Dan Geer, CTO of @Stake Inc. in Cambridge, Mass., an Internet security company, hires hackers. So does Firas Bushnaq, president and CEO for eCompany in Aliso Viejo, Calif., an Internet solutions company. In fact, a growing number of security organizations are hiring hackers--people driven by an unquenchable desire to understand programmable systems and find the weaknesses in them.
Some hackers have questionable histories, and some are squeaky clean, but all have what many employers consider to be a crucial element of good security. Geer calls it "the love of the game."
Bushnaq hired Marc Maiffret as "Chief Hacking Officer" of eEye Digital Security, a division of eCompany, precisely because of that drive and desire to test and retest systems. "While other developers would go through the front door and set up the installation and network configuration," says Bushnaq, "Marc looks for the back door into systems. He will search for a flaw until he finds one."
Mike Higgins, president and cofounder of Para-Protect Services in Alexandria, Va., is not convinced that hackers make good security consultants. In addition to acknowledging the risks of hiring someone who may have gained his skills through illicit activities, Higgins worries that hackers may not have the training or the discipline needed for thorough security work. "Hackers give off this aura of knowing more than anyone else," Higgins says. "But they are usually not as well-trained as traditional IT professionals, and they often don't have the discipline or processes to do repeatable testing." Enamored by the newest, sexiest security tools and fixes, Higgins argues, hackers will not always bother to fix the processes that allowed for the flaw in the first place.
For Geer, as long as the manager of a security company or information technology department is on his toes, the benefits of hiring hackers far outweigh the potential dangers. "If I am a good judge of character and am minding the store," says Geer, "then I risk little by hiring hackers. It's only when the sergeant is a thug that you need to worry about the infantry men who are armed."
Does the talent, knowledge and energy that hackers bring to the job outweigh their potential for unorthodox processes and possibly even antiestablishment tendencies? Would you hire a hacker? Tell us what you think. (For more on hackers turned consultants, see "Pro and Con," CIO, June 1, 2000.) Senior Web Editor Martha Heller can be reached at firstname.lastname@example.org.
HIRING A HACKER IS THE SAME as hiring an armed thug for security. Sure, thugs can provide security on a street-level scenario, but for a true world-class security department, you must invest in a professional security department. Some companies look for the easy way out and hire the street thugs, but having dedicated professionals doing security is the true sign of a best-of-breed operation. (Remember, you get what you pay for!)
Richard Cope
Manager, IS and Technology
The Clorox Co.
Oakland, Calif.
email@example.com

YES, HACKERS ARE IMPORTANT. THE FBI uses informants, the media has secret sources and banks hire former con men to teach employees scams to look out for. The IT industry needs to do the same.
Scott Johnson
CTO
E-corrugate.com
Los Angeles
firstname.lastname@example.org

I WAS LABELED A HACKER 10 years ago while working as an independent consultant (not specializing in security) for a large multinational. The majority of IT managers there were appalled that I had the audacity to not only break into all of their systems but to present them with a detailed analysis of what their problems were and how to fix them. The security chief demanded that I be terminated immediately. Six months later I had his job.
I've moved on to bigger and better things, but being a "hacker" to me means being a person that is knowledgeable in a breadth of technologies, as well as the scope of companies' business systems. I only wish that I could now find more people like this, which is the real issue.
Anonymous
Wall Street CIO

FROM WHAT I READ ABOUT HACKERS, it's the thrill of the game that gets them excited. Most of the time the game is benign, but there are times their actions are meant for criminal purposes or to prove a point. Also, doesn't hiring hackers validate and even encourage an illegal activity? The question is, Is the thrill still there if it's your 9-to-5 job? My guess is that a hacker will lose interest quickly.
I think you are better off challenging people within your company to find the holes; they are the trained professionals, and everyone loves a challenge. Plus you protect the integrity of the IT industry.
Cary Weltken
Director, Business Development
SVI America Corp.
Charlotte, N.C.
email@example.com

I WOULD ABSOLUTELY NOT HIRE ANYONE who has illegally hacked into private networks. In an industry where ethics may be hard to come by, I am strongly against rewarding those who have done wrong.
Rick Ollerman
CIO
Enginehouse Media
Troy, Ala.
firstname.lastname@example.org

THE ARTICLE IS IRONICALLY ALL too familiar for me. In recent months, my company has invested a tremendous amount of resources into persons who are classified as hackers. Much like the recent ventures with well-known hackers, such as the team from L0pht Industries with the likes of major vendors such as Compaq, I too found a need and an opportunity for the would-be opportunist. I was able to find people who work for very sensitive areas of the government and now are able to reap the rewards of doing what they do best and that is to identify deficiencies.
Hiring them was one thing--keeping them happy is another.
B.J. Carter
CIO
ValCom
South Portland, Maine
email@example.com

WOULD YOU HIRE A HACKER?
Want to sound off on this or other topics? Join the ongoing debates at comment.cio.com.