Chris Pogue was given the Tech Express treatment by CBR’s Ellie Burns, with the Nuix CISO looking into the recruitment of hackers.
EB: Why would a company want to hire a hacker?
CP: It’s well-known across the board that there is a shortage in cyber security skills in the UK and abroad. It can be beneficial for organisations to turn to those who already have a depth of security knowledge to bridge the gap, and often it is the case that the people closest to these matters are former hackers. Whilst many may be put off by hiring someone labelled in a presumably derogatory manner, hackers have a tremendous wealth of experience which is invaluable to security teams. Ex-hackers or penetration testers have an understanding of the inner workings of a cyber criminal’s mind better than any trained security professional. According to the Nuix Black Report, many hackers and pentesters have indicated that the only difference between the work they perform, and those of a criminal is a statement of work; the tools, techniques, and methodologies are all the same.
They can provide insights into how organisations become compromised and can help protect against these methods. In warfare, General Sun Tzu said:
“IF YOU KNOW THE ENEMY AND KNOW YOURSELF, YOU NEED NOT FEAR THE RESULT OF A HUNDRED BATTLES. IF YOU KNOW YOURSELF BUT NOT THE ENEMY, FOR EVERY VICTORY GAINED YOU WILL ALSO SUFFER A DEFEAT. IF YOU KNOW NEITHER THE ENEMY NOR YOURSELF, YOU WILL SUCCUMB IN EVERY BATTLE.”
The quote holds as much meaning today as it did thousands of years ago. Hackers can provide that rare perspective into the mind of the enemy, as well as helping security teams understand that security is more than just a policy on a paper or an anti-virus programme.
EB: What skills do hackers have which would benefit the business?
CP: Former hackers are often people who have been studying and researching security controls and protocols from a very young age, and consequently have an unrivalled depth of technical knowledge and creativity. They also know the best tools and techniques that can be used to infiltrate organisations. According to the Nuix Black Report, which surveyed cyber attackers, 88% of hackers say they can compromise a target in under 12 hours. Most businesses won’t even realise they’ve been breached and realistically won’t be able to mount any sort of defence before it’s too late. These numbers highlight the need for a well-trained response team with a diverse range of skills, using cutting-edge technology and actively monitoring for threats, in conjunction with expert knowledge and field experience.
EB: What is the advantage of hiring hackers instead of training/reskilling staff?
CP: Former hackers have a unique insight into a world which is largely closed off to the corporate world. Someone who comes from that background has an understanding of criminal motivations that a business professional simply would not be able to emulate through training alone. Enterprises need people who can think differently and creatively, as the criminal world is currently much more agile than those defending. A former hacker can help defence teams stay ahead of the curve on potential threats by teaching them how to recognise attack patterns.
EB: How do you attract hackers for corporate roles?
CP: Attracting hackers to corporate roles is a huge challenge facing the industry, as many are tempted into a life of crime by monetary gain, and the idea of achieving status among their peers. One way we can challenge this is by offering engaging roles which allow creativity and freedom. We need to be engaging with hackers early and showing them a path to success working with organisations instead of against them. This is approach can be effective, but businesses should anticipate it to be expensive. Their skills are highly specialised, and highly sought after – so be ready to pay significantly more than you would pay for traditional IT staff.
EB: What would be your top tip for a business looking to hire a hacker?
CP: A recent study from the UK National Crime Agency found that young people are lured into a life of crime from a very young age, with the average age of a convicted cybercriminal being 17. For those in charge of recruitment, a criminal record will almost certainly ring alarm bells, and rightfully so. While there are risks involved, in general there needs to be a cultural shift in the corporate sector which lifts the stigma of hiring someone with a somewhat tenuous past. Young people need to be able to see that there are lucrative opportunities out there for people with their skills, outside of the criminal world.