It may be a tired question, but it is one that is persistently asked in the security industry, because I guess we don’t feel we have answered it satisfactorily yet, and there is an absence of consensus on the topic.
It is a revealing question in so many ways, striking at the insecurities at the heart of so many security professionals, risk averse by both nature and role. It hints at the blame culture still prevalent in most organisations, the consequences for those who make errors, the fear of making the wrong call. It illustrates the reality of a job in security, where we are compelled to a defensive stance, knowing that there are those who exist solely to attack, manipulate, disrupt, steal and corrupt. The persistence of the question proves that trust is still a major issue in this area, and I suggest potentially points to a lack of insight into working with people, the real meaning of diversity and problems with labels, priorities and misdirection.
Hiring a “hacker” is the same as hiring anyone really: you should hire them not on their past but on their present. Can they do the job for you, and do you trust them? If the answer is that they CAN do the job for you, and the only thing in the way of you hiring them is a lack of trust, then what to do?
As a social engineer I’ve spent years working with “trust,” finding what it takes to get someone to trust another person, especially if such trust is misplaced and misguided but needs to happen anyway. As a consultant who works in deception and uncovering insider threats and frauds, I have had occasion to analyse why people do, or don’t, trust others, and I have witnessed numerous examples of insider threat, fraud, malicious deception and naivety, all of which stem from the human tendency to misplace our trust. Often, convincing interview technique, good deception skills and superficial charm lead to poor hiring decisions, data breaches, theft of all types, and massive risk to organisations, not because the company was “hiring a hacker” but because people lacked common sense, appropriate procedure, time and insight. The work we do with the company involved to uncover the deception and the damage these actions have caused can be time consuming, emotionally charged, painstakingly detailed and potentially disastrous for the organisation and individuals involved.
More often than not, and with the benefit of hindsight, the hiring or promoting manager was convinced by a “good feeling” about the (unreliable or fraudulent) individual across the table from them. To be clear, these people were not “hackers” and may not have thought of themselves as criminals or even malignant, but they were untrustworthy, and they knew they were being less than honest when applying for the job, telling their version of events or describing their actions within the organisation. They were just good at creating “trust,” perhaps only in that situation or context, or perhaps in any or all situations: the very objective of social engineering and a key component in insider threat.
From years spent uncovering and repairing the damage caused by misplaced trust, as well as creating it in ethical security assessments, I can tell you that we shouldn’t rely on our “gut feelings” with decisions about whom we trust, professionally or elsewhere. It is unfortunate that instinct alone often proves unreliable over time. People trust people for the most fragile of reasons: that they are good looking, well-dressed, polite, or that they have something in common with them. Trust is something we often give too easily, only to be disappointed. It’s fundamentally the concept that all social engineering is built on: “how can I make you trust me?”
Unsurprisingly, my answer to the “hire a hacker” question then is that whilst hiring the best person for the job regardless of their past is truly diversity in action, you shouldn’t “trust” them any more, or less, than you should trust anyone else. You shouldn’t blindly “trust” anyone in the business space, and perhaps even more widely, at least not to the extent where you give them free rein to harm you with no caveats, controlling measures or monitoring systems. Of course, we have to trust people to a certain extent at some point, and I am NOT trying to destroy faith in human nature here, but I do advise sensible limits and precautions (for goodness’ sake!).
Whether someone is labeled as a “Hacker” or not, people are ALL subject to temptation, extortion and mistake under the correct set of circumstances, which means we should take care over what we allow them in terms of access and information. It is actually far easier to work well with people if you can trust them BECAUSE you have limited their potential to do harm, either purposely or by accident, or because you have given them as much freedom as you can but are monitoring their activities closely and continuously.
It’s the same story as the IPR debates we used to have when I was in procurement, outsourcing production lines to long-distance suppliers: what if they copy our stuff? How do we prevent duplication, reproduction and unauthorized copying when we have to let people access it to do business?
Compartmentalization went a long way in stopping theft at a distance, and the same might be true for our hired “hackers,” who we worry are plotting a virtual smash-and-grab job on the business by way of thanks for us offering them a regular paycheck. The same is true for them as for any employee: you should try to limit the information and data ANY employee can access at any one time, whilst allowing them the freedom to get on with their jobs. Businesses should monitor user activity, people activity and human interactions, and look for exceptions, spikes in behaviour and potential causes for concern. All humans within organisations are potential hackers. If placed under too many restrictions they will find “work-arounds” to get things done; if treated poorly or misunderstood as employees they may find reason, and opportunity, to work against the company. Monitoring and limitation, done with applied thought and common sense, are key to prevention here.
This not only protects the data but the employee as well, as social engineers, and indeed external hackers of many types, are looking for people within companies who can access a broad range of information via the simplest route possible. The more access an employee has, the less work the external hacker, whether human or technical, has to do, let alone if you actually hire a Hacker and give them anything beyond the access they actually need to do their job!
“But, they are hackers!! They’ll just take what they need!” Not an unreasonable point, but one that subtly but distinctly shifts responsibility. It’s like the scorpion who takes a ride on the frog, stinging the frog and dooming them both to drown, whilst citing that it was “in his nature” to sting the frog, regardless of the consequences, because he is a scorpion.
However, if you do worry about someone stealing something from you (and you probably should, hacker or not), then, and this is radical I know, KEEP YOUR EYE ON THEM AND LIMIT THEIR ABILITY TO DO THE DEED. As a good friend told me recently, “if you’re the frog carry some anti-venom, if you’re the scorpion try a life-belt!”
In business, as in the rest of life, we shouldn’t “settle” for second best. We should always look to get the best possible friends and partners we can; we should invest in our relationships and monitor and work on them continuously. Effective relationship management, coupled with good process, largely prevents the temptation for corporate skullduggery anyway, as the “partners” to the deal are communicating regularly enough for trust to be established, but also (for the cynical and paranoid amongst us) it gets you close to the ground in terms of behaviour, making said skullduggery easier to spot quickly, if and when it occurs.
Hackers are potentially useful on any team, but the label is unhelpful, acting as a barrier to integration as a team member and preventing any semblance of openness and trust in the relationship. Once hired, hackers need to be treated as individuals like anyone else, so we can get the measure of them as people, as we do of anyone we hire. We need to peek at the bogeyman behind the labels we give to everyone we work with, peep behind the masks people wear in their professional lives, and begin to control the associated risks and connected fears through increased familiarity and better human interactions. Get closer to the individuals behind the title, find out more about them, and we may find out something useful, something practical about ourselves, and our organisations.
The question is still one of trust, but it is not to do with whether we can trust a “hacker,” but more whether we can trust ourselves, our organisations and our industry to manage the threats we are faced with.