Not all hackers are cybercriminals. Ethical hackers can be deployed as the first line of your cyber defence and should form part of every organisation’s strategic plan. They can expose system vulnerabilities before bad actors exploit them and many experts consider them essential to robust cybersecurity.
When Chinese AI company DeepSeek released its open-source large language model (LLM) in January, it generated global headlines, topped app download charts and even caused US tech stocks to sink.
With the world’s attention on the startup, so-called “white hat hackers” at cloud security company Wiz Research started attacking its firewalls. Within minutes, they had accessed one of DeepSeek’s internal databases, ClickHouse.
But instead of using ransomware to extort the company, the ethical hackers at Wiz Research privately gave it the heads up. This gave DeepSeek the opportunity to remedy the weakness before malicious actors discovered it.
The practice of “ethical hacking” is an increasingly important part of an organisation’s cyber posture. A white hat hacker uses their skills to help protect companies, whereas a “black hat” hacker seeks to exploit them for financial gain.
“Ethical hacking is an acknowledgement of a single organisation’s inability to fully protect itself through traditional security testing methods,” says Manjunath Bhat, research VP at Gartner’s software engineering practice.
“There’s this huge asymmetry between the number of users and, therefore, potentially malicious users of a system and the people building it.
“It could be 100 million consumers on ChatGPT, for instance, versus less than one per cent of people actually building it. It is no longer within the remit or within even the capacity of any individual organisation to secure its own system.”
Practical takeaways for directors
- Integrate ethical hacking into your enterprise risk management framework
- Ask probing questions about the scope, methodology and findings of penetration testing
- Foster a culture of continuous improvement and proactive security
- Recognise that cybersecurity is a board-level responsibility
- Work with a reputable partner who can provide ethical hacking services. Ingram Micro Australia works with many partners that can provide these services
By understanding the value ethical hacking brings and the insights it can uncover, boards can lead the charge in building a robust cybersecurity posture that meets modern challenges, says Ben Le Huray, solutions architect team leader at Ingram Micro Australia.
“Whether through in-house capabilities or external experts, ethical hackers are a crucial ally in today’s threat landscape, ensuring companies can identify and address gaps before malicious actors exploit them.”
Like open-source developers, in many cases ethical hackers work without expectation of payment. “Ethical hackers are passionate about what they’re doing,” says Bhat. “They get a dopamine rush by successfully hacking systems. In many cases, they don’t ask for payment but may say, ‘Here’s a link to our donation page’.”
Surprising vulnerabilities in corporate networks
By mimicking a nefarious hacker, ethical hackers can reveal weaknesses that wouldn’t otherwise surface during regular system testing. It is why the likes of Google, Microsoft, Facebook and Netflix now actively encourage ethical hackers to help them. Meta has a ‘Bug Bounty’ program with financial rewards that so far have exceeded US$22.5 million.
It is also possible to undertake internal ethical hacking simulations with the aim of better guarding customer data and intellectual property, known in cybersecurity terms as the “crown jewels”.
Extra set of eyes
However, not all boards are convinced of the benefits of ethical hacking, according to Bhat. “The biggest misconception among directors is that all kinds of hacking are tantamount to criminal activity,” he says.
“Another myth is that ethical hacking may not even be necessary. They might say, ‘We’re doing dynamic security testing — why do we need something else in addition to everything we already have in place?’”
An adversarial mindset is crucial in today’s cyber landscape, according to Brenton Steenkamp MAICD, a partner and head of cyber and data governance at Clayton Utz lawyers.
“Boards need to embrace ethical hacking for the purposes of gaining an extra set of eyes around vulnerabilities within their organisation,” he says.
Low-hanging fruit
These “extra eyes” are invaluable. An alarming vulnerability often found in corporate networks is a lack of adequate checks to prevent phishing scams.
“Employees are still granting excessive permissions to third-party applications or services without proper vetting, passing their security credentials on to shadow IT-type folk and as a result, giving away very important credentials,” explains Steenkamp.
“There’s no proper risk consideration taking place. Another scary one is someone using a weak password with critical applications. In my experience, threat actors are looking for the low-hanging fruit and a weak password is one of the easiest ways to gain access.”
When it comes to internal ethical hacking programs, Steenkamp says it is important to remember they are not foolproof and need to be run consistently over time.
“There’s a misconception around ethical hackers that they can uncover all areas of risk,” he says. “It is just not possible. Today’s IT environments, particularly within larger organisations, are very complex and there’s always a time and cost associated with what systems and applications can be tested. The approach around scope is important.”
Furthermore, says Steenkamp, an effective ethical hacking initiative will factor in training to address weaknesses caused by human behaviour, which still accounts for most infiltrations by cybercriminals. Having strong procedures in place to guard against phishing attempts is critical.
Preventing internal friction
Gartner tracks the market for providers of penetration testing as a service and recommends performing this testing every time an update is installed. These providers deliver services by combining automated tools and human expertise.
While “pentesting” aims to boost resilience by discovering internal weaknesses, the approach is important. Maintaining trust and transparency between the board, senior management and IT teams is key.
“Depending on how you see it, ethical hacking may create confidence at the board level, but it also can create mistrust at the operational level within the organisation, particularly around the CISO (chief information security officer) and the IT teams,” says Steenkamp.
“The purpose of these exercises is to help build resilience; it’s not about naming and shaming the IT team. You need to work together, not against each other, to create the optimum level of IT security. The CISO and IT director also know best where the operating issues are within the environment, so it’s very much about working together.”
According to Gartner’s internal research, application security is a top priority for software engineering leaders. This means it is not as much of a friction point as it may have been in the past.
“There’s been a gradual realisation that security is just another aspect of quality,” says Bhat. “We test our software for functional correctness or quality issues, and security is just another pillar of that.”
Common misconceptions
Ben Le Huray, solutions architect team leader at Ingram Micro Australia, which specialises in cybersecurity, says a common misconception is that ethical hacking is only relevant to IT teams.
In reality, it’s a board-level concern, as successful attacks can jeopardise business continuity, damage reputations and erode shareholder trust.
Another misconception is that hiring ethical hackers might expose sensitive data. However, professional pentesters follow strict protocols and work under legal contracts to maintain confidentiality.
“Directors sometimes also assume a single penetration test is enough,” says Le Huray. “It’s an ongoing process. The cyber threat landscape is constantly evolving, so regular penetration testing and vulnerability assessments are essential.
“It is also a common belief that existing IT security is sufficient, underestimating the ingenuity of modern cybercriminals. Security is a continuous improvement cycle.”