Unlocking the ingenuity of the crowd: Winning the war on cybercrime
Instead of reaping the benefits of technology, organisations are reeling from the costs.
This is not how it was meant to be.
Enterprises invested in IT in the belief that it could transform their relationships with customers, their supply chains and their business agility. In the past 12 months we've also seen growing excitement about how AI could increase the transformative power of IT. However, the rising cost of defending enterprises against cybercrime casts a dark shadow over this world of possibilities.
So for many enterprises, security has become the top priority and digital transformation has been pushed to second place. It's not hard to see why.
Organisations are putting more of their resources into defending their businesses than growing them. Although IT spending is rising fast, spending on cybersecurity is rising faster.
According to Gartner, total global IT spend in 2024 will nudge $5 trillion, up by 6.8% from 2023. The same source estimates 2024 cybersecurity spending will reach $215 billion, a 14.3% increase from the previous year.
Spending on cybersecurity is only a fraction of the global cost of cybercrime, which the research firm Cybersecurity Ventures estimates at $9.5 trillion in 2024. That's nearly twice the global annual expenditure on IT.
If cybercrime were an economy, it would be the third largest in the world after the US and China.
Traditional defence is not working
As long as we continue to wage war on cybercriminals in the traditional way we will continue to lose.
Attackers are numerous and well-organised. They are not lone operators huddled over computers in a dingy basement. They have offices, management and strategies just like legitimate businesses. They have sophisticated IT, and they are highly motivated by the scale of the potential rewards. Crime is their core business.
In contrast, defenders are unwilling conscripts in a war they would prefer not to fight. Moreover, they are fighting back alone, with each enterprise hiring as many cybersecurity experts as they can afford. That's if they can find them.
There is a growing skills shortage in cybersecurity with an estimated 4 million roles unfilled, according to ISC2's 2023 Cybersecurity Workforce Study. That number is steadily rising, partly because supply cannot keep pace with demand and partly because jobs in cybersecurity are increasingly stressful and repetitive. The ISC2 study blamed burnout and falling job satisfaction for high levels of turnover in the cybersecurity workforce.
This war is also fundamentally unequal—defenders must be right 100% of the time, but attackers only have to be right once. This asymmetry helps explain why working in cybersecurity has become a thankless occupation.
Turning the tide
So how can we turn the tide? Cybercrime will never be eliminated but how can we reduce its impact?
The only logical solution is to address the imbalance between attackers and defenders, which is caused by the following factors:
- Organisation—Criminals are well-organised and highly focused. Crime is their core business. Defenders therefore need to be better organised without getting distracted, even if fighting crime is not their core business.
- Motivation—Crime pays very well. The rewards for a criminal are many times more than a cybersecurity professional can make in a year.
- Job satisfaction—We don't have much data on whether criminal hackers are happy in their work, but we do know that many of the good guys are not. This needs to change.
- Skills—Even if enterprises could afford all the professionals they need, there aren't enough cybersecurity experts to go around. How do we make better use of the ones we have?
- The hundred-to-one rule—Defenders have to be right every time; an attacker only has to be right once. The attackers will always enjoy this advantage, but is there anything we can do to balance the scales?
- Technology—Both sides will always have access to the same technology. The question is whether the defenders can make better weapons or become smarter about using them.
Crowdsourced return on investment
Crowdsourced security offers the best hope of a solution to these problems. First, crowdsourced security makes a wider talent pool available to more enterprises. Enterprises can get all the skills they need and pay only for what they use.
Second, bug bounty and vulnerability disclosure programmes shift the needle on motivation and job satisfaction. Paying ethical hackers to find vulnerabilities means talented people can make a good living—not one as lucrative as their criminal counterparts, perhaps, but high paying by most standards. Millionaire ethical hackers are not unusual. Additionally, ethical hackers avoid the moral hazards of crime and the risk of jail time. It's a reasonable assumption that they sleep better.
Third, the pay-by-results economics of crowdsourced security is attractive to customers, who no longer need to worry about putting all the security skills they need on the payroll. Return on investment (ROI) is easier to calculate too. Organisations are no longer counting the cost of breaches but calculating the savings from the potential disasters they averted.
A 2024 study commissioned by Bugcrowd and conducted by Forrester Research on the total economic impact of bug bounty, identified the following benefits:
- A 268% ROI and $1.43M net present value over three years
- Improved security operations efficiency and cost savings from not having to hire two full-time employees (FTEs)
- A 60% saving in traditional penetration test costs
- Reduced risk of a material breach by up to 30%
- Reduced cybersecurity insurance premium costs by 9%.
The right stuff
The superpower of crowdsourcing is that it taps into the human motivation to do the right thing. Ethical hackers are of course driven by rewards, but not all of these are material rewards. A survey of 1000 ethical hackers published in 2023 found that 75% identified non-financial factors as their main motivators to hack, while 87% said they believed it was more important to report a critical vulnerability than to make money from it.
Of course, organisations will continue to employ security operations teams and developers to build the services they need. The difference is that those teams will have access to more skills, better intelligence and earlier warning of issues.
The crucial transformation that the cybersecurity industry and all those involved in securing digital assets must make is to change from a reactive approach to a proactive one.
Penetration testing services designed to discover weaknesses in systems before an attacker finds them are not new, but traditionally they have been hard to organise. They required long project cycles and significant management overhead for the customer, which disincentivised frequent testing.
Crowdsourcing platforms, which significantly reduce bureaucratic red tape, mean that we are seeing pentesting evolve from an occasional, point-in-time service to a continuous process much better suited to the constantly evolving nature of modern enterprise software.
Could AI finally level the playing field?
What about the impact of AI? The obvious conclusion—and the one most observers are jumping to—is that AI will make a big difference in the volume of attacks but little difference in the balance of power between attackers and defenders. AI will make it easier to attack and possibly lower the barrier to entry for less skilled criminals, but of course it will also arm the defenders with more efficient tools.
So what do the ethical hackers think? Almost all the respondents to the survey mentioned earlier said that they were using or would soon be using AI in their work (94%). Most (72%) do not believe AI will ever replicate their human creativity and even more (91%) believe it will have a positive impact, increasing the value of ethical hacking.
Is this optimism justified? We'll see, but the smart money should be on the ethical hackers' view that AI will ultimately be more valuable as a defensive tool than as an attack weapon. Why? Because attackers will use it to attack harder, while defenders will use it to defend smarter.
The bad guys will use AI to increase the volume of attacks while ethical hackers focus on the ingenuity of defence. The third element in this equation is the use of AI in crowdsourcing platforms to marshal resources and manage bug bounty and vulnerability disclosure programmes more efficiently. If everyone has the same weapons, the better organised side will eventually gain the upper hand.
Transforming security mindsets
There's no doubt that AI will be a major disruptor, but technology change is not the critical factor. The key is mentality change, specifically the way that crowdsourcing can change customers' attitudes to security.
"As a global leader in enterprise cloud applications and business AI, SAP prioritises the security of our customers' data and operates a comprehensive security strategy across the enterprise to ensure secure and reliable solutions. SAP's Bug Bounty Program helps us understand the hacker's perspective and has brought new ideas around testing to our security team," says Stuart Short, a product security expert at SAP.
The best form of defence is not attack but the resistance to attack that comes from secure-by-design development.
Mob versus well-drilled army
The keyword in considering how crowdsourced security can be used to fight back against the criminals is "managed". While bug bounty, vulnerability disclosure and pentesting have been used for years, the magic ingredient is the intelligence associated with the platforms that deliver these services. These platforms can shorten the lead-time to set up and launch a standardised pen test, for example. They use algorithms to prioritise the results of a vulnerability disclosure programme and enable faster remediation. Or, as SAP found, the insights from these programmes can be used to rethink the development process.
The crowd is an amazing resource, but only when you manage it. It's the difference between a mob and a well-drilled army. In an otherwise unequal contest with the bad guys, it's the willingness of the good guys to work together and their ability to create better organisational tools underpinned with better intelligence that will shift the balance of power in the right direction.