Barriers to hiring hackers
Global CSO Shawn Burke would love to pick the brain of a black hat hacker to find out what his team at Sungard Availability Services isn’t considering when they implement security controls in their solutions. “There is definitely something they could bring to the table,” he says. But that will likely never happen because Sungard provides services to highly regulated financial institutions and government entities with strict requirements on background checks. “Of course, if they haven’t gotten caught, I guess it wouldn’t be on their resume” or background, he adds.
Sungard does employ a handful of white hat hackers who have completed SANS penetration testing and ethical hacking training courses. One employee was involved in “NSA top-secret work” in his former position. “[Former NSA workers] have seen things that nobody on my team has ever seen,” Burke says. “While they can’t talk about it – they certainly know how to say, in their own cryptic way, that we should probably posture our controls in a certain kind of fashion.” When choosing these employees, trust is key, Burke adds. “I have to trust the employees to do their job.”
Proceed with caution
Companies that are considering hiring a hacker should take several precautions, these experts say.
First, perform background checks before hiring new security employees, Oltsik says. “The red flag would be any kind of law enforcement issues or criminal background, a history of malcontentedness or confrontation with other people they work with, HR incidents, multiple jobs – nothing any different from anyone else you would hire.”
If evaluating a gray or black hat who might have a record, “It’s very often referrals and who you know and who they know” that gets them the job, Sjouwerman says. “If you get a verbal [endorsement], that’s the only somewhat-reliable way to get this done.”
Once hired, put the hacker in roles where they can be successful, but make sure you’re managing and monitoring them, Oltsik says. “They do have skill sets that can be damaging. With the right amount of oversight, you could quickly devise whether someone was doing things that are suspicious.”
Companies should also consider whether a hacker is a good fit within the organization. Hackers by nature tend to work independently and aren’t team oriented, Oltsik says. “If you have someone who loves breaking systems, but isn’t the most social, do you have a role that can fit them where it’s beneficial for you and a good fit for them?”
Hackers as consultants
Companies in doubt about their risk tolerance or culture for hackers may want to consider independent consultants on a project basis, Sjouwerman says.