what companies hire hackers


Introduction:

1. Carmakers Struggle to Hire White Hat Hackers

2. CISOs Look to Hire White Hat Hackers to Head Off Security Breaches

Carmakers Struggle to Hire White Hat Hackers

  McConnell Trapp has a special set of skills.

  He can hack into cars and control aspects of them from his computer.

  Trapp, 39, who has a law degree and speaks Japanese fluently, started hacking cars about 16 years ago. He used a computer, various vehicle spare parts, a turbocharger and the help of a few friends to increase the 120 horsepower normally found in a 1995 Honda Civic sedan to almost 300 hp.

  “It was a lot of trial and error,” said Trapp, who said he “blew up a lot of engines.”

  Today, Trapp is director of Speed Trapp Consulting in Troy, Mich. He works as a legal “techno” consultant. He is one of the good guys who uses his ability to infiltrate car computer systems and uncover potentially dangerous flaws that would make them vulnerable to someone with malicious intentions. But if he were a bad guy, he knows how he could compromise several cars at once. Cars in operation today.

  “I’d walk into a dealership. I would see if they have a Wi-Fi router designated for customers and gain access into that first,” he said.

  Then, if the dealership’s service department server is hooked into the main system, he would infiltrate the service department’s storage database that the technicians use for vehicle diagnostics. From there, it’s as easy as inserting a “fake” update resembling other files for vehicles and infecting multiple cars there for service.

  “Hypothetically, I could make a running engine turn off, or render other aspects of the car either useless, or just make it appear as though the vehicle constantly needs service or recalls when it actually doesn’t,” he said. “That’s the danger, that’s the scary part.”

  It’s that threat associated with vehicle technology that is driving many auto companies and other industries to increasingly look to hire hackers with ethics like Trapp, called “white hat” researchers. Those hackers can identify cybersecurity flaws and thwart nefarious actions of “black hat” hackers.

  But finding white hat hackers to hire is incredibly hard, personnel experts said. First, few people have those skills. Then, they must be vetted to make sure they have both the technological acumen and the moral compass for the job. The need for them is outpacing the thin supply.

  Typically, computer hacking is associated with a person or a group with malevolent intentions. The hacker gains unauthorized access to a computer or a technology-dependent system to do harm.

  In the 2017 movie, “The Fate of the Furious,” for example, actress Charlize Theron’s character hacks into every self-driving car in New York City, takes remote control of them and causes mass chaos and destruction.

  Hackers differ on this point. Some, such as Trapp, say such a movie scenario is unlikely in real life, especially while a human is still needed to start a car. Others say we are almost at the point where it could happen.

  General Motors Co. is leading the way in developing autonomous cars. It has promised to bring them to market in urban areas in a taxi-like platform next year. But the fear of scenarios such as the one in the movie, as well as a desire to keep customers’ information protected in regular cars, is ratcheting up the need for the company to hire white hat researchers.

  GM launched a program this summer called Bug Bounty. It took the automaker years of forming relationships with white hat hackers. GM now will bring those hackers to Detroit and pay them a hefty bounty, or cash payment, for each “bug” they uncover in any GM vehicle’s computer systems.

  Fiat Chrysler has had a Bug Bounty program in place since 2016. It pays white hat hackers up to $1,500 each time they discover a previously unknown vulnerability in vehicle software.

  Last year, GM’s self-driving unit, Cruise, hired famous car hackers Charlie Miller and Chris Valasek. The two, dubbed the “Cherokee Brothers” by Trapp and others in the hacking community, gained fame in 2015 when they proved they could remotely stop a Jeep Cherokee.

  GM conducts its cybersecurity using a three-pronged approach: It hires third-party companies that employ white hat hackers, it has its own hackers on staff and it has the Bug Bounty program.

  GM and Cruise employ 25 to 30 white hat hackers on staff today compared with five to 10 in 2013, said Jeff Massimilla, GM’s vice president of Global Cybersecurity. GM has about 450 people dedicated to all other aspects of cybersecurity across the company, he said.

