Ethical hackers proved their worth over the 14 months in which the pandemic ravaged economies and organizations were at their most vulnerable, preventing $27 billion in cybercrime at a time when flaws threatened to overwhelm security teams worldwide.
During the period from May 1, 2020 to August 31, 2021, eight in 10 ethical hackers found a vulnerability they had never come across before, according to a report from Bugcrowd, which analyzed survey responses and security research conducted on its platform, as well as millions of data points on vulnerabilities from nearly 3,000 security programs that the company amassed. The findings represent a significant shift in the threat landscape.
The annual report dispels the stereotype of the shady, hooded hacker that Hollywood favors and instead noted that security researchers now skew younger, are more entrepreneurial and stretch across generations.
“I’m always inspired by the ingenuity and entrepreneurial mindset of those drawn to ethical hacking,” said Casey Ellis, founder and CTO at Bugcrowd. “Our latest report shows that 79% of ethical hackers taught themselves how to hack using online resources.”
And they have found opportunities in the wake of the pandemic. Nearly three-quarters, or 71%, said that remote work has led to higher earnings. “Our report found that 47% of ethical hackers earned more on Bugcrowd than they did in the previous period and the time between sending a report and receiving payment had decreased on the Bugcrowd platform; in some cases to less than 30 minutes,” Ellis noted.
Ethical hacking may also prove to be a path to much-needed diversity in the security industry. “The report also found that this is the youngest and most ethnically diverse generation of ethical hackers in history,” said Ellis. But women are still underrepresented. Only 3% of ethical hackers in the report are female.
“By incentivizing women or nonbinary individuals with broader scope and more accessible programs, organizations can empower a huge (and necessary) movement toward greater gender representation within the ethical hacking community,” the report said. “Without this continued advocacy, security teams risk spiraling into a homogeneous, uninspired culture — not to mention falling short of their social responsibility to promote diversity within the workplace.”
The strides this crop of hackers is making are undeniable. “The impact this cohort has on thwarting cyberattacks and advancing the industry is monumental, and this is sure to continue,” said Ellis.
Given the benefits, organizations would do well to lure ethical hackers.
“IDG Research Services found that 78% of IT leaders are not confident in their companies’ security postures, which led 91% of organizations to increase cybersecurity funding by 2021,” said Ellis. “Ethical hacking is the logical solution to testing the gumption of these investments, and there are a few different avenues for organizations to consider.”
But the market is competitive.
Ellis explained that “as a pentester, you are paid for your time,” while a bug bounty hunter is “paid for impact.”
But “either way, individuals who find themselves in this calling are looking for companies that treat their work with respect, communicate clearly, compensate fairly and fix issues in a timely manner,” said Ellis.
And steps must be taken to protect ethical hackers, who risk running afoul of the law just by doing their jobs.
“Anti-hacking laws around the world — such as the Computer Fraud and Abuse Act (CFAA) — are built on the idea that a hacker is a bad person by default and doesn’t make room for bounty hunters and good-faith hackers to do their work safely,” said Ellis. “Until these anti-hacking laws evolve — and as vulnerability disclosure, bug bounty and crowdsourced security programs grow — there’s a clear need to create and standardize legal ‘band-aids’ to bridge this legislative gap, and to drive the adoption of both VDP itself, and the kind of safe harbor languages that ensures that helpful hackers acting in good faith feel safe.”
He pointed to initiatives like “Hackers On the Hill” by I Am The Cavalry, the BOD 20-01 vulnerability disclosure directive from CISA/OMB, and the Hack The Pentagon program by the Department of Defense as “useful tools to demystify good-faith hacking and hackers themselves in the eyes of legislators.”
But more is needed. “The other thing would be renewed and persistent effort into updating and modernizing anti-hacking laws, and continuing the ‘rolling thunder’ started in this space over the last 10 years, including the Van Buren case — which involved, in no small part, educating SCOTUS themselves through friends briefings, as well as combating anti-hacker disinformation from others,” Ellis said.