Would you employ a hacker or malware writer?

Features
By Davey Winder
published

Microsoft has pointed the figure at a Russian antivirus outfit's former technical expert, claiming he was the brains behind the Kelihos spam botnet. Davey Winder is prompted to ponder whether it's ever advisable to hire a former hacker or malware author...

Not all ex-hackers are quite as 'ex' as they would like you to think.

I know a number of ethical hackers who get hired as penetration testers by large corporates, who also earned their stripes before they started wearing the white hats they sport today.

It goes without saying that not all ex-hackers are quite as 'ex' as they would like you to think. And that's where the real problems start.

How can you trust someone not to work for you and steal from you at the same time? The answer is in exactly the same way that you trust someone not to steal money from the shop till or sell your secrets to a competing business.

It's what happens during the interview and selection process; it's the picture that you paint from talking to someone, checking their backgrounds and seeing if the two things gel; it's the personality profiling that you employ that specialist company to carry out on your behalf.

If the would-be employee 'fesses up about his or her past as a hacker then at least they have honesty on their side. Such honesty also suggests they are more than willing to leave you to make the judgment call and risk not being employed as a result. If they don't reveal their past and you uncover it, then they probably are not quite what you are looking for.

Ultimately, the decision is yours. You have to weight up the positives (in-depth knowledge of network and data security threats and methodologies, which can be put to good use protecting your data from their contemporaries who would wish to do you harm) against the negatives (the potential for things to go wrong with dire consequences for your network, your data and your brand reputation).

This is where the real nitty gritty comes into play: can you trust the ex-hacker to be on your side when things are no longer rosy, if your working relationship has gone pear-shaped and they have become an ex-employee? For a great many of the businesses I talk to about such matters the answer is a categorical 'no' and it is this greater potential for disaster which ends up tripping the risk assessment against the ex-hacker and in favour of someone with less obvious 'skillz'.

Davey Winder
Davey Winder

Davey is a three-decade veteran technology journalist specialising in cybersecurity and privacy matters and has been a Contributing Editor at PC Pro magazine since the first issue was published in 1994. He's also a Senior Contributor at Forbes, and co-founder of the Forbes Straight Talking Cyber video project that won the ‘Most Educational Content’ category at the 2021 European Cybersecurity Blogger Awards.

Davey has also picked up many other awards over the years, including the Security Serious ‘Cyber Writer of the Year’ title in 2020. As well as being the only three-time winner of the BT Security Journalist of the Year award (2006, 2008, 2010) Davey was also named BT Technology Journalist of the Year in 1996 for a forward-looking feature in PC Pro Magazine called ‘Threats to the Internet.’ In 2011 he was honoured with the Enigma Award for a lifetime contribution to IT security journalism which, thankfully, didn’t end his ongoing contributions - or his life for that matter.

You can follow Davey on Twitter @happygeek, or email him at davey@happygeek.com.