Simple and serious à la Charlie Munger
How do you build a category-leading business? A two-sided marketplace in the cybersecurity industry with one side consisting of highly differentiated experts and the other of highly demanding enterprises? A model where bad news is turned into good news? A subscription business that delivers neither software nor billable hours, but just results? An essential and unique component of cybersecurity, so important that it is written into cybersecurity frameworks and regulation?
We believe in transparency at HackerOne, and I will share here our key business model learnings with the hope that many others will be assisted on their journey to build excellence in business in general or cybersecurity in particular. In writing this, I took inspiration from Charlie Munger, who in his long and successful life generously shared his learnings with the world.
We see feedback as a gift, so please add your comments, suggestions and contradicting viewpoints. Enjoy! And let me know what you think.
Simple and serious
Take a simple idea and take it seriously. This is advice by Charlie Munger, whom I had the delight to meet over lunch in November last year. It is what we've been doing at HackerOne for ten years.
The idea of ethical hacking as a way to improve software security is simple and powerful. Yet to figure out how to make it work consistently at scale, you must take it seriously.
As Charlie Munger learned, and as he taught us, you must employ many models in order to understand and solve big problems. Looking for solutions using just one model "is a dumb way of handling problems".
At HackerOne we have learned a lot and tried to apply many perspectives and models in figuring out the ideal way to build this business. We have built a massive force for good in cybersecurity. Millions of ethical hackers stand ready to help make the internet more secure. HackerOne has paid out well over $300,000,000 in rewards to our hackers - more than all our competitors combined.
In this work, half a million vulnerabilities have been found and fixed, saving our customers hundreds of billions of dollars in breaches that didn't happen. Today, leading tech companies and consumer brands are HackerOne customers. For anyone needing the best protection against security vulnerabilities, HackerOne is the place.
Secrets of success
Our most fundamental experience is that although your job is to produce tangible results every single day, you need to keep your eyes on the horizon. If you lose touch with the mission or your long-term goals, you will lose touch with your everyday business. Quarterly business goals are a finite game, but the mission of HackerOne is an infinite game.
At HackerOne we return to our first principles every time we make a decision. We are here to empower the world to build a safer digital society. We are a two-sided marketplace that originates with hackers and brings unique value to paying customers - value that no other mechanism can produce. Our strategic thinking starts from the mission and the supply side - from the hacker perspective. This allows us to build the best possible service for customers.
We play the role of building trust between two groups that otherwise might not trust each other. Transparency is the most powerful way to build trust, so we practice transparency. Our model is about telling customers what's wrong, so we make sure to practice what we preach and treat feedback as a true gift.
We acknowledge that our supply side - the hackers - participate in the work of their own free will, so we build systems of empowerment rather than coercion, models of collaboration rather than command, blue ocean opportunities rather than zero-sum games. The more open the model is, the more the ethical hackers will thrive, which is the way to produce outstanding results. Closed models have been tried by others with unimpressive results.
The millions of ethical hackers we represent are a diverse community, working in a distributed way all over the world. Consequently, we have organized our company in a similar way. We are a diverse team, digital-first, working out of homes and co-working spaces. Cybersecurity is not something a small clique can accomplish. It is something achieved together.
It's about incentives
It's a good starting point to assume that nobody can be forced to do anything. Everything is driven by incentives. If the incentives are well designed, they will keep the model working. But incentives can be tricky to construct. Incorrectly applied, they will damage the outcome. There are more nuances and dimensions to incentives than many would assume.
In the case of ethical hacking, monetary reward is the most common incentive. But it is not the only one and it is not sufficient on its own. The popularity of vulnerability disclosure programs that pay no bounties is a strong reminder that other incentives are at play. Many hackers have a desire to do good whether they are paid for it or not. They care about fairness and how they are being treated by the organization they report a vulnerability to.
Many hackers see hacking as a competition and a career path. They care about halls of fame. They want to learn more in order to qualify for bigger roles in their career. And many hackers seek social interaction. For them, a major incentive is to get to hang out with amazing people. It is impossible to set useful incentives for people if you don't know their intrinsic motivations. When we build hacker engagement programs that cater to the various incentives, we get the strongest and most devoted hacker community in return.
Charlie Munger had some great insights on this too. He wrote that the game of competitive life often requires maximizing the experience of the people who have the most aptitude and the most determination as learning machines. Concretely, this means paying the highest bounties for the best finds and inviting the best hackers to our Live Hacking Events, as this amplifies and multiplies the usefulness of our model.
With our customers, there is an intriguing juxtaposition of incentives. Some customers hope we will not find many vulnerabilities. Some hope we will find all there are to be found. Our best customers know that it's good news when we find vulns and equally so when we don't. As long as they can trust the diligence of the testing effort, they know any result brings them closer to their own goal of improved security. This means HackerOne both improves and proves the security of its customers.
The cybersecurity market
The global cybersecurity market is a complex economic system in which we have chosen a very specific path for our company to deliver unique and compelling value to customers.
The size of the cybersecurity market is around $200 billion per year. Half of this is products and half is professional services. This means it takes a lot of technology to get all aspects of cybersecurity addressed, and then it takes an equal lot of professional services to get it all to run smoothly. Customers are short on both tech and staff, so they will end up buying lots of both from the cybersecurity vendors.
In our observations, pure product companies bring a lot of complexity to their customers. And professional services companies, while offloading demanding work from customers, become entrenched and dependent on the continuation of the engagement. As a result, productivity and efficiency may not improve much for the customer.
HackerOne is neither a software vendor nor a professional services outfit. We built a model where we get paid for the demonstrable value we provide. With our scalable community model, we perform work that otherwise would burden the customer. Given we get paid for results and not work hours or product units, it is in our own interest to operate efficiently and automate as much as we can. With AI bringing unparalleled automation and curation abilities to any workflow, we streamline our value delivery further.
For our customer it means even better bang for the buck, and a continued reduction of complexity of operating a hacker-powered security testing program. Interests are aligned between customer, hacker and HackerOne, and that is how we can avoid the business model pitfalls and complexities that befall so many other cybersecurity vendors.
What we are up to now
Over the past few years, we have been building out the portfolio of services we can offer to our customers. We take a platform approach so that workflows can be centrally managed and integrated with other workflows of our customers across the entire software development lifecycle.
We have built a powerful AI deployment with strict protection of the training data. With this deployment - called Hai - we make life easier for the various personas who use our platform: customers, hackers and HackerOne staff.
Artificial Intelligence is pushing our digital civilization faster into the future. The first area to be upended is software development and deployment. New code can be curated and produced faster than ever using AI. But new code has new vulnerabilities, and adversaries will know to take advantage of this. The risk is broader than security. AI deployments can also cause massive embarrassment and brand damage, violate privacy, expose harmful bias, and freely hallucinate, just to mention a few of the downsides.
In this world, security testing by external unbiased humans becomes more critical than ever. AI provides the automation and curation of the testing work. Humans provide the curiosity and ingenuity needed to uncover the most damaging weaknesses. Human security testing augmented by AI will always outperform pure humans and also pure AI.
As we keep building HackerOne, we look to wisdom from Charlie Munger and other great thinkers. We apply many mental models, turning the matters around to see them from different perspectives. We know that the ideal solution may not be a compromise or average, but a case of managing contrasting aspects that surprisingly reinforce each other.
Initially, hackers and enterprises stood very far from each other. Today, enterprises and government agencies know they cannot even begin to validate their software deployments on their own. They need vast numbers of external unbiased experts who are motivated and incentivized to help build a safer internet.
Marten Mickos
CEO, HackerOne