In the old cowboy movies, the good guys typically wore a white hat and the bad guys wore a black one. Today, this same Wild West symbolism plays a central role in cyberspace — specifically in the way we talk about online outlaws and the ethical hackers whose job it is to rein in their nefarious activities and keep them from trespassing.
While black-hat hackers work the dark side — using malware, ransomware, phishing and a range of other tactics to pull off virtual break-ins, lootings and heists — their white-hat counterparts use similar high-tech tactics to defend against an ongoing stampede of cybercrime.
The good news for current and aspiring cybersecurity professionals is that, when it comes to the world of ethical hacking, it pays to be on the right side of the law. Read on for a closer look at the career landscape for white-hat hackers, whose services are in high demand across nearly all industries and who can often command salaries of $100,000 and above.
What Do Ethical Hackers Do?
Ethical hackers are paid good money to try to break into computer systems. It is often said that, to excel at their jobs, these cybercrime-fighters must “think like a black-hat hacker” — that they must understand a black-hat hacker’s strategies, motivations and modus operandi in order to block intruders from illegally infiltrating networks and systems to engage in criminal activity.
Generally speaking and depending on the needs of their employers, ethical hackers are engaged in such activities as penetration testing, vulnerability assessments and a range of strategies intended to keep their organizations safe from cyberattacks of all kinds. This can include:
- Preventing malicious attackers from accessing and stealing private data
- Discovering vulnerabilities in their employer’s networks and systems
- Helping to put defenses in place to secure or “harden” those weak spots
- Working to put in place secure networks to deter security breaches
- Helping their organization earn the trust of customers and investors by safeguarding information and assets
For private-sector ethical hackers, this usually means protecting company assets; for those employed by the government, the work will often involve defending national security by protecting systems and secrets from terrorists.
Types of Hackers (White Hat, Black Hat, Gray Hat)
Despite the “hat” symbolism, hackers are not actually identifiable by their choice of headgear. Starting with the white hats and black hats, here is a breakdown of the different types of hackers:
What is a White-Hat Hacker?
The white-hat hacker is a cybersecurity professional hired to find vulnerabilities in software, hardware and networks that may be susceptible to attack, report on those vulnerabilities and often play a role in securing such weak spots. According to TechTarget.com, they will disclose vulnerabilities to the vendor whose hardware or software is affected, so it may patch other customers’ systems. White-hat hackers use many of the same methods, tools and techniques as their black-hat counterparts.
What is a Black-Hat Hacker?
The black-hat hackers are the outlaws. They are known for illegally breaking into victims’ networks to disrupt systems, steal or destroy data, conduct espionage or sometimes to engage in some malicious mischief just to prove they can. Black-hat hackers typically have extensive knowledge about circumventing security protocols and cracking into computer networks. Some are also adept at writing malware used to infiltrate systems.
What is a Gray-Hat Hacker?
The gray-hat hacker combines key traits of white- and black-hat counterparts; for example, probing a system for vulnerabilities without malicious intent but also without the owner’s knowledge or permission. If they find vulnerabilities, they would likely report them to the owner, along with a request for a fee to fix the issue. If the owner does not respond or comply, then the gray-hat activity can get a little darker.
Those are the big three, but there are also lesser-known green-, blue- and red-hat designations.
What is a Green-Hat Hacker?
Green-hat hacker typically describes an amateur, novice, newcomer or “noob” — someone who is eager and intrigued about hacking but lacks advanced technical skills and education. Many in this category are interested in expanding their skills and becoming more deeply involved in the world of hacking.
What is a Blue-Hat Hacker?
The term blue-hat hacker can apply to two very different kinds of individuals. One is an amateur hacker who is motivated by seeking revenge. The other, typically styled “BlueHat,” refers to a security professional who is contracted by a company (such as Microsoft) to inspect its software (such as Windows) for vulnerabilities.
What is a Red-Hat Hacker?
Red-hat hackers are the sworn enemies of black hats and are often characterized as vigilantes because of their reputation for going after the lawbreakers. Red-hats seek out malicious hackers, but not just to report them; they are known for using sophisticated techniques to shut them down or even to disrupt or destroy their computers.
How Ethical Hacking Helps Cybersecurity
The cybercrime epidemic is a $6 trillion problem (that’s Cybersecurity Ventures’ prediction for the annual, global cost of cybercrime by 2021), and one that requires multiple layers of solutions. Ethical hacking is one of the most important methods for disrupting cybercrime, discovering the hackers’ targets and techniques, and counteracting their efforts to cause virtual mayhem.
Ethical hacking is considered essential both for companies looking to safeguard their information and assets, and for governments looking to defend people and shared infrastructure from evildoers.
Stats About the Cost of Data Breaches
With trillions of dollars at stake, data breaches are so common that the ever-growing list of high-profile victims is filled with well-known names across all sectors — major corporations (Target, CVS), restaurant chains (Wendy’s, Panera), financial firms (Citigroup, Equifax), universities (UC Berkeley, Johns Hopkins), social media sites (Facebook, LinkedIn), secretive governmental agencies (NSA, IRS) and more.
