Reducing risk is the fundamental reason organizations invest in cybersecurity. The threat landscape grows and evolves, creating the need for a proactive, continual approach to building and protecting your security posture. Even with expanding budgets, the number of organizations reporting serious cyber incidents and data breaches is rising.

Vulnerabilities Leave the Door Open to Malicious Actors

Exploiting known vulnerabilities is among the top vectors for cyber attacks. A Ponemon Institute study found that 60% of breaches can be traced to an unpatched vulnerability—specifically, a known vulnerability registered in the CVE database.

In a recent joint workshop, Mike Wilkes, CISO of Security Scorecard—a HackerOne partner and cybersecurity ratings industry leader—joined Alex Rice, HackerOne co-founder and CTO, to explore how vulnerability intelligence combined with cybersecurity ratings help organizations build a resilient security posture. These security leaders discussed how to combine findings from hacker-powered security with continuous external cyber monitoring to more effectively reduce cyber risk. 

Vulnerability Intelligence

Two key elements of hacker-powered security are bug bounty programs and Vulnerability Disclosure Programs (VDPs). Hacker-powered security invites ethical hackers to search for hard-to-find and new vulnerabilities that automated tools can miss. 

Bug bounty programs post a reward structure for reported vulnerabilities based on the potential negative impact. Many leading organizations use bug bounty programs to identify unknown security vulnerabilities that malicious actors might exploit. Some of the most prominent bug bounty programs are run by HackerOne on behalf of the U.S. Department of Defense, Verizon, and IBM.

A VDP is a “see something, say something” approach to hacker-powered security, allowing hackers to search for vulnerabilities without incentivizing them. In recent years, regulatory compliance frameworks like NIST 800-53 increasingly require VDPs. President Biden’s Executive Order on Improving the Nation’s Cybersecurity also includes VDPs.

Taken together, the findings from bug bounty programs and VDPs become a wealth of vulnerability intelligence ready to enrich a cybersecurity rating. 

Cybersecurity Ratings

Continuous external cyber monitoring plays an essential role in risk-based security, which until recently was used only by the most well-funded organizations due to complexity and cost.  SecurityScorecard has innovated cyber monitoring with automation and machine learning to create broadly accessible cybersecurity ratings. By determining a cybersecurity rating based on risk propensity across their entire external attack surface, organizations can show their security posture over time.

By studying hundreds of indicators across ten categories, SecurityScorecard distills an organization’s cyber readiness into an A through F grade, which correlates directly with the likelihood of a real-world breach. An organization with a D grade is seven times more likely to be breached than one with an A grade.

Security ratings assess cyber readiness and manage cyber risk, determine risks associated with the software supply chain, and—for organizations with high ratings— can lower cyber insurance costs.

Joining Forces to Reduce Risk

The combination of VDPs, bug bounty programs, and external cyber monitoring targets vulnerabilities with a two-pronged approach:

  1. External cyber monitoring finds known vulnerabilities and security issues across an organization’s entire external attack surface.
  2. VDPs and bug bounty programs find unknown vulnerabilities that are visible and exploitable by external hackers.

By systematically finding and resolving these vulnerabilities, organizations can significantly reduce their risk of being breached.

Seeing the Whole Picture

During the workshop, Mike Wilkes and Alex Rice discussed more advantages of combining VDPs, bug bounty programs, and continuous external cyber monitoring, including the impact it can have on reducing risk, preventing breaches, and vetting third parties.

Watch the recorded workshop to learn:

  • Why more and more organizations are adopting VDPs and bug bounty programs
  • How the evolving cyber rating landscape will change risk management
  • Why cyber ratings are crucial for third-party risk management
  • The difference between leading and lagging security indicators and why leading indicators are more valuable for tracking and controlling risk
  • Why both positive and negative security indicators are important when assessing an organization’s security posture

Viewers also get a look at HackerOne’s cyber rating and scorecard and see how hacker-powered indicators and insights will integrate with SecurityScorecard’s cyber rating platform. Watch the workshop here.

Posted by Charlie