Content

Debate

Legitimate companies should consider hiring former black-hat hackers.

FOR

Winn Schwartau, president, The Security Awareness Co.

Are all black hackers the same degree of black? Ashley Towns essentially created a harmless ‘Rick Roll' on jailbroken iPhones running SSH that only affected users who neglected to change a default root password. Was his ‘hack' as damaging as Mafia Boy's DDoS attack? I argue no.

I have long advocated that background checks are useless. To determine the proclivity and potential deception of a candidate, the employer should run an industrial psychological profile on all mission critical positions within the company (admins, etc.).

For a former hacker developer, does their code have oversight? Do they have excessive access to resources? Everyone in their past has a few skeletons, and most of us should not have to pay a life-long price for a past transgression.

Black Hat hackers? Evaluate their true criminality, damage and proclivities. Determine the worst case risk from such a hire. Apply common sense, and avoid the blogosphere's lemming-like hysteria.

AGAINST

Paul Ducklin, head of technology, Asia Pacific, Sophos

I'm not so hard-hearted as to say “never.” Criminals can regret and repent and reform. But if you have been a cybercriminal, and are now seeking work even remotely connected with IT, I think it's reasonable that you should find the job search tough.

You'll need hard evidence good enough to convince not just me, but also all my customers, that you can now be trusted around their personal data. Just being a “former hacker” is not enough, and for me to hire you on that basis would be irresponsible of me, to say the least.

Don't bother with the excuse: “Black hats aren't all cybercriminals.” Any sort of unauthorized access is criminal, and you jolly well know it.

And spare me the self-serving “poachers make the best gamekeepers” argument.

Computer companies that blindly buy that myth, like the Aussie outfit that hired a wannabe programmer for his “expertise” in writing the first-ever iPhone virus, don't deserve to be trusted.


Related

DevSecOps Scanning Challenges & Tips

There are many ways to do DevSecOps, and each organization — each security team, even — uses a different approach. Questions such as how many environments you have and the frequency of deployment of those environments are important in understanding how to integrate a security scanner into your DevSecOps machinery. The ultimate goal is speed […]

It Should Be ‘Cybersecurity Culture Month’

It’s Cybersecurity Awareness Month, but security awareness is about much more than just dedicating a month to a few activities. Security awareness is a journey, requiring motivation along the way. And culture. Especially culture.That’s the point Proofpoint Cybersecurity Evangelist Brian Reed drove home in a recent appearance on Business Security Weekly.“If your security awareness program […]

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.