Navigating the Evolving Patchwork of Incident Reporting Requirements

In March 2022, President Biden signed into law the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), a bipartisan initiative that empowers CISA to require cyber incident reporting from critical infrastructure owners and operators. Rapid7 is supportive of CIRCIA and cyber incident reporting in general, but we also encourage regulators to ensure reporting rules are streamlined and do not impose unnecessary burdens on companies that are actively recovering from cyber intrusions.

Although a landmark legislative change, CIRCIA is just one highly visible example of a broader trend. Incident reporting has emerged as a predominant cybersecurity regulatory strategy across government. Numerous federal and state agencies are implementing their own cyber incident reporting requirements under their respective rulemaking authorities – such as SEC, FTC, the Federal Reserve, OCC, NCUA, NERC, TSA, NYDFS, and others. Several such rules are already in force in US law, with at least three more likely to become effective within the next year.

The trend is not limited to the US. Several international governing bodies have proposed similar cyber incident reporting rules, such as the European Union’s (EU) NIS-2 Directive.

Raising the bar for security transparency through incident reporting is a productive step in a positive direction. Incident reporting requirements can help the government to manage sectoral risk, encourage a higher level of private-sector cyber hygiene, and enhance intrusion remediation and prevention capabilities. But the rapid embrace of this new legal paradigm may have created too much of a good thing, with the emerging regulatory environment at risk of becoming unmanageable.

Current state

Cyber incident reporting rules that enforce overlapping or contradictory requirements can impose undue compliance burdens on organizations that are actively responding to cyberattacks. To illustrate the problem, consider the potential experience of a hypothetical company – let’s call it Energy1. Energy1 is a US-based, publicly traded utility company that owns and operates energy generation plants, electrical transmission systems, and natural gas distribution lines. If Energy1 experiences a significant cyber attack, it may be required to submit the following reports:

  • Within one hour, provide to NERC – under NERC CIP rules – a report with preliminary details about the incident and its functional impact on operations.
  • Within 24 hours, provide to TSA – under the pipeline security directive – a report with a complete description of the incident, its functional impact on business operations, and the details of remediation steps.
  • Within 72 hours, provide to CISA – under CIRCIA – a complete description of the incident, details of remediation steps, and threat intelligence information that may identify the perpetrator.
  • Within 96 hours, provide to SEC – under the SEC’s proposed rule – a complete description of the incident and its impact, including whether customer data was compromised.

In our hypothetical scenario, Energy1 may need to rapidly compile the necessary information to comply with each different reporting rule or statute, all while balancing the urgent need to remediate and recover from a cyber intrusion. Furthermore, if Energy1 operates in non-US markets as well, it may be subject to several more reporting requirements, such as those proposed under the draft NIS-2 Directive in the EU or the CERT-IN rule in India. Many of these regulations would also require subsequent status updates after the initial report.

The example above demonstrates the complexity of the emerging patchwork of incident reporting requirements. Legal compliance in this new environment creates a number of challenges for the private sector and the government. For example:

  • Redundant requirements: Unnecessarily duplicative compliance requirements imposed in the wake of a cyber incident can draw critical resources away from incident remediation, potentially leading to lower-quality data submitted in the reports.
  • Public vs. private disclosure: Most reports are held privately by regulators, but the SEC’s proposed rule would require companies to file public reports within 96 hours of determining that an incident is significant. Public disclosure before the incident is contained or mitigated may expose the affected company to further risk of cyberattack. In addition, premature public reporting of incidents prior to mitigation may not provide an accurate reflection of the affected company’s cyber incident response capabilities.
  • Inconsistent requirements: The definition of what is reportable is not consistent across agency rules. For example, the SEC requires reporting of cyber incidents that are “material” to a reasonable investor, whereas NERC requires reporting of almost any cyber incident, including failed “attempts” at cyber intrusion. The lack of a uniform definition of reportability adds another layer of complexity to the compliance process.
  • Process inconsistencies: As demonstrated in the Energy1 example, all incident reporting rules and proposed rules have different deadlines. In addition, each rule and proposed rule has different required reporting formats and methods of submission. These process inconsistencies add friction to the compliance process.

Recommendations

The key issues outlined above may be addressed by the Cyber Incident Reporting Council (CIRC), an interagency working group led by the Department of Homeland Security (DHS). This Council was established under CIRCIA and is tasked with harmonizing existing incident reporting requirements into a more unified regulatory regime. A readout of the Council’s first meeting, convened on July 25, stated CIRC’s intent to “reduce [the] burden on industry by advancing common standards for incident reporting.”

