This article unfolds the critical role and responsibilities of Ethical Hackers particularly in Digital Transformation Initiatives. Learn how to be an ethical hacker from an expert in the field.
In this article, I want to create awareness of ethical hacking, its purpose, use cases, and a brief introduction to the role of ethical hackers in digital transformation initiatives. My aim is to help security executives and managers choose the best ethical hackers for their business. As a by-product, the information in this article can also guide the aspiring ethical hackers to build their skills and plan their experience.
Ethical hacking is a critical function for security and cybersecurity requirements of digital transformation initiatives. Every sizable digital transformation project requires at least one ethical hacker. Some massive programs may have multiple ethical hackers specializing in critical aspects and various domains of the program.
Security, in a local sense, and cybersecurity in the connected world, touch every domain, solution construct, and building blocks of the solutions in digital transformation initiatives. To this end, there are critical requirements to leverage the skills and experience of ethical hackers in these initiatives.
One may ask what ethical hacking mean, who ethical hackers are, what they do, why they do what they are supposed to do, and how they do them. These questions set the objectives of this article. I want to share my experience in the field. However, some points from my experience may conflict with traditional sources or textbooks.
I will introduce digital transformation initiatives under different subtopics in an upcoming post.
The primary use case for ethical hacking in digital transformation initiatives is to identify vulnerabilities in the systems and the solution building blocks. Identifying these vulnerabilities and addressing them in an agile manner requires deep security and cybersecurity expertise. The best talent to meet the requirements and expectations of the business stakeholders are ethical hackers.
Ethical hacking and ethical hackers in digital transformation initiatives
Ethical hackers are qualified technical specialists in the security and cybersecurity domains. These talented professionals have the required expertise and they understand security domains such as authentication, authorization, accounting, and auditing functions in detail.
These are broad categories with many subcategories underneath. I only want to provide a high-level picture so that we focus on ethical hacking and ethical hackers as the primary objective of this article. While introducing the roles and responsibilities of ethical hackers in the following sections, I touch on some subcategories of security domains.
The difference between criminal and ethical hackers
To understand the role and responsibilities of ethical hackers, it can be useful; first, we know about criminal hackers. Probably you heard a lot about criminal hackers in the media. They are the scary and bad guys with ill intentions.
Criminal hackers aim to steal data, information, knowledge, assets, and money. They may defame people. They can destroy systems, applications, and data. They can also blackmail people into gaining financial benefits. In short, they are into illegal activities. Criminal hackers are known as black hat hackers in the industry.
Whereas ethical hackers can support people and businesses, improve conditions, resolve situations, and prevent threats and vulnerabilities. They are known as white hat hackers.
In addition to these two types of hackers, there are also grey hat hackers who can be in between these two types. They are not as dangerous as criminal hackers but not as desirable as ethical hackers. The key difference is that the grey hat hackers may access the systems without permission, but they do not necessarily mean harm. Some grey hat hackers have altruistic purposes.
After this brief background, let’s focus on ethical hackers.
Ethical hackers are an antidote to criminal hacking.
Ethical hackers are as knowledgeable and skillful as criminal hackers. In fact, some professional ethical hackers are more knowledgeable and skilled than the criminal ones. In the industry, ethical hackers are expected to outsmart criminal hackers. This quality is tested during the interviews using intricate questions, simulations, and using real-life scenarios.
Ethical hackers proactively monitor the systems, identify gaps, inform the stakeholders, create a plan of action, and help execute the plan.
Ethical hackers are equipped with various powerful security management tools. The most prominent tool-set is the sniffer, also known as the packet analyzer. A packet analyzer is a software or hardware (appliance) program that can intercept in the network and capture network traffic (as communication packets).
In addition to understanding the systems and solutions, ethical hackers also understand regulatory, safety, security and industry compliance requirements. Digital products and services consumption by the public requires rigorous compliance review, auditing, and corrective actions.
