industries have been a big target of cyber criminals due to the value of their financial assets and IP. As a result, they have had to take a proactive approach to finding security vulnerabilities, remediating them, and integrating security into their development cycles.
On the other hand, industries like e-Commerce that are undergoing massive digital transformation are lagging. Anytime there is digitisation and new digital assets come online, there is greater risk of vulnerabilities and breaches. The Entertainment and Gaming industry is in the same boat, with an average Attacker Resistance Score falling slightly under the overall average of 57, on a 0-100 scale (where 0 is least resistant and 100 is most resistant).
Why should businesses trust Synack? It’s full of hackers…
Your business is already being hacked. Why wouldn’t you partner with a network of hackers that want to help you get more secure, rather than let the bad guys steal from you?
The concept of ethical hacking is not actually new. Synack differentiates ourselves by prioritising trust and building features into our crowdsourced penetration testing platform. Our platform provides full transparency, auditability, and control to our customers. We also vet every ethical hacker that comes onto our platform for both integrity and skill – we have a very elite Synack Red Team with a competitive 12 per cent acceptance rate.
Why choose continuous penetration testing as opposed to point-in-time? Continuous sounds more expensive…
The dynamism of modern digital environments means that we simply cannot limit testing to a point-in-time basis anymore. Development organisations are building and releasing code multiple times a day! If we only test annually or quarterly, think about how many changes and potential vulnerabilities could emerge between tests. Our data show that organisations that practise continuous crowdsourced penetration testing are over 40 per cent more resistant to cyber attacks than organisations that rely on point-in-time security tests.
How do you make security core to the brand?
It starts with mutual understanding. Business leaders need to understand both the risk and opportunity of security, and security leaders need to understand how they can enable the business. Executives have to make security a priority and build a continuous security lifestyle into the culture of an organisation.
What presents the biggest vulnerability, people or technology?
People. Ultimately, people build technology, and humans are prone to errors every once in a while (even if we don’t like to admit it). That’s why third-party testing, using a crowdsourced approach, is so critical – if we grade our own tests, we will always give ourselves an A. To get more secure, we need a diversity of skill sets looking for vulnerabilities from different perspectives. Oftentimes, the most damaging vulnerability is a simple error or logic flaw that goes unnoticed. A creative adversary will find that. That’s why we need equally creative defences. And that’s also why humans could never be replaced by a tech-only security solution. The best defensive solution leverages both human and machine to get both creativity from the human mind and scale from a machine.
What’s the percentage of breaches that aren’t made public, where payment is made? And is this a viable strategy?
Increasing regulation around security breaches compels organisations to disclose a breach. Because security is core to trust, disclosing a breach is an important step towards upholding trust with customers and stakeholders. With that said, many cyber security breaches, especially at smaller companies and in industries that are less regulated, continue to go unreported due to fear of business impact.
Finally, do companies only take security seriously once they’ve been breached?
It shouldn’t take a breach for a company to take security seriously – security is invaluable. Our data show that organisations that have utilised crowdsourced penetration testing for two or more years are up to 2x stronger against cyber attacks than those that do not perform crowdsourced testing or have done so for less than a year. Yes, there are a multitude of costs that result from a breach, including legal fees, incident response, public relations, etc. However, the value of security isn’t just the absence of cost – it’s also the additional brand value that results from customer trust in the business’s ability to operate reliably and with integrity. This is the value of proactive security.