Swapping black hats for white

By on
Swapping black hats for white

IT security is one of the few professions where getting caught in the act, so to speak, can be the start of a great new career. Recently, there have been a number of high-profile cases of “poacher turned gamekeeper”, with virus writers being hired almost from the court steps.

On one side are those who believe that "once a crook, always a crook" and that such people should be given a wide berth, in the same way you wouldn't trust a car thief as a chauffeur.

The other side of the argument goes something like this: you should set a thief to catch a thief, and the best person to catch a computer criminal is another one, although now reformed. So hire away, and put up with the bad press.

Trustworthiness is an essential requirement for any security post, but to assume that someone who has a criminal record (or narrowly escaped gaining one) is automatically untrustworthy is naïve. I have friends who have made such mistakes in their past, but have since proven to be extremely reliable and trustworthy.

There isn't enough data to sensibly judge the recidivism rate for computer crime in the UK, but I bet when there is, it will be a lot less than the 100 per cent assumed by many.

You should, of course, take reasonable steps to check the trustworthiness of any potential employee. I'm not suggesting that you can ignore someone's background, but equally it is only one of many factors to consider.

Equally naïve is the assumption that because someone is a former computer criminal they are automatically a computer security expert. Technical expertise is only one part of the skillset for many security posts, and if you care to examine the general coding quality of recent malicious software, it will make you think twice about trusting its authors to write a "hello world" program, never mind secure your network.

Even the "set a thief" assumption has dubious merit. There is little evidence that crooks make good detectives, and the mindset required to exercise proper risk management to secure a business is very different from that required to poke holes through the perimeter.

If you simply discard applications from reformed criminals, you could be losing out on some potentially excellent staff. And if you blindly accept a Computer Misuse Act conviction as an entrance qualification, you could be very disappointed.

Copyright © SC Magazine, US edition
Tags:

Most Read Articles

Log In

Username:
Password:
|  Forgot your password?