Transparency across the cyber community can be a benefit to all organizations looking to improve their cybersecurity practices, according to a recent panel of Intel security leaders. As organizations look to connect previously siloed internal departments, they should also consider reaching outside of their business to best secure their technology.
Suzy Greenberg, Vice President of Communications and Incident Response, moderated a conversation about resilience and prevention in cybersecurity between Maggie Jauregui, Offensive Security Researcher; Katie Noble, Director of Intel's Product Security Incident Response Team (PSIRT) and Bug Bounty; and Amit Elazari, Director of Global Cybersecurity Policy.
Proactive and reactive approaches to transparency
Transparency involves bringing siloed sections of the security industry together for the larger goal of securing technology. Noble noted that bringing security researchers from all sides of the cyber community into the conversation can offer new perspectives on vulnerabilities. She expanded, "When I say security researchers, I don't just mean professional security researchers... [I mean] all the way to hackers in questionable places, doing questionable things. I don't care what someone's motivation is, I care about the technology and securing the technology."
When it comes to transparency, implementing vulnerability disclosure and bug bounty programs is a helpful starting point for cybersecurity teams. Jauregui highlighted the cultural shift that these programs bring about, saying, "We've changed from 'You hacked me — you're going to jail!' to 'You hacked me — let's work together, I will hire you.'" She said this outreach to cyber experts on all sides of the community leads to tighter defense for organizations.
Elazari underlined the uptick in attention on transparency and collaboration from policymakers around the globe. "This concept of being able to receive reports from external researchers and handling it internally... is a fundamental security capability." She noted that the fear of legal risk prevents cooperation in vulnerability disclosures and bug bounty programs, but this risk perception is rapidly shifting. The recent increase in federal cybersecurity policy may have an encouraging effect on organizations and individuals who were previously reluctant to disclose known vulnerabilities.
Foregrounding inclusion in cybersecurity
Another area where transparency can benefit the cybersecurity industry is in gender parity. Elazari, Greenberg, Jauregui and Noble all touched on inclusion and diversity in the cybersecurity field, in which women only make up 24% of the workforce.
Shifting the narrative around cybersecurity as a purely technical field could make the industry more enticing to women, according to Jauregui. Speaking from her experience as an innovator in using a system's physical properties against itself, she said, "If you are a creative person, if you like arts and crafts, if you're good at attention to detail, which I think a lot of women are, then maybe you'd like hardware security, and you haven't even thought about it."
The panelists also discussed the concepts of mentorship and sponsorship. While all panelists had encouraging mentors of different genders, they also underlined the importance of sponsoring women in cybersecurity. According to Greenberg, sponsorship is "advocating for someone when they're not in the room.... If there's a discussion around capabilities, opportunities, [then] there's someone in the room that is speaking on your behalf when you're not there to advocate for you." The shift from mentorship to sponsorship can create a generation of cyber professionals who are empowered as leaders, not only mentees.
The advocacy involved in sponsorship can be even more effective at an organizational level, according to Elazari. From setting inclusion quotas to promote diverse perspectives within an organization to ensuring fair salaries and opportunities for women on an institutional level, enterprise organizations can ingrain inclusion into workplace culture.