Tackling tech sprawl, CISO burnout, NIS 2 now enforceable – OffSec roundup for CISOs

October 18, 2024


We start our latest roundup for CISOs with Forrester advice about making supply chain security, securing business-critical IT assets and tackling tech sprawl your top priorities for 2025.

Budgets up – but modestly

“While security leaders say budgets will increase this year, so will tech sprawl, with software costs doubling up spend on hardware and also outpacing personnel costs,” observes the market research firm in its 2025 Budget Planning Guide For Security And Risk Leaders. VentureBeat has penned a useful summary of the results if you don’t want to trawl the full report. 📰

Also in this roundup (originally published as our CrowdSecWisdom LinkedIn newsletter), the 2024 Security Budget Benchmark Report from IANS Research and Artico Search similarly observes increases to cybersecurity budgets, although the days of double-digit growth are over and a significant minority of security teams are having to perform increasingly complex jobs with either flat or falling budgets. 📉

Beating CISO burnout

Clearly, handling myriad threats – not to mention the growing compliance burden and spectre of personal liability – in the context of tight budgets makes for a stressful vocation. 😓 It seems appropriate then to bring to your attention a Q&A between Intelligent CIO and Steve Bray, head of Australia & New Zealand for Cloudflare, about the prevalence of CISO burnout, the factors at play and how to protect security executives from mental overload. 🧠🛡️

Malta considers national VDP… while citizen bug reporters await court date

A public consultation has concluded in Malta on a government proposal for a national coordinated vulnerability disclosure policy (VDP). While we must confess to bias insofar as we have a VDP product to pitch, such a policy is surely necessary when you consider the arrest of three computer science students over their reporting (which they assert was in good faith) of a vulnerability in Malta’s largest student application, FreeHour, to the vendor. The university students had asked for a bug bounty reward but were reportedly ‘rewarded’ instead with being strip-searched, having their computer equipment seized and a court date in March 2025 (their lecturer is also being charged as an accomplice). 🚔

NIS 2 Directive has global implications

The consultation ran concurrently with another consultation over Malta’s transposition of the NIS 2 Directive, which has just entered into force. NIS 2 is intended to achieve “a high common level of security of network and information systems across the Union” more effectively than its predecessor from 2016, NIS 1. We’ve just published a NIS 2 explainer that sets out why NIS 2 has global implications and ramifications for our area of expertise: security testing and vulnerability management.

Closing holes in open source

In reassuring news about open source security, project maintainers are spending three times as much time on security as they did three years ago and have become more wary of contributors following the XZ backdoor calamity, according to a report from open source security firm Tidelift. 🔒 Less reassuringly, they remain mostly unpaid and overworked. And, given how discouraging this status quo is, they are ageing as a cohort. 😓

This is precisely why in 2023 the Sovereign Tech Fund launched the Bug Resilience Program, which helps time-poor open source maintainers prevent and patch vulnerabilities through technical debt reduction, secure code audits and Bug Bounty Programs managed by yours truly, YesWeHack. 🛠️ Our army of bug hunters has been entrusted with hardening a number of open source libraries that are benefitting from STF funding, including the near-ubiquitous systemd and, no less, Log4j, the site of possibly the most impactful vulnerability of all time. 🐞

Relatedly, Stephanie Domas, CISO of Canonical, the makers of open-source Linux operating system Ubuntu, has written about what the EU’s Cyber Resilience Act means for open source in Forbes.

AI safety and liability

The potential impact of AI in almost every human endeavour is both mind-blowing and unpredictable – and with unpredictability comes all manner of risk. Organisations should therefore be mindful of the safety and security risks of using AI in any use case, and this includes AI cyber-defense tools – especially now that the US Department of Justice (DoJ) has updated its guidelines (PDF) aimed at enterprise compliance officers with instructions to start evaluating the potential harms of their AI applications and how to mitigate these risks. Organisations, the rules make clear, will be held accountable for the misdeeds of their AIs. 🤖⚠️


Automattic-WP Engine dispute rumbles on

A dispute between Automattic and WP Engine, which has been banned from WordPress.org, has “left thousands of end-users without security updates and, by extension, millions of internet users exposed to potential hacks”, reported Bleeping Computer. Now The Register reports that “WordPress has banned its user groups from accepting sponsorship from WP Engine” as the multifaceted dispute continues to escalate.

Elsewhere, Eugenio Benincasa, senior researcher in the Cyberdefense Project at the Center for Security Studies (CSS) at ETH Zurich, discussed the outsize influence of Chinese vulnerability researchers and the geopolitical implications in War on the Rocks.

Betting big on Bug Bounty

Our latest customer success story sees the cybersecurity chief of a Swedish betting brand ATG reveal that, through Bug Bounty, they have received “really serious reports we would never get from a traditional pentest”. ATG, which powers Sweden’s horse racing industry, has enjoyed a more-than-satisfactory return on investment, according to Erik Täfvander. In the video interview below, Erik discusses why ATG decided to crowdsource security testing, the process of launching and growing the program, and the benefits and challenges encountered along the way. 🐎🔍

In another new customer video, Guillaume Kermarrec, who oversees L’Oréal’s Bug Bounty Program, discusses the iconic cosmetics brand's preparations and hopes for a live Bug Bounty shortly before the event began during leHACK in Paris, over the summer. 💄 Incidentally, we’ve also previously published a recap of the event on our blog and video highlights of the hacking competition. 🏆

Italy’s first live bug bounty

Similarly, we recently held Italy’s first-ever live hacking event, in Rome during RomHack 2024! Watch highlights below from the live Bug Bounty, featuring targets from Ferrero, the Italian packaged-sweets giant.

Ethical hackers at the RomHack live Bug Bounty in Rome, hosted by YesWeHack with targets from Ferrero

“Vulnerabilities exist in increasingly complex modern applications,” said Guillaume Vassault-Houlière, CEO and co-founder of YesWeHack. “A live Bug Bounty helps organisations find and fix many vulnerabilities in a short period of time. Hacking against the clock, ethical hackers collaborate and compete to achieve eye-catching results, as well as giving developers and security teams advice that reduces the risk of new vulnerabilities being created in future.”

Live hacking event upcoming in Argentina

We’re gearing up for another live hacking event on a different continent entirely, taking place at Ekoparty in Buenos Aires next month (14 November). As usual, the identity of the vendor providing targets will be kept confidential until the event kicks off. YesWeHack will also be showcasing our vulnerability management solutions at Ekoparty, as well as at IT-SA (Nuremberg, 22-24 October), Cyber Security Nordic (Helsinki, 29-30 October) and ECSO’s Annual CISO Meetup (Vienna, Austria; 4-5 November).

Read this monthly roundup even sooner by subscribing to CrowdSecWisdom – our LinkedIn newsletter curating news, insights and inspiration around offensive security topics like Bug Bounty, vulnerability disclosure and management, pentest management and attack surface protection.

Are you a bug hunter or do you have an interest in ethical hacking? Check out our ethical hacking-focused sister newsletter, Bug Bounty Bulletin – offering hunting advice, interviews with hunters and CTF-style challenges, among other things.