HackerOne published the results of its new study, which reveals that half of the organizations surveyed experienced increased cybersecurity vulnerabilities in the last year as they faced security budget cuts and layoffs. HackerOne is the world’s biggest ethical hacker community.
TechRepublic attended a recent HackerOne event where executives from the company, as well as ethical hackers and leaders from GitLab and Sumo Logic, debated the economic impacts of cybersecurity. Experts at the event revealed the steps some companies are taking to do more with less, highlighting the critical role that DevSecOps, machine learning and artificial intelligence can play during the economic downturn.
Security budget cuts and layoffs without a plan are a serious mistake
HackerOne’s survey shows that economic reductions, such as budget cuts, layoffs and freezing new hires and investments, related to security are negatively impacting the ability to manage cybersecurity efficiently for 75% of the companies surveyed. However, reducing cybersecurity investments due to economic downturns can have devastating consequences in the long run for companies.
Cybercrime increases during recessions and crises, as the FBI reports for 2008 and the pandemic reveal, respectively. By 2023, the average cost of a data breach has risen to an all-time high of more than $5 million, Acronis says. Additionally, compliance risks are rising with the ever-evolving regulatory landscape.
“Whenever there are times of high anxiety, such as an economic downturn coming off of a pandemic, bad actors are at their best,” George Gerchow, chief security officer and senior vice president of IT at Sumo Logic, said during a roundtable at the HackerOne event.
“I’ve seen a few companies impacted by tightening of the budget strings, but I can tell you that at Sumo, it hasn’t happened. We’re probably investing more heavily than we ever have. I think it’s a real mistake when companies start cutting back on their budget around cybersecurity, especially during these times.”
THIS: Year-round IT budget template (TechRepublic Premium)
GitLab’s recent report reveals that 85% of security leaders surveyed say they have the same or less budget than in 2022.
“Organizations globally are seeking out ways to do more with less,” David DeSanto, chief product officer at GitLab, said.
Mark Loveless, staff security engineer at GitLab, explained that the company was affected by the economic slowdown and made adjustments, strengthening their focus on DevSecOps.
“We are using our software to write out software,” Loveless said.
“A lot of what we do is to try to speed things up and make things more efficient and that’s helped,” Loveless added.
Reflecting on whether budget cuts were a good plan, Loveless used a bank analogy.
“If you’re going to cut personnel of the bank, do you want to cut all the guards that are guarding the vault? Probably not.”
Ethical hackers and bug bounty hunters Herane Malhotra, a brand ambassador for HackerOne, and Joseph (who didn’t provide his last name) said that from their side, the impact has been low, as they are still very much engaging with many companies. Malhotra added that, driven by the challenging economy, many businesses are migrating online, and employees are accessing applications and companies’ infrastructure using public networks or other insecure means.
“There’s a need for cybersecurity to grow there,” Malhotra said.
The HackerOne report reveals that, although 84% of companies saw an increase in vulnerabilities and are concerned about financial and reputational damages from breaches, they still plan to, or have already, conducted layoffs and budget cuts that affect security teams.
In the last year, 39% of companies have made security headcount cuts, and 40% plan to make them in the next 12 months, according to the HackerOne survey. Gerchow explained that these actions have direct and indirect consequences, which are often overlooked.
Gerchow said that while many companies didn’t necessarily do layoffs, they have frozen headcounts despite having plans to increase the security departments due to workload demands. Security teams are then forced to take on the increased load and this, in turn, will affect performance and efficiency and can trigger burnout. Ethical hackers added that the lack of security staff could present an opportunity for bad actors to find new vulnerabilities in systems that are less guarded.
Security trends: AI, ML, DevSecOps, bug bounties
The economic landscape, budget cuts and layoffs are leading many in the cybersecurity industry to explore trends that include DevSecOps, artificial intelligence, machine learning, automation, bug bounty programs and consolidating security solutions.
With DevSecOps, companies are realizing the strong connection between software development, security and operations, and incorporating security earlier in the software development lifecycle or shifting left. This strategy enables development, security and operations teams to work collaboratively instead of in silos.
GitLab’s survey reveals that this shift in DevSecOps is increasing, with 38% of security professionals reporting being part of a cross-functional team focused on security, up from 29% in 2022.
THIS: Top certifications for DevOps engineers (TechRepublic)
AI and ML
The GitLab survey also shows that leading businesses are turning to AI and ML to increase performance and efficiency in the software lifecycle.
AI and ML have become critical components of DevSecOps workflows. Sixty-five percent of developers are using AI-ML in testing efforts — or will be in the next three years — and 62% are using the tech to check code, according to GitLab’s survey.
This integration approach is far from being embraced by all companies and is leading to unnecessary costs. One-third of organizations admit they waste money due to inefficiencies in their tech stack and software development life cycle security process, the HackerOne survey reveals.
The number of cybersecurity companies offering AI and consolidation continues to rise. Some of the top recognized vendors and solutions include CrowdStrike’s Falcon Complete MDR, Tessian’s Advanced Threat Protection, Palo Alto Networks’ Cloud Security Automation and Darktrace’s PREVENT, DETECT & RESPOND and HEAL.
THIS: DevSecOps: AI is reshaping developer roles, but it’s not all smooth sailing (TechRepublic)
AI and ML enable companies to augment their resources, increase performance and strengthen security. Automation tools and consolidation also cut costs while freeing teams to focus on mission-critical responsibilities.
Leaders recognize that cybersecurity professionals, experts and ethical hackers are in high demand. Security teams are the ones discovering higher-risk vulnerabilities, responding, shutting down attacks and conducting investigations. They fill in the gaps that automation leaves behind and leverage innovative technology like AI as a tool and not a replacement.
Bug bounty programs and penetration testing
Another area where security experts are beginning to leverage AI and new technologies like ChatGPT is in bug bounty programs and penetration testing.
“The whole idea of running a bug bounty program helps immensely,” Gerchow said.
“Some companies don’t understand that the payoff isn’t immediate, but you’re coming out with a safer code,” Gerchow added.
It’s also cheaper for companies to run bug bounty programs than to employ in-house security teams solely dedicated to finding weak points.
THIS: The All-in-One Ethical Hacking & Penetration Testing Bundle (TechRepublic Academy)
All experts at the HackerOne roundtable agreed that AI and tools like ChatGPT models are game changers, but they also recognized that the industry is only beginning to uncover their potential.
According to the HackerOne report, 37% of companies surveyed assure AI can be “somewhat relied upon.”
Consolidation of security solutions
The US government and public sector are also being affected, with many respondents to GitLab’s survey saying they are deploying software slower or at the same rate as last year. Even at the federal, government, aerospace and defense levels, more than half want to strengthen and consolidate their toolchain.
Consolidation of security services and vendors is another tactic that appeals to companies looking to reduce budgets. For example, companies like Check Point Software Technologies, leveraging AI cloud-based threat intelligence and automation, recently introduced Infinity Global Services, an end-to-end solution.
“Customers are looking to consolidate and simplify their cybersecurity solutions,” Paul Solomon, Managed Cyber Services, Softcat, partner of Check Point, said.
In cybersecurity, flexibility is critical
In the cybersecurity industry, one thing is clear: Slashing your own security budget without a plan, or neglecting new tools and strategies like DevSecOps, AI, automation and bug bounty programs is a severe risk in 2023.