If you’re interested in cybersecurity or offensive security, you’ve probably heard the stories of Johnny Chung Lee, George Hotz, or Peter Hajas. These hackers were hired by the very tech companies they had hacked. The Internet is packed with stories like these, inspiring awe in technical people who wish they could work for Twitter, Google, or the FBI. Who doesn’t like boldness, skill, and wit winning against the system?
It’s undeniable that a certain cockiness pervades the industry. If you have ever wanted to put yourself on the market for a cybersecurity position, you might have even been advised that if you want to break through, you must “hack them to show them your skills.” Most probably, the person giving you this advice doesn’t work in cybersecurity. And they have given you terrible advice. Here’s why.
Back to the basics
One of the first things you are taught when you take an offensive security course is that hacking is illegal. Unauthorized access to someone’s system is prohibited by the law. In the United States, it’s a violation of the Computer Fraud and Abuse Act (CFAA). There are similar laws in Canada, including the Criminal Code Section 342.1. A first offender (misdemeanour) risks fines of up to $100,000 and up to one year in prison.
Types of hackers in the industry
There are many types of hackers, but in the industry, you will likely encounter three of them:
WHITE HAT HACKERS
Also known as ethical hackers, they hack into a system legally by obtaining explicit and written permission from its owner.
GRAY HAT HACKERS
These hackers exploit vulnerabilities without malicious intent, often without permission, balancing ethical and unethical practices.
BLACK HAT HACKERS
Hackers who deliberately exploit vulnerabilities with malicious intent, such as stealing data, causing harm, or financial gain.
This difference should be clear when you apply for a cybersecurity position. Yes, cybersecurity companies or departments occasionally hire gray hat hackers. Still, they typically require the individual to clearly understand ethical boundaries and adhere to legal and professional standards moving forward. Gray hat hackers often possess valuable skills and a unique perspective on vulnerabilities. Still, companies prioritize candidates who can operate within strict ethical and legal frameworks, usually requiring certifications like CEH or OSCP to validate their commitment to responsible practices.
Understanding the cybersecurity industry
The cybersecurity industry is reaching unprecedented heights of popularity among job seekers. However, it is also one of the least successful industries globally. Just look at the rising number of cyberattacks: each one is a failure to protect businesses and people worldwide. The constant rise of cyber threats makes companies reluctant to invest in preventive measures that cannot guarantee protection, regardless of how much they spend.
When businesses spend money on cybersecurity, they’re logging a loss. That budget could have been used to build a product, buy new equipment, or sell more. In other words, finding vulnerabilities in someone’s system might be exciting for you, but it is bad news for the system’s owner. Cybersecurity companies and departments must work hard to build trust and good customer relationships. As professionals, we must show that we work ethically, follow protocols, and will not abuse the intelligence we gain. Attempting to breach a company’s systems undermines that trust, is unethical, and demonstrates poor judgment.
How the hiring company sees you
Suppose you succeed in hacking into a system. Will you look like a hero? Think again: no employer wants to hire a liability. From the company’s point of view, unauthorized hacking is a red flag, indicating that the candidate cannot be trusted with sensitive information or systems. Your professional reputation will go a long way in this industry, but you might not recover from a bad start.
If the company you apply to provides services to the Government, Administration, or the Military, it will require a security clearance. A red flag can prevent you from being hired by that company and by others as well.
What can you do to get noticed instead
Instead of hacking:
- Build a portfolio: Develop ethical hacking projects in a controlled environment, such as a personal lab or Capture The Flag (CTF) challenges.
- Participate in bug bounty programs: Many companies offer these legal programs where you can test your skills ethically and gain recognition.
- Contribute to open-source security tools: This demonstrates both skills and collaboration.
- Earn certifications: Certifications like CEH, OSCP, or CISSP showcase expertise and professionalism.
If you’re genuinely interested in demonstrating skills for a specific company, you can:
- Ask if they run a bug bounty or vulnerability disclosure program.
- Express your interest in helping improve their security during the interview process.
In conclusion, hacking a potential employer without permission is never the right approach. Always work within ethical and legal boundaries to showcase your skills effectively and responsibly. It will pay off in the end.