Disruptive by Design: When Doing Good Is Done Well
If you have been living in a cave, Malaysia’s Borneo rainforest or the 1950s, then you might be among the few people unfamiliar with the power of crowdsourcing.
The term, a convenient meshing of the words crowd and outsourcing, refers to tapping a group of people with similar skills or interests and offering them a venue through which they compete or collaborate to accomplish a particular task, job or goal. Typically, crowdsourcing is carried out by leveraging the ubiquitous connectivity of the Internet. (For more, see “Crowdsourcing Confronts Cyber Challenges.”)
Successes still tend to surprise individuals and organizations. Take the annual Project for Awesome campaign, for example, which raised nearly $2.2 million last year to benefit various charities. Participants create and upload videos to YouTube advocating for their favorite charities, and the community promotes the videos to raise money for their causes.
Companies have taken notice of the reach of such crowdsourcing tactics. And now a new movement could capitalize on the concept, with a few well-placed tweaks, to create and deliver goods and services.
It could work, but it also could be fraught with risks. Imagine if cybersecurity tasks were crowdsourced. We’ll get to that in a bit.
Sure, the labor for goods and services might be cheaper, but the quality could suffer. If that’s the case, companies could end up losing trust and patrons.
The concept is not without precedent. A few years ago, The Coca-Cola Company launched its Share a Coke campaign, a movement not at all philanthropic but wildly successful. The catchy marketing effort displayed people’s names on bottles in place of the company’s logo. The campaign featured a designated website and a hashtag that prompted drinkers to post on various social media platforms pictures of themselves with friends and family members holding personalized bottles. They commoditized through crowdsourcing—well, marketed, at least.
Others are thinking of taking the idea a bit further, and perhaps it could easily be done. It is simple economics.
The premise is rather straightforward: Take a good or a service and add a platform that can collect hundreds or thousands of bids for producing or delivering it. Voilà! That good or service is now affordable and presumably easier to provide or produce.
While commoditizing a service or a good in this way is beneficial, inevitably, a faction of the ecosystem will argue against it—and with good reason. Yes, cheaper labor can be obtained from a larger, more competitive talent pool, but the value of a crowdsourced product is much less than the value of a unique product produced by a loyal, hardworking employee. To stay competitive and to get work, consultants will drop prices to match competitors that might be in an entirely different demographic.
Firms such as Microtask, Freelancer and Fiverr provide crowdsourcing capabilities to a handful of industries, including some of the highly specialized fields within the cybersecurity domain, such as reverse engineering, vulnerability discovery and exploit development. While search engine optimization or graphics requests are more common services on these sites, there is the promise of growth in cyber. The crowdsourcing industry still is young, rife with job opportunities, microtasks and even resources. Eventually, as with many industries, one or two startups will gain popularity and buy out the others. This consolidation of talent will yield more frequent listings of those specialized cybersecurity services.
That said, propelling a good or a service to a commodity is a secondary issue when it comes to national security. To compound the issue of a created “assembly line” of security services provided via crowdsourcing, there is a trust factor. A cybersecurity firm hired to conduct a digital forensic investigation or to perform an application penetration test for a government agency must assume a high degree of accountability. Within the crowdsourcing paradigm, functions such as employee vetting might fall within an area not yet governed by standards or best practices. Consider the implications if the hiring process becomes: “Accept anyone with an email address.” Is this how you want to choose the people who can access company applications and intellectual property?
Questions to ask before lining up products, web applications or mobile services to be tested by a crowd include:
• Are all identifiable vulnerabilities being reported?
• Would this otherwise untrusted entity, whether foreign or local, have access to the target application?
• Does the crowdsourcing firm support testing that originates from a single address or a static pool of known Internet Protocol (IP) addresses?
• Does the crowdsourcing firm allow access to dossiers or profiles of its team members?
• Will the firm allow rejection of a tester?
It is an unavoidable outcome that the value of a pool of skilled workers will diminish as more talent develops. It is likewise an outcome that firms will acquire cheaper labor as focus fields become commodities. We cannot let that happen to the cybersecurity ecosystem. The notion that highly skilled, trustworthy, vetted professionals are scarce, expensive or unobtainable might be true, but it also is reversible.
Orlando Padilla is the founder of San Antonio-based Nomotion Software, which delivers cyber and software development consulting services for public and private organizations. He has lectured at MIT Lincoln Laboratory and the Government Forum of Incident Response and Security Teams (GFIRST) and published several white papers. He is a member of AFCEA’s Alamo Chapter. The views expressed are his alone.