In the world of Cybersecurity, there are essentially two players: The good guys and the bad guys. Without too much further explanation, we know what this really implies. The former are the average individuals and businesses in Corporate America, and the latter are the Cyberattackers.
It’s like a “We” versus “They”, in a constant tug of war, that seems to be never ending. But keep in mind also that not all of the good guys are good, and not all of the bad guys are totally bad either.
For example, just last night I was writing an article for a client on the risks of BYOD (which stands for “Bring Your Own Device”). One of them is the risk of an insider attack. Although you might be letting your employees use their own device to conduct their work-related matters, there is a grave security issue.
Although you may trust him or her with your life (in a proverbial sense) with you confidential Personal Identifiable Information (PII) as it relates to your customer base, there is that chance that this employee can turn their back against you and actually steal that PII that they have access to on their personal device to launch Identity Theft attacks.
On the flip side, the Cyberattacker really may not prove to be that bad after all. Note that I am not in any support for the nefarious threat vectors that they launch and the respective damages that it creates. But there is that chance, or even glimmer of hope that they could turn to the good side and use their intellect and knowledge and funnel that towards helping our cause.
In fact, in one of my podcasts, I even interviewed one guest who was a hacker in his mid to late teens, was actually questioned by law enforcement, and even brought to court. But at that time, there really no laws or legal precedence that could be used to prosecute this person, so he was given a short probationary period.
After realizing the legal gravity of what had just happened, my guest then decided to turn to the good side and use his knowledge and hacking powers in a job that he got with the federal government. This is just one story, but there are instances when Cyberattackers, all of a sudden wake up one morning and just come to the grips of what they are doing is wrong, and eventually, the potential is real that they could get caught and even get some serious time in prison.
So, when somebody turns to the good side, or has never done anything illegal before on the hacking front but wants to help businesses find their weak spots and vulnerabilities, this becomes technically known as “Ethical Hacking”.
In fact, there are even numerous Cybersecurity certifications given out for this, and one of the more popular ones is known as the “Certified Ethical Hacker”, or “CEH” for short. Believe it or not, many companies even now require individuals to have this designated certification even before they will be considered for an interview for a Penetration Testing role.
Because of what an Ethical Hacker can offer to the table, this has actually started to become a lucrative career for those individuals who possess this unique skillset. In fact, according to a recent market research project that was conducted by HackerOne, 18% of the respondents polled claimed that Ethical Hacking is now their full-time career.
This study has been published in a report entitled the “2020 Hacker Report”, and it can be downloaded at this link:
Hackers from all over the world were polled, and here are some of the other results that the survey found:
*Bug Bounty programs – where companies offer huge sums of compensation to Ethical Hackers finding for vulnerabilities and gaps that can be discovered in their software applications (typical examples of this include Google, Microsoft, Apple, Oracle, etc.) have increased by almost 1,000. In fact, the total payout in 2019 was over $40 million, and so far in 2020 earnings are well over $82 million;
*There are more than 600,000 Ethical Hackers worldwide, and that number just continues to grow by the leaps and bounds;
*There are nearly 850 hackers that turn to the good side on a daily side in order to help businesses worldwide;
*78% of the respondents have claimed that they have used Ethical Hacking as a steppingstone for other, more lucrative positions in Cybersecurity;
*40% of the Ethical Hackers do it hacking jobs for at least 20 hours per week;
*Most of the Ethical Hackers are actually based here in the United States (at 19%), followed by India (at 10%), Russia (at 8%), China (at 7%), Germany (at 5%), and Canada (at 4%).
My Thoughts On This
Honestly, if I could, I would even make Ethical Hacking a career, along with the technical writing that I do. But it is very important to keep in mind. Hacking requires a totally different mindset, and it requires one to have a rather substantial experience in coding (such as Python), and have the ability to sit at long hours in front of a computer in order to break down the walls of defenses of a particular company and to find their weak spots.
Not just anybody can do it, it also requires a very unique way of thinking and perception as well. So, this now comes down to the other issue: The severe workforce shortage that currently exists in Cybersecurity. As I have written about before, this is actually a Catch 22 proposition. For instance, there are many individuals out there that have a degree in Cybersecurity, but companies don’t want to hire them because of their lack of experience.
They only want to hire experienced professionals, and because of the enormous amount of pressures that they are put under, the burnout rate is very high, especially with CIOs and CISOs. In the end, this like a vicious circle, with no clear end in sight. At some point in time, businesses are simply going to have to hire people with some skillsets and bring them up to speed to where they need to be at.
So, in this regard, why not hire an Ethical Hacker to be a part of your IT Security team? You may not hire him or her as a direct employee at first, but you could even start them out as a contractor. After all, they have the skillset you will most likely need, as well as the real-world experience that you, the hiring managing are savoring after. This is one way of shortening up the wide Cybersecurity employment gap.
But also, Ethical Hacking can also be used in the legal front as well. For instance, once a Cyberattacker has been apprehended, and depending upon the severity of their crimes, the prosecution team could perhaps offer this individual a form of required community service in which they have to offer Ethical Hacking services for good purposes to Corporate America. If after successful completion of this, perhaps then the charges could be dropped against this individual, and perhaps even be hired on somewhere else as an Ethical Hacker.
Keep in mind that prosecuting a Cyberattacker and trying to lock them up is costly, and a very time-consuming process. So why not use this approach when a Cybersecurity suspect has been apprehended? This could perhaps even lead to other Cyberattackers and groups to turn over to the good side as well, just as Darth Vader did in “Return of the Jedi”.