"I don't know if people have really realized what's possible," hacker Dr. Jared DeMott tells CNBC. "We all live with a gross amount of insecurity."
DeMott, a Ph.D. whose very first job out of college was at the NSA, is working about as hard as a person can to help Americans better understand the threat posed by cybercriminals — and the ways to protect yourself and your data.
He is an associate professor of cybersecurity at Dakota State University and the founder of VDA Labs in Michigan, a cybersecurity company. (VDA stands for Vulnerability Discovery and Analysis.) He gives talks. And, in his spare time, he does contract work for Synack, one of the 50 CNBC Disruptors of 2017, a company started by other ex-NSA types. Synack hires good-guy hackers to act like bad-guy hackers in order to help clients realize and attend to their vulnerabilities.
In short, this "white-hat" hacker on Synack's prestigious Red Team thinks your threat alert level, when it comes to issues of cybersecurity, should probably be orange. That's something to keep in mind when investing in technology like smartphones or even cutting-edge digital thermostats.
"I don't personally early adopt things," says DeMott. "I'm not going to put the Nest in my home, right? I know too much."
According to him, waiting for later generations of these gadgets is safer. "You know they're not being built securely at first," he says, because "the awareness of the importance of that doesn't shake out until later on."
Advancements that let you do things remotely — adjust the temperature of your home, for example — may seem exciting, but they can be "dicey," says DeMott. With "cool, new technology," you have to "wait for kinks to get worked out." Otherwise, these devices can leave you vulnerable to attackers, he says.
Your mobile phone can open you to attack as well. Knowing that, DeMott was resistant at first to getting a smartphone. "I didn't get the iPhone 1 or 2," he says. "My first iPhone was like the 4 or something. I did originally wait on that."
At least, he says, the iPhone is a little more secure, since most malware is Android-based. "Mac does a little better vetting apps," he says.
DeMott might not resemble the hacker of popular imagination: He does not have a dragon tattoo, nor is he, in the memorable words of President Trump, "somebody sitting on their bed who weighs 400 pounds." He describes himself as a "clean-cut guy from the Midwest." Still, from the beginning he was drawn to ethical hacking and to thwarting potential evil-doers.
"Even in college, I kind of got into the whole security thing," DeMott says. "We showed our professor his password as he was logging into his Yahoo [account]. He was freaked out by that."
DeMott has since learned that there's no way to remain entirely protected online: "Security will always be between a one and a nine, not a zero or a 10," he says. Still, with some basic tweaks, you can go from a six to a seven or from a seven to an eight.
And, although the need for awareness has existed for decades, most Internet users still don't make great choices. "I never fail to be surprised by the obvious lapses," he says, of both individuals and companies.
He has turned his fascination, and his efforts to help, into a lucrative career. DeMott coaches clients to improve their "poor password practices" and general "cyber hygiene." His is a significant and growing industry, he says. "There's a need" for more good guys, since "there's so much work" and a shortage of qualified individuals.
Half of Synack's white-hat hackers come from overseas, since there aren't enough Americans who fit the bill. Right now there's a "talent gap," Synack co-founder Mark Kuhr tells CNBC. "I will always take more Americans," he says.
But an international workforce is also useful: "Can't beat a Russian unless you have one on your team," says Kuhr.
The field pays well, too. According to Kuhr, Synack has 100 full-time employees and has been growing by two to three times each year. It has also been doubling revenue for 12 consecutive quarters, though he declined to share specific revenue figures. "It's been a wild couple of years," he says.
DeMott says that, at a normal day job, a white-hat hacker could make between $40,000 and $240,000 a year. Top hackers could make $300,000 a year without even working full-time. It's "pretty lucrative," he says. There's lots of flexibility.
Possibly even rarer: There's also the sense that you're doing something that's meaningful and important. As DeMott puts it, he and the other white-hat hackers operating behind the scenes are working to "make the world safer and better."