Many companies hire ethical hackers to play the role of an adversary who’s looking to hack into them to penetrate their defenses. Companies need to think about whether the company that they’re hiring, or their individuals are hiring are properly vetted.
There are plenty of what I would call smaller organizations out there whose individuals might have operated on the other side of the fence for a period of time and may have turned good now but you don’t know necessarily what else they may also be doing on their off hours, and so I think it’s really important to ensure that anybody that you’re looking to really work with you for any cybersecurity advice or consulting or implementation or testing has individuals that are both skilled, that they have a strong development program that supports those individuals, that they have background checks that you can validate, and that they have a strong track record in the market of providing that service to organizations which can be validated through discussions with those organizations.
Oftentimes it’s the individuals who are strongest at that type of activity. Frankly do think like a criminal. They can think about why would a criminal want to get after this organization. What would they be after, and how might they get after it?
When companies are looking to hire any cybersecurity advice, they really need to be asking those organizations about their methodologies and their quality processes. How they ensure that whatever activity those individuals are going to undertake does not put your company at risk.
When a cybersecurity professional is assessing an organization’s vulnerabilities, they are collecting a lot of sensitive information that would be confidential or highly confidential and very valuable to criminals who may not have done that activity yet. You should be asking questions around how that organization protects that data about them because it is valuable information. What are their practices for securing that information, ensuring that it does not get disclosed, for sharing it, sharing the results with the organization? What type of tools and encryption are they using even just to share the report? If organizations don’t have solid — cybersecurity organizations don’t have solid responses to these types of questions, they’re not somebody you want to hire.