Inside the Mind of a Hacker: Breaking Down the Key Findings in the 2023 Report

Understanding the mind of a hacker has great value in cybersecurity. Understanding how they work has long been an exercise that happened after an incident. Now, there’s a new way to find out the mechanisms and approaches they use to exploit weaknesses. We can get a great glimpse into this perspective with pen testing, in which ethical hackers simulate attacks.

A new report looks at the mind of hackers from the angle of ethical hackers. The 2023 report offers many insights that can be valuable to any organization. The term hacker in this context refers to someone who conducts pen tests and vulnerability assessments. You want these people to find your issues before cyber criminals do.

As cybercrime continues to grow and cost the world billions, getting insights from their viewpoint can help any organization improve and adapt its cybersecurity strategy.

Next, we’ll break down the findings and offer context on what they mean for cyber leaders and professionals.

2023 Inside the Mind of a Hacker Report Findings

The trends emerging from the hacker landscape are evolving, thanks to technology like AI and trends like remote work, which expanded a network’s endpoints and assets.

Hacker Demographics

The report reveals several data points on demographics. The majority are fluent in two to three languages. Those in non-English-speaking countries depend on ChatGPT for translating.

Hackers are predominantly aged 18 to 24, but a growing number of younger people exist. This segment doubled in the last year.

Surprisingly, India is home to the most hackers, followed by Bangladesh and the U.S. Most hackers are men (96%), so it’s an industry ripe for the possibilities of diversity. The majority have a college degree, at 54%.

The Job Landscape for Hackers

Cybersecurity is a field in dire need of more talent. There is a significant number of unfilled jobs, and hackers are part of this category. Only 29% of people hack full-time. Most are only doing it part-time. Their day jobs are often in IT or cybersecurity, as 77% report working in these roles.

So, who are they working for? They may use platforms, take freelance gigs, or work for a firm. The systems they are evaluating are in a variety of organizations, from aerospace to manufacturing to finance to healthcare. Those seeking ethical hackers should consider industry experience, especially for industries with compliance regulations.

Their skill development, which is crucial for anyone to be proficient in cybersecurity, comes from various sources, with online learning at the top. Most are self-taught, with only 24% completing formal coursework.

Degrees and certifications aren’t always the best demonstration of someone’s technical skills. It’s something to consider when assessing talent for a hacker role. The group relays that they spend considerable time on security research. This practice is likely the same for cybercriminals.

Hackers had optimistic feelings about their role, with 89% saying they believe companies view them more favorably. Almost all (96%) think they’re helping with the cybersecurity skills gap.

So, is the hacker career sustainable? Will we always need humans to simulate attacks?

AI and Hackers

AI has made the cybersecurity landscape change quickly. It can be both a tool for criminals and an asset for protection. There is a buzz around it taking over the role of an ethical hacker, using it exclusively for exercises like pen tests and vulnerability assessments. It is a topic in the study, with many saying it makes hacking faster. Most also said it has changed their workflows. They also concur that it doesn’t have the skill sets of actual hackers yet. Right now, it’s still routinely fallible.

Automation isn’t going to take the job of the hacker. It can augment what they do to accelerate their work. It has many applications to drive efficiency.

Hackers are deploying AI in ways that are making the cyber world safer. They depend heavily on ChatGPT, with 98% using it. Other AI chatbots they use are Google Bard and Bing Chat AI. Their generative AI use cases include text, code, search, and chatbots. They lean on AI chatbots heavily for their ability to write out reports.

They believe AI can be a component for many areas of security, including:

  • Automating tasks
  • Analyzing data
  • Identifying vulnerabilities
  • Validating findings
  • Conducting reconnaissance

The other side of the story is what criminals can do with AI to launch attacks. They are deploying it most to build more sophisticated malware, write phishing emails, generate deepfake data, crack CAPTCHAs, and guess passwords.

Like every aspect of technology, it’s how a human applies it that makes it either good or nefarious.

The ‘Why’ for Ethical Hackers

We often talk about the “why” behind motivations. It’s important to know these in your cybersecurity staff and hackers. It can often be the key to helping an employee change behavior or enabling a more proactive approach. Ethical hackers hack for personal development over financial gain. Many like the excitement and challenge.

For the real cybercriminals, money is the top reason they do it. However, there are hacktivists who do so based on ideology. Another reason that’s similar to ethical hackers is the challenge. Some really enjoy the game.

Hackers also see it as a greater purpose. They want to make the world a secure place with these values:

  • Preventing the next major cyberattack or data breach
  • Educating others on best practices
  • Building long-term relationships with programs and companies

So, with AI, the cybersecurity workforce shortage, and threats evolving every day, what’s the future for hackers?

The Future for Ethical Hackers

In terms of career opportunities and growth, 53% have a job in part because of their hacking skills. Another 47% recently finished coursework in cybersecurity to expand their abilities.

There is great job security in cybersecurity, and these professionals have insights and capabilities that can positively impact an organization’s cybersecurity posture.

Risk isn’t going anywhere, no matter a company’s size, defenses, or budget. More leaders outside of IT are realizing the need to be proactive in risk reduction, and that’s the kind of thing these people specialize in.

The report also looks at trends, which are all things cyber professionals are aware of, but most of their counterparts on the business side still don’t completely comprehend. They include the following:

  • Companies still don’t understand the severity of a breach and what its impact would be, which causes them to hedge.
  • They have concerns that point-in-time security, which is monitoring only by periodic assessment, is insufficient to be safe.
  • The majority (84%) state there are more vulnerabilities now than pre-pandemic.
  • Three-fourths acknowledge it’s becoming more difficult to find weaknesses in critical assets.
  • One-third of hackers think companies will sacrifice customer privacy and security to save money.

So, what can you take away from this that would resonate with your cyber team?

Takeaways from the Mind of a Hacker

There are lots of good nuggets in this study that can help develop your team and have discussions about how hackers think and act. It may be challenging to get all your people to check out the data and have some learnings from it. Technical folks aren’t always the best at seeing other perspectives.

Sharing this data and having conversations about it could help move them to a place where they can see the other side. Perspective, awareness, and changing mindsets may all represent some weaknesses in your team. They may be technical geniuses but lack the people skills to conquer those areas.

It’s an ongoing problem in cybersecurity, but not one with no solution. The Secure Methodology™ is a seven-step process that focuses on developing cybersecurity professionals into excellent communicators and collaborators able to understand perspective and embrace new ideas.

They become more flexible in their approach to the job, so they can adapt and respond, all while working together more cohesively. It’s an evolution that’s good for the individual and the organization.

Here’s a quick preview of the seven steps.

The Seven Steps

  • Awareness: This step is about achieving awareness of self and others so they understand the impact of their behavior and want to grow.
  • Mindset: Next is opening someone’s mindset from a once-fixed stance and a reliance on black-and-white thinking.
  • Acknowledgment: The third step addresses giving feedback that’s honest, open, and constructive so people feel valued and able to share their thoughts.
  • Communication: Fourth is communication, which encompasses how to express thoughts and ideas in a meaningful and respectful way and being better listeners.
  • Monotasking: The fifth phase concerns taking time to concentrate on one task at a time, giving them a chance to think critically and problem-solve.
  • Empathy: In this step, people learn to understand and respect the perspectives of others and realize it’s useful in defending against threats.
  • Kaizen: At the end is a Japanese term that means continuous improvement, so it never ends as people continue to grow.

Learn more about each step by reading Blue Goat’s founder’s book, The Smartest Person in the Room. Check out his Secure Methodology course, too.
