Hacker, Researcher, and Security Advocate

Month: September 2019

What Is a Hacker?

Reclaiming the Hacker Title, and Ending the Stereotypes

For some, the term hacker elicits images of a person wearing a black hoodie in a dark room working tirelessly on a computer. In other cases, connotations of criminal syndicates or nation-state attackers jump to mind. Unfortunately, thanks in part to media and entertainment portrayals of hackers, the reality is rarely understood. In fact, even formal descriptions of hackers tend to focus solely on their actions as the defining measure. In truth, the term hacker describes an identity. It refers to characteristics of how a person looks at problems and attempts to solve them.

Tattoo with GrrCON logo that says artists and inventors not criminals and freaks.
My tattoo from GrrCON ’14 with the phrase from Jayson Street’s keynote that have inspired me ever since.

In 2014, I attended a security conference called GrrCON. A well respected member of the security community, Jayson Street, gave a very powerful keynote speech. His discussion focused on the history of hackers and drove home the message that hackers are not criminals and freaks. Instead, we are artists and inventors. His discussion impacted me so greatly that I got a tattoo at the conference that emblazons those words on the back of my shoulder.

The Mysterious Hacker

When we think about computer hackers in particular, we think about the secretive nature of hackers. People operating in anonymity, using handles rather than their names, using private and sometimes obscure communications channels to share information. Especially in the early days of the internet, this was an accurate view of the hacker community. As a result, it only adds to the myth and mystique of hacker lore. Since hackers were seen as criminals, anonymity was a crucial tool in simply advancing their craft. While their motivations were often rooted in curiosity, law enforcement had very different opinions.

As with any growing community of people, a social order began to develop as well. Personalities clashed, competition often ensued with rival hackers seeking to establish their place among the most skilled by demonstrating proof of their latest hack. Sometimes they even attacked each other. Even today, many of these behaviors persist. There is a degree of fame and respect that is given to those that demonstrate extraordinary skills. But hackers are so much more.

Curiosity and Creativity

“What makes me a hacker is my unfettered, at times almost obsessive need to understand the inner workings of technology.”

Alyssa Miller

If you’ve spent any time on my site or social media pages, you know I identify myself as a hacker. While I’ve taken over domain admin accounts by passing hashes, gained command line access to web servers via poorly configured web applications, and even dumped the entire contents of databases using blind SQL injection vulnerabilities, these skills don’t make me a hacker. On the flip side, I’ve never discovered a 0-day vulnerability, never stolen money or data, and never gone to jail for my activities. These facts don’t make me any less of a hacker.

What makes me a hacker is something more intrinsic, something very integral to my very being. What makes me a hacker is my unfettered, at times almost obsessive need to understand the inner workings of technology. It’s an optimistic problem solving skill. Believing that anything can be changed or improved if I can just simply understand first how it functions.

Many hackers, myself included, will tell you that as children we took things apart. Driven by a curiosity to understand how technology worked, we learned through examination. This is a cognitive trait that shapes how we look at problems and solve complex issues. This, in my opinion, defines what makes a hacker a hacker.

Hackers and Ideology

Take a look at the interactions of hackers on social media or other forums and you’ll discover hackers are typically very idealistic. While we don’t all have the same values, more often than not, they are all rooted in positive motivations. Street, in his presentation, discussed Nikola Tesla as an early hacker. Tesla had a vision for supplying electricity to the world without cost. He built upon the discoveries of his peers and predecessors to develop new technologies. His inventions drive many of the technologies we’ve become dependent on today. He wanted everyone to take his works and use them and continue to improve them. However, due in part to businessmen with less noble values, Tesla died broke and alone. His inventions tied up with patents that prevented new innovations.

Hackers often look at the internet the same way, with very idealistic vision. Most place a great deal of value on the free exchange of ideas and information while also valuing privacy and individual liberty. Many of us work to make the internet more secure to help ensure that vision. Nowhere is this ideal more clearly displayed than at the various hacker conferences that occur every year. Tens of thousands of hackers come together in various venues around the globe in an effort to share our knowledge, our research, and our opinions on how to improve the technology of the world we live in.

Gate-keeping

Unfortunately, while many in the security community work to promote a more positive image of hackers, there are some who want to perpetuate the stereotypes. They prefer the mystique of clandestine individuals or groups that have the power, because of their skills, to disrupt society and the world. That image of the hacker culture is seen as cool and almost elitist in a way. As a result, some attempt to establish their position in the social order by trying to define who is worthy of being called a hacker. Usually the definition relies solely on the level of their skills or the novelty of the exploits they unearth.

This view is counter-productive to establishing a truly free exchange of ideas and knowledge. It serves to create cliques, toxic competitiveness, and secrecy that break down the ideals. Sure it’s part of where we came from as hackers. Yes, competition can be healthy and productive. But to be truly great as a community, we must be able to build off the work of others. We have to leverage the unique perspectives we each bring to the table and let those drive new ideas. That is how we become l33t.

You're Hired

Talent Shortage, Really?

Examining the disconnect between employers and job seekers in Security?

There is a lot of talk among business leaders about a critical shortage of cyber security talent. Many cite studies and surveys that provide context for just how big the problem has become. In fact, Cybersecurity Ventures predicted in 2017 that by 2021 nearly 3.5 Million security jobs will go unfilled. While this discussion is seemingly ubiquitous in the business world, there is another side to the story.

