Would you hire a hacker to run your security? 'Yes' say Brit IT bosses

More than two in three IT professionals would consider ex-hackers for security roles, providing they have the right skills to do the job, a survey has found. In addition, 40 per cent of respondents to CWJobs' survey of 352 IT bods reckoned there aren't enough skilled security professionals in the UK technology industry. As if …

COMMENTS

This topic is closed for new posts.
  1. Nigel 11

    A very old dilemma

    So old it's proverbial: "a poacher turned gamekeeper". Or from even further back in time, "Quis custodiet ipsos custodes?"

    1. Peter2

      Re: A very old dilemma

      Or, "fallaces sunt rerum species".

      A job site (likely full of people without jobs) asks those people if they would recruit people with their skill sets.

      I mean, the response set is a bit self-selecting, and without putting too fine a point on it, people looking for jobs would probably retrain to anything if there was a steady job at the end of it. This might be interesting if there was actually some verified indication as to how many people answering it are actually working in IT at all, let alone managing anything other than their dole money.

      As it is, this is a non story.

  2. Don Jefe

    Sure. Real (ex)-mercenaries make for the best physical security staff. Hackers would surely make the best IT systems security staff.

    All the looking back at someone's history and background looking for the 'cleanest' people ends up removing the worldly and experienced people from your candidate pool. You want someone who has done some dodgy things because if they haven't they don't know what they're talking about. Their opinions are about as valuable as just making something up.

  3. Anonymous Coward

    I would consider an ex-hacker to work in IT security, had they "done their time", not re-offended and had the right qualifications for the job. I wouldn't seek a currently active hacker (by which I presume criminal hacker is implied) to do the job though.

    I wonder exactly who the "IT professionals" asked were and exactly what question they were asked.

    1. Anonymous Coward

      @ AC "I would consider an ex-hacker to work in IT security, had they "done their time", not re-offended and had the right qualifications for the job."

      What about those of us who were good enough to never get caught? Discrimination of jail avoiders! :)

  4. Anonymous Coward

    In the words of the great Dr. House: Morons ...

    1) Why on earth would you want to hire a hacker who got caught? Myself, I would hire the ones who didn't.

    2) If my experiences are anything to go by, there's no way on God's green earth anyone who could remotely be described as a hacker would be employable in a corporate environment. Certainly not the ones I know who would fail the piss test.

    1. Nigel 11

      Re: In the words of the great Dr. House: Morons ...

      Interesting idea. How would you know that you were hiring a self-proclaimed brilliant hacker who never got caught, as opposed to a con-man with just enough technical ability to sound convincing, or an active black-hat trying to play you? You want references? Slight problem. The only references worth having are people who'll put your new recruit in jail as soon as you lead them to him.

      And anyway, if he never got caught, how come he's willing to work for hire at all? If he's so very good, he's also retired on his ill-gotten gains.

      BTW why would you want him *in* the corporate environment? It's his job to sit on the outside, being paid to tell you when he's able to exploit your systems, rather than exploiting them. It's *your* job to liaise.

      1. Anonymous Coward

        Re: In the words of the great Dr. House: Morons ...

        "How would you know that you were hiring a self-proclaimed brilliant hacker who never got caught, as opposed to a con-man with just enough technical ability to sound convincing, or an active black-hat trying to play you? You want references?"

        Invite them to an interview in your test lab. Tell them to bring their own favourite toolkit. In the test lab, let them tell you what is wrong with the system. Monitor them closely. If they figure it out and get the job, carry on monitoring them closely. Of course, if you only have the one, then you have a bit of a trust issue and a SPOF.

      2. Anonymous Coward

        Re: In the words of the great Dr. House: Morons ...

        Not all hackers hack for monetary reasons. A vast majority do it for the challenge or thrill.

        1. BillG

          Re: In the words of the great Dr. House: Morons ...

          Not all hackers hack for monetary reasons. A vast majority do it for the challenge or thrill.

          True. I was hacking corporate VAX/VMS systems in the mid-1980s. I did it for the thrill; it was fun.

          The way your brain works is, every time you create or make a discovery, your brain shoots off these opium-like chemicals called endorphins. So, in a very real sense, I was "hooked".

    2. Anonymous Coward

      Re: In the words of the great Dr. House: Morons ...