I want to share the set of criteria that I developed in engaging ethical hackers in my digital transformation solutions. These criteria can help you understand the roles and responsibilities of ethical hackers in digital transformation solutions.
Let me point out a caveat here. These criteria may sound broader and more comprehensive than the traditional requirements. The rationale is there appear to be additional focus areas in transformative programs covering emerging technology stacks, extensive virtual platforms, Big Data, innovative and bespoke solutions, and critical non-functional requirements such as intricate interoperability, mobility, scalability, and capacity concerns.
How to be an ethical hacker?
In this section I provide the, criteria for becoming an ethical hacker in digital transformation programs. To make the criteria easy to read, I categorized the requirements under 6 broad categories: 1. Architecture, Design, & Industry Understanding, 2. Core Security Expertise, 3. Analytical Skills, 4. Technical Skills, 5. Interpersonal Skills 6. Business, Stakeholder, Project, and Organizational Skills
1. Architecture, Design, and Industry Understanding
Even though ethical hackers are considered technical specialists, they also need to understand architecture, design, and governance schemes. These skills enable ethical hackers to understand requirements and architectural decisions, understand the architectural and design constraints, and interpret viability assessment work-products.
Some key points are to understand the business process, consumption model, application landscape, data platforms and practices.
Ethical hackers must know their specific industry details because the rules and regulations may vary in different industries.
In architecture phases (e.g. macro design), ethical hackers perform pragmatically. They can conduct quick experiments, proof of concept, and proof of technology in urgent solution delivery cases.
Ethical hackers participate in design authority and architecture review boards as security subject matter experts.
2. Security Expertise
From specialty point of view, ethical hackers must have broad and deep demonstrated security and cybersecurity experience. Their security knowledge must be end-to-end and up-to-date.
They need to follow the security news, development, and trends carefully. Global security awareness is a critical requirement for them. At the highest level, they need to know the theories and mechanisms for an end-to-end security requirements perspective in digital transformation programs.
Security architecture is a critical knowledge area for ethical hackers. They must have deep technical knowledge of security systems, security frameworks, security patterns, and integration of security components.
Since encrypted messages in internetworks are critical in transforming business environments, ethical hackers must have a deep understanding of cryptography.
Social engineering is one of the most significant risks in business organizations. Social engineering is a widespread and the easiest way to exploit vulnerable users. Users’ lack of knowledge, social fear, confusion, assumptions can create tremendous risks. Ethical hackers know how criminal hackers use social engineering to hack complex systems. They inform all stakeholders and educate the users not to fall into the social engineering traps.
In addition, ethical hackers understand how the dark side of the Internet works. In digital transformation programs, the “darknet” or “darkweb” poses high risks and creates a huge fear for digital assets. To this end, ethical hackers inform the stakeholders and the users to take necessary measures and precautions to protect their assets proactively.
3. Analytical Skills
One of the fundamental roles of ethical hackers is to analyze systems, networks, solutions, applications, data, and databases. They can deep dive to analytical matters. They have a sharp eye for detail. They are observant and be able to see intricate and obscure patterns. They can perform the role of a security auditor in incident management teams.
4. Technical Skills
Programming (coding) and scripting skills are essential for ethical hackers. Some common languages are Python, C++, and Java. The language requirements may vary based on the program platforms. I used these 3 as an example.
Ethical hackers must possess core hacking techniques such as sniffing, scanning (e.g. W3af, Nessus, Burp), reverse engineering, disk/memory forensics, vulnerability analysis, frameworks such as Metasploit, and DoS attack. There are many more specialist hacking techniques, and those details are beyond the scope of this article.
Operating system knowledge is also essential. Some commonly used operating systems are Linux, Windows, Unix, ZoS, Android, macOS, iOS and other proprietary operating systems.
Networking and internet-working skills are critical. Ethical hackers need to understand network protocols, wireless protocols, architectures, frameworks, patterns, devices, functions, tools, connectivity, mobility, communications, and integration both in local and wide area networks.
