Technology has now enveloped companies that may not have previously considered themselves to be “tech companies” – industries like food, retail, healthcare and even the government are having to make the transition. With this mass migration from business in brick-and-mortar to the ‘wild’ World Wide Web, there are bound to be some growing pains.
Today, cybersecurity is the new black. Security incidents have become one of the unfortunate realities of business, and there is a heightened sense of awareness that pervades both businesses and consumers daily. As security veterans, we have learned a lot over the years and have wisdom to share that can help others learn from our mistakes.
Give Them a Door to Knock On
Engaging with the external security community is crucial, as its members are often the first to identify a critical vulnerability or an exploit. One of the simplest ways a company can open the door is to implement a method for security researchers to report vulnerabilities. This is something that even larger technology companies have only recently started to master, and organizations like HackerOne (for vulnerability reporting) or BugCrowd (for crowd-sourced penetration testing) are great places to start.
Platforms like these empower researchers to showcase their skills and get well-deserved credit. They provide a standardized channel for receiving important information and allow organizations to reward researchers for well-written, valid bug reports.
Talk It Out
Like any relationship, communication is key. Researchers are motivated by the desire to make systems both better and more secure for customers; when researchers report information to vendors, they do so because they are passionate about the work they are submitting.
We’ve always found that recognizing this effort and understanding the researchers’ point of view increases the likelihood that both parties will arrive at an overall solution. When this communication continues over the phone, or better yet in person, the relationship is stronger in the long run and more likely to last well into the future.
It Takes a Village
Treat the rest of your company like an extension of your security team. At Adobe, we have a martial arts belt-style certification program that product engineering groups have really embraced. It has allowed us to actively heighten the security IQ of the employee base as a whole. We’ve leveraged this to build up both our internal security community and our security culture at large.
It’s great to have a central security team made up of subject matter experts – but that only scales so far. Having thousands of employees who can champion security during their daily activities is a great way to keep up and make meaningful progress.
Sharing is Caring
Looking back 10 years, it was very simple: you generally didn’t talk to your partners or competitors – and if you did, you made sure to act like everything was perfectly under control. Fast forward to today and there is realistic collaboration on real-world problems between vendors who work together as partners. Take advantage of this new-age information exchange!
For example, Adobe has worked with other vendors on security projects over the years. Even though we sometimes compete in the marketplace in various ways, we put aside our business bias and acknowledge that the best way to make progress on security challenges is to pool resources and work together. Consider getting involved with non-profit organizations that unite experts and share security best practices, like SAFECode. These experts work together to reduce software vulnerabilities, improve resistance to attacks and help protect supply chain integrity within an organization.
Grill Your Partners
Pick your partners’ brains! We’ve found that chatting with our partners and vendors can unearth some surprisingly great intelligence. Ask partners what their customers’ concerns are and find out what issues are trending within the security ecosystem as a whole. This will help you identify whether your company or customers have similar issues or concerns, whether you have the right solutions available to address them, and whether you are applying those solutions in the right way.
You might have noticed a running theme – communication, communication, communication. It used to be that the security community functioned in silos – there was competition between groups and little to no mutual understanding. Today, there is an unprecedented level of cooperation around security, and as a result, there is greater understanding and education across the board.
For security rookies this is a gift. As long as we continue this extended dialogue and share information with one another, we can all be better at our jobs – and help make everyone else safer because of it.