In addition to DHS, CIRC includes representatives from across government, including from the Departments of Justice, Commerce, Treasury, and Energy among others. It is not yet clear from the Council’s initial meeting how exactly CIRC will reshape cyber incident reporting regulations, or whether such changes will be achievable through executive action or whether new legislation will be needed. The Council will release a report with recommendations by the end of 2022.

Rapid7 urges CIRC to consider several harmonization strategies intended to streamline compliance while maintaining the benefits of cyber incident reporting, such as:

  • Unified process: When practically possible, develop a single intake point for all incident reporting submissions with a universal format accepted by multiple agencies. This would help eliminate the need for organizations to submit several reports to different agencies with different formats and on different timetables.
  • Deconflicted requirements: Agree on a more unified definition of what constitutes a reportable cyber incident, and build toward more consistent reporting requirements that satisfy the needs of multiple agency rules.
  • Public disclosure delay: Releasing incident reports publicly before affected organizations have time to contain the breach may put the security of the company and its customers at unnecessary risk. Requirements that involve public disclosure, such as proposed rules from the SEC and FTC, should consider delaying and coordinating disclosure timing with the affected company.

Some agencies in the Federal government are already designing incident reporting rules with harmonization in mind. The Federal Reserve, FDIC, and OCC, rather than building out three separate rules for each agency, designed a single universal incident reporting requirement for all three agencies. The rule requires only one report be submitted to whichever of the three agencies is the affected company’s “primary regulator.” The sharing of reports between agencies is handled internally, removing from companies the burden of submitting multiple reports to multiple agencies. Rapid7 supports this approach and would encourage the CIRC to pursue a similarly streamlined strategy in its harmonization efforts where possible.

Striking the right balance

Rapid7 supports the growing adoption of cyber incident reporting. Greater cybersecurity transparency between government and industry can deliver considerable benefits. However, unnecessarily overlapping or contradictory reporting requirements may cause harm by detracting from the critical work of incident response and recovery. We encourage regulators to streamline and simplify the process in order to capture the full benefits of incident reporting without exposing organizations to unnecessary burden or risk in the process.



[VIDEO] An Inside Look at the RSA 2022 Experience From the Rapid7 Team

The two years since the last RSA Conference have been pretty uneventful. Sure, COVID-19 sent us all to work from home for a little while, but it's not as though we've seen any supply-chain-shattering breaches, headline-grabbing ransomware attacks, internet-inferno vulnerabilities, or anything like that. We've mostly just been baking sourdough bread and doing woodworking in between Zoom meetings.

OK, just kidding on basically all of that (although I, for one, have continued to hone my sourdough game).

The reality has been quite the opposite. Whether it's because an unprecedented number of crazy things have happened since March 2020 or because pandemic-era uncertainty has made all of our experiences feel a little more heightened, the past 24 months have been a lot. And now that restrictions on gatherings are largely lifted in most places, many of us are feeling like we need a chance to get together and debrief on what we've all been through.

Given that context, what better timing could there have been for RSAC 2022? This past week, a crew of Rapid7 team members gathered in San Francisco to sync up with the greater cybersecurity community and take stock of how we can all stay ahead of attackers and ready for the future in the months to come. We asked four of them — Jeffrey Gardner, Practice Advisor - Detection & Response; Tod Beardsley, Director of Research; Kelly Allen, Social Media Manager; and Erick Galinkin, Principal Artificial Intelligence Researcher — to tell us a little bit about their RSAC 2022 experience. Here's a look at what they had to say — and a glimpse into the excitement and energy of this year's RSA Conference.

What's it been like returning to full-scale in-person events after 2 years?

[VIDEO] An Inside Look at the RSA 2022 Experience From the Rapid7 Team

What was your favorite session or speaker of the week? What made them stand out?

[VIDEO] An Inside Look at the RSA 2022 Experience From the Rapid7 Team

What was your biggest takeaway from the conference? How will it shape the way you think about and practice cybersecurity in the months to come?

[VIDEO] An Inside Look at the RSA 2022 Experience From the Rapid7 Team

Want to relive the RSA experience for yourself? Check out our replays of Rapid7 speakers' sessions from the week.