      How do you ensure you're dealing with a hacker who hasn't been caught?

      1. Captain DaFt

        Re: In the words of the great Dr. House: Morons ...

        "How do you ensure you're dealing with a hacker who hasn't been caught?"

        Easy, take your most secure, locked down system, and hide the job posting there using every encryption book in the trick.

        Only accept applications that are appended to it.

    3. M Gale

      Re: Certainly not the ones I know who would fail the piss test.

      And if the company gives two hoots about what you do in your private time, is it really a company you want to work for?

      Q1: Can they do the job?

      Q2: Can they do it well?

      If the above two questions are answered successfully, all else should not matter. Save the moralising for the Mary Whitehouse Appreciation Society.

      1. Anonymous Coward

        Re: Certainly not the ones I know who would fail the piss test.

        @M Gale: I think a company can have legitimate questions about your private life. These are along the lines of - If you're going to work for a finance company, are you a bankrupt. If you're going to work as a prison warden, do you have friends in the prison. If you are going to work in IT security are you a black hat hacker? If you're going to be a Policeman do you enjoy going out raving at the weekends and get battered off your head on Es?

  5. Anonymous Coward

    Jobs in Security

    I was interested in working in the security field at one time, but I was put off by a colleague who had come from that side when he told me "Dead boring, all you're doing is dealing with spotty kids who think they're super hackers because they printed off instructions on how to compromise IIS" lol

    1. Nigel 11

      Re: Jobs in Security

      Maybe you should have applied to MI5 or GCHQ?

      (Or maybe you did, and can't talk about it).

  6. Anonymous Coward

    I don't see much of an overlap between the skills and temperament of a good hacker and a good corporate IT security specialist.

    The former is looking for novelty and an intellectual challenge. The latter is methodical because a fairly good security plan executed well is much better than an excellent plan executed spottily.

    I could imagine a hacker working as a consultant, but running security? No.

  7. Anonymous Coward

    Really? Are you sure?

    A hacker is the best person to check your systems aren't vulnerable to like-minded people. But the critical cautionary point is you must be confident that this person's attitude has changed sufficiently since they were last active.

    It's all about trust. Would you give your front door keys to someone who has form for burglary and made a living from selling stolen goods to an underground network of dodgy dealers? Some hackers do it for kicks, some do it for political reasons, some for financial gain, etc. Those "callings" need to be well and truly out of their system before they can be given the front door keys of your business.

    Usually time (a lot of time) is the only thing that gets them to change. And by then they might not be so cutting edge with their skills. So maybe they're suitable to run your security department but not to do all the testing in complete solitude.

    1. djack

      Re: Really? Are you sure?

      So true.

      Unlike physical security, who typically have no need to enter the secure areas - just keep others out - information security is much more far-reaching. There isn't a clear boundary that is the only place you need to actively defend; you need eyes everywhere, from the external boundary firewall(s) through to internal authentication, applications and data stores.

      Also, the skills needed to break in are not the same as those needed to secure. My field, penetration testing, is the one where people always fail to see that. A bad guy needs to 'simply' find one way to compromise the system and exploit that.

      In addition to that, I need to find as many other ways as possible and know how to mitigate or fix those issues. I also have to do that with as minimal an impact on the system as possible (not always possible) and communicate the issues to the system owner. I'm also expected to know about pretty much anything that I encounter on a network.

  8. Aldous

    Define Ex-Hacker

    Is an Ex-Hacker a script kiddie that got caught and had their 15 minutes of fame or is it someone who was smart enough to learn things and imaginative enough to either use a lab or not get caught?

    It's not like saying "We want ex-soldiers" for security work, where you can go ask the Army to prove their CV. This is like saying "We want ex-assassins".

    Sorry Mr Smith, we know you single-handedly broke AES using only a toaster, a ZX80 and a toothpick, but we are going to hire $uckMy84$$51992 as he ran L.O.I.C against PayPal and did 3 months community service.

  9. Black Rat

    An Experiment for All

    Next lunch-time, wander around your nearest industrial estate looking for WEP hotspots. (No special tools required, just a smartphone with WiFi.)

    When you find one, go knock on their door and tell them how insecure it is. (For those still not aware, it takes less than five minutes to slice through WEP encryption under optimum conditions.)