  “As we continue to get more connected and into AV, we will want to increase that number of white hat researchers,” said Massimilla.

  Massimilla declined to say how much GM is investing to hire cybersecurity personnel, but he said, “It’s an extremely high priority, we’re well funded and well resourced.”

  GM relies on its three-pronged approach because of the shortage of white hat hackers, he said. Plus, many don’t want to work for one company.

  “Hacking a Camaro is pretty darn exciting, hacking an autonomous vehicle is pretty darn exciting — but it’s tough to attract that talent because they’re just not there or they want to do it through bounty programs where they can work from home and have flexibility,” Massimilla said.

  More than half of employer demand related to connected and self-driving cars is for workers in data management, cybersecurity and information technology, according to the 2017 Connected and Automated Vehicles (CAV) Skills Gap Analysis by the Workforce Intelligence Network (WIN).

  In 2015-16, there were 10,344 total job ads placed for CAV-related employment, and 5,400 of those ads were for jobs in data management and cybersecurity, the report said.

  And, as demand rises for such skilled workers, the supply remains flat, thus inflating salaries. The average salary for CAV jobs in 2014-15 was $89,616. In 2015-16 that rose to $94,733, the WIN report said, citing data from Burning Glass Technologies.

  The gap between demand for cybersecurity personnel, especially white hat hackers, and the available supply cuts across many industries, including health care and insurance, said Bob Zhang, chief information officer of Strategic Staffing Solutions in Detroit, which works to find contract workers to fill such roles for its clients.

  “The supply is really low right now. By 2020, the job gap will be 2 million jobs. That means 2 million unfilled openings in cybersecurity,” Zhang said. “You can’t just teach hacking. It requires a whole lot of knowledge from IT and computer science … you have to be the jack of all trades with a deep interest in systems networking.”

  Some organizations offer training courses to verify a hacker as a “certified ethical hacker,” he said.

  But most large corporations find it beneficial to hire third parties staffed with white hat hackers for specific projects.

  “If I’m an IT manager, do I really want to hand-pick somebody and say, ‘I’m going to put all of this multibillion-dollar company in the hands of the people I hire?’ Or outsource it to a company that focuses on this type of service? Many do both.”

  The gap in cybersecurity job demand versus supply probably is the largest gap in the IT industry’s history, Zhang said.

  “Once the security world matures and the amount of security providers increase, the demand will even out,” he said.

  Some colleges and universities offer courses in cybersecurity, but expanding that curriculum and recruiting younger people into vocational hacking courses to grow the talent pool can’t happen fast enough to meet the soaring demand, said Jennifer Tisdale, director of connected mobility and infrastructure for Grimm.

  Grimm is a technology consulting company with a new “car hacking lab” in Sparta, Mich. It uses white hat researchers for automotive clients as well as other industries.

  “We need to hire 20-plus researchers in the next two years,” Tisdale said. “I don’t have time to wait for a college to structure a program for cybersecurity.”

  College programs might not be the full answer anyway, Grimm CEO Brian Demuth said.

  “There’s not a degree that should be created to do all of this, but there are things like extended learning that can help,” he said.

  Grimm, which has 46 employees across the country, looks for people who have a “fundamental view of computer science” and then trains, teaches and grows them from there, Demuth said.

  Demuth, 38, is a hacker himself with a computer science background and a passion for tinkering with cars.

  “I was always interested in how things worked. I grew up the son of a Marine, and he was in the intelligence field, so there were always computers and amateur radios around,” he said. “My father was into mechanics and working on vehicles and making them start faster or stop faster. That’s what drove my passion into this.”

  Part of the difficulty in recruiting hackers lies in the stigma surrounding the pursuit.

  Matt Carpenter, 44, is Grimm’s lead researcher dedicated to automotive, aerospace and energy businesses. Carpenter works with four other white hat researchers in Grimm’s car hacking lab.

  “What I do and my team does is everything that can be done by an attacker,” Carpenter said. “We do this so that we can benefit the community and identify problems before someone with bad motives can do it.”

