TechChannels Expert Insights

Q&A: Bugcrowd CEO Discusses How the CISO Role Has Changed and the Importance of Improving Remediation

Written by Teri Robinson | Oct 29, 2025 10:59:59 AM

As cybersecurity has become foundational to business, the role of the CISO has shifted to something more hybrid: technology guru and executive-level partner. But an increasingly dangerous threat landscape, slow remediation of the vulnerabilities behind cyber incidents, weakening collaboration with the federal government, and growing regulatory pressure, all amplified by AI's influence, are holding the CISO to a higher level of accountability.

Dave Gerry, who assumed the helm as CEO at crowdsourced cybersecurity firm Bugcrowd three years ago, is a seasoned expert who was formerly the company's COO, following stints at several high-growth companies in the AppSec space, including WhiteHat Security, where he served as Chief Revenue Operating Officer and Head of Global Operations. His tenure at Bugcrowd has included the addition of an experienced CISO and Trust Officer, a hire that reflects the changing dynamics of the marketplace and of the CISO role.

Q. There's no doubt that the role of CISO has changed. How is the pressure on them today to be held accountable for cybersecurity incidents reshaping the role and cybersecurity in general?

A. CISOs are in the spotlight more than ever. They're seeing increased liability, and they're worried about knowing of a problem and not being able to fix it. That's starting to put a strain on the developer seesaw relationship, the head of engineering and CISO relationship. We've seen this in some large organizations already. As a result, there's starting to be an alignment of the CISO role under a CTO, so that you can align product security functionality and have that speed to market but still make sure it's being done securely. I don't know that that's the right answer long term, because I think it still puts pressure on the CISO and diminishes the role.

Q. Regulatory bodies like the SEC have rumbled about making executives more accountable for cyber incidents. Are CISOs rattled by the liability they may face if their organizations fall victim to a breach or some other cyber incident?

A. Yeah, we're seeing that more and more. The gap in remediation is becoming a bigger concern, meaning they often don't want to know about [an issue] if they can't fix it, which is the exact opposite of what this industry needs. But that's been a [persistent] problem in the broader AppSec world, right, in some form or fashion. We still haven't figured out how to build capability around remediation.

Q. Since the pandemic started and the CISO was thrust onto executives’ radar, there has been a lot of talk about the CISO’s relationship with boards. Should they be speaking with board members formally or informally?

A. I think a lot of this comes down to internal philosophy. It’s going to vary based on company leadership and board structure. In our business, I encourage my management team to have direct conversations—that's good for all of us.

Q. AI is reshaping everything, including software development. Is it making us safer or is it a liability? Or both?

A. AI is amazing in that we can all leverage vendors faster. As we deploy AI, it becomes a bigger target, creates a broader attack surface. We see this playing out in real time on our platform. We have more [hackers] joining the platform than ever before, because the bar to entry is so much lower. Historically, you had to have some level of capability. Self-taught on YouTube, or you played around until you figured out [how to code], then you would start to build scripting and automation and development experience. But today you develop a little hackbot based on ChatGPT or some other tool, and you can suddenly join these platforms and start a new line. Well, the adversaries are doing the same thing. So as much as we're trying to advance the defender to say AI helps you scale and move faster, we're seeing that come from the other side as well. We're seeing zero-day exploits happening in hours. It's well under 24 hours now that they're able to decompile these things, build an exploit, and launch it.

Q. How do you stay on top of that?

A. It's not easy. There are so many different pieces. There's the human element—how you educate the team to be more aware. Our CISO sent a message to our executive team that was a deepfake of me, which he created in less than five minutes on Google Mail. I showed it to my wife, and she goes, "If I didn't see the voice, I can see it." They've gotten really good, and the voice aspect is one thing that they are working on to make it better.

Q. Is AI creating more vulnerable code?

A. Somebody that's scanning code and doing code reviews would have a better sense in real time of how this is changing. But at least from what we can see so far, we're not seeing more vulnerabilities in AI-generated code. We are seeing a proliferation of the amount of code being written. So now you have three times the lines of code to do the same action. You inherently may increase risk there, but we're not seeing that it's inherently less secure.

Q. Is AI changing the skills that organizations are seeking for their development teams?

A. The U.S. Army wanted to use AI for recruiting and wanted to make sure no bias existed. So, we've helped them develop the world's first bias assessment. Hackers didn't show us how to break into this but rather how you manipulate the systems. Now, instead of just [candidates with] a technical background, we want liberal arts students.

Q. CISOs in private industry can’t conquer those and other cyber threats alone. How have the recent changes at CISA affected what has been a very successful public-private collaboration? The agency has lost much of its staff and key people.

A. [Former CISA] Director Jen Easterly was able to attract talent well below market salaries, yeah, and get these people going. David Mooney ran part of the vulnerability management program; he now has a really high-profile role at Eli Lilly. Jack Cable ran the Secure by Design [initiative]. He's now launched Corridor. Bob Moore was doing part of the Secure by Design stuff. In the same way that you talk about board members not always being savvy on the technical side of things, government is that much worse off now. There are some brilliant people in government, but you saw [the inexperience] play out on the national stage. The CEO of TikTok at a Congressional hearing was getting questions like, "Can TikTok connect to my WiFi?" We're seeing it play out even on a state level, too.