Interacting with the security community through social media, one quickly discovers that there are significant numbers of job seekers unable to find security jobs. In fact, I recently tweeted about a job opening that I have coming up. With roughly 4,200 followers, I had over 200 people send me direct messages expressing interest. After weeding out those who were clearly not fits, I still have a list of over 50 potential candidates. With that much interest from one tweet about one position, it seems odd that organizations are having a hard time finding candidates. This dissonance is so powerful that I personally call BS on the talent shortage. What we have is a talent disconnect, but why?

Job descriptions and unrealistic expectations

Browse the listings of security jobs and you’ll quickly see just how poor and unrealistic many of them are. In my own less-than-scientific research, I’ve noted a few of the more common issues:

  • Requirements for an overly broad range of expert-level skills beyond what any single human could possibly possess
  • Length of experience requirements that are not commensurate with the position (e.g., 6-8 years of security experience for a security analyst role)
  • Unrealistic salary ranges for a given title (e.g., a Senior Security Architect role with a salary range of $50,000-65,000)
  • Seeking impossible levels of experience in emerging technologies (e.g., 10 years experience with block chain technology)
Breaking it down

Let’s tackle these one at a time. Overly broad skills requirements often stem from building job descriptions like a wish list. The approach ends up being “we can’t have it all, but whoever checks the most boxes in this list is the one we choose”. There are two problems with this methodology. First, job seekers read those lists as hard requirements. The more items on the list they can’t check, the less likely they are to apply. Second, picking a candidate with broad knowledge but little depth may leave the organization in a bad position when deep technical expertise is needed.

Security related job descriptions are still new to many organizations. As such, they are often derived from other technical roles with similar titles. This can lead to a scenario where the length of experience being asked for does not match up to what the market would dictate for that level position. This same scenario can often lead to the seeking impossible levels of expertise. Ultimately, more time and analysis is needed from security leaders and Human Resources working together to develop market-aligned expectations.

One of the most frustrating issues isn’t always visible from the job description itself. When the salary range attached to a role is unrealistic in terms of market forces, both hiring managers and candidates are impacted. Candidates often go through multiple rounds of interviews before finding out the pay range is too low. They end up feeling like their time was wasted. In cases where initial screening interviews are used to match salary needs, the hiring manager will likely receive few qualified candidates options, resulting in further frustrations on their part.

Engaging the Security Community

Another common issue that seems to hamstring many recruiters is their inability to connect with the security community. Anyone who has security experience listed on their LinkedIn profile has likely gotten messages from recruiters. Commonly, recruiters will use one or two search criteria and match highly experienced candidates with entry-level or unrelated positions. The “hot” job market in security brings many non-technical recruiters out in search of security talent. The resulting credibility problems for recruiters in the security industry in particular creates a heavy divide.

Recruiters must overcome that credibility problem with a genuine understanding of the security landscape. Additionally, they must learn to engage security professionals through less traditional avenues. The best security recruiters have learned how to connect with the community via social media. They’ve learned how to have meaningful interactions on Twitter and are patient in their approach. It takes time, but recruiters who take time to learn security and develop long-term relationships with members of the security community find greater overall success in filling roles.

Breaking the mold

A side effect of interacting with the security community is that organizations will also shed their preconceptions of what security talent looks like. Sometimes there literally is a bias as far as the appearance of security professionals. Bold hair colors, visible tattoos, body piercings, and non-traditional fashions are very common among security experts. Meanwhile, the corporate world continues to shift at a glacial pace toward acceptance of such appearances.

Security and business leaders alike still carry heavy bias, albeit sometimes unconscious, against individual expression. Conformance to traditional standards is still sought and often to degree of disqualified otherwise highly qualified candidates. Managers hiring for security positions (or any positions for that matter) need to understand this and move beyond their preconceived images.

Incubating talent

I find it particularly frustrating how little foresight organizations put into developing security expertise in their current staff. As digital transformation trends continue, security has to be a part of every phase of our business. So why then don’t leaders look to groom security expertise in all business functions? Imagine a world where every team from accounting to finance to development was required to have security expertise.

An approach like this has multiple benefits. First and foremost, it begins developing a culture in which security is always a consideration. No longer do we allow admin or operational groups to fly under the radar of security considerations. Second, these resources now become an internal pool of candidates from which security-focused positions can be filled. Essentially, it becomes an incubator of security talent. Third, this type of investment in employees also helps combat turnover. Employees are able to develop marketable skills that give them a clear path for advancement or new challenges.

Obviously, this type of approach requires executive level buy-in and support. Business and support functions will be reluctant to dedicate portions of their budgets to training in skills they see as unrelated to their purpose. However, at an executive level, when the cost of training is weighed against recruiting costs, turnover costs, cost-of-vacancy, and third party services expenses, the business case is easy to build. Organizations must stop relying on someone else to develop security talent and instead they must take an active role in the process.

Bridging the gap

Is the idea of a talent shortage truly false? It’s hard for anyone to say for sure. However, the way organizations search for and cultivate talent clearly contributes to the problem. We’re seeing a shifting of the tides in terms of how security talent and hiring firms come together, but there’s still a massive gap. To those of us active in the community, that disconnect is very visible everyday.

Powered by WordPress & Theme by Anders Norén