Information Age’s guide to recruiting ethical hackers

If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.

― Sun Tzu, The Art of War

It’s no longer a case of if but of when you will fall prey to a hacker, or so industry experts and business leaders agree.

Despite this growing awareness and the notoriety around cyber risks, digital vulnerabilities persist. 2018 has been a tumultuous year for data breaches; the total value of penalties imposed by the Information Commissioner’s Office (ICO) rose to just under £5 million in the 12 months to the 30th of September 2018, up 24% from £4 million the year before. In today’s post-GDPR world, the ICO can now impose fines of up to €20m (£17.8m) or four per cent of annual global turnover.

With no slowdown in the number of cyber attacks in sight, there is, surprisingly, some good news: not all hackers are out to harm your business. There is a growing market of ethical hackers who want to earn money protecting organisations.

The bad news: ethical hackers are pretty hard to find. There is a major shortage of trained cyber security professionals of every kind at the moment. A recent report from Frost & Sullivan and (ISC)² found that the global cyber security workforce will have more than 1.5 million unfilled positions by 2020. Demand for ethical hackers is particularly high, which is reflected in their salaries.

According to Joblift, an online job platform, within the past three years, 3,240 ethical hacker jobs have been posted in the UK, with these positions increasing by 4% on average each month. Furthermore, during the same time frame around 3,297 Google searches for ethical hacker jobs were recorded in the UK, with this demand increasing by a staggering 12% monthly, on average.

Demand is currently outstripping supply.

If, however, despite the high salaries and the skills gap, you decide you’d like to recruit an ethical hacker, you’ll find the information below useful (you’re welcome, by the way!).

What are ethical hackers and why use them?

The media has played fast and loose with the term hacker, and as a result all hackers get a bad reputation, which isn’t fair.

In reality, the term hacker is very broad: some are criminals, but most aren’t. A hacker is just a person who enjoys taking things apart and putting them back together again, someone who obsesses over technical problems out of pure interest. A hacker can be anyone, anywhere, from any background.

In layman’s terms, ethical hackers use the techniques of malicious hackers to identify the weak points in an organisation’s cyber security, and then use that knowledge to improve its defences.


There are several alternative names for ethical hackers, such as penetration testers (pentesters), white hats or red teamers; some even call them security analysts (boring people).

With the appropriate skills in place, ethical hackers can guide organisations through numerous aspects of digital security, and make the business much more resistant to attacks.

Their advice can range from teaching programmers and app developers how to write code that is harder to exploit, to showing other members of staff how to choose passwords that are harder to guess, or how to avoid falling for phishing emails.

Certifications to look for

Ethical hacking is a young industry, just 15 or so years old, so it doesn’t yet have the professional safeguards and career progressions that more established professions have.

Luckily, hiring an ethical hacker doesn’t mean getting your crypto wallet out and wading through the dark web. There are some qualifications businesses can look for to assess the credibility of a candidate. A number of organisations, such as The Council for Registered Ethical Security Testers (CREST), Mile2, the SANS Institute and the EC-Council, all run examinations and grant qualifications to ensure the right skills are being developed in the industry.

Keiron Shepherd, Senior Security Systems Engineer (UK&I) at F5 Networks, added: “There are other security credentials that will help you find those qualified for the role, such as CEH, OSCP and GIAC. Their certifications in ethical hacking are relatively new so the number of qualified individuals in the talent pool will be relatively small.

“While they can be desirable qualifications from an employer’s perspective, there will be a large number of experienced hackers who don’t agree with or see the need for such accreditation. This will change in the future as the perception around ethical hacking changes and the profession becomes more mainstream.”


“Indeed, there are university degrees,” argues Paul Mason, Head of Education at Secarma Ltd, but he says “some degrees are better than others, and the skills-set you need is really really vast.”

“With these courses, you end up with a chicken and an egg situation. You come out with a degree but you still don’t have a truly industry-recognised qualification. To do that you have to self-fund it yourself — a lot of hackers go down that route, they save up in their spare time. At the same time, some of the best people that I employ were kids that dropped out of school at sixteen.

“If a standard business wants an ethical hacker, they need to commit to really supporting them, so you might not be hiring people that are fully qualified yet but in the space of one or two years, as long as you commit to supporting them, you can really turn them into what you need.”

In-house training

A key place to look for ethical hackers is in-house, particularly among the people who built the application, code or network in question, since their intimate knowledge of how these things work helps uncover the bugs within the system. More often than not, they already have a list of bugs as long as their arm but have never disclosed them, because “it’s not their job” and they assumed it was the responsibility of someone in the cyber security department.

However, this has its limits.

Mason explained: “Even if you have an in-house hacker, the cyber landscape is so complex, ideally, you’ll still want to hire an external security service for the sake of assurance. You need to do both, you can’t just grow your own inside a business and rely completely on them.”

Hackathons and the importance of community

According to Daniel Beresford, Principal Consultant at Acumin Consulting, recruiters need to understand that ethical hackers come from all walks of life and do not conform to a defined career path.

He added: “Some ethical hackers tend to avoid businesses with restrictive corporate structures, extensive travel and limitations on remote working.”

When trying to find the right candidates, “there are some essential places your organisation should be seen,” says Beresford. “While the Dark Web is a good recruiting ground for so-called ‘Black Hats’ (unethical hackers), there are now plenty of opportunities for employers to spot talented ethical hackers at organised events like the annual Cyber Security Challenge, Hackathon and Black Hat.

“It’s also worth bearing in mind that the current market is candidate-driven and that the ability to have expert insight into the recruitment landscape is key to understanding where talent is, and how to attract it.”


Bug the Bounty Hunter

“While some may choose to employ them directly, it is far more common for a business to offer a ‘bug bounty’ scheme, where operating under strict terms and conditions, any member of the public has the opportunity to search for and submit vulnerabilities they discover for a chance to earn a bounty,” says Keiron Shepherd from F5 Networks. “This works well for publicly available services, such as websites or mobile apps.

“If the affected organisation confirms the validity of the discovery, the payout can range from a few hundred pounds to tens of thousands of pounds, depending on the level of perceived risk.

“Using crowdsourcing and paying incentives to hackers to look for your bugs has obvious benefits: it rewards hackers with kudos or hard currency on the successful discovery of a bug.

“It also provides organisations looking for ethical hackers the benefit of having technically savvy employees who are incentivised to look for bugs and deliver them back to the organisation through responsible disclosure.”

A number of organisations already run such schemes, including Apple and even the US military.


Andrew Ross

As a reporter with Information Age, Andrew Ross writes articles for technology leaders, helping them manage business-critical issues both for today and for the future.