
WhiteHat CEO sees no cap on future of ethical hacking

“Dear kids,” Box CEO Aaron Levie once tweeted. “If you want a job in 5 years, study computer science. If you want a job forever, study computer security.”

It’s a point pithily made and a sort of modern equivalent to Computacenter CEO Mike Norris’s excellent quote to the effect that “there are only three certainties in life: death, taxes and IT spending.”

But the point about security would surely be echoed by WhiteHat Security CEO Craig Hinkley. An Australian with the robust views characteristic of that beautiful country’s people, Hinkley says that there is a simple reason for current issues with IT security.

“I’d put that down to one thing: lack of talent,” he says. “If you’re not employed [and a security expert], you’re between jobs. There’s something like 0.02 per cent unemployment.”

WhiteHat, as the name suggests, is a company that specialises in ethical hacking, probing for application-level vulnerabilities on behalf of customers. It does this by a blend of software tools and people, with 150 hackers scanning source code to find what he calls “the burning red-hot needle in the haystack”.

Customers pay an annual subscription for the cloud-based service from the 14-year-old Santa Clara, California company that provides “machine and human intelligence to deliver actionable outputs”, Hinkley says.

How does WhiteHat hire? Hinkley says the company has “cracked the code” with six-month training routines that crank out experts. In its Belfast, Northern Ireland office, WhiteHat has grown staff from five to 55 using that home-baked technique.

Software tools in isolation, he contends, are not enough, no matter how many features the security giants add to their portfolios:

“There is no silver bullet, no one tool set that will address the magnitude and multitude of risks.”

Boards and CEOs don’t care about the technology but they are concerned about the threat of being held personally liable for breaches. You can never have total belt-and-braces protection but by embedding security into the development teams, you give yourself the best chance of heading off threats at the pass.

“Developers are moving to Agile [methodologies] and DevOps approaches that will drive new applications and capabilities and unless you embed security you could be hurting your security profile.”

It’s not just about stopping breaches per se. Hinkley spies a looming role for WhiteHat to set its rich set of data covering vulnerabilities and time-to-remediation to work in providing a benchmark of risk profiles for cyber-insurance firms and underwriters. There may even be scope for a standardised risk register to show regulators companies’ security ‘postures’. Today, he reckons, about 55 per cent of companies could be categorised as “always vulnerable”.

“We could package up the data,” he says. “In the insurance industry, it’s gold.”

Hinkley says that although the biggest companies spend tens of millions of dollars per year on security, vendors swerve being held responsible. (“If you say ‘can you guarantee it?’ they look at you like you’ve got three heads,” he says.) WhiteHat offers a $500,000 bond that customers won’t have their applications hacked.

Hinkley won’t disclose annual revenues but says a figure of $50-75m would be in the right ballpark and adds that the company grew new business by 40 per cent in North America and EMEA in 2015. YouTube shows him celebrating such successes with a backflip to encourage his troops, although Hinkley says his wife has told him to knock off that dangerously athletic behaviour.

For the future, he says that all options remain open for WhiteHat, from acquiring or being acquired to raising more money and chasing an IPO. Certainly, there appears to be no near-term let-up in demand for such services.

Martin Veitch

Martin Veitch is Editorial Consultant for IDG Connect