As ethical hackers have to deal with data from many angles, understanding the data platforms, practices, storage, data lakes, data lifecycle management, databases, information, and knowledge systems. They also deal a lot with the Big Data for special forensic investments.
Digital mobility knowledge is critical for ethical hackers. They understand the digital technologies, mobile networks, workflows in these mobile networks, protocols, and device relationships.
Ethical hackers have a broad understanding of the mechanisms and implications of emerging technology stacks such as IoT (Internet of Things), Cognitive Computing, Cloud Computing, Edge and Fog Computing, Artificial Intelligence, and Big Data Analytics.
5. Interpersonal Skills
One of the key distinguishing factors of ethical hackers is caring, trustworthy, and reliable nature. Contrary to criminal hackers, ethical hackers, have empathy and compassion for users. They are non-judgemental and can approach people with corrective actions. They are team players and mentors for other security professionals.
6. Business, Stakeholder, Project, and Organizational Skills
Ethical hackers need to have excellent stakeholder management skills. Some critical capabilities in this area are communicating at all levels and speaking the business language. They can articulate risks, issues, and dependencies both to technical and business stakeholders. While they can see the big picture, they are also capable of delving into details.
In large business organizations, ethical hackers closely work with project managers. Therefore, they understand the project methods and tools. They have a particular focus on agile methods as security and cybersecurity issues are usually considered emergency issues requiring expedited delivery with priority number one approach.
Ethical hackers do not spend too long with root cause analysis during critical situations. They have to deal with incident management processes. During the incident management process, they must identify risks, issues, and dependencies very quickly.
They still need to provide input to the problem management team, but it happens after the priority incidents are resolved. Therefore a reasonable knowledge service management framework such as ITIL is desirable for ethical hackers.
They don’t have to know everything about service management as it is a broad domain. However, ethical hackers need to know how to elicit information and gain tacit knowledge by interacting with architects, specialists, project managers, and power users during the incidents. Event and configuration management are other areas they get involved in the service management domain.
Since the legal departments in digital transformation programs use ethical hackers, they also need to understand the legal issues, hacking implications, and other legal security concerns, and be able to speak effectively with legal professionals.
Sponsoring executives also require their lead ethical hackers to have inventive and innovative mindset to contribute to their innovation agenda in their critical security initiatives such as Cloud security.
Certification Requirements for Ethical Hackers
I witnessed job applicants going for ethical hacking roles without certification. However, nowadays, it is a prerequisite to have recognized certification for ethical hackers. The certification covers knowledge, skills, competencies, and proven experience in the areas mentioned above.
The most popular and globally recognized qualification is provided by The International Council of Electronic Commerce Consultants (EC-Council). EC-Council provides a qualification called CEH (Certified Ethical Hacker). CEH is the most fundamental requirement for the certification of ethical hackers.
Other essential qualifications are Advanced Penetration Tester, Certified Network Defender, and Forensic Investigator provided by EC-Council. There are several other education and certification programs on the market, such as OSCP (Offensive Security Certified Professional), FUH (Foundstone Ultimate Hacking).
There are also many online training programs on ethical hacking technical skills. However, I haven’t come across a training program covering all aspects mentioned in the criteria I introduced in this article. The reason is, the role of ethical hacker is not merely knowledge based but experience and expertise based.
Ethical hackers are critical security specialists and subject matter experts in digital transformation programs. They have an important mission in these programs. They possess unique skills, experience, and expertise.
I provided an overview of the knowledge, skills, competencies, and experience requirements of ethical hackers in digital transformation programs. The content in this article can guide security executives and managers to recruit qualified ethical hackers for their business-critical initiatives in their programs.
The aspiring ethical hackers who plan to work in digital transformation programs can create a checklist and plan their path using the criteria. There is a tremendous demand for ethical hackers.
The field is rapidly developing, and there is not an adequate number of qualified ethical hackers to meet the current market demands. My aim is to create awareness on this topic by reflecting on my industry experience in the field.