The term “hacking” carries so many negative implications in the corporate world that few companies can perceive hackers as a force for good. Many erstwhile criminal hackers have discovered, however, that their skills are transferable to that corporate world and that they can use those skills on the positive side of the law to develop careers as cybersecurity analysts. Some of the more notorious black hat hackers from the past several years have successfully made this transition.
Consider, for example, Kevin Mitnick, who, at the height of his black hat hacking activities, lifted source code from DEC and Nokia and roamed freely within networks operated by Sun Microsystems and Pacific Bell. Following several arrests and many years in jail for his activities, Mitnick formed MitnickSecurity.com, which is one of the most successful white hat hacker cybersecurity analyst firms in the country. Another California-based hacker, Kevin Poulsen, utilized his hacking skills to break into phone systems and to manipulate those systems to win cars and cash from various contests. Poulsen evaded the FBI for more than 18 months before he was apprehended and served a short prison sentence. Following his release, he used his skills to nab a sex offender who had been targeting children on the social media platform MySpace.
Corporate demand for hackers with skills that match Mitnick’s and Poulsen’s hacking abilities has opened a path for programmers to start their careers as cybersecurity analysts without participating in illegal or improper activities. Network security companies are offering starting salaries of $50,000 to $100,000 per year to programmers who have cybersecurity experience. The perks of being a white hat hacker might not include the thrills that come with illicit hacking activities, but cybersecurity analyst positions also carry none of the criminal liability risks that hackers face every day when they target private or government information systems networks.
A white hat hacker will attempt to penetrate the security systems of a cybersecurity analyst company’s clients. They will scan network access ports and look for defects in operating systems and ineffective patches on those systems. They may attempt to contact low-level employees for password information or attempt to connect with a company’s internal personnel in the same manner as a black hat hacker. In most cases, a cybersecurity analyst company’s activities will be authorized by a small internal group from a client company that wants to test the integrity of its security systems. The challenges faced by white and black hat hackers are identical. Where white hat hacking is concerned, the hacking activities are authorized and do not expose the cybersecurity analyst to criminal liability.
As companies become more aware of the risks and liabilities that they face when their electronic systems are compromised, more of them are procuring cyber liability insurance to cover financial losses associated with those risks. Cyber liability insurance companies rely on white hat hackers’ services in the underwriting of those insurance policies. When a cybersecurity analyst determines that a company has erected more robust defenses against hacking and network incursions, that company’s cybersecurity insurance premiums will be substantially lower. If the analyst’s report reveals less adequate defenses, the target company will also then have an opportunity to improve weak systems and to get a more favorable insurance premium quote.
A small subset of hackers will always exist outside of the legitimate world of white hat hacking, virtually guaranteeing long-term employment for cybersecurity analysts. Companies that want the best protection for their information systems and networks will benefit from hiring an analyst who thinks like a black hat hacker in order to level the cybersecurity playing field.