Are Hackers Detrimental to a Company's Security, or Can They Actually Help?

in #security, 7 years ago

What good can possibly come from having your company's network hacked, right? A lot of good, actually. There are companies out there, big companies that I'm sure you have heard of, that actually pay hackers to discover vulnerabilities in their security. One such company is Google, which will pay as much as $10,000 to anyone who can find chinks in the armor of its flagship browser, Chrome. Other major names that engage in this type of security management are Facebook and Mozilla, the makers of Firefox, Thunderbird and a few other big-time open source software systems.

The concern about risk is quite understandable and well founded: hackers take down major networks all the time. Jeremiah Grossman, founder and CEO of WhiteHat Security, recently spoke at the RSA conference in San Francisco and advised companies around the globe to "Harness the wisdom of the hacker community by enlisting their help to expose the weaknesses in your very own security systems." Grossman went on to say, "This has been an effective security measure and it works very well." He also suggested that the military, as well as other government organizations, adopt similar programs of their own. Although the majority of these groups have policies in place and would maintain serious reservations about such programs, their current avenues of integrated security shutouts aren't working all that well.

A lot of these systems' weak spots are being found in the security of installed applications, a frequently overlooked part of many major networks. Companies should set up their software and security budgets accordingly: if a company spends the largest amount on software, it should allow for the largest part of the IT budget to go toward securing that software properly. In retrospect, Grossman explains, the vast majority of high-profile security breaches could have been thwarted by improving web application security rather than by trying to improve anti-virus software and firewall protection. The main reason for this incorrect approach to security improvements is that CISOs are simply complying with company protocols, which encourage spending on the wrong security issues.