HackerOne

What HackerOne Customers Can Tell You About Securing Organizational Buy-In for Ethical Hackers


HackerOne’s Security@ Global Tour series of events gives you direct access to some of our top hackers and customers. Delegates have the opportunity to ask any question about both sides of the relationship. 

In this blog series, we will learn from bug bounty and pentest customers in a variety of industries how they secure organizational buy-in for their programs, navigate vulnerability remediation conversations with asset owners, engage with hackers, and measure success.

Securing Organizational Buy-in For Ethical Hackers

CISOs and other security leaders are challenged to demonstrate the benefits of working with ethical hackers and to secure budget and buy-in for their bug bounty programs. Here’s how some HackerOne customers approach their stakeholders about the impact of ethical hackers on security.

“When presenting to any stakeholder about a bug bounty program, you want to emphasize the benefits; show development from where we were a year ago to today and in a year’s time. You want to make the topic understandable and recognize that for them it’s a small piece of a much bigger business story, so give them information they can understand, put in context, easily pass on and explain themselves.”
— Dominik Koehler, Senior Application Security Specialist, KONE

“The security industry invents so many fake processes and misconceptions. We tell ourselves that industry certifications and cybersecurity laws can solve security, but when have certifications ever stopped incidents? Hackers are really special; if you want to catch an attacker, you need to think like an attacker, and attackers don’t think about the papers you have. When it comes to real breaches and attacks, I use real vulnerabilities to show impact.” 
— Alexander Korotkov, a CISO from a global SaaS provider

“I don’t have to convince engineers because our customers do that for me. They have requirements and expectations about vulnerability management that we have to fulfill regardless.”
— Alexander Korotkov, a CISO from a global SaaS provider

“Bug bounty—a situation in which you engage directly with members of the public about security and give them money—is quite an unusual function of security. Therefore, it’s crucial to build organizational confidence in a program and get people comfortable with the process, knowing that when they hit that bounty button, it will act as they expect.”
— Matthew Copperwaite, Senior Cyber Security Engineer, Financial Times

“The best time to plant a tree is thirty years ago and the second best time is today. There’s never a better time to reduce risk exposure for your customers. I wish we’d done bug bounty even earlier. Although it’s unnatural to ask people to break things you really care about, it’s the right thing to do—don’t pretend you can do a better job internally.” 
— Dmitri Lerko, Head of Engineering, loveholidays

To gain more insights like these firsthand, check out the next stops on the Security@ Global Tour. If you're interested in learning more about how to secure organizational buy-in for ethical hackers, contact the experts at HackerOne today.
