CNBC Disruptor 50

The cybersecurity talent war you don't hear about

By Joel Dreyfuss, special to

When CEOs make lists of the challenges they face, cybercrime has to rank near the top. A study for McAfee by the Center for Strategic and International Studies last year estimated the cost of illegal hacking to the global economy at $449 billion.

With almost daily reports of cybercriminals penetrating corporate and government systems—from Sony to the White House—companies are anxious to hire cybersecurity experts. There just aren't enough of them to tackle the soaring number of data breaches—up 49 percent last year from 2013, according to a report by Gemalto, a digital security firm.

"We don't have enough expertise in the right places now," Peter Singer, co-author of the recent book "Cybersecurity and Cyberwar," told UPI. "We often frame cybersecurity as a technology problem. It is a human problem." One Rand Corporation study estimates there are around 1,000 top-level cybersecurity experts globally vs. a need for 10,000 to 30,000.

Finding the right Internet security guru can be as much a challenge as keeping your corporate data safe. Up to now, the hiring process for highly skilled software engineers has often been haphazard, with some companies putting candidates through as many as 10 interviews, sometimes led by people without the skills to judge a candidate's talents.

Enter HackerRank and Synack, two California start-ups that promise to upend the usual hiring process. The two companies have different approaches, but both offer to screen candidates in the U.S. and abroad by testing for specific technical skills. Much of the testing is done over secure connections via the Internet.

The idea for HackerRank came to CEO Vivek Ravisankar and co-founder and CTO Harishankaran Karunanidhi after they graduated from the relatively unknown National Institute of Technology, Tiruchirappalli, in South India and were turned down for jobs they really wanted. What made the rejection sting was that the company that rejected them hired someone for whom they had little respect. "We thought he was really dumb," said Ravisankar.

The incident convinced the two men that the interview process for software engineers was deeply flawed. After working at Amazon in India, they decided to create a company to address the recruitment problem. Like a lot of start-ups, they stumbled through several approaches before finding a business model that worked. They built a website for engineers to practice video job interviews—it was spectacularly unsuccessful but won Ravisankar a coveted spot at incubator Y Combinator. The company evolved into an online platform for software engineers to show off their coding abilities and to compare their skills.

It was an obvious next step to match the best performers with companies seeking programming talent. HackerRank enables companies to use existing challenges on its site to find candidates. Recruiters can also set up tests customized to their own needs.

"PayPal can create a credit card transaction, or Target could create a program to predict what customers will buy next," said Ravisankar. Once HackerRank has identified a candidate, it's up to the hiring company to perform background checks, negotiate a salary and, if it wants to bring a foreigner into the U.S., acquire a visa. Customers have included Wal-Mart, VMware, Adobe and Yahoo.

HackerRank has completed three rounds of financing for a total of $12.3 million, including a $9.2 million series B in 2014 led by Silicon Valley VC firms Khosla Ventures and Battery Ventures. But the founders clearly have not forgotten that early job rejection. Said Ravisankar: "Our tagline is 'Hire skill, not school.'"

Synack's Jay Kaplan doesn't want you to hire programmers—at least, not full time. Instead, he's created a company that identifies the best cybersecurity experts around the world and enables them to work part-time through a secure online platform. Customers engage with Synack on a subscription basis to gain access to its experts.

Kaplan and co-founder and CTO Mark Kuhr used to work for the National Security Agency, and not surprisingly, they have focused on security. He said the traditional corporate approach of using security consultants to perform annual or semiannual audits of their systems is no longer adequate when "hackers are continually trying to make their way in."

Synack's sales pitch is that companies need constant high-level human intervention to keep their systems safe. "We recruit global security researchers," said Kaplan. Like HackerRank, Synack tests candidates for the specific skills customers are seeking and does a thorough vetting, including face-to-face interviews. A test might consist of finding known vulnerabilities in a mock mobile-banking application.

"This lets us determine if they are as good as they say," said Kaplan. "We weed out over 80 percent of candidates." Synack has signed up hundreds of cybersecurity experts in 39 countries who can work from where they live.

All interactions between the experts and customer systems take place through Synack's proprietary secure connection, called LaunchPoint. "We enable them to safely engage with our customer base in a trusted environment," says Kaplan. Consultants are paid for the vulnerabilities they find in a customer system. Many of the "researchers" that Synack signs up are already employed at large companies and would normally be beyond the reach of its customers. "They primarily work [for Synack] nights and weekends, separate from their daytime jobs," he said.

The big challenge for Synack is scaling up its staff and operating efficiency as business booms. The company has 50 internal employees now but expects to have 100 by the end of the year. So far, all its own employees are based in the U.S.

A shallow pool of Grade A players

Serial entrepreneur Philippe Courtot sees companies like HackerRank and Synack as part of an evolution made possible by the cloud, but he is skeptical about these next-generation recruiting platforms. Courtot is chairman and CEO of Redwood City-based Qualys, a provider of on-demand security that completed a $100 million IPO in 2012. He worries that screening an already-slim talent pool will not solve the shortage of qualified talent.

"When you have a shortage of people, how do you solve it?" he asked rhetorically. "Automation that does 99 percent of the work."

However, like HackerRank, Synack has found plenty of optimistic investors who believe these recruiting start-ups can help close the talent gap. Earlier this year, Synack closed a $25 million B round led by GGV Capital and Icon Ventures, bringing to $34 million the amount raised over two years.

"As an experienced investor in the security space, it was easy to see how Synack stands tall as a game-changing company," said Tom Mawhinney, general partner at Icon Ventures, at the time of the funding announcement.
