This article was co-authored by Mitch Harris. Mitch Harris is a Consumer Technology Expert based in the San Francisco Bay Area. Mitch runs his own IT Consulting company called Mitch the Geek, helping individuals and businesses with home office technology, data security, remote support, and cybersecurity compliance. Mitch earned a BS in Psychology, English, and Physics and graduated Cum Laude from Northern Arizona University.
There are 16 references cited in this article, which can be found at the bottom of the page.
Hiring an ethical hacker, also known as a "white hat," can help you protect your business from threats like DDoS attacks and phishing scams. We'll help you find qualified candidates who can find and fix any security weaknesses in your company's internet technology.
Steps
Filling the Position
1. Evaluate the risks of going unprotected. It may be tempting to try to save money by sticking with your existing IT team. Without specialized backup, however, your company’s IT systems will be vulnerable to attacks that are far too sophisticated for the average computer whiz to catch. All it would take is one of these attacks to do serious damage to your business’s finances—and reputation.[1]
- All told, the average cost of securing and cleaning up an online data breach is around $4m.[2]
- Think of hiring a white hat as taking out an insurance policy. Whatever their services command is a small price to pay for your peace of mind.
2. Identify your company’s cybersecurity needs. It’s not enough to simply decide that you need to beef up your internet defenses. Come up with a mission statement outlining exactly what you hope to accomplish by hiring an outside expert. That way, both you and your candidate will have a clear idea of their duties going in.[3]
- For example, your financial company might need increased protection from content spoofing or social engineering, or your new shopping app may put customers at risk of having their credit card information stolen.[4]
- Your statement should function as a kind of reverse cover letter. Not only will it advertise the position, but also describe the specific experience you’re looking for. This will allow you to weed out casual applicants and find the best person for the job.
3. Be prepared to offer competitive pay. Having an ethical hacker on your side is a wise move, but it isn’t a cheap one. According to PayScale, most white hats can expect to pull in $70,000 or more per year. Again, it’s important to keep in mind that the job they’ll be performing is worth what they’re asking. It’s an investment you most likely can’t afford not to make.[5]
- An inflated pay rate is a small financial setback compared to having a hole blown in the IT system that your company depends on to make a profit.
4. See if you can hire a hacker by the job. It may not be necessary to keep a white hat on your IT staff full time. As part of your objectives statement, specify that you’re looking for a consultant to spearhead a major project, perhaps an external penetration test or a rewrite of some security software. This will allow you to pay them a one-time retainer rather than a continual salary.[6]
- The odd consulting job may be perfect for freelance hackers, or those who have recently received their certification.
- If you’re pleased with your cybersecurity expert’s performance, you can offer them a chance to work with you again on future projects.
Tracking Down a Qualified Candidate
1. Look for candidates with Certified Ethical Hacker (CEH) certification. The International Council of Electronic Commerce Consultants (EC-Council for short) has responded to the growing demand for ethical hackers by creating a special certification program designed to train them and help them find employment. If the security expert you interview can point to official CEH certification, you can be sure they’re the genuine article and not someone who learned their craft in a dark basement.[7]
- While hacking credentials can be a difficult thing to verify, your candidates should be held to the same rigorous standards as all other applicants.
- Avoid hiring anyone who can’t provide proof of CEH certification. Since they don’t have a third party to vouch for them, the risks are just too high.
2. Browse an online ethical hacker marketplace. Take a look at some of the listings on sites like Hackers List and Neighborhoodhacker.com. Similar to ordinary job search platforms like Monster and Indeed, these sites compile entries from eligible hackers seeking opportunities to apply their skills. This may be the most intuitive option for employers who are used to a more traditional hiring process.[8]
- Ethical hacker marketplaces only promote legal, qualified specialists, which means you can sleep easy knowing that your livelihood will be in good hands.
3. Host an open hacking competition. One fun solution that employers have started using to attract prospective candidates is to pit competitors against one another in head-to-head hacking simulations. These simulations are modeled after video games, and are designed to put general expertise and fast-thinking decision making abilities to the test. The winner of your competition may just be the one to provide the support you’ve been looking for.[9]
- Have your tech team cook up a series of puzzles modeled after common IT systems, or purchase a more sophisticated simulation from a third party developer.[10]
- If devising your own simulation is too much labor or expense, you could also try getting in touch with past winners of international competitions like Global Cyberlympics.[11]
4. Train a member of your staff to handle your counter-hacking duties. Anyone is free to enroll in the EC-Council program that white hats use to earn their CEH certification. If you’d prefer to keep such a high-profile position in-house, consider putting one of your current IT employees through the course. There, they’ll be taught to perform penetration testing techniques that can then be used to probe for leaks.[12]
Bringing an Ethical Hacker into Your Business
1. Conduct a thorough background check. It will be necessary to have your candidates thoroughly investigated before you even think about putting them on your payroll. Send their information off to HR or an outside organization and see what they turn up. Pay particular attention to any past criminal activity, especially anything involving online offenses.[15]
- Any type of criminal behavior that pops up in the results of a background check should be considered a red flag (and probably grounds for disqualification).[16]
- Trust is key to any working relationship. If you can’t trust the person, they don’t belong in your company, no matter how experienced they are.
