Why some of the world’s top cybersecurity hackers are being paid millions to use their powers for good
- There is a shortfall of cybersecurity workers for available jobs that could reach as high as 3.5 million unfilled roles by 2021.
- A start-up called Synack provides crowdsourced security and hires freelance hackers to help companies find vulnerabilities.
- These freelance hackers are earning high salaries due to increasing demand.
Participant hold their laptops in front of an illuminated wall at the annual Chaos Computer Club computer hackers’ congress, called 29C3, on December 28, 2012 in Hamburg, Germany.
Patrick Lux | Getty Images News | Getty Images
One of the most overwhelming problems in cybersecurity is a severe labor shortage. There simply aren’t enough people who are qualified to do cybersecurity jobs to fill all the open roles.
A start-up called Synack is helping companies get around this shortage by providing “crowdsourced” security. Its software platform provides automated ways for companies to discover security flaws, then it turns those vulnerabilities over to penetration testers, known as pen-testers — basically, hackers who use their powers for good. The company makes a point of hiring top pen-testing talent, then sees how they can use the flaws to breach the client.
Synack competes with both companies that provide vulnerability monitoring with machine learning, and with bug bounty programs, which allow companies to hire hackers with hard-to-find skills en masse to test their networks.
Government agencies and companies will need creative solutions like this as they face a shortfall of cybersecurity workers for available jobs, leading to 3.5 million unfilled roles by 2021, according to Cybersecurity Ventures, which monitors cyber job trends. Synack, which ranked No. 42 on the 2019 CNBC Disruptor 50 list, has 150 global customers, including 15 federal agencies in the United States.
The freelance model makes sense, as hackers with the best skills are often in high demand or too dynamic to want to stay put at a corporate job, according to Synack CEO Jay Kaplan.
“The talent crisis in this industry is pretty massive, and these people don’t like to be pigeonholed,” Kaplan told CNBC. “So we incentivize based on their ability to find very critical, impactful vulnerabilities on our companies. I fundamentally believe that the future of this type of talent is in a freelance or gig-economy type of dynamic. These folks don’t want to work full time for these companies, but they can find the most critical vulnerabilities that can impact them.”
For many the payoff is huge. “We just had our first hacker pass the $1 million mark [this year],” Kaplan said, meaning the freelancer had earned $1 million total in bounties from companies and agencies during his career there. According to Kaplan, these pros are racking up a lot of money since their skills are in such high demand.
Earlier this decade, it was hard to convince government agencies and companies to let some of the world’s best hackers have a crack at their networks, Kaplan said. But that’s changed as companies face a seemingly endless array of novel techniques and old problems that can be combined to cause serious breaches.
“Particularly in the past couple of years, crowdsourcing and security really weren’t ending up in the same sentence. It required a lot of trust to be built into the model. We’re excited today that the industry has really swung in the complete opposite direction,” he said.
The company has stringent requirements for hackers — it only employs around 1,000 freelancers, which they vet for reliability and skills. This is one way Kaplan said the company has tried to build trust with nervous corporations.
“We weed out about 90% of the folks that come into it, and we’ve built a whole platform to facilitate trust and control and visibility,” he said.
Synack offers visualizations of a company’s cybersecurity stance.
Executives are sometimes worried that the process might expose weaknesses they don’t want to bring to the surface. But Synack tries to emphasize the positive, explaining how well a customer’s security is working, before disclosing the flaws.
“We’re giving them more of that positive validation story, by saying look at all the things that our researchers tried. But what’s just as important, here are 100 vulnerabilities,” Kaplan said.
That’s been especially helpful in federal contracting. Most recently, Synack won a portion of the Hack the Pentagon program alongside bug bounty companies HackerOne and Bugcrowd. The company also recently renewed a $34 million federal contract to work on classified systems.
Original report can be found on CNBC.
AMID COVID-19 CRISIS, CYBERSECURITY EXECUTIVES LOOK TO VIRTUAL SUMMITS FOR INFORMATION, EDUCATIONMarch 31, 2020
Atlanta Cybersecurity Conference Highlights Emerging ThreatsMarch 2, 2020
New Security Report Highlights Trends in Mid-Market Business MalwareJanuary 2, 2020
2020 Cybersecurity Trends to WatchDecember 31, 2019
The Internet: Looking Back and Forward 50 YearsNovember 18, 2019