Bugcrowd recently released the seventh edition of our annual flagship report, Inside the Mind of a Hacker. This report explores trends in ethical hacking, the motivations behind these hackers, and how organizations are leveraging the hacking community to elevate their security posture. This year’s edition takes a special look at the ways cybersecurity is changing as a result of the mainstream adoption of generative AI. As a part of this exploration, we interviewed Nick McKenzie, CISO at Bugcrowd. We’ve included a snippet of that interview in this blog post. Download the report here to learn more about how hackers are using AI technologies to increase the value of their work.
Tell us a little bit about yourself.
I’ve been in the cybersecurity industry for almost 25 years, and I’ve seen a shocking amount of change. Before Bugcrowd, I served as executive general manager and CSO at National Australia Bank (NAB), one of Australia’s four largest financial institutions. At NAB, I was responsible for overseeing the enterprise security portfolio, which included cyber, physical security, investigations, and operational fraud capabilities to protect customers and employees, support business growth, and enable an operationally resilient bank.
I currently serve as an advisory board member for Google, Amazon Web Services, Netskope, and Digital Shadows.
What are the most demanding challenges that CISOs are currently facing in their roles?
CISOs juggle multiple responsibilities, including maintaining a secure foundation and protecting against ever-evolving threats while trying to attract top talent in a highly competitive environment. CISOs must strike a balance between enabling business agility and providing robust protection—all while navigating the intricacies of country-specific technologies and cyber regulations.
How should CISOs approach working with hackers and implementing crowdsourced security?
By leveraging a select number of curated hackers with small-scope proof of value (POV), CISOs can safely and effectively mitigate the perceived risk of crowdsourced security. Running this POV gives a CISO’s team familiarity with the platform, triage services, and customer success capabilities. As CISOs become more accustomed to the crowdsourced model, they are likely to go wider and deeper—sometimes straight to a public program to glean the ultimate benefits from a bigger, more diverse community of hackers.
In my personal view, the adoption of crowdsourced security does not increase operational risk; instead, it only decreases risk, as it enables the earlier identification of vulnerabilities harvested by experts in the security community before attackers can discover and exploit them.
In the age of AI, could generative technologies outpace an organization’s ability to establish effective cybersecurity measures?
AI has progressed to the point where it is being used to both weaponize and circumvent traditional controls in organizations’ defenses. For example, more advanced malware, phishing campaigns, deep fakes, and voice cloning are continually being developed.
As AI advances, CISOs must adapt existing security measures—or introduce new ones—to counter the increasingly sophisticated threats posed by generative technologies.
Given the potential misuse of generative AI by cybercriminals, should there be stricter regulations on its development and use by hackers, or would that hinder innovation?
Imposing restrictions on the use of generative AI for the hacking community would hinder creativity and create the opposite intended effect. Regulations should be put in place across industries and organizations; rather than restricted to hackers.
How can CISOs strike a balance between enjoying the benefits of generative AI and ensuring they don’t inadvertently contribute to the rise of more sophisticated cyberattacks?
CISOs must be aware of the duality of generative AI to both benefit from it and prevent its misuse by attackers or employers. Ultimately, it’s a tug of war between threat actors and defenders, who are constantly trying to evolve with the use of AI to outsmart each other.
Could an increased reliance on generative AI displace human intelligence and diminish the value of hackers?
Generative AI will certainly help with speed and accuracy in vulnerability analysis, but it cannot replace the creativity and diverse perspectives of human hackers. Hackers spend long, arduous hours deconstructing a complex problem or unveiling an abstract vulnerability; presently, this is something that modern AI systems struggle with.
Considering recent economic headwinds, what suggestions can you give to fellow CISOs who want to increase the ROI from security programs without significantly increasing their budgets?
CISOs should consider investing in newer frameworks and products such as bug bounty programs or penetration testing as a service, which improve time-to-remediation (TTR), digitize the experience end to end, and deliver continuous outcomes across an evolving attack surface.
What do you predict the next two years of crowdsourced security will look like, and how is Bugcrowd planning to give hackers and customers the best experience?
In the next two years, crowdsourced security will become the preferred model for continuous assurance, incorporating generative AI to improve customer experiences—through things like improved triage and increased integration capabilities—and eventually expand the usage of hacker data.