There has been a lot written around the KPMG research which indicated that 53% of UK companies would consider hiring ex-hackers to assist in dealing with their cyber security issues. Now considered one of the biggest and most costly threats to UK businesses, cyber crime has been on the rise for a number of years now and the UK’s skills resource has been struggling to keep up. Yet the suggestion that companies should look to hire ex-hackers to deal with the epidemic has been met with scepticism by many. The head of KPMG’s Cyber Security Academy, Serena Gonsalves-Fersch, commented: “They would not hire pickpockets to be security guards, so the fact that companies are considering former hackers as recruits clearly shows how desperate they are to stay ahead of the game.”
Wait a minute though. Although we have not quite gone as far as to hire pickpockets as security guards, we have made a celebrity out of burglar Mike Fraser, who now uses his BBC television show Beat the burglar to demonstrate to homeowners how their property may be broken into. Is this not a case of sending an ex-thief to catch a thief? Is it not effective?
This method of harnessing the skills of convicted criminals to prevent future crimes is not a new idea. Famous fraudster Frank Abagnale Jr – whose life story was further glamorised in the feature film Catch me if you can – is now one of the world’s most respected authorities on security and even worked as an advisor to the FBI as part of an early prison release clause. In October 2014 a collection by notorious art forger the late Eric Hebborn sold for more than £50,000. The hefty price tags on these pieces are largely attributed to the possibility that they may lead to revelations about undiscovered forgeries currently hanging in galleries, masquerading as originals. There are many examples, past and present, of convicted criminals going on to profit from skills they once used to deceive or swindle – and it is often the fact that their abilities have been proved effective that has won them their employment. But is this an immoral business decision or a smart and effective hiring technique?
More often than not, an employer will hire employees who have proven knowledge and/or experience in the required field, and so hiring ex-hackers to become the gatekeepers definitely ticks this box. Numerous crime writers for instance, though admittedly not themselves criminals, have often been asked to put their extensive knowledge to use in working with authorities to solve particular crimes. So it is not the ways in which the skills have been acquired, but the ways in which they may have been used in the past that we take issue with.
A world without Facebook
Assuming this, if we strictly followed this code and prevented any known former hackers from entering the IT industry, we would not have Facebook. The venture that inspired the popular social networking site was created in a Harvard dorm room by Facebook founder Mark Zuckerberg, who had to hack into Harvard’s student records to capture each student’s photograph and republish it on the controversial and short-lived website, Facemash. Evidently Harvard did not consider this a serious enough crime to involve the authorities, so Mark Zuckerberg has no criminal record of intentionally breaching the system security – but it remains undisputed that he did it. In fact, he has been accused of undertaking other hacking endeavours since he established Facebook.
I am in no way condoning cyber crime of course, only speculating that, by refusing to allow former hackers to use their skills in a more productive way, we are not only risking passing over the best person for the job, but encouraging hackers to continue their illegal activity by denying them a legitimate outlet for their skills.
What I struggle to understand is how there is a skills gap when it comes to building cyber security systems – and yet there seems to be an abundance of hackers threatening them. If these skills are not so far removed from each other, then it is not a skills gap we are dealing with – it is a choice to exercise their technical ability in an illegal and immoral way, in short, to use their powers for evil.
Channeling the right skills into the right job
Perhaps then we need to look at how we can make roles in cyber security more attractive? In a similar way to art forgery, hacking seems to be as much about (if not sometimes more) the satisfaction of fooling or surpassing the expert as it is about financial gain. Is it maybe as simple as repackaging the role of a cyber security expert to encompass the same glamour as its criminal counterpart seems to have undeservedly achieved? Speaking as someone who works in the IT recruitment industry, I find that job descriptions are often guilty of being a shopping list of skills required for the role, and can fail to promote the more emotive reasons for enjoying a role. The challenges involved in building and maintaining effective cyber security systems to keep out hackers are vast and make this an incredibly exciting and fast-paced career choice for candidates who wish to continue to learn, to fix problems and overcome obstacles in their profession.
I am pleased to report that IT recruitment company Skillsearch certainly doesn’t see a lack of candidates with these attributes or aspirations. So maybe it isn’t about hiring ex-hackers but making the role of the gatekeeper more enticing for talented individuals who are at risk of becoming hackers. The skills are there, now we need to look at harnessing them in the right way and perhaps be prepared to hire on the basis of talent, drive and a problem-fixing mentality – and invest more in providing the practical skills training needed to win the war on cyber security.