Thinking outside the code: How the hacker mindset drives innovation

Keren Elazari is an internationally recognized security analyst, author, and researcher. Since 2000, Keren has worked with leading Israeli security firms, government organizations, innovative start-ups, and Fortune 500 companies. She is the founder of BSidesTLV and Leading Cyber Ladies and a research fellow at Tel Aviv University.

In this Help Net Security interview, she discusses the hacker mindset and its impact on cybersecurity. She explores the significance of ethical hacking skills in cybersecurity strategies, emphasizing the role of bug bounty programs in fortifying cyber defenses and fostering innovation within tech teams.

From your experience, what are the key characteristics that make someone excellent at identifying and preventing cyber threats?

I think the best analysts are people who can wield a unique blend of paranoia and creativity. It’s this truly intuitive ability to connect the dots across seemingly unrelated events, and look at one anomaly and understand it in the context of a larger scenario, of a potential breach. Put simply, if you’re constantly questioning and imagining the unimaginable, cybersecurity is a great career choice for you.

How vital are ethical hacking skills in modern cybersecurity strategies?

I like to refer to friendly hackers as the internet’s immune system. Hackers have the uncanny ability to think in unexpected ways, identify and find loopholes before anyone else does. One topic which I have focused on my research work since 2014, is the growing adoption of bug bounty programs.

We all know how in the Wild West, a sheriff could offer a bounty to get the public to help him find the bad guys. In our era, bug bounty programs (vulnerability disclosure/ reward programs) are a way for companies like Intel, Microsoft, Google, Apple, Meta to offer a reward to hackers for finding software bugs or design failures – ones that even these huge, well-funded companies with top tier engineers, missed in their own security reviews.

Dozens of Fortune 500* companies have such programs in place, harnessing the power of friendly hackers as an external element of their cyber defense strategy. I hope to see more and more companies doing it!

*(In 2024, 17 out of the top 50 companies on the Forbes 500 list have a bug bounty program, mostly for the companies in the technology and communications sector).

How does the hacker mindset foster innovation within tech teams, especially in software development and data science?

The hacker mindset has a healthy disrespect for limitations. It enjoys challenging the status quo and looking at problems with a “what if” mentality: “what if a malicious actor did this?” or “what if we look at data security from a different angle? This pushes tech teams to think outside the code, and explore more unconventional solutions.

In its essence, hacking is about creating new technologies or using existing technologies in unexpected ways. It’s about curiosity, the pursuit for knowledge, wondering “what else can this do?” I can relate this to movies like The Matrix; it’s about not accepting reality as a “read-only” situation. It’s about changing your technical reality, learning which software elements can be manipulated, changed or re-written completely.

How does fostering a culture of curiosity and continuous learning impact an organization’s success, especially in technology?

Curiosity is one of the most important elements to fuel growth. Organizations with a “question everything” attitude will be the first to adapt to new threats; first to seize opportunities; and last to become obsolete. For me, ideal organizations are tech-driven playgrounds that encourage experimentation and celebrate failure as progress.

What advice would you give to educators to encourage students to explore and excel in technology and cybersecurity?

Pink Floyd famously said, “Hey, teacher, leave them kids alone”. Educators should embrace students’ natural desire to break free and encourage them to hack, tinker, and break things (legally, of course). Then give students room to rebuild – but with a crucial twist – do not hand over the answers.

Guide them through the troubleshooting process, help them analyze their mistakes, and empower them to find creative solutions to fix what they’ve broken. Make it fun! Cybersecurity doesn’t have to be all doom and gloom.

Show students how their skills can be used to build amazing things and make the world a better place. I believe the most important thing a teacher can do for their students is provide them with the moral compass, the guidance of HOW & WHY they should use their skills for good.