“The definition of insanity is doing the same thing over and over, and expecting a different result” – Albert Einstein, 1951
“It may sound crazy to try this. But it is also irresponsible not to…” – Bill Gurley, 2015
I am excited to announce our investment in HackerOne, the leading cybersecurity marketplace which connects enterprises and governments to responsible and ethical hackers. Many of the largest Internet companies such as Facebook, Google, and Microsoft learned years ago that in order to protect their sites against attacks, they needed more than firewalls, vulnerability scanners, and security consultants. They needed an army – and they quietly enlisted tens of thousands of developers around the world to openly hack them. The results were astounding – at Facebook alone, public hackers reported more bugs in 48 hours than had previously been discovered by their internal team throughout the entire previous year. After paying out millions of dollars to hackers for successful disclosure, these Internet platforms surprisingly pioneered one of the most provocative and increasingly effective programs in the security industry today: the bug bounty.*
More than $80 billion is spent annually by enterprises and governments to secure their digital assets – this number has grown substantially over the past 10 years, but nonetheless there is increasing frustration that we’ve lost the war on cybercrime. In the past year alone, J.P. Morgan lost consumer data for more than 80 million account holders, Target lost more than 70 million credit and debit card numbers, and the federal government lost over 4 million confidential records of employees with security clearance. Furthermore, more than 80% of all corporations have reported some type of breach, and it seems that every day we learn about yet another important organization that has been compromised in some way. The cybersecurity industry faces a spending paradox that perplexes many leaders sitting in boardrooms today – “If we’re investing more money in security, why aren’t we any more secure?”
There are generally two widely accepted answers to this question:
- Most security solutions protect you from known threats. However, the threats that matter the most are the threats you haven’t seen.
- Security is not a technology problem – it’s a human problem. No amount of software or computing power can fully protect you from the creativity, agility (and at times stupidity) of mankind.
These issues are not new to the industry, but organizations that are using HackerOne are finally tackling them head on. First, HackerOne helps companies enlist an army of humans into the war on cybercrime. Today, more than 200 organizations have paid out substantial bounties to tens of thousands of responsible hackers, and I expect millions of software developers will ultimately join the fight to protect the Internet. Second, HackerOne’s community is already finding vulnerabilities previously undetected by the most advanced software, making it possible for organizations to see threats before they are exploited. Some surveys report that only 1% of real threats are detected by today’s best security products. HackerOne is finding orders of magnitude more vulnerabilities through its community of hackers, giving organizations a chance to see and fix their problems well in advance of a significant attack.
As an entrepreneur, I founded a security company and served with many friends in the war against cybercrime. I am personally thrilled to work with the HackerOne team. The security industry has always attracted some of the brightest minds in software development, but we’ve fallen behind and need to embrace a completely new approach. We need to enlist a new army to fight this war, and with HackerOne we can build a community to make the Internet a safer place. Should your organization work with hackers? It would be insane not to.
* One of the great testimonials for bug bounties comes from Sheryl Sandberg, Chief Operating Officer of Facebook, in her interview on the subject.