The nature of cyber threats has changed significantly over the past two decades. What was once considered digital mischief has become a relentless, high-stakes game involving organized crime and global adversaries.
Today’s attackers are more deliberate, better organized, and far more dangerous than the hackers of the past. And defending against them requires a different mindset.
“We’ve gone from what we called script kiddies and accidental, malicious insiders to people who truly have bad intent and are really smart and well-funded,” says Heather Hinton, the chief information security officer in residence at the Professional Association of CISOs and instructor at Harvard Extension School. “That’s changed how organizations talk about risks — and what it takes to protect people, data, and systems.”
To stay ahead of these advanced threats, organizations are increasingly embracing the mindset of attackers themselves. Ethical hacking has emerged as a powerful way to turn those tactics into a force for good. And it’s a valuable skill set to add to your cybersecurity toolkit.
What Ethical Hacking Is — and What It Isn’t
Ethical hacking is the practice of using hacker techniques to probe and test computer systems, networks, and applications to identify security vulnerabilities. “At its simplest,” Hinton says, “it is all about demonstrating how a bad actor would take advantage of users to compromise data.”
Ethical hackers will push the limits, stopping short of causing damage, to reveal weaknesses. “In my experience,” says Hinton, “successful ethical hacking allows me to identify areas where we need to focus. I can go to our executives and say, ‘I have to have 2-factor authentication in place for everybody, including for you, the CEO.’ With such evidence, organizations can improve their security.”
How ethical hackers help organizations
- Identify vulnerabilities: Assess systems, networks, and applications, searching for vulnerabilities such as outdated software and misconfigurations
- Assess vulnerabilities: Evaluate the severity of the risks to guide fixes
- Measure impact of vulnerabilities: Simulate cyberattacks to strengthen defenses and improve a company’s response
Ethical hacking is different from penetration testing, which focuses on finding and fixing vulnerabilities by simulating real-world cyberattacks before malicious hackers can exploit them. Ethical hacking is more comprehensive and involves a continuous process of shoring up an organization’s cybersecurity overall.
What Are Bug Bounty Programs, and How Are They Used?
In 1983, Hunter & Ready offered $1,000 to hackers to find errors in their operating systems. Today, bug bounty programs, in which organizations offer incentives to hackers to discover and report security vulnerabilities in their systems, generate around $1.5 billion annually.
While companies can benefit from having more eyes on a problem, these programs are not suitable for every organization. Organizations must be prepared to handle multiple reports and have a budget that supports paying ethical hacking professionals. Lack of readiness can lead to operational challenges and reputational damage.
Cybersecurity instructor David Cass says it’s important to define what’s “fair game,” including how people identify themselves, how payouts are managed, and how vulnerabilities are validated.
“I have gotten good value out of it, but how you structure it and how you manage it is very important,” he says.
Bug bounty program best practices
- Defining scope and objectives
- Establishing guidelines and rules
- Setting up a responsive process
- Offering competitive rewards
- Providing resources and support
How Will Artificial Intelligence Impact the Evolution of Ethical Hacking?
Artificial intelligence and other emerging technologies will shape the future of ethical hacking, as AI is used more and more frequently by both attackers and defenders.
AI is increasingly used by businesses to solve problems and scale manual tasks, but criminals are using it, too. It enables them to launch more sophisticated and efficient attacks against a broader base of victims.
“Criminals are often early adopters of tech,” Cass says. “It’ll be another tool in our tool belt to help us, but there will also be organizations that will be eager to use it against us.”
Hinton says that while AI in cybersecurity is not new, its growing ease of use means ethical hackers will increasingly use AI to automate tasks such as vulnerability detection and to develop countermeasures to AI-driven attacks.
“It is also easier for vendors to integrate it into their defensive tools and makes it a lot easier for us to defend,” she says. “I have the ability to do a better job of looking for anomalies and responding to them at a speed that a human simply cannot. If there is an imbalance, it is that there is more involvement of people and processes in protecting a company than there is in attacking it.”
What Are the Leading Threats CISOs Face Today?
“The threat landscape varies depending on what industry you are in,” Cass says. “If you are in business, you have something somebody wants. If you’re in the financial services sector, there are whole groups of organized crime that are focused on monitoring loss and theft. If you are in the industrial base, there are plenty of actors, state and otherwise, interested in intellectual property. Each industry has a primary threat actor that may take precedence over others, and it evolves over time because attacks go from sector to sector.”
In today’s digital world, many risks converge to create a challenging environment. Cyber criminals are refining their techniques and using artificial intelligence to create deep fakes, personalized phishing emails, and bots to launch more sophisticated and efficient attacks against a broader base of victims.
