Ethical hacking has a definite role to play in keeping businesses secure, according to Symantec’s CEO Enrique Salem, but the company will not hire known hackers to carry out the service.
Responding to Computerworld questions at a media conference in Sydney, Salem said that hackers playing both ethical ‘white hat’ roles and criminal ‘black hat’ roles, effectively becoming ‘grey hats’, was an issue in the security industry.
“You always worry about [grey hats]. Symantec has a standing policy that we don’t hire anyone to be a part of our company who has done any kind of known hacking,” he said. “We will not employ hackers.”
Despite the policy of not employing active hackers, the company still had strong internal resources to keep up with new threats developed by black hats, Salem said.
“I was in a meeting and somebody said, ‘does that mean you’re not going to get the best thinking?’ And I say, no, we have a bunch of very smart people who will figure out better than anyone else, how to protect customers.”
This, Salem said, did not equate to admitting that Symantec trained up its own team of in-house hackers.
“We train people on the best techniques to detect vulnerabilities… that’s a very clear point of view on how our job is to protect customers and data, and what you want is that no-one can compromise your websites,” he said.
Salem added that he disputed the term ‘ethical hacking’, arguing that the phrase was just another name for the standard process of vulnerability checking.
“When you think about business – companies need to figure out where they are vulnerable. [Ethical hacking] is one of the techniques they can use to figure that out,” he said. “The challenge with the phrase ‘ethical hacking’ is that it has the word ‘hacking’ in it. To me it is just a quality assurance process.”