A coffee with…Nick McKenzie, CISO, Bugcrowd
The seasoned cyber security leader on swapping banks for bounty, CISO priorities and unwinding with the ROG Ally
Nick McKenzie joined Aussie-founded San Francisco-based Bugcrowd three years ago from the National Bank of Australia, where he was responsible for overseeing the financial institution’s enterprise security portfolio.
McKenzie has also held IT risk and cybersecurity leadership roles at Standard Chartered Bank, JP Morgan, and UBS.
Bugcrowd offers a crowdsourced security platform that connects companies with ethical hackers to help identify and fix potential security risks. The cyber firm’s customers range from Tesla and T-Mobile to the National Bank of Australia and the US Government.
The Australian, who currently serves as an advisory board member for Google, AWS and risk software firm Digital Shadows, is also the author of a new report, Inside the mind of a CISO, based on interviews with 200 CISOs.
Can you describe Bugcrowd’s business model and platform?
We’re a SaaS platform that effectively hosts 800,000 vetted ethical hackers and we go to enterprises and leverage that from a crowd perspective and give that to a customer. The hackers on our platform must effectively find and prove that a vulnerability exists within a customer’s organisation in their own time to claim their reward – the ‘bug bounty’.
How that works in practice is that a customer pays a platform fee, and they give us a pool of money that we set aside as the bounty. Hackers compete, but they also sometimes collaborate. We require solid proof of a vulnerability—a proof of concept—not just a wishy-washy risk assessment report. Then we pass that information on to the customers.
How do you screen your hackers?
We do the screening and background checking of the researchers/hackers in the platform. There’s also some gamification involved. And that’s not just the money but incentives to encourage them to try harder. And if they climb up the ladder, they get access to more customers along the way. This builds up trust and incentives for both them and our customers who want to access the best hackers.
How do the security challenges at Bugcrowd differ from those of working in a bank?
Different threat actors are involved, but the concepts are the same. The threat actors that target banks are financially motivated; there’s a lot of fraud and trying to get to the data within the bank to exfiltrate.
At Bugcrowd, the data we hold is critical vulnerability information on some top enterprises, banks and government agencies, so we get every kind of threat actor – from the script kiddies through to the big Chinese and Korean threat actors that are trying to get what we have just because it’s so juicy and important.
What are CISOs’ main priorities?
Every CISO is different depending on the business that they operate in. It’s purely driven by the business. You might talk to a CISO at a bank whose top priority is to appease a financial regulator on certain controls. Then you might talk to a tech CISO who effectively wants Bugcrowd to come in and smash away at their technology to find vulnerabilities.
Are there any commonalities if you start to look across organisations?
Supply chain security is a big one. The issue for CISOs is that when a business decides to outsource a service to a third or fourth party, what they can’t do is outsource the risk. That still lies with the business. Unfortunately for CISOs, the business decisions to go with the vendor will ultimately impact them as well. How can they push controls across the supply chain to ensure a minimum baseline level of compliance?
And then there’s the third-party assurance process which, to me, is defunct and backwards – it often involves sending someone out to a third party and getting them to fill in a data sheet and tick a box – this part of the process needs a real revamp.
Another theme across CISOs is the uptake of AI within organisations. When the business chooses to imbue AI within their own business process – whether it be a chatbot or another digital endeavour – I think the pace of adoption is consistently outstripping the pace with which the security people need to check for bias or vulnerabilities. You get a clash of business prioritisation with CIOs keen to get things to market, and CISOs asking people to slow down.
How can businesses innovate safely with AI?
It boils down to the business prioritisation and internal risk management that senior business leaders need to carry out.
What else might we find inside the mind of a CISO?
My report notes that it’s changing. You get the usual answers: to protect data, systems, infrastructure, to stop breaches, to balance risk against business objectives etc. These all score roughly about 20% each. But then out of nowhere, scoring over 30% was “building a secure brand for competitive advantage.” To me, that means security today is being seen as a trust enabler from a commercial perspective. It’s effectively becoming a digital currency. I was amazed at how high that scored.
How do you take your coffee?
I drink a lot of coffee. An iced Americano or an iced long black with a bit of MCT oil for an energy boost, to keep the fasting going. Either that or an espresso. I’ve got rid of the milk. I’m trying to lead a healthier lifestyle.
What was the last piece of tech you bought for personal use?
To decompress I have a little mobile personal gaming machine called a ROG Ally, which is like the Switch but newer and can handle more intensive games.