Top cyber threats and vulnerabilities
- Automation and AI in the hands of bad actors
- Zero-day attacks that exploit vulnerabilities before a vendor can fix them
- Complexity of the supply chain, Internet of Things, and an expanded attack surface
- Critical infrastructure targeted by criminals
- Scam websites pretending to sell things that don’t exist
- Outdated software
- Increased dependence on third parties
- Limited resources for system updates
- Use of default credentials
- Poor password security
“If you want to think about what would keep you up at night in the context of your organization, it’s all of the unknowns,” says Hinton. “What are the things you missed? The nation states that are going after water, power, utilities, health care: you bring those down and society will stop and bad things will happen.”
Third-Party and SaaS Risks
Hinton says, “The other thing that keeps me up at night is: What are all those third parties? I might not be a target, but a company that is providing a SaaS-based warehouse and has data from 10,000 different companies is a juicy target for a bad actor. They could be trying to steal the data or just trying to make the data unusable or bring down an application.”
SaaS, or Software as a Service, is a delivery model where software is hosted on the cloud and accessed online, rather than being locally installed.
Risks from third parties and SaaS
- Cloud misconfigurations in SaaS environments operating in the public cloud
- Supply chain attacks
- Zero-day vulnerabilities
- Insufficient due diligence
- Non-compliance
- Unclear responsibilities
Cybersecurity is a shared goal and a global public good, and no single organization can address all the challenges of cyberattacks. With so many risks facing governments, organizations, and companies, partnerships between the public and private sectors are crucial to keeping the cyber infrastructure safe from malicious actors while functioning and innovating.
Building Ethical Hacking Skills and Knowledge
The field of cybersecurity is constantly evolving, and continuing education is crucial for staying informed about new threats and best practices.
Legal and ethical grounding for safe practice
Cybersecurity requires balancing the need for security measures while respecting privacy and individual rights. Ethical hackers and other professionals in this field must adhere to codes of conduct and ethical standards guiding their decision-making.
Some of the most important ethical considerations include:
- Privacy vs. security: Organizations must protect sensitive information, but monitoring network activity can encroach on individual privacy. Ethical practices mean finding a balance between protecting data and ensuring security efforts don’t violate ethical principles.
- Consent and transparency: Organizations must communicate openly and clearly about their security practices, including how they manage and protect sensitive data like credit card information.
- Responsible disclosure: Security flaws should be reported to affected parties so they have time to address the issue and mitigate the risk of identity theft and other cyber threats.
Hands-on experience and real-time simulations
Gaining hands-on experience is critical for aspiring cybersecurity professionals. Education programs provide online labs and simulations, internships, and real-world scenarios, enhancing technical expertise, decision-making, and preparedness for real security threats. This training is vital in the world of security operations.
Hinton says, “The way you stand out is you have experience, you demonstrate a passion for this and you build up your network, which is why doing these courses through Harvard is a phenomenal way to build out your network of people that you know, so that when an opportunity comes up, you will say ‘I know so and so, I did a course with them. I think they have the skills and aptitude needed; let’s give them a shot.’ It’s really going to depend on having those base skills in place.”
Studying Ethical Hacking and Cybersecurity at Harvard Extension School
No matter your level of experience, Harvard Extension School has courses that will help you build a strong foundation in the technical skills necessary to keep computer systems, networks, and data safe and secure from cyber threats. Curiosity and a willingness to learn will get you started.
Because ethical hacking is so important to frontline cybersecurity practitioners and security leaders today, Cass and Hinton co-teach a course on the topic at Harvard Extension School and Harvard Summer School, in addition to other online cybersecurity courses. The ethical hacking course can be taken independently, and it counts toward both the Cybersecurity Graduate Certificate and the Cybersecurity Master’s Degree Program.
The course is designed to be both foundational and technical. “We want students to walk away with a solid understanding of the ethics, experience with tools, and the ability to use this knowledge to make better security decisions,” Hinton says. “You’ll be able to see why something needs to be patched or why restarting Chrome matters. This is about becoming an ambassador for security.” The course includes immersive labs, hands-on exercises, and realistic capture-the-flag scenarios.
Through the 4-course Cybersecurity Graduate Certificate, you can gain the knowledge and skills to plan, manage, and maintain the security of an organization’s computer infrastructure, networks, and applications.
If you are seeking a more in-depth education in cybersecurity techniques, the Cybersecurity Master’s Degree Program will help you build the foundational skills necessary to assess and formulate cybersecurity policies, enhance your skills, gain insight into the legal, social, and political dynamics of cybersecurity, and build a network of professionals in the field, which will help you grow your cybersecurity career.