Getting inside the minds of ethical hackers
Dan Hatch gets to know some ethical hackers, learning what makes them tick and how they can help businesses by attacking them.

With their head on the block, any IT manager would be quick to point out that no system can be 100 per cent secure. Whilst Wood accepts this, he argues they can be "adequately secure" and businesses should be proactive, rather than reactive.
"What most firms struggle with is protecting information or data in proportion to its value or sensitivity," he said. The idea is to protect the most important data with stronger controls and use less protection on less sensitive data, to avoid unnecessarily slowing down essential day-to-day business.
If IT security adds barriers, staff will find ways to work around it, and that's where problems set in.
Security is meant to help a business make money, not get in the way. The best way to ensure this is to keep your house in order.
Wood advocates regular independent analysis to help identify the most important issues. But he also recommends writing and strictly implementing a wide-ranging security policy.
"Best practice is always going to go out the window at some point," he said. "While it sounds reactive to have a series of reviews that you take action upon, it secures a business better than most other solutions."
Getting 'em when they're young
Mike McLaughlin is a young hacker on Wood's team. He loves his work.
"The average day would involve going on site, all over the country somewhere, hooking myself up to their network and seeing what secrets I can steal," he explains.
"To go in, plug in your laptop and own everything within 10 minutes isn't unheard of at all. Nine times out of 10 we get into their system at some kind of level. When you go somewhere and they say 'you won't be able to do it' and then you do it, that's where you get the thrill."
McLaughlin's background isn't IT. He studied chemistry for a bit. Dropped out. He worked in bars in Spain. His interest in hacking was piqued when Wood offered him an apprenticeship. He studied for a year before joining the team.
"When I tell people what I do they all think it's like top secret CIA agents, all undercover - there's a certain aura around it," he said.
"People seem to associate what we do with what they read in news stories but a lot of what we do is not really that difficult - the papers just make it out to be like some sort of mystical Ninja force. It is a bit cool I guess."
McLaughlin and Wood use the same methods as genuine hackers. They launch attacks across the internet, break into a network masquerading as an employee with system access, gain access through third parties like data centres and can recreate insider attacks.
"There's a set route but we deviate off it," McLaughlin said. "A lot of the time you've got to be creative with what you've been given. So you've got a set list of tasks and each task can be completed by five or six methods but then if you can think of another method you stick that in."
But once the fun and games are over, and the pretense of the malicious hacker is dropped, the job is all about providing feedback to the client.
"We try and be as open and honest with them as we can and tell them what we did, how we did it, why we did it, and what they can do to remediate it," McLaughlin said. "Some people do get a bit funny about it but we do try our best to be seen as a help rather than embarrass people."