'You're shooting yourself in the foot if you're not willing to hire a hacker'

WhiteHat Security's Robert Hansen tells Computing that businesses need to be more open minded about hiring reformed hackers to combat cyber threats

Large organisations are shooting themselves in the foot if they're not willing to hire a reformed computer hacker to aid with cyber security.

That's according to an expert who believes that the widespread policy among businesses against hiring reformed 'black hat' hackers - those who commit cyber crimes out of malice or for personal gain - is misguided.

"I'll tell you this much: the best people I know, every single one of them has broken a computer law," Robert Hansen, director of product management for security firm WhiteHat Security, told Computing.

Hansen, who has experience of communicating with black hats, believes most people working in cyber security are guilty of some form of black hat behaviour.

"What do you define ‘black hat' as? If you define it as somebody who's taking advantage of something they shouldn't have taken advantage of, then I don't know of any expert who hasn't broken at least one and become black hat by that definition," he said.

Hansen said one of the top cyber security professionals he knows once served time for computer hacking and is now employed by the military.

"One guy I know who does training for military contractors, he lives in a state where they're not allowed to do background checks on people for whatever reason. But he's been to jail before, for hacking," he explained.

"He's gone to jail for something and now he's teaching the best of the best how to defend against hackers and they're not allowed to ask the question if he's gone to jail or not. "

Hansen went on to suggest even if businesses have a policy of not hiring those with a history of cyber crime, it's more than likely there's already a black hat within the organisation.

"I think businesses are shooting themselves in the foot in this particular regard in that they say there's no way they would hire a black hat. Well first of all, let me just tell you, if you're a big enough company then you already have a black hat."

To emphasise his point, Hansen used the example of 100 employees of a large multi-billion dollar organisation being in a bar, and theorised that out of the people in that room, there's going to be at least one person who would not hesitate to "screw over" everybody else in there and the company as a whole if they had the opportunity to commit a cyber crime from within and make $100m.

That, he argued, means there are black hats, or at least potential black hats, in large companies.

"You don't realise it, but if you simply do the maths, unless you have a very interesting way of hiring people to make sure that would not happen, then it's very likely you already have those people inside your company if you're big enough," he said.

"So the whole ‘we're not going to hire black hats' thing kind of doesn't matter, because even if you're not intentionally doing it, it doesn't mean you're not doing it."

Hansen suggested that big business should therefore take the opportunity to hire a reformed hacker, as they'll be able to assist with preventing the company from being a victim of cyber crime.

"If you intentionally do it then at least it's on the table and they can do the things they need to do to help you," he said.

A willingness to hire computer hackers could arguably help turn around the war on cyber crime, with Jon Ramsey, CTO of Dell SecureWorks, recently suggesting there's a worldwide security skills crisis.

"It's become increasingly apparent that there is a cyber security skills crisis. With the continued rise in cyber crime of all types, there needs to be a corresponding rise in skilled employees to tackle this epidemic," he told Computing.