According to the 2020 Cost of a Data Breach Report from IBM, the average cost of a data breach is approximately $3.86 million. Such calculations are an inexact science, of course. A 77-page report from Digital Guardian examined incidents reported by 507 organizations from 17 industries and 16 regions around the globe and found that, depending on the location and industry, the average cost of a breach can range from $1.25 million to $8.19 million.
The United States tops the list of highest average cost per data breach ($8.19 million in 2019, up from $7.91 million in 2018). By industry, health care, financial services and energy are among the hardest hit.
Demand for Ethical Hackers
Amid the ongoing wave of cybercrime, it is easy to see why demand is so high for cybersecurity professionals in general and ethical hackers in particular. Industry watchdog Cybersecurity Ventures predicts there will be 3.5 million unfilled cybersecurity jobs globally by 2021. The talent shortage has led to the cybersecurity job market being described as one that is experiencing zero percent unemployment.
A recent search for “ethical hacking” jobs on LinkedIn reveals several thousand jobs at a range of well-known organizations, including Booz Allen Hamilton, Fidelity Investments, Microsoft, TikTok, Tesla, the Federal Reserve Bank and the U.S. Department of Defense.
Common Careers in Ethical Hacking
Common job titles within the field of ethical hacking include:
- Penetration Tester
- Vulnerability Assessor
- Information Security Analyst
- Security Analyst
- Certified Ethical Hacker (CEH)
- Ethical Hacker
- Security Consultant
- Security Engineer/Architect
- Information Security Manager
The skills required for such jobs will vary greatly depending on the position and the organization. The EC-Council, which administers the certification program for the highly sought-after Certified Ethical Hacker credential, lists the following skills as needed to pass the exam:
- Strong knowledge of networking and computer systems
- Understanding of current security protocols for regularly used operating systems, such as Linux, Windows and Mac
- Ability to hack into networks or systems, with permission, to assess vulnerabilities
- Able to perform preventive, corrective and protective countermeasures against malicious attempts
- Should be proficient in identifying and cracking multiple types of passwords
- Know the phases and methodologies of ethical hacking
- Should know how to erase digital evidence of network and system intrusions
- Understand encryption techniques and cryptography
- Adhere to the code of ethics and professional conduct
- Should be aware of common cyberattacks, such as phishing, social engineering, trojans, insider attacks, identity thefts, etc. and should know how to undertake appropriate evasion techniques and countermeasures.
The EC-Council also suggests that aspiring ethical hackers be proficient in multiple coding languages such as Python, SQL, PHP, Java, C and C++.
Ethical Hacker Salary Data
Salary estimates for cybersecurity positions related to ethical hacking vary significantly, both because of the methodologies used and because figures are often adjusted in real time based on changing data. Here are some recent ethical hacker salary snapshots from leading online employment and cybersecurity websites:
- $116,323 – Ziprecruiter.com (Penetration tester)
- $104,000 – Cyberseek.org (Penetration and vulnerability tester)
- $99,081 – Salary.com (Ethical hacker)
- $81,179 – Payscale.com (Certified ethical hacker)
In addition, another type of ethical hacker — freelance “bug bounty” hunters — can earn huge sums. Private companies and government agencies both augment their security systems by inviting freelance hackers to hunt down bugs that threaten their overall security. According to bug bounty platform HackerOne, more than 100,000 hackers now make their careers as bug bounty hunters, with six having earned more than $1 million.
How to Become an Ethical Hacker
Education and experience are key. A strong background or bachelor’s degree in computer science is extremely helpful. Early career experience can be gained by working in network support, network engineering or in any number of positions related to information security.
Ethical hacker certifications
Professional certifications also play a key role in the ethical hacker employment landscape. The CompTIA Security+ certification is often the first one cybersecurity professionals earn; the EC-Council’s Certified Ethical Hacker (C|EH) credential is sought after by many employers hiring ethical hackers. Other popular cybersecurity certifications include:
- Certified Information Systems Security Professional (CISSP)
- Certified Information Security Manager (CISM)
- Certified Information Systems Auditor (CISA)
- SANS/GIAC Certification
Education: How a Master’s Degree Can Help
Many cybersecurity employers require or prefer a master’s degree, but advanced education is not required for all roles. However, earning an advanced degree is an option many current and aspiring cybersecurity professionals choose for important reasons. For example, earning your degree:
- Equips you with comprehensive knowledge and practical skills
- Positions you, in some cases, to demonstrate work experience in the form of in-depth exercises and hands-on sandbox lab work that closely simulates real-world scenarios
- Gives you a strong competitive advantage in the job market
The University of San Diego, a highly regarded cybersecurity industry thought leader and education provider, offers a career-building degree program that you can take on campus or 100% online. Learn more by checking out USD’s cybersecurity blog or by reviewing the degree overview page for the Master of Science in Cyber Security Engineering.