The cyberthreat landscape has been in a state of constant flux because of the converging trends of cloud migration, mobility, hybrid work, IoT, and M&A activity. With so many variables in play, malicious hackers have become more aggressive in their drive to identify and attack vulnerable targets.
The average cost of a data breach now runs at $4.35 million, according to a recent report by IBM and Ponemon Institute. In this high-stakes environment, security teams should adopt a more active security approach to keep pace with attackers. Yet many organizations still take a passive approach by depending on reactive tools such as checklists, automated scanning, and periodic penetration tests. These tools remain important to a solid security posture, but on their own they are no longer enough to fully protect large organizations.
The path to a more proactive security posture requires the pursuit of six essential goals. Combining these ideas can create a powerful multi-layered defense to better secure an organization’s infrastructure, devices, and data:
- Adopt a proactive mindset.
Take a proactive mindset to recognize the dangers of unknown threats that lurk beyond the surfaces of known threats. Forty percent of an organization’s attack surface remains unknown today, according to findings by the Enterprise Strategy Group. And attackers release some 300,000 new malware samples each day, according to TechJury. These threats include viruses, adware, Trojans, and keyloggers, much of it built to steal credentials and data.
By being proactive, it becomes much easier to prioritize and predict risk because the team has a better understanding of its attack surface and flaws. Proactive security tactics include managed bug bounty programs; gamified/incentivized penetration testing as a service; threat modeling; attack surface management and risk analysis; and red, blue, and purple team exercises.
- Foster connections between builders and breakers.
For decades, large companies have sought to bolster security by staging competitions between blue team practitioners who construct defenses (builders), and red teams that aim to crack those defenses using the tactics of real-world adversaries (breakers).
In recent years, some security organizations have bridged the blue-red divide by adding a purple team to the mix. With skills in both defensive and offensive cybersecurity techniques, purple teams help all the teams work more collaboratively to develop better security responses.
Think of purple teaming as a continuous, two-way learning process that bridges the blue and red teams, not necessarily as a separate group of people. For example, the purple team may help the blue team design a more sophisticated network defense strategy based on specific knowledge about endpoints and firewalls, or show the blue team how a red team would attack the existing environment so that detections and responses can be tuned against real tactics.
- Engage with the right crowd, not just any crowd.
The ultimate example of making connections between builders and breakers is to create relationships with the global community of security researchers and ethical hackers. This kind of proactive crowdsourced security offers access to diverse thinkers who can help anticipate attack vectors that are overlooked by more reactive approaches. However, this crowdsourced approach to security can only scale up efficiently if the right trusted researchers are matched to the security team’s goals, environment, use cases, and timing needs.
- Shift left in the software development lifecycle.
Shift left has become an essential part of the DevSecOps methodology, which closely aligns developers with security teams for sustained cybersecurity. A proactive approach to cybersecurity is a critical enabler for shift-left remediation, shorthand for bringing application security testing into the development lifecycle as early as possible and fixing what it finds before the code ships.
Ideally, that testing runs either continuously or at strategic points in the cycle, so that products and APIs are thoroughly tested and discovered vulnerabilities are remediated before release. Adding continuous testing post-deployment, both passive (vulnerability disclosure programs) and proactive (bug bounty programs), is another best practice that rounds out a proactive approach to cybersecurity.
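One concrete form of the pre-ship gate described above is a merge check that reads scanner output and blocks the change when unresolved findings at or above a severity floor remain, while honoring time-boxed, ticketed risk acceptances. The block below is an added illustration, not code from the article or from Bugcrowd; it assumes the scanner emits SARIF 2.1.0 (a real OASIS format), and the severity ranking, the exception-list shape and the sample findings are constructed for this example.

```python
# CI merge gate that enforces "fix before ship" on scanner findings.
# Added illustration, not code from the article or from Bugcrowd.
# Assumptions: the scanner emits SARIF 2.1.0 (a real OASIS format); the
# severity ordering, the exception-list shape and the sample findings below
# are constructed for this example.
from datetime import date

# Ranking of SARIF result levels, lowest to highest (ordering chosen here).
LEVEL_RANK = {"none": 0, "note": 1, "warning": 2, "error": 3}

# Constructed SARIF document with three findings from a hypothetical tool.
SAMPLE_SARIF = {
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-sast"}},
        "results": [
            {"ruleId": "sql-injection", "level": "error",
             "message": {"text": "Untrusted input reaches a SQL query"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/db.py"},
                 "region": {"startLine": 42}}}]},
            {"ruleId": "weak-hash", "level": "warning",
             "message": {"text": "MD5 used for password hashing"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/legacy.py"},
                 "region": {"startLine": 17}}}]},
            {"ruleId": "debug-logging", "level": "note",
             "message": {"text": "Debug logging enabled"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/config.py"},
                 "region": {"startLine": 3}}}]},
        ],
    }],
}

# Constructed accepted-risk register: each entry needs a ticket and an expiry,
# so an exception is a tracked decision rather than a permanent mute.
EXCEPTIONS = [
    {"ruleId": "weak-hash", "uri": "app/legacy.py",
     "ticket": "SEC-123", "expires": "2099-01-01"},
]


def load_findings(sarif):
    """Flatten SARIF runs/results into simple finding dicts."""
    findings = []
    for run in sarif.get("runs", []):
        for result in run.get("results", []):
            loc = (result.get("locations") or [{}])[0].get("physicalLocation", {})
            findings.append({
                "rule": result.get("ruleId", "unknown"),
                "level": result.get("level", "warning"),  # SARIF default level
                "uri": loc.get("artifactLocation", {}).get("uri", ""),
                "line": loc.get("region", {}).get("startLine"),
                "text": result.get("message", {}).get("text", ""),
            })
    return findings


def is_excepted(finding, exceptions, today):
    """True if an unexpired, ticketed exception matches rule and file."""
    for exc in exceptions:
        if exc["ruleId"] != finding["rule"] or exc["uri"] != finding["uri"]:
            continue
        if not exc.get("ticket"):
            continue  # untracked exceptions never count
        if date.fromisoformat(exc["expires"]) < today:
            continue  # expired exceptions fall back to blocking
        return True
    return False


def evaluate(sarif, exceptions, min_level="warning", today=None):
    """Return which findings block the merge and whether the gate passes."""
    today = today or date.today()
    threshold = LEVEL_RANK[min_level]
    blocking, excepted = [], []
    for f in load_findings(sarif):
        if LEVEL_RANK.get(f["level"], 0) < threshold:
            continue  # below the gate's severity floor
        (excepted if is_excepted(f, exceptions, today) else blocking).append(f)
    return {"passed": not blocking, "blocking": blocking, "excepted": excepted}


if __name__ == "__main__":
    verdict = evaluate(SAMPLE_SARIF, EXCEPTIONS)
    for f in verdict["blocking"]:
        print(f"BLOCK {f['level']} {f['rule']} {f['uri']}:{f['line']} {f['text']}")
    for f in verdict["excepted"]:
        print(f"EXCEPTED {f['rule']} {f['uri']} (ticket {EXCEPTIONS[0]['ticket']})")
    raise SystemExit(0 if verdict["passed"] else 1)
```

Run as a pipeline step, the non-zero exit status fails the merge; the severity floor is a policy knob, and the expiry on each exception is what keeps a "temporary" risk acceptance from quietly becoming permanent.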
- Take a platform approach.
Security leaders should also extend crowdsourced security beyond bug bounties to other cybersecurity solutions including penetration testing and attack surface management. To get there, proactive crowdsourced security requires a multi-solution SaaS platform that can orchestrate data, technology, and human intelligence. An integrated platform gives security teams collective knowledge about all their assets, targets, vulnerabilities, environments, and remediation steps.
Organizations need to take a proactive strategy to security. Being proactive means applying the contextual intelligence of an integrated platform to achieve better, faster security outcomes. And by tapping into the vast crowdsourced power of the global researcher community, security teams can quickly find and patch hidden vulnerabilities before the bad actors strike.
- Plug the talent gap in a down economy.
Finally, as security budgets come under greater stress, it has become harder for companies to find enough good people. Hiring in the cybersecurity industry remains a top concern for both the public and private sectors. Public sector agencies are especially challenged to match the compensation and equity packages that private sector firms offer for the same pool of candidates.
Given the weakening economy, security leaders will need contingency plans for attracting and retaining quality talent with a recession and industry layoffs looming. Helpful recommendations include investing in work-based training via volunteer clinics and apprenticeship programs, and increasing flexibility around hiring authority and pay ranges to better compete for talent.
Many refer to the challenge of hiring in cybersecurity as a talent gap. However, organizations can overcome this by recruiting and educating employees from diverse backgrounds. Start by engaging with crowdsourced security researchers from around the world. The power of the crowd can offer an economical, on-demand way to augment security teams with the necessary skills and expertise.
The true value of crowdsourcing requires the ability to find and develop these new sources of talent. While degrees in computer science and related technical fields are nice to have, almost anyone can become successful in a cybersecurity role with the right mentors, assistance, and on-the-job training.
Dave Gerry, chief executive officer, Bugcrowd