How to hire an ethical hacker
It’s important to look for aptitude and soft skills, as well as certifications, writes Haris Pylarinos, CEO of Hack The Box
The Cabinet Office’s recent advertisement for the position of Senior Ethical Hacker shone a spotlight on the growing trend towards offensive cybersecurity.
Today’s security teams must think and behave like attackers, finding vulnerabilities before the bad guys do. As Sun Tzu put it: “If you know the enemy and know yourself, you need not fear the result of a hundred battles.”
What is an ethical hacker?
First, let’s explain what ethical hackers do.
Ethical hackers, also known as ‘white hat hackers’, are cybersecurity experts who penetrate a computer system, network, application, or other computing resource on behalf of its owners – with their authorisation.
Organisations call on ethical hackers to uncover potential security vulnerabilities before malicious hackers get a chance to exploit them. So, they hack for ‘good’ reasons rather than ‘bad’ reasons.
It’s also important to note there are different professional roles within ethical hacking.
For example, penetration testers simulate cyber-attacks to help companies learn where there are security vulnerabilities in their computers and networks.
Another role is “bug bounty hunter”: they discover and report bugs to the owner under a disclosure or bounty programme, so the owner can fix them before criminal hackers exploit the underlying vulnerabilities.
The roles are not mutually exclusive, and professionals can choose to specialise in one or both. Both are lucrative and highly sought-after professions. In fact, Zoom awarded $1.8 million in bug bounty rewards last year.
What should you look for when hiring?
Finding the right ethical hacker is no easy task. To narrow the search, businesses must look for a few key traits which go beyond relevant experience.
First, candidates need to demonstrate high technical proficiency. This must take priority in the recruitment process, and fortunately it’s relatively easy to identify and evaluate.
For example, hiring managers could give candidates a time-boxed, live system-testing assignment against a lab environment the business controls and has authorised for testing, with candidates submitting a report of their key findings. This lets hiring managers gauge both a hacker’s knowledge of current exploits and attack vectors across the platforms organisations now rely on, such as cloud computing, and the quality of their written reporting.
Candidates must also have an innate curiosity about how things work, which helps them understand technology on a deeper level. As a result, ethical hackers should be able to spot vulnerabilities and dig into systems to find where they are misconfigured.
If a business is unable to assess the skills of a candidate, qualifications can be helpful in understanding the individual’s ethical hacking abilities.
Respected, up-to-date certifications such as the GIAC Penetration Tester (GPEN) or the CREST Registered Penetration Tester (CRT) are worth weighing in the hiring process.
In addition, Hack The Box has started to roll out the HTB Certified Bug Bounty Hunter (HTB CBBH), which is a hands-on certification designed to assess bug bounty hunting and web application pentesting skills.
But while certifications are a good way to validate a candidate’s skills, the lack of a certification should not prevent a candidate from continuing in the hiring process.
Practical evidence of an ethical hacker’s skill should also be considered. For example, a hiring manager can look at how often the candidate is active on hands-on training platforms and what their latest scores or rankings on those platforms are.
If the hacker is solving challenges and engaging with various difficulty levels of machines on a weekly basis, that is usually an indication a candidate is dedicating their time to perfecting their technical skills.
Soft skills such as communication, adaptability, and teamwork are also important when hiring an ethical hacker.
The best ethical hackers have an ability to communicate the severity of different situations clearly and accurately while being able to provide effective counsel as well.
What’s more, they should be able to provide actionable suggestions to mitigate issues and build a relationship of trust in a high-pressured working environment.