Beiersdorf’s cybersecurity workforce is at all times occupied with one of the best methods to safe their public-facing property. As their digital footprint will increase, they add new processes and methods to align with cybersecurity finest practices and search for new methods to arm their inside groups with insights and knowledge to assist harden their attack surface management.
After a 12 months of operating a non-public Vulnerability Disclosure Program (VDP), Beiersdorf is saying the launch of its public VDP. HackerOne met with Kai Widua, Chief Info Safety Officer (CISO) at Beiersdorf, to be taught concerning the challenges they face in retail safety.
Learn on to listen to Kai’s ideas on how HackerOne helps Beiersdorf be proactive about cybersecurity and his recommendation on beginning a VDP and taking it public.
Inform us who you’re.
I’m Kai Widua, CISO at Beiersdorf. I’m liable for the Info Safety in Beiersdorf globally. On this function, I take care of proactive and detective necessities to guard buyer, affiliate, and worker knowledge in our on-line world.
Inform us a bit about Beiersdorf and the cybersecurity challenges you face.
Beiersdorf began to leverage the potential of cloud computing companies earlier than many different organizations. We have now a standardized, centralized, managed IT program with many companions and methods built-in into our digital life, which will increase our digital footprint and creates a broad assault floor. The adaption of applied safety insurance policies and controls is a problem, as we work to make sure data safety is an enabler and never a “hinderer.”
How does your safety workforce function?
The digital consultants within the DevOps groups are challenged to make use of an agile strategy to extend growth pace and shorten launch cycles whereas additionally fulfilling safety necessities and sustaining code hygiene. Beiersdorf’s cybersecurity division is liable for the marketing consultant and gatekeeper roles to assist us shut potential gaps in our assault floor by informing different departments about potential dangers, new assault vectors, and methods to reduce total organizational threat.
What made you resolve to launch a public VDP?
Our Net Growth Workforce has a tricky job, they usually do it very properly. As an extra layer of protection, we determined to make use of the worldwide information of moral hackers by way of a VDP, so we may very well be knowledgeable even when it’s really too late (which means a vulnerability is printed) however nonetheless early sufficient to determine and remediate the vulnerability earlier than a malicious actor may discover it.
How does a VDP assist proactively forestall points?
By including a VDP, we not solely help our Net Growth Workforce’s super efforts, however we additionally take proactive steps to reduce our threat. The VDP permits international safety consultants to overview our public property and provides us deeper information of our assault floor, which we are able to use to raised inform our workforce and create extra strong defenses by way of inside processes.
How does digital transformation drive your cybersecurity technique?
Digital transformation actually hurries up deployments, nevertheless it additionally will increase the variety of methods and sources we use. Minimal viable merchandise (MVPs) are a particular lever to hurry up time-to-market however can threaten the wanted safety stage. A VDP is an ideal and compulsory complement to our digital transformation journey, giving us an extra layer of protection.
What occurs after a hacker finds a bug?
We see a whole lot of commodity assaults in opposition to our methods. However generally, we see very artistic methods hackers have tricked our system panorama. It is a beneficial supply of intelligence other than OWASP or different frameworks. These uncommon findings make the distinction for our DevOps groups and will be tailored to all different methods we function.
What recommendation would you give to different CISOs planning to begin a VDP?
Begin small. Get your self and the groups conversant in how researchers strategy this system and the triage course of. This can help the ramp-up and make sure you’re going as quick as you’ll be able to adequately handle. We had a wonderful studying expertise with our personal program, which helped us be assured and ready earlier than going public.
—
Click on here for extra details about Vulnerability Disclosure Packages.
Author: elizabeth@hackerone.com
Date: 2022-06-02 07:45:00
