Mikhail Sosonkin, a Russian hacker and security specialist told a panel at Money 20/20 that most hackers don’t want to work for banks.
“A lot of hackers tend to have the mentality of wanting their own freedom. They want to have this uncontrolled aspect in their work and to be able to make their decisions themselves. If you work in a big corporate environment it’s hard to do that,” he said.
Banks use hackers to test security systems and attempt to find bugs or flaws in the organisation's IT infrastructure. Gaining greater knowledge of the security ecosystem is crucial, according to Marten Mickos, CEO of HackerOne - even if it may seem firms could be assigning funds haphazardly.
“10 years ago you could ask, why did people spend so much money on marketing although half of it was wasted? It was because they had no idea which part of their budget was useful and which wasn’t, and that is still the case in cybersecurity.”
“In many places you buy products, you have no idea whether they are helping you but you are so concerned about the threat that you could never say 'no' to the sales guy,” said Mickos.
Jay Kaplan, CEO and co-founder of Synack, a provider of crowdsourced security testing, discussed the difficulties that banks are having in finding and keeping effective hackers.
“Developers participate in these security programs, and they are people that probably wouldn’t be that exposed to security, but ultimately, they are the most important people in this strategy, because they are the ones who are inserting buttons into the code in the first place.
“It’s so hard to find these people. It’s so hard to recruit them, let alone retain them. I know the banks are really struggling, they find that they are paying a tonne of money, but even the money isn’t enough yet,” said Kaplan.
Karl Schimmeck, executive director, global head of vulnerability management at Morgan Stanley added that there are concerns about the lack of an adequate talent pool of hackers emerging, and the need to collaborate.
“We want to work together because there are not enough resources out there, there are not enough smart people. We are trying to leverage them as much and as broadly as possible, and share as much as possible,” said Schimmeck.
Philip Martin, vice president of security at Coinbase, said he believes the industry needs to be honest with themselves as to what its strengths are and where those strengths lie.
“I have a belief that is counter to a lot of people in this industry that is moving more towards AI and machine learning. There are a set of things that computers are good at, and then there are a set of things that humans are good at, and they are not the same things.”
For Mickos, the real approach to cybersecurity is to understand that not everyone will be breached or attacked, but everybody is at risk.
“You need to look at it as a risk management function. You’re never at 0 percent, but you get closer and closer to 0 percent, and that is how you get over it and start learning about the real attacks, then you can invite external hackers to hack you and tell you how they did it,” said Mickos.
“You cannot be fully impenetrable. There is no such thing, but you can reduce the risk of cybersecurity."