Welcome to the first edition of this column. Glad you have a few minutes to
catch up. I plan to use this space to talk freely with you frequently on
things I'm seeing in the industry that have bearing and importance on
how we work as security executives. While you may not always agree 100% with me on all issues and matters, I do hope that my insight assists you in seeing some things in a way that you might not have thought about. That's the value I'm hoping to add here.
Hiring Hackers
Last year I did a discussion panel at Blackhat and Defcon with a few
other CSOs called "CISO Q&A with Jeff Moss". For those of you who are
not familiar with these two conferences, Blackhat bills itself as
"Putting you face to face with people on the cutting edge of network
security" and Defcon is "The largest Hacking convention in the US". The
audience asked a lot of interesting questions of us, but the one that
stuck with me the most was "Do you hire hackers?". My answer to this was
(and still is) very simple:
No. I don't hire hackers. I hire smart people.
I won't hire someone based on a label (appropriate or not). "Hacker",
"reformed-hacker", "ethical hacker", CISSP, MCSE, M-I-C-K-E-Y-M-O-U-S-E
and (insert acronym of the day here) IMHO are not necessarily a
reflection of someone's competency or skillset. And most certifications
are a mixed bag. Some certified people know what they are doing, some
couldn't troubleshoot their way out of a shopping bag. I'll hire someone
based upon the needs of the position, and what they can contribute to
the program - both individually and collectively. While some of these
labels or acronyms *can* be applicable in some instances, I won't rule
out a potential candidate just because they don't include them in a
2-pager designed to skip past an HR person. I also wouldn't rule out a
candidate just because they've made a name for themselves in finding
flaws in computer systems.
Just as you wouldn't dare ask someone about what they do at home in
their bedroom, why would you need to know what they do at home on their
computer? As long as everything's legal and above-board ethically and
they are able to keep their work life separate from home life, I have no
issues with them having a passion for learning on their own time and
contributing back to the community we're a part of. There's no way you'd
ever be able to prevent or police this anyway, so why go through a
bottle of Rolaids about it to begin with?
My point here is that we should not be so quick to judge people based
solely upon stereotypes, letters on a business card or the presence of a
"handle". Like a candy bar, it's what's inside that matters most. Don't
get fooled by the packaging.
Shifting gears for a second, be sure to look for a piece I'm currently
writing for an upcoming issue, "The CSO's InfoSec Toolbox (On the
Cheap)". It's packed with freebies your business shouldn't be without.
And a lot of them were written by "hackers" :-)
Getting back to the question. So, would I hire an HD Moore, a Pieter
Zatko, a Matt Miller or a Dave Aitel?
In a New York minute.
Like I said before: I don't hire hackers, I hire smart people.