Attackers get the fame, defenders get the blame
The best team wins

In information security there are lots of people who learn to hack, who know how to find vulnerabilities and how to write exploits. They become pentesters or bounty hunters, or builders of hacking tools. They are the ethical variant of the hacker: they can break into systems, but their intentions are good. Their skills are badly needed, because they try to do what the other variant, the non-ethical hackers (a.k.a. criminals), could do. That way they are the final quality control on the efforts of security teams to create secure systems and environments.
The above observation raises a few questions. Does everyone working in information security need hacking skills? Can you protect against hackers without deep hacking skills? Or, the other way around, if you do have deep hacking skills, are you automatically good at protecting systems? A quick look at sports suggests that these are different skills executed by different people, although understanding the skills of the other side helps a lot in one's own specialty.
A fundamental characteristic highlighting the difference between hacking and protecting is the imbalance in their objectives. A hacker needs to find only one way into the target organization to hand out the label "insecure", whereas a defender has to avoid all vulnerabilities to earn the label "secure". Even though in most cases the ethical hacker does not stop at the first issue found, as a criminal might, neither will the hacker commit to having spotted all issues present in the target.
It is more likely that the hacker community discovers a new type of vulnerability than that defenders find it. Zero-day exploits are proof of this: they are the holy grail for malicious hackers, and a nightmare for defenders. If no one has thought about a certain problem yet, it is the people looking for new ways in who go looking for more trouble; the defenders already have enough to deal with by focusing on known issues. This too may cause the hackers to be perceived as the "heroes" and the defenders as the "losers".
It is easier to become popular as an attacker than as a defender. Attackers win games, defenders avoid losing games. In soccer, for instance, when asked about the best players, people will likely mention Maradona, Ronaldo, Messi and of course De Bruyne.
In a cybersecurity context, most people will have heard of K. Mitnick, J. Assange, Morris, C. Manning and E. Snowden, see:
Defenders must know about vulnerabilities and understand the complexity required to build working exploits for different types of vulnerabilities. However, their prime focus is on avoiding vulnerabilities. A common strategy still found today is: engage (ethical) hackers to find vulnerabilities, address them, and if the retest confirms their resolution all is fine - the infamous "penetrate and patch" paradigm. If the hackers found all vulnerabilities this might work, but they don't. The testers would be in the same hard situation as the defenders if they had to find all instances of all vulnerabilities.
Security testing always comes with these caveats, for good reasons:
- we do not guarantee we find all instances of all issues
- our result is only valid right now, we make no statement about the future
- we work time-boxed so anything too complex is likely not found
In the end, it must not be a contest between parts of the same security organization. The two roles are necessary and complementary. Defenders build the best protection for the money, and attackers show how strong that defense actually is. Creating synergy between defensive and offensive skills produces a strong team.