
Man & Machine: Why Security Needs a Human Touch

The tools of the past and the technology of the future will never fully safeguard everything.


There’s an old saying in information security: Corporate networks and infrastructure should look a lot like an M&M, with a hard, crunchy outside and a soft, chewy center.

For some time, large organizations have operated under the premise that if the perimeter is well defended, there isn’t much that needs to be done to protect data and assets on the interior. Protection methods such as signature-based firewalls, intrusion-prevention systems and Web gateways have been relied on to keep the “bad guys” out. With 2013 and 2014 rapidly turning out to be epic years for data breaches — post-Target, Neiman Marcus, Adobe, Evernote, eBay and a slew of others — it’s clear that the hard outside isn’t all that it’s been cracked up to be.

One thing these high-profile breaches have proven is that today’s most commonly chosen protection methods are not keeping up with the ever-advancing hackers around the globe. That’s not to say, though, that large organizations aren’t shelling out the cash in the hope of protecting themselves. Gartner is predicting that corporate spending across the world for a broad swath of security services will climb from about $35 billion today to $49 billion in three years. Yet, time and time again, breaches and investigations have proven that attackers are able to skirt defenses put into place by top-selling security tools.

Over the past few years, we have started to see a mentality shift away from defending the perimeter to keeping a better eye on the internal assets. That basic M&M principle is now more like a peanut M&M — hard on the outside, a bit of softness, and an even harder core. There is no shortage of security startups keeping an eye on internal assets; analytics built on network and endpoint data to spot anomalies have become a big trend moving the industry in the right direction.

Even with all of the technology protecting the perimeter, and the advent of new solutions monitoring the internals, we’ve seen a massive migration to the cloud combined with the introduction of mobile and other corporate interconnected devices. The notion of a defined network has gotten a whole lot fuzzier, making protection and detection harder than ever.

One thing is clear: The enterprise has gotten so complex that the tools of the past and the technology of the future will never fully safeguard everything. Complexity introduces variability into the equation, making automated technology extremely difficult, if not impossible, to rely on alone.

So, what’s the solution? How does an enterprise protect itself against today’s advanced threats? In today’s world, a human-powered solution is an integral part of any holistic security program. It only takes a single security flaw to translate into a massive data breach, and it only takes a single human to identify what that flaw is. Organizations cannot rely solely on automation.

No computerized form of cyber security protection is going to fully protect the enterprise. We have to think like hackers, respond like hackers and analyze like hackers to uncover potential gaps or holes in the protection of network elements and applications.

At the same time, a single security expert can’t be relied on to unearth every security flaw in a particular environment. Plus, since corporate applications are constantly changing, performing these assessments at a single point in time doesn’t make sense. As such, we must look to new models and solutions that enable enterprises to scale security assessment resources and leverage them on a continuous basis while maintaining control.

Organizations like PayPal, Facebook and Google have come to this realization, and have introduced vulnerability disclosure programs into the mix — paying scalable security talent worldwide to uncover problems. The issue: Running such programs is complex; it introduces a multitude of inherent challenges including management inefficiencies, staffing challenges and extra cost; and it isn’t the core competency of any internal security team.

Today, some companies offer a solution to this problem by leveraging crowd security intelligence to protect the broader enterprise without the pain experienced by internally managed bug-bounty program trailblazers. The ideal crowd security company can gather the most highly qualified, current and relevant resources who understand the hacker mindset, but use it for good to secure the enterprise. At the same time, a trustworthy vetting process and technological controls are essential in enabling even more conservative organizations to leverage a global talent base of researchers.

Crowd security intelligence platforms are unique in their ability to incentivize researchers through a meritocracy. The best researchers find more complex vulnerabilities, and are paid appropriately through the SaaS (Security-as-a-Service) model, with larger bounties. A successful platform can evoke elements of gamification and competition alongside monetary incentives to foster a community of security experts that is both skilled and motivated.

Crowd security intelligence has the potential to change the global security landscape by providing businesses with personalized safeguarding from a diverse array of experts. Today’s rising security startups abstract this process in order to allow smaller businesses to take advantage of the same tactics that PayPal, Facebook and Google have used. While threats constantly evolve, responding with a similarly evolving human security force is the most effective means of universally decreasing vulnerability.

Enterprises need to be able to spot vulnerabilities before they become the next news headline, and the only way to do this is with both machine and man.

A former NSA agent, Jay Kaplan is CEO and co-founder (with Mark Kuhr) of Silicon Valley-based cyber security startup Synack, a company that sources global expert security talent and incentivizes them through bounties to discover vulnerabilities in enterprise applications. Reach him @JayKaplan.

This article originally appeared on Recode.net.
