“Better” – the theme that permeated San Francisco last week at RSA! But what does “Better” really mean, and is it good enough? At the Synack Studio for Crowdsourced Security, we hosted hundreds of businesses and security leaders for fresh, pragmatic conversations about security, with actionable insights that you couldn’t find on the RSA stage. With our prime location just across the street from Moscone, the Synack CISO Lounge was buzzing with conversations about, reactions to, and reflections on the content of the week. At the top of everyone’s minds was trust by design. Starting at the asset level, organizations are integrating security into their product development lifecycle to build products that consumers can actually trust. To build trust, G2000 companies, emerging high-growth companies, and government agencies are turning to crowdsourced security testing. By seamlessly integrating the best human security researchers and AI technology, Synack’s crowdsourced security testing platform provides the talent and scale that security teams don’t have the resources for in-house. From Synack’s CISO Lounge to our nine events, here were the 3 major takeaways from the week that our crowd cared most about (because we believe in crowdsourcing everything from our security vulnerabilities to our RSA highlights!):
1) Consumers Want More Transparency
Consumers are becoming more sophisticated and in turn are seeking more transparency and security around the data they share with businesses. During our Executive Lunch: Rebuilding Trust, moderated by David Demarest (Founder, AspenLine Reputation Strategies; previously White House Communications Director for George H. W. Bush) with panelists Amit Elazari (Global Cybersecurity Policy at Intel Corporation; Lecturer, UC Berkeley School of Information (MICS)), David Cohen (Shareholder, Brownstein Hyatt Farber Schreck and former Chief Administrative Officer, CLEAR), and Jay Kaplan (Co-Founder and CEO, Synack), there was unanimous agreement that consumers are the driving force behind new security & privacy regulations and standards. Consumers’ trust in brands is grounded in their belief that the organization is keeping their data, information and activity secure. Consumers are frustrated with the misuse of their personal data, and they want more transparency around who is collecting it and how it is being used. One panelist believes we need to utilize innovation to empower consumer and business decision-making when it comes to data and privacy.
To help standardize these practices, consumers are demanding new regulations, such as the EU’s General Data Protection Regulation (GDPR) and California’s Consumer Privacy Act (CCPA). Regulations like GDPR and CCPA are likely the first of more to come. In response, trusted consumer ratings services, like Consumer Reports, are integrating security as a criterion in their ratings. As a trusted business, you want to spend time ensuring your customer data is safe and secure, as well as compliant. Synack customers use crowdsourced penetration testing to achieve compliance (e.g., PCI, NIST 800-53, OWASP) but also to achieve a higher level of security by minimizing vulnerability risk. Jay Kaplan commented that “Trust takes time; when you have a quantifiable measure you can then start to improve. If they don’t have a way to measure, regulation and enforcers have no way to do their job.”
2) CISOs Need Better Ways to Quantify and Measure the ROI of their Security Investments
With over 3,000 security vendors out there and over $114B spent on security products and services, CISOs need a better way to present the ROI of their security programs to their boards and executive teams. During our CISO Panel: Trust in Practice, Sean Sposito (Sr. Security Industry Analyst, Javelin Strategy & Research), Kevin Fielder (CISO, Just Eat), Tim Dawson (Cyber CTO & Acting CISO, HSBC), and Steve Ward (CISO, Home Depot) shared that their boards don’t want to talk about security; they want to understand security risk as it relates to business risk. CISOs’ primary focus should be on measuring and understanding how their programs are reducing the security risk in their organizations and on framing security in terms of ROI. The panelists agreed that a continuous security model has allowed them to transition from a mindset of increasing security to a mindset focused on reducing risk. Synack has seen similar success with organizations that conduct security testing continuously. The organizations that practice continuous testing of their assets have 43% higher Attacker Resistance Scores on average than those who test on a point-in-time basis.
3) Adopting a Continuous Security Lifestyle Gets Your Brand to Trust (But It Takes Time)
In order to see the ROI on your security investments improve, you need to “shift security left” in the Software Development Life Cycle (SDLC). This means integrating security into the development lifecycle from the onset of product development and moving security testing from a point-in-time exercise to a continuous cadence. Kevin Fielder, CISO at Just Eat, has adopted this integrated approach within his organization and believes it reduces overall risk and limits operational downtime for severe issues by addressing them before they are introduced into the production environment. During our panel with CISOs from financial services, eCommerce, and retail, these industry leaders all agreed that building security into the SDLC was going to be integral to their ability to maintain their brand as trusted leaders in the industry. To ship secure, trusted products, development teams need more intelligent testing that keeps pace. Synack’s scalable, on-demand penetration testing enables security and development teams to use real-time intelligence and analytics to remediate vulnerabilities, prioritize critical assets, and manage risk, all before new products ship. However, building trust takes time. Among Synack clients, we measure up to 200% higher Attacker Resistance Scores among those organizations that work to improve their attacker resistance for 2+ years vs. <1 year.