By: Rena Chua, Bug Bounty Advisor at HackerOne
Remember those days, pre-pandemic, when you thought your security scope was complex? But now, with employees working from home, new video and collaboration apps being rolled into daily workflows, and less physical oversight of devices and access, it seems like we’re all longing for the seemingly airtight security of 2019, right?
For many organisations, it may seem that the COVID-19 crisis has put security risk into overdrive, but much of that risk has actually been on the rise as businesses have gradually shifted towards digital services and cloud-based systems. The pandemic has only sped up that technology transformation. Here’s a simpler way to look at it – before the pandemic, businesses were undergoing digital transformation at their own pace; now, the pandemic has forced businesses to speed up their digital transformations in order to create new online revenue channels. This was noted by a recent COVID-19 Market Impact Study published by industry research firm IDC, which found that 56% of organisations are currently “scaling up their online presence” in search of new revenue as a result of COVID-19.
Naturally, with digital transformation comes an ever-expanding technology landscape, which in turn adds additional threat vectors for possible exploitation. Externally, customers and partners want easier, faster, more modern ways to work with your company, which exposes an organisation’s brand and business to even more potential risks. Internally, employees are increasingly relying on using their own devices and applications, also opening up an organisation to additional risk. As a result, security teams are asked to protect a growing attack surface but with often fewer resources, and they must do it faster and more effectively. However, using the same old methods, processes, and tools is clearly not going to maintain pace with this ever-expanding need. But remember, this is just within the context of digital transformation before COVID-19.
Attack Surface Up, Resources Down
Imagine that level of risk exposure getting much worse as organisations are asked to speed up their digital transformation projects because of COVID-19. Projects that used to take 6-12 months or longer to complete are now being fast-tracked in a matter of weeks. If security cannot scale with this pace of development, then additional risk is introduced. No organisation can afford the impact of a serious security incident happening during an already turbulent time.
Unfortunately, the pandemic has forced organisations to deal with shrinking budgets, streamlined teams, and dwindling resources. In May, research firm Gartner found that nearly two-thirds of companies are making “significant cuts” this year due to COVID-19. And while experts suggest ways to deal with those cuts, doing more with less will be the new normal for the foreseeable future.
Security teams are now faced with two options: maintain the status quo while struggling to keep up with threats or fundamentally shift how they think about security. Vendor consolidation is one way in which security teams have been coping. But simply slashing apps and services based on cost isn’t always the best solution. A better approach is to look at the problem more pragmatically by starting with an evaluation of the existing security stack first and then taking steps towards balancing security needs with the benefits of each app.
Here are some best practices that I recommend if your security team is considering cost cutting and vendor consolidation:
Optimise Your Security Stack
First, you may be paying for some tools that return little value or are rarely used — both in security and across your entire organisation. Consolidation across your business reduces the threat surface and saves money. In fact, McKinsey says up to “30% of IT spend can be saved” by, among other things, “decommissioning applications with little usage”.
That same concept can be applied to your security toolbox as well. Using a suite of fragmented security vendors actually limits an organisation’s ability to scale security, and you end up paying full price for many different tools whose functions could be covered more efficiently by fewer solutions. It’s been reported that mid-sized businesses use up to 60 security tools, while larger enterprises can have well over 100 security tools deployed. While overlap is more than likely, gaps are still inevitable with the ever-evolving attack surface.
Each point solution adds cost, but also consumes security resources to manage. Moreover, overspending on a patchwork of different solutions reduces available budget for more critical security priorities. The end goal of consolidation is to increase effectiveness while reducing both spend and the number of solutions. The only way to reach this goal is by working with favoured vendors to expand their services and solutions within your security apparatus. Better yet, replace multiple existing solutions with a single, more modern, more impactful solution.
Achieve Greater Value with Fewer Vendors
Consolidation can save money, reduce complexity, and open up new areas of benefit and efficiency. It’s a trend many security teams are taking advantage of as they experience the double-whammy of budget pressure and an increasing threat surface as a result of digital transformation and the pandemic’s impact on IT and Security projects.
However, reducing the number of point solutions isn’t a solution in and of itself. Those systems were considered necessary by your team at some point, so while eliminating them takes away a resource and budget burden, it does open up the possibility of some things slipping through the cracks.
Every tool and its benefits should align with a significant risk in the security framework. Furthermore, each tool should reduce overall risk, show a quantifiable reduction of risk, and be capable of sustaining that risk reduction. If you already have a trusted security vendor, start working with them to evaluate how their other solutions and services can help you improve your security and reduce risk. You may find that you can eliminate several other tools and vendors while also getting more insights that help you save time and money. Greater efficiencies can be realised when organisations shift towards platform-centric solutions, with access to multiple tools as opposed to a single tool.
A Perfect Example: Application Security Testing
One area that is ripe for vendor consolidation is application security testing. Most organisations end up spending too much on security testing by utilising a confusing array of security vendors. In the world of security testing, it is best to work with one vendor to address an organisation’s security testing and compliance needs and to simplify vulnerability management. This will help reduce total security spend and help you do more with fewer vendors.
Hacker-powered security testing allows organisations to address all of their security testing and compliance needs with one vendor. Hacker-powered security programs and services such as bug bounty programs, hacker-powered pentests, and vulnerability disclosure utilise the global hacker (or security researcher) community to find unknown security vulnerabilities and reduce cyber risk. In all of the above programs and services, talented hackers work to identify vulnerabilities before they can be exploited by criminals. It’s a fast, structured, and proven model for crowdsourcing the right expertise, applying it when and where you need it, and paying only for results.
Many organisations that are looking for continuous security testing will choose to run a bug bounty program. Bug bounty programs are inherently designed to maximise attack surface coverage while minimising costs, since they are based on a pay-per-results model. With HackerOne’s community of over 800,000 security researchers, an organisation’s bug bounty program will never be resource constrained. Because bug bounty spend depends on the results that are uncovered, the program addresses a vast landscape at a reasonable cost. Plus, the results are better as hackers add diversity of approach, specialised skills, and wider experience — all resulting in faster discovery of security gaps.
The key benefit of hacker-powered security is that it also allows security teams to consolidate application security testing down to one vendor, reducing time spent on vendor management, and to integrate with existing systems and processes to minimise operational overhead. For example, while a bug bounty program can cover unlimited resources, there may be a time when your organisation needs to spin up a penetration test on demand. A vendor like HackerOne can also provide penetration testing services, eliminating the need to work with two different vendors – one for continuous testing and another for penetration testing. If an organisation is worried about security gaps, it can also extend security coverage by pairing its bug bounty program with a Vulnerability Disclosure Program (VDP). VDPs give organisations a cost-effective way to harden the entire attack surface, reducing risk without additional resources. The other side of the equation is that hacker-powered security also provides insights into an organisation’s overall security posture that can help security teams allocate spending depending on where vulnerabilities are uncovered.
By placing greater emphasis on vendors that can address multiple security concerns, organisations can reduce costs while improving their security posture. Hacker-powered security is just one way in which organisations are improving their security posture while cutting down on cost and vendor noise. HackerOne’s hacker-powered portfolio provides Global 2000 organisations a complete method for discovering, managing and remediating vulnerabilities.