The need for cybersecurity has grown exponentially, which has been a boost for providers such as Bugcrowd. Bugcrowd was the first of what is now a number of firms who engage crowds of “ethical hackers” on a freelance/gig economy basis. The key aim through crowdsourcing cybersecurity expertise, using ethical hackers, is to identify clients’ IT system weaknesses on an on-demand basis before any malevolent hackers find them.
The reason is of course that the Covid pandemic forced remote working upon many people, who have been connecting to company files and data, and video conferencing with colleagues and clients, over domestic broadband connections that are less secure than those in the office. Cybercriminals recognize that many data security measures are insufficiently robust, and “script kiddies” (junior hackers with less technical skill) are finding many opportunities to improve their skills by testing out cyberattack packages on a variety of organizations.
We were fortunate that Casey Ellis, Bugcrowd’s Australian founder and current Chairman/CTO, was able to find time to field some questions for us.
Bugcrowd pioneered crowdsourcing cybersecurity. Could you briefly explain how it operates? And what did you see first in the power of using a crowd that others did not?
The Bugcrowd platform connects the extraordinary but latent potential of the global community of ethical hackers operating in good faith with the unmet and growing demands of cybersecurity.
We’re best known for bug bounties, but this only really scratches the surface. We connect our customers and the crowd via our platform for a spectrum of different use-cases, ranging from bug bounty and vulnerability disclosure programs to penetration testing and attack surface management. Under the hood, this is powered by sophisticated use of data to understand the supply-side and the targets to create the perfect match and workflows that sit on top to fit the customer use-case.
A good illustration of this is the work we’ve done with the US Air Force, including source code analysis, social engineering, and cloud configuration testing… Not the kinds of activities you’d typically expect when you hear someone say “bug bounty”!
I grew up in the hacker community and knew that we’d been at the table for decades wanting to help but were typically presumed to be criminals… so we never got an invite. When I saw first-hand the impact of the skills shortage in the traditional labor market and the ineffectiveness of conventional tools and automation, I knew there was enormous potential and benefit in “plugging the community [of ethical hackers] into those who need their skills” through crowdsourcing cybersecurity solutions.
Are there typical characteristics or demographics of “ethical hackers”?
I often describe my version of this as “really enjoying thinking like a criminal, but also having a core conviction not to cause harm.”
Bugcrowd released the “Inside The Mind Of A Hacker” report to dig into and demystify this question… Who are hackers? Practically, we are ordinary people with a passion for technology, a desire to find the undocumented edge cases, and the recognition of the value of our skills.
What are the key benefits for your crowd, the “ethical hackers” who work with/through Bugcrowd? And how about the benefits for client companies?
Vulnerabilities are interesting – they are critical and often precious, but no one likes having their baby called ugly. Ethical hackers and organizations are two groups who need to be able to talk regularly, but at this point have 40 years of history that suggests they haven’t figured out how to get along yet. Bugcrowd facilitates that conversation, aligns expectations, and provides workflows and data to support the value of a report and the actions which may be required. Ultimately all of this exists to reduce risk, make users safer, and ensure hackers get paid for their contribution.
For companies, crowdsourcing cybersecurity amounts to radically improved awareness of their real-world risk, which converts into better ROI on defensive and remediation spend. CISOs struggle with managing the skills gap, having contextual visibility on their risk-posture, and generally being in a position to outsmart the enemy. Bugcrowd delivers an army of allies [ethical hackers] to counter an army of adversaries.
Bugcrowd targets business clients. Have you prioritised any particular industries or business sectors as a more successful entry point?
Early on, our first objective was to see the concept of proactively engaging the whitehat hacker community “jump the tracks” from being an innovative tech company thing to an idea with established relevance to the entire market. Organizations like the US Department of Defense and Western Union – both large, old, and established entities – made a massive impact in validating the model when they became early adopters.
Where are you taking Bugcrowd next, and what are the biggest challenges in expanding Bugcrowd on a global scale?
