Profile of an Ethical Hacker

By ABC News
February 15, 2005, 11:38 AM

Feb. 16, 2005 -- Almost every day in the United States, savvy, determined hackers attempt to break into computer networks and pilfer valuable information. But here's the good news: Some of them are professionals, being paid to test the safety of the same computer systems you may be using regularly.

They are "ethical hackers," computer security experts hired by companies hoping to avoid costly holes in their information networks. While the term "ethical hacker" has been in use at least since the 1980s, it has only been a job description since the mid-to-late 1990s -- and it seems to be an increasingly common one at the moment, as computer security becomes a booming business. Research firm IDC, of Framingham, Mass., estimates worldwide computer security revenues will expand from $19 billion in 2002 to $45 billion in 2007.

That means more opportunities for ethical hackers, especially at major industry players. Take Joshua Lackey, a senior ethical hacker at IBM, who is based in Tucson, Ariz., and can sum up his job in one crisp sentence: "We'll go out and break into your computers."

Like many people in the field, Lackey had a personal interest in the subject before it became his profession.

"I've always been interested in security, always had that bent of mind," says Lackey, who joined IBM in 1999, as he was finishing his Ph.D. in mathematics at the University of Oregon.

Not that there is one dominant career path for ethical hackers, though; one of Lackey's IBM colleagues is a former CIA agent.

"I think the one thing we have in common is that there is a little different approach when you're a security guy," says Lackey. "Somehow breaking things is a little more ingrained than getting things to work."

In the world of technology, breaking things, or at least attempting to do so, is also an integral part of getting them to work. Many contracts IBM inks with large clients require a security audit, involving an authorized visit to the firm by a team of hackers using agreed-upon "rules of engagement." For what Lackey calls a "premium hack," an IBM team might take two weeks to do the job.