How do you fancy a career that involves breaking into the computer systems of large companies and stealing vast amounts of money - but with no risk of prosecution? Welcome to the world of ethical hacking, otherwise known as "penetration testing". As computer networks proliferate and an increasing amount of data is held electronically, cyber-crime is rising. This means that there is a growing need for skilled specialists to pinpoint weaknesses in the systems of a wide range of organisations, from banks to government departments, and ensure they can keep hackers out.
Many of us now bank and shop online and it's thanks to people like Roger Hoyle, a senior penetration tester with the security company, QinetiQ, that our transactions are protected. "Cyber-crime is mainly money-related," he explains. "It's attractive to criminals because, unlike walking into a bank with a shotgun, the rewards are high and the risks low." But the job may also involve protecting systems from hackers engaged in international espionage or terrorism, as well as the vengeful ex-employee who wants to create havoc.
You have to be able to think like a hacker. "It's a challenge," says Hoyle. "You're constantly asking yourself: am I good enough to break into this system?" A tester needs to have an enquiring mind, be able to think fast and pay attention to detail, he goes on. "You also need to be tenacious, as you're often looking for just one small chink in the system's armour," he says. "We once took control of the entire network of a global company after accessing a modem through a single phone line."
Testers come from a wide range of IT-related backgrounds - Hoyle was previously a research scientist working on military simulations. It's now also possible to specialise in penetration testing at undergraduate level. The University of Abertay Dundee launched its BSc in ethical hacking and countermeasures last September, the first of its kind in the UK.
"Candidates need to be methodical with good problem-solving skills and mathematical ability," says Dr Geoff Lund, who oversees the course. He is confident that the market for graduates will continue to expand. "Company auditors now often insist on security-testing, and building a robust system is a priority for businesses," he says. There are also short courses such as certified security testing at associate or professional level, offered by training providers such as 7Safe. These count towards the postgraduate certificate in penetration testing and information security that the company administers in partnership with the University of Glamorgan. But, if you've ever been involved in the less than ethical side of hacking, you may as well forget it. Training institutions and employers run stringent criminal-records checks on all applicants.
Large organisations may employ their own penetration testers but many, like Hoyle, work for security companies and are contracted out to clients. "There's a lot of fast-paced, short-term work," he says. "It's varied so it keeps the job interesting. You get closure and the sense of a job well done but you don't get the big office party that often comes with the end of a long-term project in other areas of IT." Testers generally work office hours but there can be a lot of travel involved - about half Hoyle's time is spent on company sites around the country.
In terms of career progression, testers can move on to management and then into consultancy. Forensic work is another option. For the ambitious, there is the highly respected Check qualification administered by the Government agency the Communication Electronics Security Group.
Ethical hackers generally earn between £30,000 and £60,000 a year, although experienced consultants can make considerably more. And if you're wondering what happens to the vast amounts of money siphoned from the accounts of client organisations in the process of testing, "don't worry," says Hoyle. "We give it all back."