The Hidden Harm of Silent Patches

Hey all. I'm about to head off to RSAC 2022, but I wanted to jot down some thoughts I've had lately on a particularly squirrelly issue that comes up occasionally in coordinated vulnerability disclosure (CVD) — the issue of silent patches, and how they tend to help focused attackers and harm IT protectors.

In the bad old days, most major software vendors were rather notorious for sweeping vulnerability reports under the rug. They made it difficult for legitimate researchers to report vulnerabilities, often by accident, occasionally on purpose. Researchers would report bugs, and those reports would fester in unobserved space, then suddenly the proof-of-concept exploit wouldn't work any more. This was (and is) the standard silent patching model. No credit, no explanation, no CVE ID, nothing.

The justification for this approach seems pretty sensible, though. Why would a vendor go out of their way to explain what a security fix does? After all, if you know how the patch works, then you have a pretty good guess at the root cause of the vulnerability and, therefore, how the exploit works. So, by publicizing these patch details, you're effectively leading attackers to the goods, based on your own documentation. Not cool, right?

So, the natural conclusion is that by limiting the technical details of a given vulnerability to merely the patch contents, and by withholding those details explained in plain language, along with proof-of-concept exploit code, screenshots, videos, and all the rest, you are limiting the general knowledge pool of people who actually understand the vulnerability and how to exploit it.

Unpacking the silent patch

This sounds like a great plan, but there's a catch. When a software company releases a patch for software, in nearly all cases, they're not using exotic packers, they're not employing anti-forensics, and even if the patch data is encrypted and obfuscated, at some point it's got to modify the code on the running software — which means that it's all available to anyone who has a running instance of the patched software and knows how to use a debugger and a disassembler. And who uses debuggers to inspect the effects of patches? Exploit developers, pretty much exclusively.

Knowing this, let's modify the expectations of the silent patch strategy: When you silently patch, you are intending to limit knowledge of the patched vulnerability to skilled exploit devs.

It's still true that you're excluding the casual attacker (or "script kiddie," in the common parlance), and that's great and desirable. However, you're also excluding a huge population of IT protectors: penetration testers who are paid to write and run exploits to test defenses leap to mind, in addition to the folks who write and deploy defensive technologies like vulnerability management, intrusion detection and prevention, incident detection, and all the rest. You also exclude tech journalists, academics, and policy makers who want to understand and communicate the nature of software vulnerabilities, but who aren't likely to bust out a disassembler.

Most significantly, you're excluding the most important audience for your patch: the regular IT administrators and managers who need to sort out the incoming flow of patches based on some risk and severity criteria and make the call for downtime and update scheduling based on those criteria. Not all vulnerabilities are equal, and while protectors want to get around to all of them, they need to figure out which ones to apply today and which ones can wait for the next maintenance cycle.

By the way, it's true that some of these IT professionals also have the capability to reverse-engineer your patch. In practice, people who are only interested in keeping IT humming never, ever reverse patches to see if they're worth applying. It's way too complicated and time-consuming. I've never seen a case where this is part of the decision-making process to patch now or later.

Don’t leave defenders in the dark

So now, let's reexamine the case for silent patching yet again: When you silently patch, you are communicating vulnerability details, exclusively, to skilled, criminal attackers who are specifically targeting your product, while leaving your customers in the dark. You are intentionally withholding information from casual attackers, secondary defenders, and your customers and users who are desperate to make informed security engineering decisions involving your product or project. Oh, and let's not forget, you're also limiting knowledge about these fixed vulnerabilities from future employees and contributors, who very well might re-introduce the same or similar bugs in your product down the road. After all, the details are secret, even from future-you.

All this is to say, silent patching is tantamount to full disclosure to a very small audience who mostly want to hurt you and your users. Fully documented patches reach the much, much larger audience of people, present and future, who want to help you and your users. While it's true that you are also offering educational opportunities to casual attackers along the way, I believe the global population of casual attackers is much, much smaller than your legitimate users and all the secondary and tertiary defenders who are on your side.

So, next time a vulnerability researcher states their intention of publishing details about their reported (and now patched) vulnerability, try to examine your urge to keep those details under wraps, and maybe even encourage them to be honest and transparent with their findings. The alternative is to build up the operational capabilities of the true criminal and espionage enterprises while degrading the decision-making power of IT protectors.



