Would You Hire a Hacker?

In recent months, four young individuals have been arrested and charged with suspected involvement in the Marks & Spencer, Co-op, and Harrods ransomware attacks. As news of their arrest spreads, it's natural to condemn those responsible for the disruption caused. But is it fair to rush to judgment? In an era of skills shortages, high numbers of security breaches, and an aging cyber security workforce, should we consider alternative pools of young talent, including hackers, to address these challenges?

Mike Gillespie, CEO of information and physical security consultancy Advent IM, notes that it's an "ageing profession." As someone who is 56 years old himself, Gillespie explains that he is considered average in his field. The industry still lacks diversity and remains predominantly white and male, making it difficult for employers to find qualified candidates from a diverse pool of talent.

Gillespie argues that organizations are struggling to find suitable candidates partly because of a lack of alternative role models. The resulting narrow image of the profession deters people from pursuing careers in cyber security. Gillespie emphasizes the need for greater diversity and representation within the industry to attract a more balanced range of talent.

Amanda Finch, CEO of the Chartered Institute of Information Security (CIISec), agrees that the lack of alternative role models is a significant issue. Finch highlights that the perception of cyber security as solely being about high-tech jobs like penetration testing and offensive hacking can be off-putting for those interested in more governance-focused roles.

"Although we, as an industry, are doing better at explaining the diversity of roles within the profession," Finch says, "we're still not doing enough to show that cyber security is a multifaceted field with various career paths." Finch emphasizes the need for greater awareness and understanding about the range of roles available in the industry.

Chris Wysopal, co-founder of application security company Veracode and a former L0pht hacker, believes that one major challenge is making high school students with an aptitude for cyber security aware that they can turn their interest into a career. Wysopal highlights the need for better industry promotion and education to encourage young people to pursue careers in cyber security.

Wysopal also notes that many talented individuals who could be good practitioners are not interested in pursuing a four-year college degree. This presents an opportunity for employers to consider non-traditional candidates with relevant experience or certifications.

A recent study by cyber training and certification body ISC2 found that, for entry- and junior-level jobs, employers would favour candidates with previous IT experience or entry-level cyber security certificates over graduates with no work experience. However, some hiring managers still request qualifications intended for more experienced professionals.

This highlights the need for a better understanding of the actual requirements of the various roles within the industry. Employers are starting to recognize the value of alternative talent pools and to invest in raw talent, for example participants in programs like Bugcrowd's hacking games.

Casey Ellis, founder and CEO of crowdsourced security platform Bugcrowd, emphasizes that hackers are being recruited by black hat groups from gaming forums and Discord servers. Ellis believes it's essential for the industry to step up and counter this recruitment strategy.

"The idea is to get them when they're young as they're easier to manipulate," Ellis says. "We need to create a safe space for these young hackers to explore their skills in a positive way." Bugcrowd offers training programs like The Hacking Games, which provides access to industry figures, mentors, and job opportunities.

Ellis highlights that the industry needs to move beyond its current narrow focus on traditional candidates. "There's much gold in the younger generation," Ellis says. "It's not just about finding them a job; it's about getting their strategic input as they're native to the tech environment we're creating right now."

Ellis emphasizes that people across the industry must listen to one another and learn from these young talent pools to stay ahead of the criminal gangs and future-proof the industry.

Gillespie agrees that there's a widespread misunderstanding of what a hacker is. Gillespie notes, "The difference between black hat and ethical hackers is the same as between burglars and locksmiths." Wysopal adds that some people are viewed as having different moral compasses.

"Hacker is a loaded term," Wysopal says. "We need to move beyond this perception and recognize that not all hackers are bad. We can hire someone with a conviction if they've changed their ways and can bring valuable skills to the table."

As we reflect on the challenges facing the cyber security industry, it's clear that finding alternative talent pools is crucial. By recognizing the value of diverse candidates, investing in raw talent, and creating safe spaces for young hackers to explore their skills, we can future-proof our industry.