During RSA 2018, IT Career News sat down with Alex Heid, white hat hacker and chief research officer of SecurityScorecard, to learn more about ethical hacking and how IT pros can get into the field. Before joining SecurityScorecard, Heid worked in counterintelligence and also did ethical hacking for the finance industry.
How did you get into information security?
It’s probably something I’ve been doing since I was a kid, through the world of video games. Growing up, my computer was even a legacy system back then, and it didn’t have the capability to play all the fancy games my friends were playing. I made it a point to make it as difficult for them to play their games as possible. I had to learn to maximize my resources and make their fancy resources difficult. Eventually, that became a career.
I like breaking stuff. I’m not much of a developer. I can kick over sandcastles really well, but not so much build them.
How have ethical hacking and penetration testing evolved?
Ten years ago, executives would need convincing that there was a need. “White hat hackers – why would we need such a thing? Were you not doing your job? You don’t think it’s secure?”
Even for someone who’s not technical, there’s still a place for them in the information security world.
Now there’s a known need for it, so it’s becoming part of compliance and standards of business. You need to have an external offensive type of security system, and I think it’s going to continue to grow, especially as more regulation frameworks get mandated and more breaches happen. The surface area is widening massively with new technologies. It’s all vulnerable, one way or the other.
It’s all set up by humans at the end of the day, and it’s humans who are not talking to each other. One company makes the technology and another company buys it. One person installs it, but another configures it, another fixes it and yet another uses it, so there’s a disconnect. That’s where the concept of the information security specialist and the white hat hacker come into play.
When you compare white hats versus black hats, there might be more money available in the black hat world, but you have to look over your shoulder all the time, and there’s a very good chance the lawyers will get all your money after it’s all said and done. In the white hat world, you can make a living and you don’t have to worry about the negative implications. You can actually do good instead of harm, which is a better feeling.
How would you compare the roles of ethical hacking to cybersecurity analyst?
White hat hacking is a domain of information security overall. Even for someone who’s not technical, there’s still a place for them in the information security world. Compliance regulations, business continuity practices, all of the old business frameworks that now need to recognize there’s a cyber component to be integrated with that.
Whether or not they need to know the ones and zeros, usually not. There’s likely someone on the team who knows that. Don’t be discouraged if you don’t have a technical background because there’s so much opportunity.
Hesitation is the enemy of anyone who wants to get in, because the sooner they get in, the better. Start attending groups like the Information Security Systems Association (ISSA) and the Open Web Application Security Group (OWASP) – these are high-level, welcoming groups. They’re usually pretty business oriented, and it merges into the security world.
Introducing CompTIA PenTest+
In July 2018, CompTIA will launch its new intermediate-level cybersecurity certification, CompTIA PenTest+. The performance certification covers the skills needed by today’s penetration testers and ethical hackers. Learn more.
For someone who’s just starting out, what skills should they should focus on?
Certifications go a long way. They can even go further than a college degree in that they show you practical skill sets. When I’m doing hiring, I’ll look for SANS certifications and Offensive Security Certified Professional (OSCP). Both SANS and OSCP put you to the top of the pile, whereas other ones may not get as much attention.
I know CompTIA from when I started – those are the fundamentals. I would definitely want to check out CompTIA’s cybersecurity certifications. CompTIA has the establishment of having been around forever, so it’s not a fly-by-night enterprise, and now it’s expanding into information security, which is great.
Read more from RSA 2018:
Launch your cybersecurity career with the CompTIA Cybersecurity Pathway.