Mainstream media coverage of hacking often perpetuates the stereotype of hoodie-wearing hackers up to no good. For this reason, some people remain sceptical about hacking, even when it is ethical hacking undertaken by cyber security professionals.
A new report, Ethical Hacking in 2020, highlights the benefits of ethical hacking engagements, such as penetration tests (pentesting) and red team operations. These benefits were identified by a panel of industry experts and representatives from organisations that use ethical hacking services.
Redscan CTO, Mark Nicholls, explains:
“Protecting data benefits not only an organisation, but its customers and wider society too. In ethical hacking, the added value of engaging ethical hacking for a client is in learning where their security controls sit and whether they are effective”.
The benefits of ethical hacking apply to organisations across all industries, including the financial technology sector, where Jim Hart, CISO at Pollinate International, contends that:
“Whether the outcome of a pen test is good, bad or ugly, the crucial part is the validation of the delivery methodology. We are looking not just at the remediation of the vulnerabilities found, but also for the root causes, so these can be addressed too.”
Giles Ashton-Roberts, CISO at FirstGroup, agrees:
“As a transport provider, we follow the NIS Directive, as well as a requirement to protect consumer data under the likes of GDPR and PCI DSS, so we are torn all over the place. We use ethical hacking as a continual improvement programme, with a series of pen tests carried out through the year. For me it’s not just a tick-box exercise. It’s about making the improvements, closing the gaps on the vulnerabilities that are found.”
Key benefits of ethical hacking
The Ethical Hacking in 2020 report highlights six key benefits of ethical hacking to organisations:
- Fixing vulnerabilities before they are exploited by cybercriminals
- Providing independent assurance of security controls
- Improving awareness and understanding of cyber security risks
- Supporting PCI DSS, ISO 27001 and GDPR compliance
- Demonstrating a continuous commitment to security
- Supplying the insight needed to prioritise future investments
The evolving nature of ethical hacking
Ian Glover, President of CREST, an international not-for-profit accreditation and certification body that represents and supports the technical information security market, feels that the benefits of ethical hacking are only going to become more valuable:
“The word ‘test’ has the connotation of a pass but that’s not possible with pen testing. Instead it is about providing assurance in a fast-changing technological world. Regulators are now becoming more involved as cyber gets board-level attention, so we need to improve security not just by testing but by giving clients actionable outcomes.”
Lauri Love, security consultant and hacktivist, agrees:
“There is a move for the hacker to be more integrated with the client, not just for testing. This enables the ethical hacker to give clients a better understanding of their systems as they continuously evolve the security of them. This relationship builds a rich ecosystem in the industry with threat hunting, sharing information online together and a rising professionalisation.”
The thoughts of these industry experts were expressed as part of the Ethical Hacking Roundtable 2020.