HackerOne CISO: ‘Hackers need a seat at the table’

22 Apr 2022

Chris Evans. Image: HackerOne

HackerOne’s Chris Evans says companies that don’t partner with hackers are increasingly seen to be ‘lagging behind’ in cybersecurity.

Chris Evans is the CISO and chief hacking officer at HackerOne, a California-headquartered bug bounty platform that connects businesses with penetration testers and cybersecurity researchers.

Evans is the first person to take up the dual role at the company, following previous experience in leading security roles at Google, Tesla and Dropbox.

In his current role, Evans collaborates with the ethical hacking community and delivers their point of view to the executive board.

“It’s an opportunity to give hackers a seat at the table,” he told SiliconRepublic.com. “I also advise and support businesses with best practices for partnering with the ethical hacking community, and I have the responsibility of developing the next generation of hackers.”

Another element of his role is supporting HackerOne’s expansion of security intelligence tools and communicating valuable insights from the hacker community.

‘Hackers are no longer seen as villains’

What are some of the biggest challenges you’re facing in the current IT landscape?

One of the biggest challenges that we’re hearing from our customers across the world is the growing threat of ransomware and cyberattacks becoming more sophisticated – and there’s no sign of threats slowing down any time soon.

After observing recent cyberattacks that are becoming more calculated and widespread, businesses are paying more attention to bolstering their resistance to attacks. Customers want to understand where their security gaps are and to quickly close them down.

When you have many criminals coming at you, the only defence is to partner with an even larger number of friendly hackers. Take the recent Log4Shell issue, for example. When the vulnerability was discovered, it was not a happy day to be on a security team, but it went a lot better for companies connected to the hacking community.

Hackers immediately began to submit thousands of valid Log4Shell issues, and at HackerOne we looked at the data across our platform and identified the hackers who were working hard to find vulnerabilities. Then, we worked with our customers to make sure that they had access to these amazing security experts.

As a result, HackerOne customers got near real-time data on their Log4Shell exposure, which guided and accelerated remediation efforts. I do believe that breaches were prevented as a result.

What are your thoughts on digital transformation?

We have seen a significant increase in digital transformation projects in recent years, in part largely driven by the pandemic as organisations looked to continue business.

Digital transformation expands the potential for vulnerabilities that, if not addressed, can leave organisations vulnerable to cybercriminals.

In fact, HackerOne asked CISOs, CIOs and CTOs about the impact of rapid digitalisation and the results showed that well over half of C-suite executives (64pc) believe that their organisation is more likely to experience a data breach because of the rapid pace of digital transformation.

At HackerOne, we work with an amazing, diverse and talented hacker community. No matter what new technologies businesses are adopting, the hacker community has specialised knowledge on how to use it safely and securely and are more than willing to lend a helping hand.

What big tech trends do you believe are changing the world?

Personally, I am very excited to see more organisations, particularly those on the more conservative side, partner with hackers to drive cybersecurity improvements. We’re seeing some of our largest customer base growth in the government and financial sectors.

Worldwide departments of defence and banks are successfully partnering with hackers and if they can do it, anyone can do it. In fact, companies that don’t partner with hackers are increasingly seen to be lagging behind in their cybersecurity posture.

I’m happy that general attitudes towards hackers are becoming more positive, which is amazing to see. Hackers are no longer seen as villains. In fact, they are heroic in protecting businesses and the general public from malicious actors in our digital-first world and helping the internet to become a safer place.

How can we address the security challenges currently facing your industry?

The best way to address security challenges is together. Whether this is achieved by companies sharing information, governments helping vulnerable sectors or companies partnering with friendly hackers – collaboration is what will keep us ahead of the criminals.

The ethical hacking community is awesome because they can find a critical vulnerability that has the potential to affect thousands, sometimes millions, of individuals. Once found, hackers then spread the word about the vulnerability, paying it forward and contributing towards making the internet a safer place for all.

However, what I would also love to see more as an industry is creating a culture that’s built on transparency, and it is this culture that is absolutely key when addressing the many security challenges that currently exist.

We can really help each other by openly sharing information. Security success is only possible with collaboration, and openness on security flaws can only result in positive change.

It’s time that we squash the myth that business will be affected if people discover security flaws – everyone has security flaws. In fact, the security leaders are increasingly seen as the mature companies that are open about security flaws and transparently contribute to broader security discourse.

10 things you need to know direct to your inbox every weekday. Sign up for the Daily Brief, Silicon Republic’s digest of essential sci-tech news.