A Year on from the Ransomware Task Force Report

If you follow cybersecurity, you’ve likely seen one of the many articles written recently on the one-year anniversary of the Colonial Pipeline ransomware attack, which saw fuel delivery suspended for six days, disrupting air and road travel across the southeastern states of the US. The Colonial attack was the biggest cyberattack against US critical infrastructure, making it something of a game-changer in the realm of ransomware, so it is absolutely worth noting the passage of time and investigating what’s changed since.

This blog will do that, but I’ll take a slightly different tack, as I’m also marking the anniversary of the Ransomware Task Force’s (RTF) report, which offered 48 recommendations for policymakers wanting to deter, disrupt, prepare, and respond to ransomware attacks. The report was issued a week prior to the Colonial attack.

Last week, I participated in an excellent event to mark the one-year anniversary of the RTF report. During the session, various ransomware experts discussed how the ransomware landscape has evolved over the past year, how government action has shaped this, and what more needs to be done. The Institute for Security and Technology (IST), which convenes and runs the RTF, has issued a paper capturing the points above. This blog offers my own thoughts on the matter, but it’s not at all exhaustive, and I recommend giving the official paper a read.

High-profile attacks raised the stakes

Looking back over the past year, in many ways, the Colonial attack – along with ransomware attacks on the Irish Health Service Executive (HSE) and JBS, the largest meat processing company in the world, all of which occurred during May 2021 – highlighted the exact concerns outlined in the RTF report. Specifically, the RTF had been convened based on the view that the high level of attacks against healthcare and other critical services through the pandemic made ransomware a matter of national security for those countries that are highly targeted.

In light of this, one of the most fundamental recommendations of the report was that this be acknowledged and met with a senior leadership and cross-governmental response. The Colonial attack resulted in President Biden addressing the issue of ransomware on national television. Subsequently, we have seen a huge cross-governmental focus on ransomware, with measures announced from departments including Homeland Security, Treasury, Justice, and State. We’ve also seen both Congress and the White House working on the issue. And while the US government has been the most vocal in its response, we have seen other governments also focusing on this issue as a priority and working together to amplify the impact of their action.

In June 2021, the Group of Seven (G7) governments of the world’s wealthiest democracies addressed ransomware at its annual summit. The resulting Communique capturing the group’s commitments includes pledges to work together to address the threat. In October 2021, the White House hosted the governments of 30 nations to discuss ransomware. The event launched the Counter Ransomware Initiative (CRI), committing to collaborate together to find solutions to reduce the ransomware threat. The CRI has identified key themes for further exploration and action, with a similar focus on deterring and disrupting attacks and driving adoption of greater cyber resilience.

Status of the RTF recommendations

This is all heartening to see and strongly aligns with the ethos and recommendations of the RTF recommendations. Drilling down into more of the details, there are many further areas of alignment, including the launch of coordinated awareness programs, introduction of sanctions, scrutiny of cryptocurrency regulations, and a focus on incident reporting regulations. The RTF paper provides a great deal more detail on these areas of alignment and the progress that has been made, as well as the areas that need more focus.

This, I believe, is the key point: A great deal of progress has been made, both in terms of building understanding of the problem and in developing alignment and collaboration among stakeholders, yet there is a great deal more work to be done. The partnerships between multiple governments — and between the public and private sectors — are hugely important for improving our odds against the attackers, but progress will not happen overnight. It will take time to see the real impact of the measures already taken, and there are yet measures to be determined, developed, and implemented.

Uncertain times

We must keep our eye on the ball and stay engaged, which is not easy when there are so many other demands on governments’ and business leaders’ limited time and resources. The Russia/Ukraine conflict has undoubtedly been a very time-consuming area of focus, though expectations that offensive cyber operations would be a key element of the Russian action have perhaps helped increase awareness of the need for cyber resilience. The economic downturn is another huge pressure and will almost certainly reduce critical infrastructure providers’ investments in cybersecurity as the cost of business increases in other areas, resulting in budget cuts. While both of these developments may distract governments and business leaders from ransomware, they may also increase ransomware activity as economic deprivation and job scarcity encourage more people to turn to cybercrime to make a living.

According to law enforcement and other government agencies, as well as the cyber insurance sector, reports of ransomware incidents are slowing down or declining. Due to a long-standing lack of consistent incident reporting, it’s hard to contextualize this, and while we very much hope it points to a reduction in attacks, we can’t say that that’s the case. Security researchers report that activity on the dark web seems to be continuing at the same pace as in 2021, a record year for ransomware attacks. It’s possible that the drop in reports to law enforcement could be due to fears that involving them will result in regulatory repercussions; reports to insurers could be down due to the introduction of more stringent requirements for claims.

