Would you trust a criminal with your cyber security?

The UK cyber security services market is one of the most mature in the world. It has benefited from the development of a higher education system that generates significant numbers of cyber security professionals, a mature training market that allows people to cross-train, and well-structured career pathways to promote professional practices, underpinned by codes of conduct and ethics that are both meaningful and enforceable.

This maturity in the market has put the emphasis on the recruitment of trained, educated individuals who understand career structures and ethics, rather than a “hire the hacker” approach.   

The practice of using ex-offenders is carried out with great care in other industries and the cyber security industry should learn from, and adopt, good practice in this area. We must ensure that we deal with these individuals in an open and inclusive manner and, as an industry, and that we take steps to ensure they are supported so that they do not reoffend. The codes of conduct and ethics are an important aspect in ensuring that this is carried out in a controlled manner.

There is also a significant number of individuals who have come to the attention of law enforcement, but have not been charged or prosecuted. The industry must be very careful how it deals with these individuals. It would be inappropriate to exclude them from recruitment activities, and again the meaningful and enforceable code of conduct and ethics are essential to manage these individuals. 

Some of the people who have come to the attention of law enforcement, but have not been formally cautioned or charged, are young. Again, the UK is leading the world in this area. Working with the National Crime Agency (NCA) and the Metropolitan Police, not-for-profit accreditation and certification body Crest is developing practices to provide intervention activities to reduce the risk of vulnerable young people being groomed into more serious cyber crime-based activities. 

This is a really important activity becauses it not only helps to identify talent and deflects individuals from a pathway into crime, but it is also one of the few things that starts to reduce the level of threat. The industry has a moral responsibility to help support these initiatives.    

The use of former cyber criminals often comes up when companies employ individuals to test out their cyber defences. The argument goes that if you are trying to simulate real-world attacks, then ex-criminal hackers are well placed to do this work.  

The risks of using someone who is operating outside the law and outside ethical bounds are obvious. An individual who has a spent crime must be treated in a fair way from an employment perspective. If we are going to be viewed as a professional industry, however, prosecution or potential prosecution should not be viewed as part of a career pathway or a badge of honour to enter the industry.