Interview with Stijn Jans of Intigriti
The modern workplace requires proactive cybersecurity | Part 1
Cybersecurity has been a hot topic this month on social media. That is partly because, for a few years now, October has been the European Cybersecurity Month (ECSM). But it is also because cybersecurity risks are a reality that organizations can no longer look away from. At Xylos, we believe the exact opposite of looking away is required: to have a successful cybersecurity policy, it is important to actively search for the danger and stare it right in the eye. That may sound contradictory at first read, but we assure you it will make complete sense after this two-part blog series. For part one, we sat down with Stijn Jans, founder and CEO of Intigriti, an international security platform that connects companies with ethical hackers. Stijn shares our view on how proactive cybersecurity is becoming ever more crucial.
How would you explain our common position on proactive cybersecurity? Why are firewalls, password policies, antivirus and anti-malware software not enough, so to speak?
Stijn: Let’s be clear. All of these security tools are useful and necessary. They focus on what can be done internally to protect your organization and mitigate harm. Most of them are also reactive as opposed to proactive. In other words, they defend against attacks from outside that have already occurred.
However, organizations today reside in a climate of digitization. Everyone has been discovering the potential power of a digital workplace and, maybe for the first time ever, there’s a real opportunity for companies to be truly agile, that buzzword we all crave to describe our own work environment with. So, what organizations and their IT staff have been confronted with, wittingly or unwittingly, are very fast changes and a very substantial increase in digital assets. That requires a more proactive approach to cybersecurity.
Can you give an example, out of the blue?
Stijn: Sure… Imagine, for example, that as an IT employee you are responsible for an application that allows authorized colleagues to look into contract documents. If you keep adding new features to that application at a fast pace, to make it even more practical and let your colleagues be more productive, you are potentially exposing your company to new risks because the application has changed. The question you need to ask yourself as a company is: “are we monitoring all these changes, all these digital assets?” Because if you are not…
…it can quickly lead to trouble.
Stijn: That’s right. PII leakage, PR damage, financial damage… I think we have seen countless examples of this in the last two years. So what we preach at Intigriti to other companies is: constantly, proactively test yourself. And one way to do so is using ethical hacking.
Can you briefly explain ethical hacking in layman’s terms? ‘Hacking’ doesn’t sound so good, does it?
Stijn (chuckles): It’s funny you should say that. It’s true that the term ‘hacking’ has a very negative connotation, hence the word ‘ethical’ we tend to place in front of it in this context. But actually, ‘hacking’ in the first place stands for ‘thinking out of the box’ or ‘finding creative ways to work around a problem’. So, ‘ethical hacking’ in this context really means putting your security to the test in a creative, virtuous manner.
Are there different types of ethical hacking?
Stijn: Yes, there are a variety of models. One that is commonly known is ‘pen testing’ or ‘penetration testing’. That is basically when your organization calls on a consultancy to execute a security test within a certain scope and time. After that, you get a report that points out all your vulnerabilities within the predefined scope. You can then go ahead and try to solve these issues before they become a real problem. Another way is to call on an entire community of ethical hackers to test around. Here, you can decide to use a paid model or not…
I have the feeling that many organizations might not feel comfortable exposing their IT security to a community of hackers, though. Or how should I see this?
Stijn: Look at it this way: whether you invite them over or not, malicious hackers are going to lurk around your digital environment anyway. It used to be that at the end of every work day, a company would close its doors and windows. A criminal would already have to be a bold and well-organized burglar to cause you damage. Now, those doors and windows are also virtual, and criminals try to sneak in 24/7. By involving ethical hackers to research your vulnerabilities, you stay one or a few steps ahead of the malicious ones. It’s basically a neighborhood-watch method.
Makes sense. So you were saying there’s a paid and an unpaid model.
Stijn: Yes, in any case, when you call on a hacker community it’s important to create a good policy. The unpaid model, or what you could call the ‘see something, say something’ approach, is where you publish guidelines on your own website for ethical hackers on how to go about informing you when they find a vulnerability. Thanks to a good policy, you make sure that the right information gets to the right person in your company, which is also important. If you want to encourage the ethical hacker community to test your security really actively, you can add incentives for finding and correctly reporting vulnerabilities, and thus create a paid model. You could call that the ‘search something’ approach. At Intigriti we enable that approach via our platform. It creates an authenticated and safe framework for you, and for the competent hackers themselves, to really put your security to the test, resulting in a highly effective, responsible disclosure program.
Interesting. It sounds like such a platform makes responsible disclosure programs more accessible for companies whose core activity isn’t necessarily an online service. Not every organization is Facebook or Amazon…
Stijn: That’s right. And again, I urge any organization with digital assets today to be proactive about their cybersecurity. Setting up a responsible disclosure program, in my view, is an absolute minimum. For your readers who have no clue where to start, I recommend checking the CCB website. They even have a downloadable vulnerability disclosure policy template.
I am sure our readers appreciate that, and so do we. Thank you for this interview, Stijn!
Stijn: With pleasure. Thank you.
That’s it for part one. In our next interview, we will focus on the end user angle of proactive security. Stay tuned!