The point is that it’s too early to tell, which is why we need to maintain a focus on the issue and seek out data points and anecdotal evidence to help us understand the impact of the government action taken so far, so we can continue to explore and adjust our approach. An ongoing focus, continued collaboration, and more data will help ensure we put as much pressure as possible on ransomware actors and the governments and systems that allow them to flourish. Over time, this is how we will make progress to reduce the ransomware threat.



The Forecast Is Flipped: Flipping L&D in New Hire Training

Rapid7’s onboarding program, Making the Band, first came to the stage in the fall of 2017 when the original 2-week, video-based program evolved into a dynamic 90-day experience. The updated program delivered learnings to new hires through digital self-paced content and a 2-day live training focused on tactical elements, as well as foundational company knowledge.

However, in the spirit of Never Done, the Rapid7 People Development team challenged convention and recently evolved the onboarding program to address the needs of our evolving business and the future of work.

After analyzing the current state of the program, People Development realized that what was needed was a streamlined experience that supported and connected a growing, hybrid company, as well as one that aligned and prepared employees for role-specific success, regardless of their location or position.

The goal of this work was to reimagine the current onboarding process in a way that sustained the essence of the original 2017 experience, but also adapted and scaled as we onboarded a global new hire population. This would be achieved by keeping ALL Moose in mind, curating opportunities that built connections in this new normal, emphasizing the importance and impact of our culture, and seamlessly guiding new Moose through the fundamentals in order to shorten their time to impact.

Flipped learning: Delivering a vision for evolution

A primary focus for Rapid7’s People Strategy team is to help our Moose build the best career experience. Onboarding is the first step to building this experience. Denee D’Andrea, Sr. People Development Specialist and visionary behind the evolved program, recognized this and wanted to ensure that the program delivered the right content at the right time. This resulted in a new global onboarding experience that extended beyond one-and-done live sessions and self-paced content to a full, multifaceted experience, using blended learning and flipped-classroom approaches.

D’Andrea’s new onboarding vision focused on 3 key phases grounded in our Core Values: Connection, Impact in Your Role, and Embodiment of Bring You.

Rapid7 recognized creating connections was a key element of success while working in a hybrid environment. Because of that, D’Andrea partnered with organizations across the business to ensure opportunities for connection were threaded throughout the entire program. The Connection piece was fostered using the flipped approach – meaning the majority of “classroom time” was spent teaching through discussions led by Rapid7 Culture Ambassadors (our own Moose!) and subject matter experts.

Additionally, to stay true to the Challenge Convention mindset, I created a fully virtual, interactive multi-phase challenge with the goal of further encouraging connections. By navigating animations, digital games, and customized puzzles and codes, new hires were introduced to the security landscape, customer challenges, and Rapid7’s portfolio. The intentional design of the challenge provided the space and activities to encourage discussion and collaboration towards a common goal. New Moose would not only connect with each other (regardless of their location) but also feel like they were connecting with Rapid7’s history, culture, and Core Values.

Next, Impact in your Role focused on encouraging the Never Done mindset and highlighted the connection between individual growth and the success of our teams, customers, and the company as a whole. This mindset was woven throughout the entire 90 days, both within “classroom time” and in the on-demand, self-paced digital content. To create the most impactful learning environment, the team again utilized the flipped classroom. Live sessions provided collaborative learning and discussion opportunities, and then digital flipped-learning materials further fleshed out the learnings. This design ensured New Moose not only benefited from social learning but also fostered accountability to their development both during and beyond the onboarding experience.

And finally, Embodiment of Bring You. At Rapid7, we truly want our people to bring their authentic selves to their work because we believe that these unique perspectives, ideas, and values enable us to Challenge Convention and enhance the work we do. The final piece of the program, an experiential learning challenge, encouraged New Moose to embrace the value Bring You while collaborating with their cohort and Culture Ambassadors to build their cross-functional network.

The New New Moose

On January 3, 2022, this new program launched, for the first time, with a cohort of 43 New Moose. Since then, over 370 Moose, globally, have engaged with the program.

And how has it been? EPIC.

Making the Band is where our New Moose start building the career experience of a lifetime. This program not only motivates and empowers employees to embody our Core Values but also helps them to understand that we are #onemoose, and when we Impact Together, we accelerate together.

Check out what some of our New Moose are saying!

