Chloe Messdaghi, VP of Strategy at Point3, advocate and activist joins the show to explain common misconceptions about the hacking community and how we can do better to combat those stigmas. She also unpacks the diversity challenges specifically in the infosec industry.
The following is an edited excerpt from a recent episode of Tripwire’s Cybersecurity Podcast.
Tim Erlin: Welcome everyone to the Tripwire Cybersecurity Podcast. I'm Tim Erlin, vice president of product management at Tripwire. Today, I am joined by Chloe Messdaghi, who is a security activist, practitioner and advocate. We've got a couple of different topics to talk through with Chloe. I thought we might start with the representation of security researchers in the media. So, what does the media get wrong with its representation of security researchers?
Chloe Messdaghi: In general, what we've seen in the media is that they confuse attackers with hackers. The hacker is there to try to prevent such instances that attackers cause. In other words, the intent is very different. They use the exact same skillset to find vulnerabilities.
The thing is that most of the media does not know that there are two separate parties, because usually when they report about any situation like a breach, malware or ransomware, they use the term “hacker” instead of “attacker.” And this has just been an ongoing situation, right? Because the public perception of the hacker community is that we are criminals. And so it's something that we're trying to change.
TE: We’ve used the term “the media” here, and I just want to pull it out a little bit. Where does this representation occur? Because the media isn't one thing.
CM: Good question. For those that aren't aware, media consists of press, marketing and social media. All of that forms into “the media.”
I think it's important to work with the media. When we provide comments about the hacker community, we should use the right terminology and let them know why we're using it.
Why the Term “Hacker” Matters
TE: That’s interesting. But why do you need to use the word hacker? Why not just change your language and adopt something like security researcher instead? Why does it matter?
CM: I get this question quite a bit. So, one thing to keep in mind is that when we say “hacker,” we’re also referring to “security researcher” or “ethical security researcher” or “ethical hacker.” These are all terms that mean exactly the same thing.
The reality of it is that many of us that went into this field like the term “hacker.” Because that's what we do. A hacker is someone who uses hacking. It's not just a mindset. It's also a part of life. And so when we are saying “hacker,” it's a way to identify who we are and the type of collective agency that we are.
The issue here is that we are missing bilateral trust between the hacker community and organizations when it comes to reporting vulnerabilities. That is a huge situation. One out of four hackers will not report a vulnerability because they're afraid of being prosecuted or having companies file lawsuits against them. Meanwhile, 94% of organizations on the Forbes Global 2000 List don't have any vulnerability disclosure policies. These companies aren't trying to build bilateral trust. If I were to report a vulnerability in good faith, I could land myself with a lawsuit because they think I’m trying to exploit a security weakness.
TE: So for these organizations that see hackers as potential criminals, how do you educate them to draw that distinction between someone reporting a security vulnerability and someone who has criminal intent?
CM: There are CISOs out there that are trying to push for disclosure policies and whatnot, but their Board rejects it because they're worried that that's going to grab more attention for the attackers to find vulnerabilities and exploit them. But the thing they don't understand is that every time a hacker goes to a website, there's a chance that they're looking for vulnerabilities. It’s the same when it comes to attackers. By not putting a program up, it's worse for you because you're not letting people know what is okay. It's better to say upfront, “This is okay. This is not okay.” This is how you communicate it. This helps to protect you as a company, but it also builds that bilateral trust. So then you can prevent attackers from taking ahold of vulnerabilities and running with them.
What the Hacker Community Really Means
TE: I want to switch topics a little bit. You've mentioned the “hacker community.” What are you really talking about exactly? Why is that a term that's important to you?
CM: So the hacker community within infosec are the ones who are behind the scenes making sure that you're secure. They're the everyday heroes. They're also people who are fighting for privacy rights at the same time. We come in all shapes, sizes, everything. We’re a diverse group of folks from all walks of life, all around the world.
TE: You mentioned that the hacker community is a diverse group. Diversity and inclusion is an issue that's top of mind for a lot of organizations these days. I think you and I have both seen a number of companies making diversity pledges and talking about how they want to increase diversity. It's something that's certainly been present in the media. And so I'm wondering if you have any ideas about what concrete steps organizations can take. Are there recommendations that are specific to the information security industry that make sense?
CM: Let's start with the first part. If you're a board or your company has a board, which they should, look at the board and see how many women are on that board. The thing is that representation at the top does trickle down. So-and-so at the top represents you and gives a person like you a voice. And that's what's missing. When you look at boards and security, you'll see that it's pretty much all white men. And the problem with that is that for everyone else who is not a white cis man, their voice is not being heard. That's why it's important to make sure you have a diverse C-level board as well, to make sure that you're able to make the most welcoming environment for all people when they walk into that office.
You should see equal amounts of men and women. And there are non-binary people who should have these manager titles as well. Those are things that they can do. But they need to remember to not use underrepresented folks in your company as marketing collateral. We see that quite a bit. If you're going to go to them for advice on how to build diversity, pay them for it.
TE: And what about the security space specifically? Are there things that we in security should be doing specifically around diversity?
CM: Yeah. Stop gatekeeping. When HR receives your resume, they look at your name and look at other names and then think, “We're not going with this person because of their name.” Because there are human biases that exist. That's one way of gatekeeping.
Another way of gatekeeping is saying, “This person must have this number of certs, this cert in particular and this many years of experience. If they don't, we don't even look at them.” That's another problem, because the reality of it is that a lot of people can't afford those certs, and because they can't afford that, it doesn't allow them to have that position. Research has shown over and over and over again that you don't need certs nor years of experience to prove that you have the ability to do that job. It's whether or not you have the skills to do that job. It’s really important to utilize tools and resources to test them ahead of time and remove the names from the resumes. You want to have a really clear view of the person who's applying and see if they have the ability to do the job. Because that's all you're looking for.
TE: That's interesting. It feels to me like if you're an underrepresented group, you have to acknowledge that in the hiring process, certs probably do matter. And so I'd ask you, would you encourage people on the employee side of it, not the employer side, to pursue those certifications as part of their career?
CM: I think if you are starting out in this industry, it's very hard to get into it. I know as someone who's trying to be a pentester that it could take up to two years to get a position. Certs allow you to kind of open that door a little bit for you to even be part of that interview process if you lack the years of experience that they want. But at the end of the day, we need to do better in security when it comes to certs. If people can't afford it, that shouldn't be the thing that keeps them out. We are dealing with a huge personnel shortage in security, and we need to fix that. There are plenty of people out there who want to get hired, but yet we are keeping them from having positions. And sometimes when we put positions out there for entry-level, they're not entry-level because they are still requiring 3-5 years of experience, but they want to pay you low. So I think what we need to do is come together and make it more accessible. We need to be more accessible in order to fix our personnel shortage and to make sure that we're not practicing any discriminatory practices.
TE: Chloe, I feel like we could continue this conversation for a lot longer, but we've come to the end of our time. I think it was really interesting and hopefully an educational conversation for all of the listeners as well. So thank you so much for your time. I really appreciate it.
CM: Oh, thank you for having me. This was fun.
TE: And thanks to everyone who listened. I hope it was interesting and enjoyable and that you tune in for the next episode of the Tripwire Cybersecurity Podcast as well.