  When asked if he calls himself a hacker, he said, “I like to be called a good guy, but there’s no way to be considered a good guy by everybody and do what I do. There’s a great stigma around being a hacker.”

  Many people misunderstand the work white hat hackers do, which Carpenter said is “vital” to secure every car on the road.

  “It takes a lot of deep knowledge and deep work,” he said. “You can’t pull me off for an hour or I will lose ground. I will do four hours, take a short break, and go back for four hours more. But it’s very interesting work.”

  The work can help automakers, for example, develop security initiatives such as over-the-air updates for firmware, Carpenter said. Those updates would allow a carmaker to fix a bug via a secure update across thousands of cars without having to do a recall.

  Carpenter and Trapp are adept at reverse engineering a car’s system to find bugs or develop security points. But in doing so, Trapp reluctantly admits, he is a hacker.

  “As I look for that problem in a vehicle or system and find vulnerabilities, I try to see if I can re-create it,” Trapp said. “And, that’s hacking.”

  Many hackers have hesitations about applying for jobs.

  For one thing, there is the fear of the legality of it, said Jennifer Dukarski, head of the connected and autonomous vehicle group at law firm Butzel Long in Ann Arbor, Mich.

  “There are blurred and unclear computer laws,” she said. “Even if you have authorized access, do you have full access? And a lot of hackers don’t want their employers to know that they have poked around and have experience.”

  Ironically, most hackers also enjoy the notoriety when they do hack into something, so they eschew contracts that demand confidentiality, Dukarski said. They also dislike exclusivity.

  “Most hackers want to go into various vehicles and find flaws. They want to go into Fords and find fault, or GM or hack into their own toaster,” Dukarski said. “Working for one automaker limits them.”

  GM’s Massimilla understands this mentality. He said any hackers to whom GM pays a bounty are free to do bounty work for other automakers. “We don’t view cybersecurity as a competitive advantage; we see it as an industry problem,” he said.

  But if a hacker proves talented, joining a company can be lucrative. For example, the Cherokee Brothers likely command north of six figures, Dukarski said.

  GM declined a request by the Free Press to interview Miller and Valasek. But Massimilla said the two have been great ambassadors for white hat hacking.

  “Hiring Chris and Charlie was excellent, not just in their capabilities, but it shows the research community that we are really open and forward looking and focused on the safety of our customers,” Massimilla said. “It gets the word out that cybersecurity is a top priority for the company.”

  The need for white hat hackers will only grow, industry leaders said, making it one of the hottest professions.

CISOs Look to Hire White Hat Hackers to Head Off Security Breaches

  Many companies continue to struggle to secure their data and identify and address system vulnerabilities. But chief information security officers (CISOs) are finding the best way to defend against hackers might be to hire a hacker of their own.

  However, that expertise and security assurance comes at a hefty price, according to Matt Comyns, global co-head of search firm Russell Reynolds Associates’ cybersecurity practice, in a recent article.

  CISOs themselves can command between $500,000 and $700,000 a year, and compensation at some technology companies reaches as high as $2 million once generous equity grants are included, Comyns says. In comparison, CISOs who have been with a company for five or more years receive on average $200,000 to $300,000 per year, Comyns said.

  “If you’re a CISO and you’re looking to build a great security team, one of the best places to start is with a white-hat hacker, or a certified ethical hacker,” says Ryan Lee, COO of online IT skills training firm CBT Nuggets.

  “Of course, some companies shy away because these folks are expensive, but without an emphasis on proactive security, the costs to a company could be even more disastrous,” Lee says. Certified ethical hackers can command salaries upwards of six figures, he says, though the specific range varies from company to company.

  Evidence of the demand for CISOs and security specialists like white-hat hackers is somewhat anecdotal, but overall the IT community is becoming increasingly nervous about security issues, and there is an uptick in interest in security and ethical-hacking related content, says IT security expert and training professional James Conrad, who develops and teaches security and ethical hacking courses for CBT Nuggets.

