Getting inside the minds of ethical hackers
Dan Hatch gets to know some ethical hackers, learning what makes them tick and how they can help businesses by attacking them.

With their head on the block, any IT manager would be quick to point out that no system can be 100 per cent secure. Whilst Wood accepts this, he argues they can be "adequately secure" and businesses should be proactive, rather than reactive.
"What most firms struggle with is protecting information or data in proportion to its value or sensitivity," he said. The idea is to protect the most important data with stronger controls and use less protection on less sensitive data, to avoid unnecessarily slowing down essential day-to-day business.
If IT security adds barriers, staff will find ways to work around it, and that's where problems set in.
Security is meant to help a business make money, not get in the way. The best way to ensure this is to keep your house in order.
Wood advocates regular independent analysis to help identify the most important issues. But he also recommends writing and strictly implementing a wide-ranging security policy.
"Best practice is always going to go out the window at some point," he said. "While it sounds reactive to have a series of reviews that you take action upon, it secures a business better than most other solutions."
Getting 'em when they're young
Mike McLaughlin is a young hacker on Wood's team. He loves his work.
"The average day would involve going on site, all over the country somewhere, hooking myself up to their network and seeing what secrets I can steal," he explains.
"To go in, plug in your laptop and own everything within 10 minutes isn't unheard of at all. Nine times out of 10 we get into their system at some kind of level. When you go somewhere and they say 'you won't be able to do it' and then you do it, that's where you get the thrill."
McLaughlin's background isn't IT. He studied chemistry for a bit. Dropped out. He worked in bars in Spain. His interest in hacking was piqued when Wood offered him an apprenticeship. He studied for a year before joining the team.
"When I tell people what I do they all think it's like top secret CIA agents, all undercover – there's a certain aura around it," he said.
"People seem to associate what we do with what they read in news stories but a lot of what we do is not really that difficult – the papers just make it out to be like some sort of mystical Ninja force. It is a bit cool I guess."
McLaughlin and Wood use the same methods as genuine hackers. They launch attacks across the internet, break into a network masquerading as an employee with system access, gain access through third parties like data centres and can recreate insider attacks.
"There's a set route but we deviate off it," McLaughlin said. "A lot of the time you've got to be creative with what you've been given. So you've got a set list of tasks and each task can be completed by five or six methods but then if you can think of another method you stick that in."
But once the fun and games are over, and the pretense of the malicious hacker is dropped, the job is all about providing feedback to the client.
"We try and be as open and honest with them as we can and tell them what we did, how we did it, why we did it, and what they can do to remediate it," McLaughlin said. "Some people do get a bit funny about it but we do try our best to be seen as a help rather than embarrass people."