The world of Cyber security will be around for a long time to come, there is no doubt about that ever. Also, the jobs that come with it will always be in demand, and even lucrative, but a lot depends upon the position you are aspiring for, and if you have any related certs (believe, me of which they are plenty from, it could take a series of blogs just to list them all).
I see in the headlines every day about the shortage of skilled workers that are able to fulfill these jobs … despite this, it just proves that Cyber security will continue to be a vibrant industry. Probably one of the hottest areas of growth will be that of Penetration Testing.
This is where a trained Cyber professional gets into the mind of a true attacker and tries to breach your lines of defense.
But this is all done legally and ethically of course, in order to give you, the business owner, or even the C-Level Exec, an idea of where the hidden security holes/gaps are, and how to fix them. But keep in mind, unless you do a thorough background check on whom is actually doing these tests, the people involved could actually be former Cyber attackers themselves, trying to turn over a new leaf.
So now, this begs the question: Given the shortage of Cyber workers as just described, is it worth it to hire a former Cyber attacker to work for you? There are two sides to this equation. First, the temptation would obviously be quite high to hire one of these folks.
After all, you need an IT Security worker with that specialized knowledge and skillset, and you could probably even hire them on a temp to hire basis.
The other side of the equation is that if you do indeed hire this particular individual, what guarantees do you have that he or she will not breach your own IT Infrastructure in a form of an Insider Attack?
This is obviously a tough one to answer, and the decision rests squarely on whomever is making the hiring decision. Of course then, that person’s job is at stake as well, because then they will get blamed for hiring a former Cyber attacker.
This is probably one of the toughest areas that HR departments and even law enforcement officials are dealing with at the present time. Very often, these former Cyber attackers are very young teenagers just out of high school and perhaps even starting college – but unfortunately, they just have not figured out the difference from wrong and right yet.
So, what can be done about this? My thoughts are that every individual, no matter what walk of life they come from, even if they are former convicted criminals deserver a second chance. Heck, if it was me making a hiring decision, I would probably hire a former Cyber attacker versus somebody who just graduated from college and has all of those glamorous Cyber security certs.
After all, they possess a deep knowledge and skill set about the world that cannot be taught in the classroom or through any certification program: “Curiosity, tenacity, stubbornness, parallel thinking — all of those things are more important than any professional certification or computer science degree.” (SOURCE: https://www.zdnet.com/article/is-hiring-a-hacker-ever-a-good-idea/).
Second, just because somebody has committed a Cyber attack does not necessarily mean that they will be a repeat offender. There is a greater chance that they will become the latter if Corporate America keeps turning down these individuals. Thus, they will have no legal or ethical outlet for their skillset.
Third, it is important to keep in mind is that there is a new breed of Cyber attacker that is coming out today. As mentioned, these are the teenagers who really do not have a lot of technical knowledge, but can easily purchase a Cyber attacking kit online, for example, to launch a low level Phishing attack.
Because of this, there is still a great hope that these young kids will not become true, hardened Cyber criminals such as those launch the sophisticated Ransomware attacks, such as the “WannaCry” one.
Fourth, by hiring these teenagers, this will also give you an opportunity to probe into the mind of what a true Cyber attacker is. With this intelligence in hand, this will give you an opportunity as well to further beef up those lines of defense at your business or corporation, in a logical and strategic way, versus the “throw in the kitchen sink as well” approach.
Fifth, if you hire a former Cyber attacker, it does not mean that you have to put them in a high level position with administrative rights and privileges initially. You give him or her some initial tasks at first, see how they handle it, and then move up the network permissions from there, as their job role dictates.
This method is not a sure fire guarantee that your IT Infrastructure will be completely safe, but it will at least give you some sort of assurances.
Sixth, before you hire the former Cyber attacker, you can always make them sign paperwork to the effect stating that they will not breach your critical assets, and if something does indeed happen (especially if the forensics evidence points to them) you have every right to go after them in a court of law.
Finally, if you are still not convinced into hiring a former Cyber attacker, or still on the fence about it, there are many summer training camps which have just started this year which are training “clean” teenagers the concepts and the tools that are used in Cyber security.
The hope is that these young kinds will be strongly motivated to pursue a career in Cyber security once he or she finishes high school or even college.
Perhaps you could give one of these teens an internship at your organization and teach them the ropes as well – after all, the shortage of trained workers in this field will be around for the foreseeable future. In fact, I will be writing a series of article on this very topic for a client of mine in the coming months.
Finally, the question if you should hire a former Cyber attacker onto your team should not be viewed as a black and white decision. We all have ghosts in the past, and that should not be used to haunt us again for the future.