According to a HackerOne / Opinion Matters study, CISOs are mostly hostile to the use of ethical hackers to test their security.
Penetration testing is undoubtedly the best way to test the security of your information system. To do so without restrictive supervision, the most radical approach is to use ethical hackers who are paid for each flaw they discover. But a majority of CISOs are more than reluctant to adopt this practice. According to a study carried out by HackerOne, based on a survey conducted by Opinion Matters, 51% of French CISOs would prefer to run the risk of having vulnerabilities in their systems rather than invite unknown hackers to find them. Their German and British colleagues are even more reluctant, with 59% and 62% respectively refusing testing by strangers. The average for the three countries is thus 57%.
However, 87% of respondents in France and 86% on average in Europe admit that fears regarding security hamper digital innovation. 83% of European CISOs (90% in the United Kingdom, 88% in France and 80% in Germany) state that software flaws constitute a serious threat to their organization. However, this does not prevent security management from being a concern overall. 64% of European CISOs (68% in France, 63% in the United Kingdom and 60% in Germany) complain of insufficient staff to keep pace with the changes in their organization. 48% of European CISOs (46% in France) also believe that they spend too much time looking for software flaws. 26% of European CISOs complain of an insufficient budget to carry out an offensive security program (17% in France, 22% in the United Kingdom, 32% in Germany). And 35% of European CISOs feel generally hampered by a lack of budget and skills to move forward (30% in France, 34% in the United Kingdom and 40% in Germany).
The hacker seen as a threat and not a solution
In terms of results, 45% of European CISOs (65% in the United Kingdom, 39% in Germany and 30% in France) believe that penetration tests do not provide results that meet expectations. But resorting to external hackers gives rise to significant fears and reluctance. Only 26% of European CISOs feel ready to accept bug submissions from the entire hacker community (17% in the United Kingdom, 23% in France, 36% in Germany), a score that increases considerably (up to 40% in France) if hackers are certified.
At the European level, 54% of CISOs are not comfortable with the idea of collaborating with hackers with a criminal past. The French are the least concerned about this (44%), much less so than their German (55%) or British (62%) colleagues.