The surge in far-flung and destructive cyber attacks is not good for national security, but for an increasing number of hackers and researchers, it is great for job security.
The new reality is on display in Las Vegas this week at the annual Black Hat and Def Con security conferences, which now have a booming side business in recruiting.
“Hosting big parties has enabled us to meet more talent in the community, helping fill key positions and also retain great people,” said Jen Ellis, a vice president with cybersecurity firm Rapid7 Inc, which filled the hip Hakkasan nightclub on Wednesday at one of the week’s most popular parties.
Twenty or even 10 years ago, career options for technology tinkerers were mostly limited to security firms, handfuls of jobs inside mainstream companies, and in government agencies.
But as tech has taken over the world, the opportunities in the security field have exploded.
Whole industries that used to have little to do with technology now need protection, including automobiles, medical devices and the ever-expanding Internet of Things, from thermostats and fish tanks to home security devices.
More insurance companies now cover breaches, with premiums reduced for strong security practices. And lawyers are making sure that cloud providers are held responsible if a customer’s data is stolen from them and otherwise pushing to hold tech companies liable for problems, meaning they need security experts too.
The non-profit Center for Cyber Safety and Education last month predicted a global shortage of 1.8 million skilled security workers in 2022. The group, which credentials security professionals, said that a third of hiring managers plan to boost their security teams by at least 15 percent.
For hackers who prefer to pick things apart rather than stand guard over them, an enormous number of companies now offer “bug bounties,” or formal rewards, for warnings about vulnerabilities that leave them exposed to criminals or spies.
One of the outside firms that handle such programs, HackerOne, said it has paid out $18.8 million since 2014 to fix 50,140 bugs, with about half of that work done in the past year.
Mark Litchfield made it into the firm’s “Hacker Hall of Fame” last year by being the first to pull in more than $500,000 in bounties through the platform, well more than he earned at his last full-time security job, at consulting firm NCC Group.
In the old days, “The only payout was publicity, free press,” Litchfield said. “That was the payoff then. The payoff now is literally to be paid in dollars.”
There are other emerging ways to make money too. Justine Bone’s medical hacking firm, MedSec, took the unprecedented step last year of openly teaming with an investor who was selling shares short, betting that they would lose value.
It was acrimonious, but St Jude Medical ultimately fixed its pacemaker monitors, which could have been hacked, and Bone predicted others will try the same path.
“Us cyber security nerds have spent most of our careers trying to make the world a better place by engaging with companies, finding bugs which companies may or may not repair,” Bone said.
“If we can take our expertise out to customers, media, regulators, nonprofits and think tanks and out to the financial sector, the investors and analysts, we start to help companies understand in terms of their external environment.”
Chris Wysopal, co-founder of code auditor Veracode, bought in April by CA Technologies, said that he was initially skeptical of the MedSec approach but came around to it, in part because it worked. He appeared at Black Hat with Bone.
“Many have written that the software and hardware market is dysfunctional, a lemon market, because buyers don’t know how insecure the products they purchase are,” Wysopal said in an interview.
“I’d like to see someone fixing this broken market. Profiting off of that fix seems like the best approach for a capitalism-based economy.”