SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers
Story image
The business case for an in-house ethical hacker
Wed, 28th Oct 2020
FYI, this story is more than a year old

“To know your enemy, you must become your enemy”. That's the advice of renowned ancient Chinese military strategist Sun Tzu in his famous work The Art of War.

Becoming your enemy in the war against cyber-attackers translates to practising ethical hacking.

Ethical hackers, also known as penetration testers or white-hat hackers, mimic the techniques used by malicious hackers to try and break into computer systems and discover vulnerabilities before the bad guys can exploit them.

Ethical hacking has a reputation for being the most exciting job in IT, and ethical hacking skills are in high demand. Ethical hackers are certainly well-paid, considering there is no university degree required for the job. As of October 2020, Payscale reports the average salary for an ethical hacker to be US$82,469.

Demand is being driven by the rise in both quantity and quality of cyber-attacks on organisations.

The Australian Cyber Security Centre's (ACSC) Annual Cyber Threat Report for the year to June 2020 revealed that it had received cybercrime reports over the year at an average rate of one every 10 minutes.

The case for an in-house ethical hacker

Employment of an ethical hacker may well be beyond the budget of smaller businesses, but there are good reasons for a larger company to employ one full time.

Penetration testing is not like routine maintenance, which is undertaken at regular intervals. The cyber-threat landscape changes daily as new vulnerabilities are discovered in widely deployed software. Also, the IT environments of many organisations are continually changing, potentially creating new vulnerabilities.

A single successful attack could cost an organisation far more than the ethical hacker's salary, and there are other compelling reasons for having one on your team, rather than using an external contractor.

An ethical hacker who is part of the team is likely to have a much greater commitment to the long- term security of the business.

They will also develop a more intimate knowledge of your IT environment than any external contractor, giving them a distinct advantage when it comes to searching for vulnerabilities.

Spotting vulnerabilities within a network is not easy. It's problem-solving without knowing what problem you are trying to solve. However, a significant advantage of employing an ethical hacker is that they will become increasingly familiar with your network.

And if a breach does occur, an in-house ethical hacker is likely to be able to detect and counter it much faster than an external contractor less familiar with your environment.

There may also be a temptation to delegate ethical hacking duties to another member of the IT security staff. This would be a mistake. IT security staff already have their hands full keeping abreast of frequent developments in commercial software that can create new vulnerabilities, applying a constant stream of software patches. Expecting them to find time to try and break the system is likely to be an unreasonable burden.

It's also a task that demands proactivity. When staff are busy reacting to many other priorities, the job is likely to be neglected.

Ethical hacking certification

Once the decision is made to add an ethical hacker to the cybersecurity team, CISOs have two options: hire one or train an existing staff member. Due to such high demand in the field, it can often be a far more economical decision to upskill a current staff member, rather than hire a new employee. Either way, ethical hacking staff must acquire a qualification.

Certified cybersecurity professionals are trained in the latest hacking tools, techniques and methodologies used by hackers, enabling them to hack an organisation lawfully.

Students gain an in-depth understanding of ethical hacking phases, attack vectors and preventative countermeasures. They learn how hackers think and act, enabling them to configure security infrastructure to resist future attacks.

They learn to understand and identify system weaknesses and vulnerabilities and strengthen system security controls to minimise the risk of compromise.