Can a CISO report directly to the board when there’s a breach, rather than the CIO?

Founder/Chairman/CTO in Telecommunication, 3 years ago

We've seen companies that use bug bounty programs plug those results directly into board-level reporting around overall resilience. Atlassian offers the highest level incentive to the crowd and then the velocity of critical issues coming through serves as a proxy indicator of the cost to attack the company overall, which is a fascinating way of doing it. That gives you some metric to at least tell you where you are at a particular point in time. And more importantly for the CISO, when it comes to budget, you can trend it. You can talk about the direct improvements that you've made that have been a product of whatever you've done from a program standpoint. Not many organizations are doing that. Most of our industry's defined by nothing happening if we're doing it right, so it's a good thing to be able to go back and show some positive feedback based on your efforts to be more secure, wherever you can get your hands on that.

Then you can say, “We had this many events, we blocked this many attacks, and we pushed this many different things.” Trailing indicators are traditionally what CISOs will try to distill and surface up to the board. But it's the leading indicators that you want to look for. And if they have a dollar sign attached it's even better, because boards know how to pay attention to dollar signs. In the absence of that metric, the only time a company's ever going to say, “We should have spent more money on security,” is after they have been hacked. That's not a conversation that you hear proactively. It usually takes place after something bad has happened, so how can you flip that narrative and have it become a part of how the business thinks about risk management and how it deploys capital overall?
