One of the most overwhelming problems in cybersecurity is a severe labor shortage. There simply aren’t enough people who are qualified to do cybersecurity jobs to fill all the open roles.
A start-up called Synack is helping companies get around this shortage by providing “crowdsourced” security. Its software platform provides automated ways for companies to discover security flaws, then it turns those vulnerabilities over to penetration testers, known as pen-testers — basically, hackers who use their powers for good. The company makes a point of hiring top pen-testing talent, then sees how they can use the flaws to breach the client.
Synack competes with both companies that provide vulnerability monitoring with machine learning, and with bug bounty programs, which allow companies to hire hackers with hard-to-find skills en masse to test their networks.
Government agencies and companies will need creative solutions like this as they face a shortfall of cybersecurity workers for available jobs, leading to 3.5 million unfilled roles by 2021, according to Cybersecurity Ventures, which monitors cyber job trends. Synack, which ranked No. 42 on the 2019 CNBC Disruptor 50 list, has 150 global customers, including 15 federal agencies in the United States.
The freelance model makes sense, as hackers with the best skills are often in high demand or too dynamic to want to stay put at a corporate job, according to Synack CEO Jay Kaplan.
“The talent crisis in this industry is pretty massive, and these people don’t like to be pigeonholed,” Kaplan told CNBC. “So we incentivize based on their ability to find very critical, impactful vulnerabilities on our companies. I fundamentally believe that the future of this type of talent is in a freelance or gig-economy type of dynamic. These folks don’t want to work full time for these companies, but they can find the most critical vulnerabilities that can impact them.”
For many the payoff is huge. “We just had our first hacker pass the $1 million mark [this year],” Kaplan said, meaning the freelancer had earned $1 million total in bounties from companies and agencies during his career there. According to Kaplan, these pros are racking up a lot of money since their skills are in such high demand.
Earlier this decade, it was hard to convince government agencies and companies to let some of the world’s best hackers have a crack at their networks, Kaplan said. But that’s changed as companies face a seemingly endless array of novel techniques and old problems that can be combined to cause serious breaches.
“Particularly in the past couple of years, crowdsourcing and security really weren’t ending up in the same sentence. It required a lot of trust to be built into the model. We’re excited today that the industry has really swung in the complete opposite direction,” he said.
The company has stringent requirements for hackers — it only employs around 1,000 freelancers, which they vet for reliability and skills. This is one way Kaplan said the company has tried to build trust with nervous corporations.
“We weed out about 90% of the folks that come into it, and we’ve built a whole platform to facilitate trust and control and visibility,” he said.
Executives are sometimes worried that the process might expose weaknesses they don’t want to bring to the surface. But Synack tries to emphasize the positive, explaining how well a customer’s security is working, before disclosing the flaws.
“We’re giving them more of that positive validation story, by saying look at all the things that our researchers tried. But what’s just as important, here are 100 vulnerabilities,” Kaplan said.
That’s been especially helpful in federal contracting. Most recently, Synack won a portion of the Hack the Pentagon program alongside bug bounty companies HackerOne and Bugcrowd. The company also recently renewed a $34 million federal contract to work on classified systems.