2. Interview your candidate in depth. Assuming your prospect successfully passes their background check, the next step in the process is to conduct an interview. Have your IT manager or a member of HR sit down with the candidate with a list of questions prepared, such as "How did you get involved in ethical hacking?", "Have you ever performed any other paid work?", "What sorts of tools do you use to screen for and neutralize threats?" and "Give me an example of how you would defend our system from an external penetration attack."[17]
- Meet face-to-face, rather than relying on phone or email, so you can get an accurate idea of the applicant's character.
- If you have any lingering concerns, schedule one or more follow-up interviews with another member of your management team so you can get a second opinion.
3. Assign your cybersecurity expert to work closely with your development team. Going forward, your IT team’s number one priority should be preventing cyber attacks rather than cleaning up after them.[18] Through this collaboration, the people creating your company’s online content will learn safer coding practices, more exhaustive product testing, and other techniques for outsmarting would-be scammers.[19]
- Having an ethical hacker there to check each and every new feature may slow down the development process slightly, but the new airtight security features they devise will be worth the delay.[20]
4. Inform yourself on how cybersecurity affects your business. Take advantage of your white hat’s wealth of knowledge and learn a bit about the types of tactics commonly used by hackers. When you begin to form an understanding of how cyber attacks are planned and carried out, you’ll be able to see them coming.[21]
- Ask your consultant to submit regular, detailed briefings on what they’ve uncovered. Another way to brush up is to analyze their findings with the help of your IT team.[22]
- Encourage your hired hacker to explain the measures they’re implementing rather than just leaving them to do their thing unquestioned.[23]
5. Keep a close watch on your hired hacker. While it's unlikely that they'll attempt anything unscrupulous, it's not outside the realm of possibility. Instruct the other members of your IT team to monitor your security status and look for vulnerabilities that weren't there before. Your mission is to protect your business at all costs. Don't lose sight of the fact that threats can come from the inside as well as the outside.[24]
- An unwillingness to explain their exact plans or methods to you may be a warning sign.[25]
- If you have reason to suspect that an outsourced specialist is harming your business, don't hesitate to terminate their employment and search for a new one.
Expert Q&A
Question: What qualifications should I look for in an ethical hacker?
Mitch Harris, Consumer Technology Expert: Look for someone who is authoritative, not authoritarian. A qualified professional should address your fears and concerns with knowledge and instruction, not overbearing direction.
Question: How do you manage an ethical hacker?
Mitch Harris, Consumer Technology Expert: Establish simple rules for your employee. If your rules are too tedious, they might not follow them.
Warnings
- Stay away from uncertified free agents, hackers with strong political or religious leanings, and so-called “hacktivists.” These rogues may attempt to use the information they gain access to for insidious purposes.
- Working with a hacker, even an ethical one, could reflect poorly on your company in the eyes of your partners or clients.
References
1. http://www.businessnewsdaily.com/8231-small-business-cybersecurity-guide.html
2. https://www.esecurityplanet.com/hackers/how-to-hire-an-ethical-hacker.html
3. https://www.techworld.com/careers/how-hire-ethical-hacker-3653832/
4. https://www.esecurityplanet.com/hackers/how-to-hire-an-ethical-hacker.html
5. http://www.tomsitpro.com/articles/white-hat-hacker-career,1-1151.html
6. Mitch Harris. Consumer Technology Expert. Expert Interview. 23 June 2021.
7. https://cert.eccouncil.org/certified-ethical-hacker.html
8. https://www.recruiter.com/i/how-to-hire-an-ethical-hacker/
9. https://www.techworld.com/careers/how-hire-ethical-hacker-3653832/
10. https://www.fastcompany.com/3026749/not-your-typical-hackathon-symantecs-cyberwar-simulation-transforms-employees-into-criminals
11. https://www.cyberlympics.org/
12. https://www.eccouncil.org/programs/certified-ethical-hacker-ceh/
13. https://www.eccouncil.org/wp-content/uploads/2016/02/cehv9-brochure.pdf
14. http://www.gocertify.com/certifications/ec-council/certified-ethical-hacker.html
15. https://www.esecurityplanet.com/hackers/how-to-hire-an-ethical-hacker.html
16. http://www.techrepublic.com/blog/it-security/hiring-hackers-the-good-the-bad-and-the-ugly/
17. http://resources.infosecinstitute.com/ethical-hacking-interview-questions/
18. Mitch Harris. Consumer Technology Expert. Expert Interview. 23 June 2021.
19. http://www.techrepublic.com/article/ethical-hackers-how-hiring-white-hats-can-help-defend-your-organisation-against-the-bad-guys/
20. https://www.esecurityplanet.com/hackers/how-to-hire-an-ethical-hacker.html
21. http://www.businessnewsdaily.com/8231-small-business-cybersecurity-guide.html
22. Mitch Harris. Consumer Technology Expert. Expert Interview. 23 June 2021.
23. Mitch Harris. Consumer Technology Expert. Expert Interview. 23 June 2021.
24. http://blog.trendmicro.com/the-inside-job-how-hackers-are-stealing-data-from-within/
25. Mitch Harris. Consumer Technology Expert. Expert Interview. 23 June 2021.