Information Security News mailing list archives

Would You Hire A Hacker?


From: William Knowles <wk () C4I ORG>
Date: Mon, 4 Sep 2000 02:41:49 -0500

http://www.cio.com/archive/090100_soundoff.html

By: Martha Heller

DAN GEER, CTO OF @STAKE in Cambridge, Mass., an Internet security
company, hires hackers. So does Firas Bushnaq, president and CEO for
eCompany in Aliso Viejo, Calif., an Internet solutions company. In
fact, a growing number of security organizations are hiring
hackers -- people driven by an unquenchable desire to understand
programmable systems and find the weaknesses in them.

Some hackers have questionable histories, and some are squeaky clean,
but all have what many employers consider to be a crucial element of
good security. Geer calls it "the love of the game."

Bushnaq hired Marc Maiffret as "Chief Hacking Officer" of eEye Digital
Security, a division of eCompany, precisely because of that drive and
desire to test and retest systems. "While other developers would go
through the front door and set up the installation and network
configuration," says Bushnaq, "Marc looks for the back door into
systems. He will search for a flaw until he finds one."

Mike Higgins, president and cofounder of Para-Protect Services in
Alexandria, Va., is not convinced that hackers make good security
consultants. In addition to acknowledging the risks of hiring someone
who may have gained his skills through illicit activities, Higgins
worries that hackers may not have the training or the discipline
needed for thorough security work. "Hackers give off this aura of
knowing more than anyone else," Higgins says. "But they are usually
not as well-trained as traditional IT professionals, and they often
don't have the discipline or processes to do repeatable testing."
Enamored by the newest, sexiest security tools and fixes, Higgins
argues, hackers will not always bother to fix the processes that
allowed for the flaw in the first place.

For Geer, as long as the manager of a security company or information
technology department is on his toes, the benefits of hiring hackers
far outweigh the potential dangers. "If I am a good judge of character
and am minding the store," says Geer, "then I risk little by hiring
hackers. It's only when the sergeant is a thug that you need to worry
about the infantry men who are armed."

Does the talent, knowledge and energy that hackers bring to the job
outweigh their potential for unorthodox processes and possibly even
antiestablishment tendencies? Would you hire a hacker? Tell us what
you think. (For more on hackers turned consultants, see "Pro and Con,"
CIO, June 1, 2000.)

Senior Web Editor Martha Heller can be reached at mheller () cio com.


*==============================================================*
"Communications without intelligence is noise;  Intelligence
without communications is irrelevant." Gen Alfred. M. Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*
