What you need to know about the mindset and motivation of ethical hackers

Why do people become ethical hackers? Given the negative connotations the word “hacker” has sadly acquired over the decades, it’s hard to see why anyone would attribute themselves to that oxymoron.

Still, ethical hackers are playing an increasingly important role in cybersecurity, and the ranks of the ethical hacking community are growing significantly. If you’re thinking about working with or hiring ethical hackers—or even becoming one yourself—it’s important to understand what drives this unique breed of cyber-professional.

If you talk to people in the hacker community, you will find that the opportunity to earn cash rewards through bug bounty programs is a major motivator for many. But it’s not the only one, and maybe not even the most important.

Some people sign up for the sheer fun of hacking without breaking any laws. Others want to test their cyber skills and create a resume. Some just want to be part of a community. There’s even an element of vigilance and the thrill of finding vulnerabilities before bad actors do, helping not only organizations but even friends and family to protect themselves.

As someone who has been hacking ethically since high school and now helps build and manage a community of ethical hackers in my career, I have a deep understanding of what makes and motivates a good ethical hacker. Here’s what I learned.

It’s not just about the money

As with many side business, the money is important. But not always a decisive factor.

A recent survey of my community of ethical hackers shows that money is a big motivator. The pay can certainly be good, as a third of all ethical hackers make at least $1,000 a month.

But there’s more to becoming an ethical hacker than financial rewards. According to the survey, 60% of the community spends at least 10 hours a week hacking, 40% spends more than 20 hours and 18% clocks in more than 40 hours a week. By putting so much time into it, it turns out that it’s not just about the money. Given the skills ethical hackers have, they could probably make more money working as cybersecurity analysts.

It starts with curiosity

For many ethical hackers, the journey begins with a deep-seated interest in solving puzzles and learning how things work. For example, Sebastian Neef (alias Gehaxelt) is a computer science Ph.D. student in Germany who started hacking when he was 17.

He said it seemed like a cool thing to do in 2011, when hackers used to compromise websites. He said it also seemed easy, but unlike some mayhem actors interested in vandalism, Sebastian was motivated by curiosity. He wanted to know what administrators would do if he warned them about vulnerabilities in their systems. Some were grateful and addressed the vulnerability. Others did nothing.

Stories like Sebastian’s are common, which many get into due to an aptitude for technology and a curious mindset. But once they discover their skills and become addicted to hacking, there is a fork in the road. People like Sebastian choose the ethical path.

Belonging to a community has a strong appeal

Like any band of professionals, ethical hackers form groups and communities where people share both tips and respect. Those communities are not like recreational soccer teams where everyone fights for a common goal, but they are certainly competitive. Many ethical hacking communities have leaderboards. Everyone knows who tops the leaderboard and everyone wants to be number one.

There is also a camaraderie of working together. Sebastian and about 30 other ethical hackers are on a German bug bounty Slack channel. Once a year, they rent out a co-working space, pick a few targets, and together see who can find the most vulnerabilities. For Sebastian, the community also extends to Tuesday gatherings where people gather and talk about safety or participate in capture the flag competitions.

Protecting what is near has a purpose

In some ways, ethical hackers are a lot like everyone else. They are concerned about the security of websites and other technologies they use every day. But unlike most people, ethical hackers have the skills and knowledge to test things and make sure they’re safe. And once you’ve seen the dangers lurking in technology and know you have the skills to spot them, it’s very hard not to act.

The concern about the security of everyday technology is also one of the things that motivates ethical hackers to choose targets. In addition to the bounty program, they are concerned about their own well-being and the cybersecurity of their friends and family.

Like many professionals inside and outside the technology field, Sebastian and his cohort are motivated by autonomy, mastery and recognition. Ethical hackers can work alone and on their own time to find weaknesses in an organization’s infrastructure that cybercriminals could exploit. It’s a sense of autonomy that few others in cybersecurity can claim. Exposing vulnerabilities in an organization’s systems and networks that others cannot find – because of the specific skills and knowledge an ethical hacker possesses – brings a sense of pride and recognition in the community.

But mostly ethical hackers do it because they want to do the right thing, especially if it leads to stronger security measures that prevent future attacks. These professionals have the potential to do something that seems impossible or unlikely to many in the cybersecurity field: give hacking a good name.

Fredrik Nordberg Almroth is a co-founder and security researcher at Detectify.