Tarah Wheeler, whom Symantec recently hired as principal security advocate and senior director of engineering for its Website Security team, is already making her presence felt, reportedly pledging to foster ties with the independent hacker community for inspiration and ideas.
“I'm joining to talk to the independent hacker community and find crazy and interesting research that isn't showing up on the corporate radar,” Wheeler told The Register in a recent report that referred to her position as for all intents and purposes a “cybersecurity czar.”
The CEO and co-founder of HR Automation software firm Fizzmint, whose LinkedIn profile includes special skills in “Supervillainy,” is no stranger to the concept of leveraging expertise from outside resources, having founded Red Queen Technologies, a service that outsources web development for up-and-coming, budget-conscious website operators.
The corporate IT strategy of actively engaging hackers is not without its detractors. Some experts believe the risk is too great, especially as one negotiates the slippery slope from white hats to gray hats to black hats.
But the consensus among multiple experts who spoke with SCMagazine.com, was that the strategy makes perfect sense for Symantec, especially in light of the staggering workforce shortage within the cybersecurity industry.
“Our industry has 1 million cybersecurity job openings in 2016, and that is expected to rise to 1.5 million by 2019. There's practically a zero percent unemployment rate within the top 10 percent of cyber professionals,” said Steve Morgan, founder and CEO of research market and intelligence firm Cybersecurity Ventures, in an email interview with SCMagazine.com. “I think Symantec is on the right track if they have very specific internal criteria they use to determine which hackers can and which hackers cannot engage with them. The talent pool within the gray and black hat community is too great to unilaterally dismiss as unsuitable to work with.”
Companies looking to become more creative, aggressive and proactive in their network defenses may also have reason to strengthen ties with hackers. Nathaniel Gleicher, head of cybersecurity strategy at the network security firm Illumio, told SCMagazine.com that as attackers – especially nation-state threat groups – continue to raise the bar with new sophisticated offensive threats, network defenders keep playing at a disadvantage. But by turning to the hacker community, companies may finally be able to “drive serious innovation on defense in the same way that the last decade has seen serious innovation on offense,” said Gleicher, the former director for cybersecurity policy at the White House's National Security Council.
Bug bounty platform provider HackerOne has built an entire business around the interaction between security-minded organizations and the hackers who responsibly disclose vulnerabilities in their products and websites. According to the company, its 2016 Hack the Pentagon bug bounty pilot program – coordinated with the U.S. Department of Defense – resolved 138 vulnerabilities over the course of a 24 days, but at only around 1 percent of the cost of a typical government contract.
"Traditional security best practices are not enough, and organizations need to have the mindset that there is always something that will be missed. The companies that are absent from the breach headlines are the ones that are working closely with the hacker community to see where they are most vulnerable,” said Michiel Prins, co-founder of HackerOne, in an interview with SCMagazine.com.
Of course, this does not mean companies shouldn't employ common sense or set sensible policies when interacting with hackers. “If Symantec hires the wrong hackers, it can cause irreparable reputational damage, so much so that it could have a material, adverse effect on its stock. They could in fact be hacking themselves,” said Morgan. “On the other hand, with the right people, Symantec can build an elite cyber core of engineers.”
Morgan recommended that companies seek out only those gray and black hats whose actions indicate that they are now well-intentioned and reformed. “If someone intentionally hacked into a company and stole confidential data from a corporation or government agency recently, and sold that data in the dark web underground, I'd probably hesitate” engaging with them, he explained.
As for Wheeler, Morgan praised the hire. “Symantec is tapping someone who is well respected and connected into the hacker community, and she has deep domain experience across the key security sectors where the company is looking for people. I believe this will help overcome the stigma associated with Symantec as a big software company, as opposed to a hot cyber company,” he said.
Prior to Fizzmint and Red Queen, Wheeler – author of the new book Women in Tech – spearheaded projects at Microsoft Game Studios and architected systems at encrypted communications firm Silent Circle.
“We're thrilled to have Tarah join us…at Symantec,” said Roxane Divol, SVP and GM of Website Security at Symantec, in comments emailed to SCMagazine.com. “Her passion for security and unique blend of development and domain expertise is a huge asset that will help inform our strategy and system architecture, and will play a critical role in influencing our roadmaps as champions of encrypting the entire web and setting a high bar industry-wide.”
Per Symantec policy, Wheeler declined to participate in this article.