On Hiring a Hacker


One could argue that there are two crises in the IT world today. The first is the seeming inability of many (or even most?) companies to secure their IT infrastructure, and the second is the shortage of talent to help them do so. This article will explore the motivations and challenges that businesses face in hiring qualified individuals for Information Security roles, with special attention to the roles that hackers play.

What is a Hacker?

Let’s start by clarifying what we mean by a “hacker.” In its modern and colloquial meaning, it refers to an individual who has the skills necessary to bypass the conventional deterrent controls we deploy to protect our IT resources and sensitive information. The term is often prefaced by “black hat” or “white hat” (think: Western movies) to distinguish those that act in their own interest to defeat an organization’s security from those acting to improve the security of an organization. In practical terms, this means that “white-hat” hackers, also known as “Ethical Hackers,” have previously obtained the permission of the organization they attempt to breach, whereas “black-hat” hackers have not.

The irony, of course, is that there is huge overlap in the skillset of black-hat and white-hat hackers, and the same skills that enable one to breach an organization’s security also empower one to make specific and concrete recommendations as to how to improve it.

Readers who are interested in learning Penetration Testing skills should read our article entitled “How To Become A Professional Hacker”.

Why Hire a Hacker?

When I was a kid (totally dating myself here), there was a popular TV series called “It Takes a Thief,” starring Robert Wagner as a reformed elite criminal who assisted law enforcement in catching criminals. (As an aside, he was highly skilled, and very cool for the times.) The underlying premise of the show was “to catch a thief, you need a thief.” In other words, to anticipate what the bad guys will do, you need to think like them. You probably see where I am going with this.

The conventional approach to cybersecurity is to embrace a continuous ongoing improvement model that iteratively assesses risk, identifies and implements risk-reduction controls and policies, and then measures against practical success criteria; rinse and repeat.

The role of the hacker comes into play during the “measure against practical success criteria” portion of the process. A typical goal of cybersecurity initiatives is to reduce the number of network and software vulnerabilities, particularly those that are “exploitable” (i.e. can be used to effect a breach). Who is better qualified to find them and recommend deterrents than a professional hacker?

The professional job title is “Penetration Tester,” and it describes someone responsible for the ongoing security testing of network infrastructure, web-applications, and other software. The deliverables are typically test reports that detail the vulnerabilities found, whether and how they were exploited, and recommendations for their elimination.

Regardless of whether it is full-time or part-time, employee, contractor, or vendor, a Penetration Tester is an essential role within any company that seriously hopes to thwart attackers.

Finding a “Hacker”

Assuming that you agree with the premise that you would be better off having a friendly hacker testing your infrastructure before a hostile one does, the question becomes how you find one that best serves your needs. The avenues are fairly obvious:

  • Try to hire one
  • Try to grow one inside the organization
  • Contract one

As you ponder which of the options is viable within your organization and situation, recall our earlier premise that there is currently a dearth of cybersecurity talent, and consequently proficient Penetration Testers are neither common nor cheap.

Qualifying a “Hacker”

Candidates must be carefully screened to ensure they have the necessary skills. This is often especially challenging because the hiring organization may be completely lacking in those skills themselves. The organization might engage a specialized recruiter or consultant to assist them, but this is sounding more expensive by the minute. I can hear managers saying, “I was lucky enough to get the headcount to begin with; I can’t go asking for more funding to qualify them.”

Thus, we broach the topic of Certifications: topic-specific industry standard accreditations that professionals may earn to demonstrate their knowledge, expertise, and commitment to their profession. Such professional certifications are essentially third-party endorsements that an individual has demonstrated a core knowledge of a particular subject.

IMPORTANT: Certifications are no substitute for a rigorous interview and qualification process for candidates, and I am not suggesting otherwise. It is safe to ask, however: if all other things are equal, why wouldn’t you choose the candidate with relevant industry recognized credential(s)?

In the context of Penetration Testing, one such certification is the “Certified Ethical Hacker,” developed and managed by the EC Council. It is one of many, but a good example of a widely recognized, highly respected credential that demonstrates the holder has made a study of Penetration Testing.

A “Certified Ethical Hacker” (CEH)

If we consider the actual skills that an effective Penetration Tester must bring to the table, the list is extensive and intimidating. The individual must be knowledgeable in the following areas:

  • Networking, wired and wireless
  • Host and service discovery
  • Network and Application (desktop, web, and server) Vulnerability Scanning
  • Vulnerability Exploitation
  • Social Engineering
  • Technical Writing
  • Technical Presentations

We must then consider the hundreds of tools available in each of these areas and acknowledge that a working competency of at least one tool in each area is necessary.

It is a formidable skill set, which leaves no wonder as to why such individuals are in scarce supply.

The Certified Ethical Hacker certification realistically acknowledges these requisite skills and does its best to test for them in the form of a 125-question, multiple-choice, 4-hour proctored examination. Exam preparation training is typically grueling: 5 full days of lectures and hands-on labs, punctuated with thought-provoking mock exam questions.

Concluding Thoughts

Readers (who remain conscious at this point) will note that we made the following arguments, which I am elaborating slightly for dramatic effect at the end of the article:

  • It is a good idea to have a Penetration Tester around, at least periodically
  • Penetration Testers need to know a lot about a lot of things, and consequently they are hard to come by
  • Due to high demand and scarce supply, truly qualified individuals will command premium compensation in the marketplace
  • Current market dynamics incentivize individuals to present themselves as more qualified than they actually are
  • Industry standard certifications distinguish the professionals who have earned them as being committed to their role and the industry
  • It may be more practical to grow Penetration Testing skills internally rather than seek to recruit them
  • Encouraging and incentivizing existing employees to obtain industry standard Penetration Testing certifications such as Certified Ethical Hacker can be part of a strategy to grow much needed cybersecurity expertise in-house

About the Author

Joseph Fisher is the founder and President of Affinity IT Security, a cybersecurity consulting firm that includes Penetration Testing in its portfolio of services, and which offers training and exam preparation for the EC Council Certified Ethical Hacking certification.
