Security experts urge caution as UK firms consider hiring ex-hackers

News by Doug Drinkwater

The widening cyber-security skills gap is pushing British companies to consider employing hackers and convicted criminals, according to new research. But some experts say this is the wrong approach.

In a new study released today, KPMG surveyed 300 senior IT and HR professionals in organisations employing over 500 staff and found that most of these remain unsure how to plug the shortage which – according to previous estimates – will result in a void of two million extra InfoSec professionals by 2017.

Approximately 74 percent of businesses said that new cyber-challenges will require new skills while nearly two thirds (64 percent) admitted that these skills are different to those offered by conventional IT.

The research notes that the shortage is most keenly felt in areas such as data protection and privacy (70 percent of firms admit they lack expertise in these areas) as well as cyber-threat analysis.

But even those companies who have the right staff struggle to hold onto them – 57 percent of businesses say that they find it difficult retaining those with specialised cyber-skills, who are often headhunted for other jobs.

Consequently, some companies are considering alternative avenues with more than half admitting that they would consider hiring a hacker  (53 percent) or someone with a criminal record  (52 percent) in a move KPMG described as targeting ‘poachers-turned-gamekeepers'.

Serena Gonsalves-Fersch, head of KPMG's Cyber Security Academy, said in a statement: “The increasing awareness of the cyber-threat means the majority of UK companies are clear on their strategy for dealing with any skills gaps. However, they wouldn't hire pickpockets to be security guards, so the fact that companies are considering former hackers as recruits clearly shows how desperate they are to stay ahead of the game. With such an unwise choice on the menu, it's encouraging to see other options on the table.

“Rather than relying on hackers to share their secrets, or throwing money at off-the-shelf programmes that quickly become out of date, UK companies need to take stock of their cyber-defence capabilities and act on the gaps that are specific to their own security needs.  It is important to have the technical expertise, but it is just as important to translate that into the business environment in a language the senior management can understand and respond to.”

Speaking to shortly after the announcement, Gonsalves-Fersch added that security is ‘reactive by its nature' and said that businesses would be well-advised to up-skill existing staff, and get buy-in from the CEO.

“My concern is less who is really out there and more the untapped internal resource in their own organisations,” she said of companies, adding that up-skilling would be one way to resolve the skills gap. “[Up skilling] is turning the problem on its head.”

“Cyber-security is as much about behaviour as it is about technology. The cyber field is constantly evolving and – by nature – it's quite reactive. We don't know when the next thing is going to hit so it's about getting that response right.”

Part of that response, she said, is ensuring the right language is used at the top table, with 60 percent of survey respondents admitting they were worried about finding cyber experts who could effectively communicate with business leaders.

“Boards are recognising the problem, and there are more synergies [with cyber-security]. But it's really a translation piece; it's about articulating cyber in a way the business can understand.”

Meanwhile, Peter Wood, CEO of pen-testing specialist First Base Technologies, told that he was ‘not at all surprised' by a report which he said ‘reflects what everybody's been saying for the last year'.

“There just aren't enough people with the right skills available right now,” said Wood, who added that some companies had been ‘ignorant' of the problem with too little focus on training.

On the finding that most companies would consider hiring hackers or criminals, Wood – with 25 years' experience of being a white hat – warned that this would be difficult for companies, not only in finding the appropriate personnel but also deeming if they are trustworthy. Furthermore, he said there would be no obvious way of verifying their achievements as ‘you can hardly ask for employer references'.

“I am disappointed but not surprised about people trying to recruit ex hackers and criminals. There's a perception that people who have been on the dark side have the skills you need but businesses have to understand that even if they are reformed and have the technical skills, they might not play well with others.”

Instead, Wood – who says that most firms still approach security management with an ‘auditor's mind-set' - said that it would be much cheaper and with more ROI if they up-skilled existing staff.

“There's a massive missed opportunity in developing existing staff who are interested in adding security to their skillset,” said Wood who added that it would ‘not be a big leap' for Windows administrators, developers and internal networks staff to learn additional topics, such as vulnerability scanning and pen-testing.

“Once you've got that mind-set, you'll never lose it. Once you work in security, you're a security nerd forever.”

This news comes as KPMG launched its own cyber-awareness programme, which offers ‘cyber-learning' content across an organisation from C-suites to graduates.

Update: (ISC)² EMEA managing director John Colley has joined Wood in criticising the potential move to recruit hackers and criminals.

“The fact that over half of organisations would consider recruiting an expert with a criminal record is very difficult to swallow," he said via email. 

"How can you be sure they are an ‘ex' hacker: would you hire an ex-armed robber just because they know how armed robbers work? What's more, most of the tools and techniques that hackers use are well known to information security teams and the wider community. Security think tanks like I-4 which, is managed by KPMG or the Information Security Forum (ISF), contain a lot of this information, so if organisations are considering hiring hackers to bring in information on how hackers work, they really should consider joining these sorts of organisations."

He added: "The issue here is that the security industry is suffering from a staff shortage, and there's only one way to address that: to provide adequate training, skills and certifications to help nurture the workforce. That includes hiring people with less experience and growing them into the job, while ensuring people have the correct professional qualifications – most of which require adherence to a code of ethics.

"Ultimately, if organisations do employ former hackers to stay ahead of the game, they will probably find themselves out of the game. If I was still in one of my former roles, I would not want to engage with teams who would want to hire people with criminal records; I would find it very difficult dealing with an organisation knowing that a rogue trader is in its midst."

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews