Incentivized Cyber Defense: Creating Your Own Cyber "Bounty" Program

As a huge college football fan, I’ve taken notice of how highly competitive teams have implemented effective incentive measures to get the most out of their coaching staffs.

For example, if a young quarterback coach is performing well, his contract may include big payouts for things like the overall improvement in the number of touchdowns thrown from year to year. For coaches higher up in the food chain, a head coach may receive many layers of increased compensation that build on one another based on reaching one or more levels of championship such as a conference title or national title.

The reasoning for these programs is quite simple: attract, encourage, reward and retain outstanding performers since their contributions aid the progress of the whole organization toward important objectives.

The best thing? These programs don’t just work for football; they can help any team in a tough, competitive environment reach top-tier performance and stay there over the long term.

Cybersecurity Management Incentives

In the late 1990s and early 2000s, my company implemented a similar program for its engineering staff, with the goal of dramatically growing the business in a highly competitive U.S. Intelligence Community engineering services environment. We were heavily incentivized to be innovative, to continue to learn and improve, and ultimately to build better systems for the customer at a faster pace.

Those were days of big change, with the rise of myriad new programming and scripting languages, web and enterprise technologies like web services and message buses, and big new approaches such as Service Oriented Architectures (SOA). It was also a time of big concerns, with so much new and unproven technology replacing so many age-old ways of doing things.

In this “watershed moment” IT era, my company’s decision to internally implement an aggressive incentive program to encourage creativity, learning, ingenuity and high job performance from its best people helped the team rally around an objective and very quickly outpace other less agile, less focused competitors amid very challenging market conditions. In just about two years’ time, we went from being barely a blip on the radar to realizing a successful acquisition by a major firm for hundreds of millions of dollars.

We’re now seeing a very similar set of environmental conditions in the cybersecurity world.

Today we face a dynamic and unpredictable cyber foe that’s outpacing the abilities of most businesses to defend themselves. Businesses face challenges in hiring the right resources, in effectively organizing and managing those resources to address the most critical cyber problems, and in determining the right technical solutions (and then putting them to the most appropriate use). And it’s painfully clear that the “old ways” of traditional cyber defense approaches and technologies are little more than speed bumps on the many roads into a business for cybercriminals seeking gain.

While there has been much talk about accountability at the highest levels, the fact is that many executives and management teams have yet to get a grip on the effects of cyber on the whole of their operations, and most are not yet developing the right approaches to cyber defense strategy that create long-term resiliency.

In short, the cyber defense vision isn’t clearly defined against the foe, nor are resources being well or appropriately utilized to develop any kind of new foothold or advantage.

Enter the internal cyber defense “bounty” program.

As most of you are well aware, many of the biggest technology and software firms have well-established “bug hunting” bounty programs whereby they essentially outsource some of their security and penetration testing to the entire world. Companies like Facebook and Microsoft pay millions of dollars each year to anyone who identifies, documents and reports a bug or security leak.

There is even a whole new group of cybersecurity startups commercializing this idea by hiring would-be hackers into more acceptable and legitimate pen-testing and consulting roles to offer what is essentially “bounty-as-a-service.”

So why aren't more enterprises across the business landscape taking a similar approach to getting the most out of their very expensive cyber defense resources? Most organizations already have well-defined security and management roles, so why not take the short time needed to craft a program that sets incentivized shared and individual goals for teams and team members?

By creating the proper incentives you can gain any of a long list of immediate and sizeable benefits:

• Improve the acquisition and effective use of the “right tool for the right job” for cybersecurity solutions

• Promote persistent creativity and ingenuity against the toughest problems

• Drive adoption of better cyber situational awareness and intelligence gathering as a side effect

• Encourage broader, more rapid reporting of problems and would-be issues

• Foster more effective security teamwork and mutual assistance

• Promote responsibility and accountability for security team members through a sense of issue ownership

• Create a culture of active “problem finders” and “solution seekers” as opposed to those “phoning it in” to maintain the status quo

• Speed “time to solution” and incident response activities

• Support the definition of a clear, shared cyber defense vision or set of objectives across a security organization

• Bring management and executive leadership closer together with security operations around measurable, common goals from the top all the way to the bottom of an org chart

• Enable better assessment and evaluation of both human and technical resources as the “cream rises to the top”

• Help retain and improve your security operations and security management staffs

• Directly support the development and planning required for long-term cyber strategy (and resilience)

• Establish a highly visible, long-term commitment to solid cybersecurity both inside the organization and out

For most companies, just staying “in the game” at all against cybercrime threats is an all-too-expensive proposition without much real, visible or measurable ROI. With your own internal cyber bounty program designed to reward your best assets at their positions, you can not only begin to see real results against cyber foes, you can build a team that will compete over the long haul and ultimately help lower your cyber defense costs through increased efficiency.

Jason Polancich is founder and Chief Architect at SurfWatch Labs. He is a serial entrepreneur focused on solving complex internet security and cyber-defense problems. Prior to founding SurfWatch Labs, Mr. Polancich co-founded Novii Design, which was sold to Six3 Systems in 2010. In addition to completing numerous professional engineering and certification programs through the National Cryptologic School, Polancich is a graduate of the University of Alabama, with degrees in English, Political Science and Russian. He is a distinguished graduate of the Defense Language Institute (Arabic) and has completed foreign study programs through Boston University in St. Petersburg, Russia.