John Patrick, Vice President of IBM, coined the term “ethical hacking” in the mid ’90s, but the concept dates back to the beginning of the entire notion of hacking. The word was first used by engineering students at MIT 40 years earlier and meant finding creative ways to optimize machines and systems to improve performance.
I myself was an ethical, “white hat” hacker for years. I worked with businesses to test defense systems for weakness and vulnerability to improve organizational security posture. This type of hacking is consistent with the original meaning of the word.
The truth is, the majority of hackers use their skill for good. But public perception of the label has gone dark due to malicious, “black hat” hackers creating one of the greatest challenges facing the modern world economy. White hats have been known to start their own companies to combat these cybercriminals and put an end to patterns they see in the field while ethically hacking. I am one of them and am here to discuss the skill set of a white hat and how it translates into successfully leading a cybersecurity company in today’s threat landscape.
Data from ESG and ISSA shows that a “lack of adequate training of non-technical employees” and a “lack of adequate cybersecurity staff” are the top two contributing factors to cybersecurity incidents. A white hat doesn’t need an extensive research project to understand this. Even better, we know exactly how to exploit weaknesses in personnel and can therefore develop systems to negate inevitable human error. These lessons are not always learned in a technical manner, and social engineering was the most telling way for me to understand when and where to strike.
Almost daily a network would announce a security flaw and recommend patching. It commonly takes large organizations weeks and even months to do this, and it’s the job of the white hat to figure out which companies have these security holes. Often it came down to trivial tactics such as calling or emailing companies and posing as an employee. I’d ask questions such as: have we been patched? What’s the timetable? How do these vulnerabilities impact our systems? This knowledge essentially gives you the keys to the castle. In terms of preparation for starting your own company, you understand how easily personnel can be taken advantage of and what type of technology and practices are needed to prevent disastrous consequences.
Jack of all trades
Bug bounties are increasingly being brought to the public eye by companies such as HackerOne and Cobalt, but bug bounty programs have kept white hats in business for years. These programs provide tremendous experience in leading a business.
The reason is that bug bounties give you exposure to many different products and platforms, providing intimate knowledge of how they tick from a security perspective. If you were to work at one company your entire career, you would only understand one type of tech stack. With bug bounty programs, your exposure is almost limitless. This prepares you for curveballs and provides the type of broad security knowledge essential for leading a company.
Information can be held for ransom, but the only thing that you absolutely cannot get back is time. When you’re a white hat, you have to be very careful how much time you invest in various avenues of attack. Time-boxing different approaches and moving on when things aren’t bearing fruit is a critical skill that yields results and translates extremely well into leading a company. As a leader, you have to realize when a particular initiative or approach isn’t working and quickly move on.
Tinker to the top
White hats are people who like to find out how things work under the hood. They are tinkerers, people who took things apart as kids and put them back together. It’s a trait some people have and some don’t. White hats do.
There simply aren’t enough people with this trait working in the cybersecurity field, so organizations are looking to automate tedious processes as much as possible to allow the tinkerers to carry out tasks that cannot be automated. These are the truly important tasks, such as making critical business decisions based on knowing how the engine really works.
Leveraging computer science skills
I found in my white hat career that the most successful white hats know how to write code and understand how programmers think. Software is where the vast majority of security flaws exist, and I used computer science knowledge to mentally reverse engineer a product, finding the places in the software where security controls might be difficult to add and where engineers might cut corners, in order to exploit a system.
When designing security technology or conceptualizing products of your own, having these computer science skills is a tremendous benefit in knowing what type of software can easily be compromised and what can’t.
Black hats are only going to get more sophisticated in their tactics and will see increased attack surface opportunity as businesses accelerate digital transformation. It’s up to the white hats to leverage their experience as a good bad guy and translate hacking skill into entrepreneurial success.
Bojan Simic, Co-Founder and CTO, HYPR