There's very little fence-sitting on the subject of hiring a reformed hacker. You're either willing to trust someone...
whose skills once landed them in trouble with the law, or you're not. SearchSecurity.com editors Crystal Ferraro and Mia Shopis take up the debate here.
Hire a hacker, not a cracker
By Crystal I. Ferraro, Site Editor
Our job titles say a great deal about who we are. Some of the preconceptions may be correct, while others may be generalizations that don't necessarily hold true for us as individuals. The title of hacker is no exception, and companies seeking security expertise should not let stereotypes keep them from considering and hiring a hacker.
A hacker, as defined by WhatIs.com and The New Hacker's Dictionary compiled by Eric Raymond, is "a clever programmer." WhatIs.com paraphrases Raymond's list of five possible characteristics that qualify one as a hacker: "A person who enjoys learning details of a programming language or system; A person who enjoys actually doing the programming, rather than just theorizing about it; A person capable of appreciating someone else's hacking; A person who picks up programming quickly; And a person who is an expert at a particular programming language or system, as in Unix hacker."
Based on this definition alone, there is no question as to the benefits of hiring a hacker. Most managers appreciate employees that actually enjoy the work they do, because it's evident in the quality of their contributions. Employees with a passion for their work often educate themselves and further their skills outside of company time. Such employees are invaluable assets.
The controversy over hiring hackers arises when one considers the other mainstream definition of hacker -- one who breaks into systems or networks without the owners' consent. However, there is nothing inherently wrong with these actions, provided that the hacker cleans up his mess when he's done. I liken it to taking a radio apart and putting it back together to determine how it works. Unlike a radio, there is no theft involved in hacking when the network or system is available for public access via the Internet.
So what is the harm in hiring a hacker, i.e. someone who knows how to take apart and put back together your systems and network and enjoys doing so? The hands-on experience possessed by a hacker can prove to be much more valuable than a string of acronyms that shows your employee knows how to pass a certification exam. It also demonstrates the ability to self-teach. It takes an incredible amount of discipline and desire to do so -- both commendable attributes in a prospective employee.
As with any title, the degree to which a hacker can carry out his job description and the work ethic with which he does so will differ. Employers perform background checks because their organizations are vulnerable in the hands of employees. A cashier at a retail store can pocket cash or merchandise. A journalist can fabricate stories and sources. A hacker, by definition, is no more or less dishonest than the candidates applying for a receptionist position (consider all the information to which a receptionist has access).
Unfortunately, the word hacker has negative connotations, due in large part to the media. In many instances, a malicious intruder is referred to as a hacker when the writer or speaker means cracker. Do I support the hiring of an intruder who has been previously convicted for his transgressions or has caused damage during his exploits? Certainly not. (Ethics aside, he's not a very good cracker if he got caught.) But that's not what we're talking about when we talk about hiring hackers. If that's what we mean, then we should say so, and who would argue with that?
Making the blanket statement that hackers shouldn't be trusted or hired by organizations is akin to saying all hackers are pimply young boys who drink Red Bull and download password-cracking freeware in their parents' basement. The majority of hackers may be male, but the individuals differ, and some may have quite a lot to offer your organization.
FEEDBACK: Would you hire a hacker?
Send your feedback to the Site Editor Crystal Ferraro.
Hiring a hacker: A match made in hell
By Mia Shopis, Assistant Editor
Imagine for a minute that you just moved into the house of your dreams. Now, this home is your palace, and you want to be sure it's secure -- that no unwanted visitors are able to get in and rummage around. Are you going to call a home security specialist or check the Internet for a list thieves and thugs for hire?
I bet you choose the security specialist. After all, would you knowingly open your home to a convicted criminal? I doubt it, and the same rationale would apply to your network security.
The network is an organization's palace -- after all, that's where all the company jewels reside, right? So, why would you run the risk of hiring a reformed hacker to help shore up your security? I understand guidelines and recommendations are available on how to "manage" a former hacker, but who has the extra time and resources -- like calling in the lawyers -- to do so?
Liability also comes to mind. As the hiring manager, do you really want the job of babysitting hackers to ensure they don't march off with sensitive company data? I doubt it.
There are some who argue that due to the shortage of skilled IT security specialists and given the proper precautions, an organization can successfully manage and maintain a reformed hacker as an employee. They also claim that reformed hackers can go on to lead productive careers in IT. After all, hackers have (most likely) paid their debt to society either through community service or in jail.
I say that's a load of rubbish. If there's a shortage of skilled infosec professionals, then something needs to be done to improve education and recruitment. Hiring hackers is simply not a constructive way for organizations to deal with a skilled worker shortage. Also, hiring "reformed" bad guys ultimately promotes negative reinforcement in the hacker community.
Hiring reformed hackers lends their skills credibility. Why would you want to reward someone for criminal behavior? That kind of reasoning defies logic and good common sense.
I realize that I seem very unsympathetic to reformed hackers, but I'm not. I applaud their courage to break what I'd imagine is addictive and, ultimately, self-destructive behavior. Reformed hackers deserve life, liberty and the pursuit of happiness just like the rest of us -- just not in the activity that landed them in the slammer in the first place. The temptation for a hacker to relapse to old, familiar habits is too great a risk for an organization to take.
So, if you're entertaining the idea of hiring a reformed hacker, just say no. Take the responsible stand on this issue, and let hackers live their lives outside of cyberspace.
FEEDBACK: Would your company hire a hacker? Why, or why not?
Send your feedback to the Assistant Site Editor Mia Shopis.
Dig Deeper on Information Security Jobs and Training