Bishop Fox's Vincent Liu sat down recently with Mårten Mickos, CEO of the popular bug bounty platform HackerOne. In a wide-ranging conversation, Mickos shared his views about the changing face and reach of bug bounties, and what it takes to be a leader in the security industry today. We excerpt highlights below. You can read the full text here.
Fifth in a series of interviews with cybersecurity experts by cybersecurity experts.
Vincent Liu: Vulnerability disclosure [is] something that has grown organically over time. The community determined the social norms. How do you make security something that everyone can grasp?
Mårten Mickos: First, I sense orthodoxy in complex terminology. In the database industry [where I got my start], they developed complex words for everything because it was a small, tightly knit group. In the security space, it was similar. But then we thought, we need to bring the benefits of this to everybody. We needed bug bounty programs to be so easy to understand and to consume that any company could do it. And of course, it is demanding. You must commit to it; you must know what you are doing. There is a necessary skill level, but you don't have to overcomplicate it. You should simplify it.
VL: Something that really stuck with me was that you expanded your team to not just people from the security industry but people from other disciplines. What's your philosophy behind that?
MM: This idea of inclusiveness is something I learned and practiced while working at MySQL years ago. We decided early on that our mission was to make this superior database technology available and affordable for all — people who were in the industry as well as people who were not in the industry. We wanted to give it to everybody. When I came aboard to HackerOne, I had a similar thought. Security experts over the years had created this amazing concept of vulnerability disclosure, which as you know evolved into bug bounty. But it was still being kept as a secret practice among a select few, the "elite." Not many organizations were bothering with bug bounties. I think we are still finding new areas where there's unnecessary complexity or seclusion, where people are holding on to things very tight. They say, "Only invited people can come. And you can only come if you speak this language, if you've been in the industry for 20 years, if you’re cynical." We want to break that perception. This is largely why we've been so open to inviting people from other industries to join HackerOne. It's reflective of both our platform and our culture.
VL: Are there any other orthodoxies that could use some updating?
MM: Another would be visual appearance. We introduced pink into our color palette last year. We wanted to bring in something that would be unusual and maybe shocking. We've also decided at HackerOne not to be cynical. We don't talk about how security is a problem. People know that the sky is falling. But instead of dwelling on that, let's look at the constructive things we can do.
VL: How do you envision the impact of bug bounty on the entire security landscape?
MM: Let's say you get hacked. Then, the government presses charges against the hackers, and you start a bug bounty program to make sure you know about vulnerabilities before they're exploited. Alternatively, you can start the bug bounty program and save yourself from any pain and humiliation in the first place. There is no perfect solution, though. We can never reach 100% perfection, but bug bounty programs are the most powerful way of preventing cybercrime.
VL: Do you think there will ever be a backlash against a bug bounty? What about from malicious hackers?
MM: If you have no detractors, you are not making an impact. We will have situations where a malicious hacker will do something. As a vendor, we must be careful how we handle such issues. We need to keep our database secure. We follow up with our hackers and take disciplinary action if they are meandering from the rules.
On leadership: A leader needs to bring to the organization a certain level of confidence and stability in the face of fluctuating realities. A leader must lend confidence and balance to the situation. In security, there's so many possible threats. Leadership must provide that environment of stability, of confidence, of acceptance. People will know that even when they make a mistake, they are still accepted, no matter what.
Advice lines: As far as resources, I'd choose Ryan McGeehan’s blog. He's a security expert with clear ideas. As far as challenges, security is so important that you can't delegate it to one person ... [and] make sure there is security in everything. We often sacrificed security for ease of use. Ease of use is important, but security is more so. Then, there is the problem every CEO faces, which is that of priorities.... I say start small. Embed a little bit of security in everything you do.
Transparency versus paranoia: [At] HackerOne, we stand for inclusion, collaboration, and power. And that is a more prominent presence than paranoia. We default to disclosure. Many times, we share things that another company would keep in the C-suite. Growing up in Scandinavia, which is ostensibly the most open society, and working in open source for 15 years, made me comfortable with transparency. And I believe transparency is the only way for society to thrive.
Bio: Mårten Mickos is the CEO of bug bounty and vulnerability coordination platform HackerOne, Inc. Previously, Mickos was the CEO of Eucalyptus Systems, acquired by Hewlett-Packard, where he was the head of the cloud business. He was the MySQL AB CEO from 2001 to 2008 and a board member of Nokia from 2012 to 2015. Marten is a thought leader on leadership and disruptive business models.
- How 'Security Scorecards' Advance Security, Reduce Risk
- Security Leadership & The Art Of Decision Making
- How 'Agile' Changed Security At Dun & Bradstreet