  “One of the things I’ve noticed is the escalating need for security pros at all levels, especially in the last few years,” Conrad says. “When the Web was young, security was a secondary priority, but as unscrupulous people found ways to exploit vulnerabilities, it moved quickly to the top of the list, and it has stayed there,” he says.

  However, while the demand for highly skilled security pros hasn’t lessened, the available talent pool has, especially among specialized talent like vulnerability testers, penetration testers and white-hat hackers, he says.

  “Most IT security pros are already working between 40 and 60 hours a week maintaining, building, patching systems and otherwise putting out fires,” Conrad says. “They just don’t have the time to do much more, especially in the area of finding new vulnerabilities. Sure, there are teams of security personnel, and in an ideal world they could devote their time to these issues. But in the real world, that stuff is pushed aside in favor of day-to-day routine work,” he says.

  And that complacency is all a hacker needs to enter and exploit a company’s systems, data and information. That’s especially true when dealing with large organizations with less-secure branch offices or with small businesses that don’t have huge security budgets in the first place, Conrad says.

  Unfortunately, many companies don’t understand the value of having hackers working for them, even as security breaches, data loss and state-sponsored cyber attacks dominate the headlines, says CBT Nuggets’ Lee.

  “The highly publicized Target and Neiman Marcus security breaches [and] the discovery of the Chinese hackers targeting the U.S. are the kinds of advanced, persistent threats companies face every day, and it can be expensive and time-consuming to proactively fight against them,” Lee says. “But that’s how these threats have to be handled,” he says.

  Education is the best weapon, Lee says. Certified ethical hackers can help businesses understand both the nature of the threats and the potential for disaster by discovering potential vulnerabilities and stopping attacks before they begin.

  “The goal of most of the honest, white-hat folks is to become a penetration tester, to perform legal hacks on systems to determine vulnerabilities,” says CBT Nuggets’ Conrad. But many times ethical hackers’ hands are tied, so to speak, by the legalities of contracts, privacy statutes and compliance concerns.

  “When an ethical hacker is contracted, oftentimes they must sign a legal contract based on an attorney’s advice that defines the scope of the work they’re doing, what data and systems they can and can’t access, as well as the length of time they can devote to these hacks,” Conrad says. In most cases, ethical hackers are given a few weeks in which to work, and that’s just not enough time.

  “It’s such a challenge. Black-hat hackers sometimes take months and even years to create and deploy attacks; it’s not like they are bound by traditional ethics codes,” Conrad says. “The longer you can give a white-hat to work within your systems, the better, but many companies bury their heads in the proverbial sand and don’t want to spend the money on doing so — until it’s too late,” he says.

  While some of the most obvious hacks and attacks can be found and exploited within a week, many of the more sophisticated attackers will ignore the “low-hanging fruit” and simply wait out businesses for weeks, months or years in order to gain the data or the access they desire, Conrad says.

  While many businesses that employ white-hats will feel they’re adequately protected because they’ve kept up with patches, antivirus, anti-spam and software updates and have hired an ethical hacker to address blatant vulnerabilities, they often find they’ve missed more complicated, less obvious vulnerabilities.

  “One of the most important jobs an ethical hacker has is to educate companies on how hackers can leverage their way into the systems,” says Conrad. “They have to prove their own ROI, in a sense, and justify why it’s worth a business paying them the six-figure salaries they can now command,” he says.

  Of course, this raises the question: How do you know for certain that the ethical hackers you’ve hired are, in fact, ethical? Unfortunately, you can’t ever know for sure, says Conrad, since the entire profession of white-hat and ethical hackers is based on a code of personal integrity and an “honor system.”

  “When you become a certified ethical hacker, you do have to sign a legal document agreeing that you will use your powers for good, not for evil,” Conrad says. “But that’s no guarantee, and, unfortunately, there’s really no way to be absolutely sure. It’s one of the built-in risks companies have to take in order to address these threats,” he says.

  CBT Nuggets currently offers version 7 of its Ethical Hacking course and is in the process of finishing version 8 of the class, which will be released in its final form in June 2014. CBT Nuggets’ Lee says version 8 has already amassed more than 12,000 views, and expects that number to keep growing as security concerns and highly publicized attacks dominate headlines.