Bugcrowd is well and truly “out of the garage” as a crowdsourcing cybersecurity startup. In 2017, we hired Ashish Gupta as CEO, and I moved into the Chairman/CTO role. The addition of folks like Mark Milani, David Castignola, and Sammie Walker has brought an incredible maturation and acceleration to the business. Our primary goal is to continue to connect the potential in the ethical hacker community with the demand of the market through our platform, to solve as many cybersecurity problems as we can – and there is no shortage of cybersecurity problems to solve.
I’d say the biggest challenge in global expansion is timezone management, followed closely by cross-cultural communication. Time zone-related challenges can be overcome by prioritizing autonomy, clear vision, and goal-oriented project management, all of which lend themselves to a more asynchronous working model. The primary mitigation for cross-cultural considerations is to reinforce inclusion and empathy continuously.
“Respect is Key” is one of Bugcrowd’s key principles and has been since 2015. Our experiences in dealing with some of these difficulties with security experts from all around the world are why it’s there.
You describe your working style as the classic Australian “solve it with whatever is within arm’s reach” approach to value discovery and creation. How does that differ from your experience of now living and working in California?
I think there are people worldwide who operate with this kind of mental model; it’s just the default in Australia. People get trained in different modes of problem-solving. The combination of remoteness, scarcity, and a hostile environment is clearly reflected in how innovative the Australian “default problem-solving mode” tends to be.
I want to be careful not to characterize the opposite as “lazy” because that is overly reductive; understanding how to partner with and exploit abundance is very much a skill too. I surrounded myself with mentors to learn this when I first arrived in California because, on the flip side of the coin, this isn’t something that Australians tend to learn natively.
You are a passionate believer in the pursuit of potential. Are current formal education practices up to the task of helping each individual to maximize their potential and prospects, or what else should today’s students try to learn outside of formal education to equip themselves better for the future?
I’ll caveat this answer by saying that – while both of my parents are academics, my work has been cited and included in Ivy League papers, and I’ve lectured in universities and colleges for the past six years or more – I’ve completed a total of six weeks of a degree myself. Formal education is critically important, but I’m proof that it isn’t the only road to Rome.
The pressure to force students through University as “the thing which must be done next” holds many other things back. Many of our educational models are still a product of the first Industrial Revolution. The design applied at that time didn’t have a concept of free-thinking, entrepreneurship, or the pursuit of potential.
I think students should learn to think about their future and critically apply self-awareness to reevaluate what experiences, learnings, degrees, mentors, and all the rest might be most beneficial for them as they apprehend their future. Maybe traditional education is the best path – many have been through it and gone on to have a tremendous impact – it’s about understanding what’s the best fit for you.
As an investor in Australasian startups, what are the key factors you look for in company founders?
Is the market attractive? This is partly to do with my own knowledge of the domain, but also has a lot to do with the founder’s view of the problem they are trying to solve. Is it iterative, or transformative? I’ll lean in on the latter.
Is the drive there? My favorite definition of a founder is “someone who gets irrationally pissed off about a problem they think they can solve.” Founding a company and attacking a problem space is usually a pretty rational decision. Still, there needs to be a deep conviction about the fact that “this problem should no longer exist” that can end up looking to most people like an irrational point of view. Those are powerful and quite rare.
Can the founders execute? Here, it’s partly about domain expertise and experience and partly about the emotional intelligence of the founder and the ability for that to convert into humility in execution. When I say humility, I don’t mean the false “I’m not very good at anything” kind; I’m talking about the “I’ll take you to the mat on these three things and probably win, but I’m going to need help with the rest of it” kind.
To close, what do you miss most about Sydney?
Sydney is simply a beautiful city – it’s where I grew up, and it’s where my family is. When I have moments of missing it, I’m usually thinking about the beach and the trees and the sandstone – things I grew up with in my environment. I’ve come to believe that everywhere in the world has its strengths AND its weaknesses, Sydney and San Francisco included. “Home” is ultimately where my immediate family and the slightly more secure wi-fi is… but Sydney will always have a special place as my “biological home”.