FROM THE HACKER'S MOUTH:

THE KEY TO CYBER SECURITY

Image credit: © peshkov - stock.adobe.com

The topic promises to dominate our news feeds this year but how can companies defend themselves? Who better to ask than the man who could be attacking you!

Security is something that we all crave. Professionally, being able to protect assets and ideas is paramount to a successful business.


It is also a topic that has continued to make headlines over the past year and will doubtless be a topic that we are all talking about in boardrooms, seminars and golf courses in years to come.


The most recent reports to feature on TBT include the vulnerability of Microsoft Office and the underspending by up to half of businesses on the protection of their digital infrastructure.


“I think the biggest challenge is that there is just too much going on,” said Marc Rogers, Okta vice president of cyber security. “There isn't a day that goes past without some kind of breach.


The public at large are suffering from breach fatigue. When you heard about a major company being breached a few years ago, it was a big deal. Now it's, yep, another company got popped.


That's hard, as it makes it very difficult to teach people about what they need to do because it's going on all the time and they think, why bother?


But the reality is, a lot of cyber security can be solved with some very simple rules and practice and, if people keep good security hygiene personally and if enterprises keep good security hygiene on their side, you will solve a good 50 or 60 percent of the problems that are out there.”


Aside from his job role, there is more reason than most to heed Rogers' words. The Okta VP of cyber security has previously held positions at Vodafone but also has a history as a hacker.


No need to light any torches and grab the pitchforks to carry him away though. Rogers is what is known as a white hat hacker, hacking into systems and exposing flaws for the greater good. Starting over 30 years ago in the 1980s, Rogers now notifies any company where he finds a weakness.


WHITER THAN WHITE

“My background is that I'm a hacker at heart, my passion is breaking as many things as possible and finding out ways to fix them.


Today, I'm a white hacker, which means I hack ethically. I break things for good, I don't break things for bad and I break things with fixing them in mind.


So, if I find a vulnerability, I also look for how that vulnerability can be addressed and then I work with the company that owns the product and guide them towards producing a more secure version.”


Rogers pointed to a specific example of his work with high-profile electric car manufacturer Tesla on its ‘Model S’ car.

“If you look at the ‘white hat’ hackers out there and the stuff groups like ‘I Am The Cavalry’ are doing, there are white hacking groups who work on things like biomedical devices or the aerospace industry. I myself have been working on automotive.


I've been working on hacking a number of other vehicles and for a while I hacked the Tesla Model S. In all the cases these are people who are doing it to improve security. So, the more we move in that direction, the better for everyone.


I'm passionate about breaking things but I'm equally passionate about getting them fixed, I really love to see the whole cycle. For example, when I hacked the Tesla Model S, it took me a number of years to disclose the vulnerabilities, work with Tesla, get the patches and so when we announced the vulnerabilities, they were already fixed. For me, that was a huge win.”


The approach, more commonly known as a bug bounty, is a new concept in the security industry: it invites hackers to attack a company's systems with the promise of a payout if any vulnerabilities are found.


RISKY BUSINESS

Such an approach may seem clever on the face of it, turning those attacking a company into those defending it. However, the general perception of hackers will make managing directors and CEOs wary that it may well come back to bite them.


“At the end of the day, what are the bad guys doing this for in most cases? They're doing it for money,” said Rogers.

“Actually, the vast majority of hackers out there, given an opportunity, would prefer to find and submit a bug and collect money, do it ethically, gain kudos, and be known as someone who's doing responsible hacking.


Quite a significant number of hackers would prefer to go down that route than the slightly shady route of, ‘okay, you find a bug in this platform. Well, now you got two choices. You either break into the platform and do something, which may or may not pay off at all, or you sell it to a shady bug broker who may want to use it or sell it to a government’.


But these are illegal things and if you get caught, you're going to be in trouble. Whereas if you go down the path of ethically hacking, finding bugs and selling them to these intermediary companies, for good, you're operating on the right side of the law.”


However, despite the advantages for both the hacker and the hacked, Rogers warned that systems and checks should be put in place to get the most from such an approach, starting with a budget.


“You absolutely have to have a pot of cash because for every bug that someone finds, you're going to have to pay out.

The other challenge is that you have to shore up your own internal processes. If your software development lifecycle is weak, and you're not finding the low-hanging fruit, you're not closing off the bugs that you should easily be able to find, either through automated processes or just through good programmatic hygiene, you're going to be paying out money for things that you shouldn't be paying out money for, and your budget is going to blow straight away. If you get rid of the low-hanging fruit you make sure people are looking for other, more serious things that you didn't find.


In terms of the risk, actually bug bounties, if they're done well, are lower risk, because the reality is, the bad guys are still trying to break into your platform whether or not there's a bug bounty; there are people trying to break it. What a bounty does is it puts constraints around it.


It says, ‘you're not allowed to go after these assets, these are the rules you're supposed to follow. You're not allowed to launch denial of service attacks, you're not allowed to do destructive attacks, you're not allowed to steal personal information if you gain access to stuff’, so anyone who wants a payout has to follow the rules and that makes it safer.”


When it comes to policy, however, Rogers believes the vast majority of threats can be mitigated through simple, common systems and procedures.

KEEP IT SIMPLE

“Every company has its own threat model, every company has its own challenges, both financial and personnel but there are some truisms. One truism is, if you look at the corpus of knowledge about cybersecurity, about 70 to 80 percent of it applies to everything.


Whether you're building an IoT device, whether you're building a car, whether you're building a computer system, whether you're growing a telephone network, a big chunk of that noise applies to you, and if you use some of those basic recommendations you rule out most of the basic hacks.


The next layer up tends to be stuff that's more specific. IoT has some very specific things that you need to consider to make it secure. A car has some specific things you need to consider to make it secure. But just because you don't know what to do with that small bit, just because there isn't a standard that matches the thing you're building, that doesn't mean you should say, well, that means I can't do security.


No, you should go after the bit that you can do, the easy bit, get that hygiene done, then build the rest of the security as and when you can.


You'd be surprised at how well you can design security if you follow a model like that. Security doesn't have to be hard. In fact, one of the biggest problems I think, with cyber security is a lot of people overcomplicate it and they think that they have to put in all this extra effort and hire all these extra people. It's not true.


A small company can do really well by just appointing one person who may have another task like a lead engineer and say, ‘you also have the responsibility for security until we expand big enough to hire dedicated people’.


So long as there is someone who's responsible, who looks at those hygiene things, makes sure that kind of stuff is done, gets information about what brand of software they're using or a vulnerability that has been announced and what they need to do about it, you're already ahead of the game.


Then as you grow, you can start building a dedicated security resource and scale it appropriately. There are also resources out there you can use, like virtual CSOs [Chief Security Officers], like virtual security operations centres, like managed security companies. All of these things can also be leveraged to provide an excellent level of security.”