  “Security as a whole is a huge area right now, especially with news of Target, eBay, Neiman Marcus and others,” Lee says. “It is key to educate and open people’s minds to the dangers and the cyber security threats out there, and that’s what we’re trying to do,” he says.

  To become a certified ethical hacker, candidates should have a minimum of helpdesk-level IT skills, some server experience and familiarity with Linux, says Conrad. Obviously, the more experience the better, but resources like those available at CBT Nuggets can help developers quickly get up to speed, he says.

  “The market’s wide open for certified ethical hackers, especially as attacks become more sophisticated and vulnerabilities less obvious,” Conrad says. “There’s not a lot of folks out there doing these kinds of hacks — yet. But the damage they can do is monumental and the need for these skills will continue to grow,” he says.

Related questions

Companies across various industries hire ethical hackers (also known as white-hat hackers) to strengthen cybersecurity defenses, identify vulnerabilities, and protect sensitive data. Below is a categorized list of sectors and examples of companies or organizations that actively recruit ethical hackers:

1. Tech & Cybersecurity Firms

  • Big Tech Companies:
    • Google (e.g., Project Zero for zero-day vulnerability research).
    • Microsoft (Microsoft Security Response Center).
    • Amazon (AWS Security), Apple, Meta (Facebook), and Tesla (vehicle/software security).
  • Cybersecurity Specialists:
    • Palo Alto Networks, CrowdStrike, FireEye/Mandiant, Rapid7, Check Point, Fortinet, and Darktrace.
  • Bug Bounty Platforms:
    • HackerOne, Bugcrowd, and Synack (connect freelance hackers with companies seeking security testing).

2. Consulting & Professional Services

  • Big Four Firms:
    • Deloitte, PwC, KPMG, and EY (all have dedicated cybersecurity practices).
  • IT Consultancies:
    • Accenture, IBM Security, Booz Allen Hamilton, and Optiv.

3. Financial Institutions

  • Banks & Payment Processors:
    • JPMorgan Chase, Bank of America, Goldman Sachs, Visa, and Mastercard.
  • Fintech Startups:
    • Stripe, PayPal, and Square (now Block).

4. Government & Defense

  • Government Agencies:
    • NSA (U.S. National Security Agency), CISA (Cybersecurity and Infrastructure Security Agency), GCHQ (UK), and Interpol.
  • Defense Contractors:
    • Lockheed Martin, Northrop Grumman, Raytheon, and BAE Systems.

5. Healthcare & Critical Infrastructure

  • Healthcare Providers:
    • Companies like UnitedHealth Group (Optum) or Cerner (health IT security).
  • Energy/Utilities:
    • Schneider Electric, Siemens, and General Electric (industrial control system security).

6. E-Commerce & Retail

  • Retail Giants:
    • Walmart, Target, Shopify, and Amazon (retail division).

7. Startups & Scale-Ups

  • Emerging cybersecurity startups (e.g., Snyk, SentinelOne, Wiz) and tech unicorns prioritizing app/cloud security.

Roles & Job Titles

Ethical hackers may hold positions such as:

  • Penetration Tester
  • Security Engineer/Analyst
  • Red Team Specialist
  • Threat Intelligence Researcher
  • Chief Information Security Officer (CISO)

Freelance & Contract Work

Many companies engage ethical hackers via:

  • Bug Bounty Programs: Tesla, Intel, and GitHub offer rewards for vulnerability disclosures.
  • Platforms: HackerOne, Bugcrowd, and Open Bug Bounty.

Key Certifications

Certifications like CEH, OSCP, CISSP, or CompTIA Security+ are often required. Government roles may require security clearances.

Note

Ethical hacking is legal and structured, focusing on improving security. Companies avoid the term "hacker" in job postings, preferring titles like "Cybersecurity Analyst" or "Penetration Tester." Always verify a company’s legitimacy and adhere to legal guidelines.

Last modified by:
admin