Hackers and hacking groups seem intriguing to the common man. These words conjure up images of a group of nerdy individuals huddled in a basement, conspiring to steal information and money from people and organizations. But hacking is not limited to stealing and destroying, and not all hackers intend to cause damage. For instance, ethical hackers help organizations and government agencies find loopholes in security systems, so that they can be addressed. They help the organization lay down robust security controls to thwart potential attacks.
The widening gap between the supply of and demand for ethical hackers
It is hard to find cyber security professionals who have both broad technology knowledge and specific skills in security and risk assessment. In Intel Security's study, 71% of companies report that the shortage in cyber security skills causes them direct and measurable damage. On the other hand, passionate young minds who show an aptitude in this area can't always find a constructive environment to pursue their passion, and may be influenced to move towards the dark side of the field.
Finding the right hackers
Organizations could hire former black hatters. They could prove to be very skilled, as they have real-world experience in playing offense. There is a huge difference between people who have learned to defend a system and people who have experience in breaching a system. Even though it seems convincing, this approach has many flaws. After all, trust would be a big concern. What if the former hacker behaves in an unethical manner? So the question remains, is this the best way to guard your organization?
Another option would be to train the existing pool of IT experts in your organization. The major drawback of this approach is that these employees might lack the passion to thrive as security professionals. It also takes time and money to train employees. They need a significant amount of time, exposure to the security industry and work experience before they can become valuable resources for the organization. While this approach seems viable in the long term, it is very time consuming and cannot be used when there is an immediate need.
Crowdsourcing is an upcoming trend in the industry, which involves having the system reviewed by hundreds of security professionals across the globe. Of late, many organizations are joining crowdsourcing platforms like HackerOne and Bugcrowd to run their responsible disclosure programs. This is a smart way to detect vulnerabilities and manage your responsible disclosure programs, but it will only work if you have a rock-solid information security management strategy and execution capabilities in place.
Hacking contests: a popular disruption
Ethical hacking is a niche skill where the right attitude and aptitude matter more than an academic score. Conventional selection processes, guided by standard written assessments and personal interviews of candidates from a set of accredited colleges, therefore do not deliver the expected results.
In our experience, the most promising option would be gamified hiring. This format emulates real-life challenges by constructing various situations focused on showcasing specific personality traits that would otherwise be difficult to check. Introducing game elements can give recruiters a chance to assess the full profiles of candidates and help determine their drive for innovation, their ability to problem-solve, and their capacity to perform under pressure.
At TCS, 5.6% of campus recruitment happens through gamified hiring, and this figure is expected to grow much more in the coming years. One such successful initiative is HackQuest, an ethical hacking contest. The contest, held in January this year, saw more than 4500 students participating from 609 institutes across India. After the exciting competition, which lasted six hours, 19 bright, young ethical hackers secured their spot in the finals. Then, after cracking an on-the-spot hacking challenge in the finale, 18 students were offered suitable roles in TCS' Cyber Security unit. HackQuest helped us successfully identify the students who had the aptitude and attitude we were looking for.
Since conventional education and policies aren't meeting the increasing demand for security professionals, we need unconventional means. HackQuest showed that the next generation definitely has the talent. Enterprises need to identify, nurture, and channel such talent. Organizations are quickly moving to this new mode of hiring, and it's clear that those who are not will soon be at a disadvantage.
How does your company hire security professionals? Tell us in the comments section below.