Would you hire a former hacker?

A panel of experts at Computing's recent Enterprise Security & Risk Management conference argue whether it's a good idea to hire a former black hat for an enterprise security role

Given the dearth of security skills available to recruiters, should enterprises be wary of hiring former black hat hackers, or jump at the chance of working with someone with proven skills?

That question was debated at Computing's recent Enterprise Security & Risk Management Live conference.

Laura Jones, senior risk analyst for cyber security at the Financial Times, said that she potentially would hire such a person, but it depends on the individual.

"If a 16-year-old has been bored enough to become a hacker, then yes, that person deserves a chance to work in the industry as a white hat," said Jones. "Programmes exist where they take young hackers and work with them to ensure they're directing their efforts towards being smart and being challenged so they can become a white hat hacker," she added.

Carlo Petrini, IT telecommunications coordinator at Allianz, said that former hackers should be used for their ability to evangelise security principles as much as for their skills.

"There is a fascinating aura around black hat hackers. But based on their skills, if I had the budget I'd contract the next black hat for cyber security evangelism, to deploy the message rather than to take care of our defence. And that's not due to lack of trust, but rather that we already have the right security skills in place," said Petrini.

Michael Barry, head of IT risk and compliance at Gallagher Global Brokerage UK, said that former hackers deserve the chance to prove themselves.

"It's well worth giving them the opportunity to demonstrate they have the skills and can focus themselves in the right direction," he argued.

Jones agreed, drawing attention to the security skills shortage.

"We're in a skills shortage, so just hire smart people," she said.

Arshid Bashir, CISO at the Department for Transport, admitted that he himself has links into hacking communities, and finds it useful for understanding the trends.

"I'm a geek at heart; I started from a very technical basis. I still have links into the hacking subculture, and it's useful to know what's going on. But as for recruiting them, it depends on the skillset.

"It's like playing chess. From a defensive standpoint we're playing an unknown number of three-dimensional games of chess, and most of the time we don't even know we're playing. Having a defensive mindset is useful, but when you take people who are almost freelancers and put them into an organisation with all the bureaucracy that entails, it can be uncomfortable for them."

Earlier in the session the panel admitted their biggest security blunders.