The program

  • “AWESOME… Onboarding has been an incredible experience so far… One of the best onboarding experiences I have had in my professional career… I believe Rapid7 has an amazing and talented team facilitating the onboarding experience.”

Virtual, interactive challenge (“Insuring” the Security of MiracleMoose Insurance)

  • “That was fun and engaging… The group roles/participation were great…it was a fun way to collaborate with my fellow new Moose… and the content was highly engaging which provided a meaningful intro to Rapid7's portfolio and the customer while also fostering communication and critical thinking skills.”

Stay tuned over the next several months to dive deeper into how People Development will be introducing flipped content and other innovative practices into all of their programs for 2022 and beyond in our blog series, “The Forecast Is Flipped.”



Security for All: How the Rapid7 Cybersecurity Foundation Will Expand Access and Inclusion

Rapid7’s mission is to advance cybersecurity for all — and an essential part of that effort is making the field and its best resources easier to access. That’s why we deliver solutions that meet the needs of large enterprises but can also be deployed and operated by more resource-constrained teams. It’s also why we’ve put so much time, effort, and capital into creating open-source tools and research that help democratize security knowledge.

In keeping with this focus, access and inclusion have also been at the core of our philanthropic and community engagement efforts. Over the years, we’ve launched and supported numerous initiatives to expand diversity by ensuring greater access to careers in cybersecurity. This includes supporting STEM programs that provide opportunities for experiential learning with industry professionals, as well as programs like Hack.Diversity that ensure we’re accessing the full talent landscape as we hire our next thousand employees.

Introducing the Rapid7 Cybersecurity Foundation

As we address the challenges in cybersecurity, we must also remain focused on ensuring the underserved and underrepresented have access to careers and solutions in the field. Over the past 10 years, we’ve allocated millions of dollars in support of organizations that help support this goal. In 2020, Rapid7 established and funded a Donor-Advised Fund with the Tides Foundation, and in 2021, we donated over $300,000 to numerous organizations from our Fund. But we were far from done. A few months ago, we formed the Rapid7 Cybersecurity Foundation and seeded it with $1 million.

The Foundation’s mission is to democratize cybersecurity by focusing on access for the underrepresented and underserved. We do this by promoting a diverse and inclusive cybersecurity workforce, supporting free and open security solutions, and advocating for those who often lack a voice in advancing security.

The Foundation will partner with organizations that work in the following areas in pursuit of creating a secure and prosperous digital future for all:

  • STEM education, diversity and inclusion in technology, and efforts by organizations to expand opportunities to historically underrepresented groups and make careers in cybersecurity more accessible for all
  • Open-source tools and volunteering to help make effective cybersecurity solutions available to under-resourced organizations, including nonprofits and municipalities
  • Research and policy advocacy to strengthen cybersecurity for vulnerable communities, improve cybersecurity awareness, and make achieving effective security outcomes more available to all

Putting purpose into practice

After more than 8 years of having the privilege of being Rapid7’s General Counsel, I’m ecstatic to have the opportunity to serve as Executive Director of the Rapid7 Cybersecurity Foundation and to head up our growing ESG (Environmental, Social & Governance) program. In preparing for this transition, I recently read the excellent 2022 Letter to CEOs written by Larry Fink, CEO and Chairman of BlackRock. In it, he writes that a clear sense of purpose, consistent values, and engaging with and delivering for key stakeholders is what distinguishes truly great companies.

Accelerating digital transformation continues to create new challenges and opportunities for cybersecurity practitioners and the industry. It is also redefining the relationship between a company, its employees, and society. Fink writes:

Putting your company’s purpose at the foundation of your relationships with your stakeholders is critical to long-term success. Employees need to understand and connect with your purpose; and when they do, they can be your staunchest advocates. Customers want to see and hear what you stand for as they increasingly look to do business with companies that share their values. And shareholders need to understand the guiding principle driving your vision and mission.

The Rapid7 Cybersecurity Foundation, with its focus on helping advance cybersecurity for the underserved and underrepresented, is a natural extension of Rapid7’s mission to advance cybersecurity for all. It’s part of our effort to put that guiding purpose at the center of our relationship with our customers, employees, and shareholders.

Later this week, we will be unveiling our first Social Good Report, which highlights our broader work advancing social good, for which the Foundation will be an important complementary vehicle. We are eager to get started and look forward to engaging with members of our community and organizations globally to help build a secure and prosperous digital future for everyone. Please reach out to info@rapid7.org to partner with us.
