Information Security News mailing list archives
Would You Hire A Hacker?
From: William Knowles <wk () C4I ORG>
Date: Mon, 4 Sep 2000 02:41:49 -0500
http://www.cio.com/archive/090100_soundoff.html

By: Martha Heller

DAN GEER, CTO OF @STAKE in Cambridge, Mass., an Internet security company, hires hackers. So does Firas Bushnaq, president and CEO for eCompany in Aliso Viejo, Calif., an Internet solutions company. In fact, a growing number of security organizations are hiring hackers -- people driven by an unquenchable desire to understand programmable systems and find the weaknesses in them. Some hackers have questionable histories, and some are squeaky clean, but all have what many employers consider to be a crucial element of good security. Geer calls it "the love of the game."

Bushnaq hired Marc Maiffret as "Chief Hacking Officer" of eEye Digital Security, a division of eCompany, precisely because of that drive and desire to test and retest systems. "While other developers would go through the front door and set up the installation and network configuration," says Bushnaq, "Marc looks for the back door into systems. He will search for a flaw until he finds one."

Mike Higgins, president and cofounder of Para-Protect Services in Alexandria, Va., is not convinced that hackers make good security consultants. In addition to acknowledging the risks of hiring someone who may have gained his skills through illicit activities, Higgins worries that hackers may not have the training or the discipline needed for thorough security work.

"Hackers give off this aura of knowing more than anyone else," Higgins says. "But they are usually not as well-trained as traditional IT professionals, and they often don't have the discipline or processes to do repeatable testing." Enamored by the newest, sexiest security tools and fixes, Higgins argues, hackers will not always bother to fix the processes that allowed for the flaw in the first place.

For Geer, as long as the manager of a security company or information technology department is on his toes, the benefits of hiring hackers far outweigh the potential dangers.

"If I am a good judge of character and am minding the store," says Geer, "then I risk little by hiring hackers. It's only when the sergeant is a thug that you need to worry about the infantry men who are armed."

Does the talent, knowledge and energy that hackers bring to the job outweigh their potential for unorthodox processes and possibly even antiestablishment tendencies? Would you hire a hacker? Tell us what you think. (For more on hackers turned consultants, see "Pro and Con," CIO, June 1, 2000.)

Senior Web Editor Martha Heller can be reached at mheller () cio com.

*==============================================================*
"Communications without intelligence is noise; Intelligence
without communications is irrelevant." Gen Alfred. M. Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of "SIGNOFF ISN".