    Possible responses:

    1. "Yeah whatever", "We'll tell the IT guy", "That's Bullsh#t"

    2. "Stay there, I'm calling the police"

    3. "Thanks! Can you tell us how to secure our WiFi?"

    4. "Can you prove it!?"

    However... I should warn you all...

    nobody has ever said thank you to me yet when conducting this experiment, and outcome 4 is particularly rare in my experience.

    1. Anonymous Coward

      Re: An Experiment for All

      Other possible response:

      Yes, we know. The way we work on WiFi is that we turned WEP on to make the fully open hotspots more attractive to people wanting to get free bandwidth, but you still have to connect via a VPN to get to our servers.

      Or at least that's what we did at my previous company. The WiFi wasn't even on the corporate network; it was actually directly connected to the Internet, so the VPN on people's laptops did the "heavy lifting".

    2. Richard Pennington 1

      Re: An Experiment for All

      Yes, we know. The open WiFi is connected to our honeypot.

  10. Anonymous Coward

    Certified cyber-security professionals?

    "The survey was released on Friday, days before the extension of a CESG-backed scheme to certify the competence and skills of cyber-security professionals working for the UK government to individuals working in the private sector."

    How many of these 'cyber-security professionals' have actually hacked a real system?

  11. Vociferous

    Hacker as in someone breaking in to companies for financial gain?

    No, I wouldn't hire anyone like that. The skills aren't the issue, the morals are.

  12. Henry Wertz 1

    Losing out on best talent.

    "2) If my experiences are anything to go by, there's no way on God's green earth anyone who could remotely be described as a hacker would be employable in a corporate environment. Certainly not the ones I know who would fail the piss test."

    I wouldn't work anywhere that wanted a piss test. These types of rigid corporate environments are the ones who lose out on the best talent.

    But, anyway, I can certainly see hiring hackers for security positions: they will know the ins and outs of various systems better than someone who read about them in a book, will know the tactics hackers will likely try, and (if they hid their tracks) probably know the ways to tell someone is hiding their tracks. I'd really want to 1) make sure they are not hacking from work, and 2) make sure they will not be leaking out info from the company. (I think quite a few hackers hack recreationally rather than for gain, so #2 is not as big a worry as one would at first think.)

  13. Mike 137

    The biggest real problem

    The greatest real problem we face in corporate information security is the over-emphasis of technocentric attack skills and countermeasures at the expense of adequate preparedness and basic "digital hygiene".

    Contrary to popular report, well over 80% of all successful attacks do not need highly sophisticated skills to accomplish, but are push-overs due to mismanagement - e.g. systems being left wide open - by the victim.

    For adequate defence, we need people who can take a holistic view of business processes, data processing and infrastructures, identify weaknesses and cover for them in advance much more than we need people who can find and exploit the individual holes that are merely symptoms of mismanagement.

  14. Anonymous Coward

    Being caught...

    ...doesn't necessarily mean their technical skills were lacking.

    There are more ways to get caught outside of poor technical skill than within it.

    I personally got shopped many years ago, though I was never charged for my alleged crimes. The person that shopped me came off as a ranting lunatic and no further evidence was found, despite raiding three locations and taking all my kit for an entire year.

    Whether or not I committed a crime isn't a point for debate here...I'm not going to go into it.

    Needless to say, the fallout of the whole affair was a big learning curve for me; I now know much more than I thought I did before the whole mess.

    The main gain from the whole thing is wisdom. The seasoned hackers here will understand the "once bitten, twice shy" mantra, to the 1337 skiddies on here, you'd do well to figure out what that really means.

    I totally agree with some of the sentiment on here as well, the vast majority of attacks are relatively low tech. Catching people trying to pull something technically sophisticated off is relatively easy compared to catching someone taking advantage of piss poor internal process management.

    I now work as a full time security professional and I spend my time effectively taking the piss out of businesses with poor internal processes and bad technical choices.

  15. IT Hack

    Brit IT Bosses

    Or in other words, IT Directors. Who we already know are about as useful as a chocolate fire grate.

  16. Anonymous Coward

    Ask one face to face.......

    Just spotted that one of the most famous former bad boys turned good, Kevin Mitnick, is keynoting at IP EXPO in a few weeks' time. Might be a chance to ask him in person whether a (former) hacker would be a good choice to run Security.
