Ask the Expert: An outside-of-the-box approach to cybersecurity’s biggest challenge


This article was originally published in the Union Leader.

By David Gerry, CEO, Bugcrowd.

Addressing the cybersecurity skills gap

Cybersecurity has a problem: The attack surface is expanding faster than companies can secure it. Innovations with AI and in the cloud create brilliant opportunities for organizations to be more dynamic and efficient, but they also increase the size of the threat landscape. Unfortunately, cybercriminals and attackers are getting better at what they do, and even the biggest, most sophisticated security teams can’t keep up. It’s a numbers game; all it takes is one hidden vulnerability in the peripheral of the attack surface to turn into the next big breach. 

When you combine the expanding attack surface, constrained security budgets, and the fact that organizations are competing for a limited pool of qualified talent to fill roles, the situation certainly feels dire. Instead of relying on traditional methods like talent acquisition, thousands of organizations are turning to an unexpected ally: hackers.

Or more specifically, the ethical hacking community. Across the globe, there are hundreds of thousands of ethical hackers who have different specialities from industry to technology to tooling. These hackers search for hidden vulnerabilities and report them back to organizations, in return for a financial reward based on the severity of the finding. In the industry, this is called a bug bounty program. All of this happens before attackers have a chance to find and exploit these vulnerabilities. 

The ethical hacker community is young and hungry for opportunity. 90% are Gen-Z or millennials and 64% perform their security research in the evenings and weekends outside of a regular full-time security job. This means that when organizations partner with hackers, they are getting highly-skilled cybersecurity talent to act as an extension of their team. Although 73% of hackers have graduated from college, the vast majority of them learn hacking skills via online resources and self-study. This DIY-spirit is deeply ingrained in hacker culture; the self-starter attitude and insatiable curiosity is part of what makes these security researchers such invaluable partners. 

Working with hackers turns traditional cybersecurity talent recruitment on its head, but it’s not just a win for organizations. The money hackers make from this important work can quite literally be life changing. Over the years, I’ve heard countless inspirational stories about the impact of bug bounty work. One hacker went from experiencing homelessness to buying a house, another bought his parents a car, and many were able to quit their full-time jobs and turn their “side-hustle” into their dream career. 

Developing and investing in the hacker community couldn’t be more important to sustaining this unique channel of cybersecurity talent. There are so many amazing organizations out there that aid in this work, such as Girls Who Code and even local university clubs like the University of New Hampshire Cybersecurity Club. 

At Bugcrowd, we aid this work through Bugcrowd University, which publishes educational content for all experience levels for hackers to develop their skill sets. We also host live hacking events and Capture the Flag (CTF) events for the community to network and learn from each other. We facilitate mentorship opportunities for aspiring hackers and bring educational workshops to college campuses. These development opportunities aren’t just an investment in hackers; they’re an investment in a more secure world. 

I’m incredibly proud to be part of a system that unlocks the creativity and ingenuity of the masses to solve nuanced problems. I find the lessons learned from the innovative approach of a bug bounty program are applicable far and wide. Every industry is experiencing massive shifts in today’s technology-forward landscape. Innovation moves quickly. As leaders, we must rethink the traditional formulas around talent recruitment and workforce development in order to keep up. When we think outside of the box and look to unexpected sources, we create an increased talent pool with diverse backgrounds, skills, and approaches. 


About the author

Dave Gerry, CEO at Bugcrowd, is a cybersecurity thought leader with a wealth of experience in application security. 

With nearly a decade entrenched in the application security market, Dave has occupied leadership roles in renowned cybersecurity firms such as WhiteHat Security, Veracode, Sumo Logic, and The Herjavec Group. His leadership has been consistently acknowledged in both the cybersecurity and business communities, earning him prestigious accolades such as the CyberScoop 50 Awards, Cybersecurity Excellence Awards, and Cyber Defense Magazine’s Global InfoSec Awards. 

Dave’s academic credentials include an MBA from Suffolk University and a BA from Merrimack College. Dave lives with his family in southern New Hampshire. 

Bugcrowd is the leading crowdsourced security platform, with offices in San Francisco, California and Bedford, New Hampshire. For more information about Bugcrowd, visit www.bugcrowd.com.