Threat Management, Threat Intelligence

Turn cybersecurity into a differentiator

Today’s columnist, Casey Ellis of Bugcrowd, says by going public on SolarWinds, FireEye Mandiant stayed ahead of the conversation. https://www.flickr.com/photos/22201094@N08; https://creativecommons.org/licenses/by/2.0/legalcode

There are numerous enterprise cybersecurity lessons from the last year, but none are more important than the need for a proactive, fully transparent approach to navigating today’s threat landscape.

A great example of an effective cybersecurity strategy are the measures taken leading up to the 2020 U.S. election when federal, state, and local government officials worked with voting machine manufacturers and states to ensure important infrastructure remained secure. Voting machine companies and several states launched initiatives such as vulnerability disclosure programs (VDPs) that offer a secure channel for researchers to report security issues and vulnerabilities to continuously monitor and provide the public with tangible evidence of a strengthened security posture.

Enterprises must recognize that transparency and consumer confidence are fundamental features of the future of the internet and build their cybersecurity programs with this in mind.

Turning avoidance into acceptance

Breaches are going to happen, and vulnerabilities are going to exist that enable a breach. It’s the job of security teams to minimize and delay the impact as much as possible in service of the user and their employer. Companies have to accept that people make mistakes, that the cybercriminals who want to break into their networks are skilled and diverse, and at some point, a breach will likely happen. Accepting this reality allows teams to focus on recovery and how to minimize the consequences for customers.

Without acceptance of the more uncomfortable aspects of the nature of cybersecurity, a culture of avoidance – or worse, whitewashing – can thrive and block any progress towards viewing cybersecurity into a differentiator, and using that drive to pragmatically reduce risk.

Transition to a proactive approach

Security teams often have difficulty positioning its value as a positive versus an “avoided negative.” During the 2020 election, we saw the importance of establishing trust and that and how organizations can lose that trust following a cybersecurity incident if vendors don’t talk about what went wrong and how they will fix it in a way that customers and the public can understand. 

Organizations can no longer operate via “ostrich risk management” — when companies bury their head in the sand and operate on the assumption that if they ignore the things that can go wrong, they will just go away. This often means recognizing that internal security teams need a partner to remain successful and looking to external security researchers to aid in identifying unknown security vulnerabilities and the risks they create.

Being open when vulnerable areas are identified and learning to anticipate security teams can fail will better protect companies and their customers. Vulnerabilities are inherent to digital transformation, and community-led projects such as disclose.io show organizations how they can be transparent about these issues while also showing the public how they are engaging in cybersecurity best practices.

Get comfortable with information sharing

We have to think of cybersecurity as a team sport, especially when it comes to information sharing following a breach. If customers and the public see companies sharing information between themselves and the government, they view that collaboration as a leading indicator of maturity and trustworthiness, and that’s crucial to thriving as a business.

The Biden administration has expanded on the work started by the Cybersecurity and Infrastructure Security Agency (CISA) and Department of Homeland Security (DHS) by exploring new methods for strengthening the reporting relationship between the public and private sector to support earlier threat detection and remediation. Two of the recent major attacks, SolarWinds and Microsoft Exchange, were first discovered by FireEye Mandiant and Microsoft, both of which are private companies. Companies should begin establishing protocols with this in mind to stay ahead of the conversation.

Transform cybersecurity into a market differentiator

Right now, CSOs and CISOs are trying to find a more compelling story to tell the CFO when they’re asking for budget than, “Oh, what if this bad thing happens?” Top management needs to understand that the major breaches we have seen over the last few months have caught the attention of the media, the government, and the broader population. This ushers in a new era of expectations for accountability, and it’s important to align with the executive team.

By shifting the way they look at cybersecurity and adopting the line of thinking outlined in the recommendations above, organizations can find better ways to tie their efforts back to customer retention and growth.

Casey Ellis, founder, CTO and Chairman, Bugcrowd

Casey Ellis

Casey is the Founder and Chief Strategy Officer of Bugcrowd, as well as the co-founder of The disclose.io Project. He is a 20+ year veteran of information security who entered the space from a youth spent inventing things and generally getting technology to misbehave. Prior to Bugcrowd, Casey entered information security as a penetration tester and security researcher, before wearing a variety of hats ranging from solutions architecture and sales to CSO, and finally landing as a career cybersecurity entrepreneur.

Casey pioneered Crowdsourced Security as-a-Service, launching Bugcrowd and its first bug bounty programs in 2012, and co-founded the disclose.io vulnerability disclosure standardization and adoption project in 2014.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds