07 November 2018

Financial Services’ New Industry Best Practice

Anne-Marie Chun

“Crowdsourced security testing is becoming the new industry best practice for how penetration testing is conducted in Financial Services.” – Jay Kaplan, CEO & Co-Founder, Synack

Beyond Bug Bounty: Crowdsourcing Ethical Hackers

Money20/20 2018

  • Karl Schimmeck, Executive Director, Vulnerability Management, Morgan Stanley
  • Jay Kaplan, CEO & Co-Founder, Synack
  • Mikhail Sosonkin, Synack Red Team Member
  • Moderator: Sean Sposito, Analyst, Fraud & Security, Javelin Strategy & Research

Penetration testing is not a new concept – and that’s the problem, especially for financial institutions working to protect their financial assets and customer data in a modern, digital economy.

Banks, credit card companies, digital currency exchanges, and other financial institutions from the Fortune 500 to early stage companies are turning to crowdsourced security to get beyond penetration testing and achieve both real security and compliance.

Karl Schimmeck, Executive Director, Global Head of Vulnerability Management at Morgan Stanley, recently took the stage with Jay Kaplan, CEO & Co-Founder of Synack, and Mikhail Sosonkin, Synack Red Team member, at leading payments conference Money20/20 to talk about how the industry is conducting more aggressive security testing in a controlled, efficient, results-oriented way.

There’s a culture change in security, according to the panel. Karl explained that ten years ago, early code releases would be really buggy. Luckily, the damages were minimal. “Now we’ve gotten to a point where a higher level of quality for bugs being removed before you release- that’s the standard. And now we want that for security,” says Karl. “We feel this [crowdsourced security] is a model that can give us that leverage.”

However, there’s a balance to be made between control and openness. On the one hand, the standard penetration testing industry lacks “enough smart people,” explained Karl. On the other hand, open bug bounty models create unnecessary risk for companies.

“We’re a regulated entity. We have a responsibility to our clients. With the emergence of companies like Synack, you now are finding that proper balance to where it [crowdsourced security] can be applied in a structured way, with controls in place, with transparency of who is doing the testing, and then we can get the best testers, we can get the most creativity and we can apply them in the most diverse way.” -Karl Schimmeck, Executive Director, Vulnerability Management, Morgan Stanley

Synack’s crowdsourced security platform protects >830 million credit card and payment accounts, >$5.01 trillion in banking assets, and $110 billion in digital payments revenue. We’ve seen the number of engagements we have with financial services companies increase 467% between 2015 and 2017, compared to 63% growth in bug bounty.

Watch the full discussion to learn more.