Should you hire a hacker to prevent data breaches?

With all the recent headlines about data breaches, should your organization hire a “thief to catch a thief”? That’s a question Kevin Mitnick, sitting near the top of the hacker hall of fame for his famous hacking sprees in decades past, has been contemplating. He’s not alone – many companies are wondering the same thing. There is a sort of desperation to stop one’s own organization from being paraded out in the headlines as the next in a series of “also hacked” companies who have to do the media walk of shame, reporting what happened and distributing blame (and possibly legal correspondence).

Back in the day, when scary-looking agents scooped up Kevin at his apartment and scooted him off to an extended stay in the correctional system, there was a high-spirited zeal to strike back at these new-fangled hackers, and he was the poster child. The sentiment (exacerbated by various media) included a mix of frequent irrational fear mongering, along with a conspicuous void of accurate technical analysis. The public was grasping for a simple solution to complex, multi-faceted issues (sound familiar?). Now he claims he’s reformed, done his time (and then some), and paid his debt to society, but would you trust him (or any similarly situated reformed hacker)?

In a recent interview, a related question was posed to Kevin that may help to shed some light: “This question is really a question of balance. Does the prospective employee (former hacker) bring enough knowledge, experience, or skills that outweighs the risks associated with hiring that person? You have to closely examine the background, values, beliefs, goals, and attitude, to gauge the risk to the business. In some cases, the person can be hired to perform a service that is a low risk or even risk free. I firmly believe that once a person has paid their debt to society for past transgressions, that individual should be free to pursue legitimate employment opportunities that benefit society.”

So is your organization ready to wade into the waters looking for a reformed hacker? In the same way that it’s a bad idea to have a mechanic blindly replace car parts without a plan and analysis already in place (and hopefully a clearly defined problem), hiring a reformed hacker as a “magic bullet” doesn’t preclude your organization from needing a more complete analysis and implementation of a layered security stance, nor should it. That said, an organization may feel the risk/reward of having an employee with significant “street smarts” makes sense. It seems to be relatively popular among government law enforcement organizations, and organizations that have hired reformed hackers have been seeing good results. It may be that the potential scrutiny toward the reformed hacker/employee for being on their best behavior becomes a self-fulfilling prophecy. In any case, there seems to be significant demand in the marketplace currently, so it might be something to keep an eye on.

Author, ESET

  • Marquisa

    This is a tricky one.
    While a reformed hacker can continue to walk a straight line, what if they suddenly relapse and go down that dark path again? Especially if they're ever let go from the company. We've seen what types of havoc ex-employees can unleash upon their former employers in the news recently, like that one guy who deleted 88 virtual servers from his previous employer's network. And there was no mention of him having a history of hacking; he was just ticked off because of the company's lay-offs that affected a buddy of his.
    On one hand, there's going to be a risk no matter who you hire, but there's also the question of who could do more damage.

  • Cameron Camp

    @Marquisa: Well put. There's a certain amount of risk when an employee (regardless of background) touches equipment, so it becomes an exercise in risk management and appropriate oversight really. Also, there may be a certain wisdom in managers effectively communicating with employees and ensuring they are happy in their work environment, making them (hopefully) less inclined to do nasty things, like rm -rf /serverfolder.

  • lyecdevf

    @Marquisa First of all, it would be nice if you told us when and where that happened. I do not exactly feel like googling for a guy who "deleted virtual servers."
    As you mentioned yourself, he had no previous history of hacking. So why did you bring this up when the discussion revolves around people who were once hackers but are now working for the benefit of society?! I do not think it is fair to assume that because someone was once a hacker he would be more likely to do something bad to the company if angered by the actions of his employer. Let's not get too far ahead of ourselves. We want to see if a reformed hacker under normal working conditions functions the same as all the other employees. So we can then take a look at, let's say, 10 reformed hackers and come to some conclusion about employing reformed hackers.


Copyright © 2017 ESET, All Rights Reserved.