Introduction:
1. Majority of Firms Would Hire Ex-Cons as Cyber-Security Pros

2. Is hiring a hacker ever a good idea?
Majority of Firms Would Hire Ex-Cons as Cyber-Security Pros
Over half of senior IT and HR professionals would consider hiring former hackers in a bid to overcome crippling cyber-security skills gaps and shortages, according to new research from consultancy KPMG.
The firm interviewed staff in UK businesses with anything from 500-10,000 employees and found increasing levels of concern when it comes to human resources, with three-quarters (74%) admitting new skills are needed to combat ever-evolving threats.
However, despite the majority (60%) claiming to have a strategy to deal with any gaps that might arise, 57% said they are finding it more difficult to retain those highly skilled in specific areas of information security, and complained of high churn thanks to aggressive headhunting.
With this backdrop, it’s perhaps not surprising that 53% said they would hire a hacker to bring extra skills into the cyber-security team, while 52% said they would consider employing an expert even if they had a criminal record.
The majority of those interviewed (57%) said it has become more difficult to retain skilled information security specialists over the past two years.
Skills particularly in demand include data protection and privacy, which 70% of respondents admitted a shortfall in.
A further 60% said they were having trouble finding candidates who could communicate effectively with the business – a perennial problem in the cyber-security sector.
Serena Gonsalves-Fersch, head of KPMG’s Cyber Security Academy, argued that firms would be better off developing cyber security skills within "current security and IT frameworks" than considering hires which may introduce greater risk into the organization.
"With many businesses struggling to recruit cyber specialists and with their salaries increasing rapidly it has become less of an alien concept to consider tapping into the market of former hackers," she told Infosecurity.
Is hiring a hacker ever a good idea?
In the fight against cyber crime, it's often claimed there aren't enough security professionals around to keep organisations safe from ever-evolving security threats.
But there is one group who should have the skills and the mindset to find the gaps in computer networks that crooks misuse and help to close them: criminal hackers themselves.
Often these are young, foolish and sometimes not even aware they are breaking the law. But how to make sure that the talents of these youngsters are harnessed for good, rather than for evil, is a challenge that the tech industry and law enforcement agencies are still grappling with.
"We do a lot of prevention to stop these kids from going into cyber crime -- some don't even know that it's criminal what they're doing," said Paul Hoare, head of cyber crime incident management at the National Crime Agency, speaking at Cloudsec Europe 2018 in London.
"A lot of them are very talented and would be a huge boon, so there are lucrative careers for them in cyber security without getting involved in criminal areas -- we're trying to divert them from that."
But there's a key issue looming over the question of hiring those who have dabbled with the dark side, or even been convicted of such: can they be trusted? Could they take advantage of a position of trust and abuse it for malicious intent?
"It's a really difficult ethical question and it's a really difficult risk-management question -- not just for a security vendor, but for anyone who's hiring effectively someone into a position of trust," Rik Ferguson, VP of security research at Trend Micro and host of the Cloudsec panel, told ZDNet.
"Even the concept of domain admin within a corporate scenario is a position of elevated trust where, if you wanted to, you could do a lot of damage or have access to a lot of things you shouldn't have access to for the purposes of stealing information. However, everyone deserves a second chance," he added.
But for those who've previously been arrested or convicted for cyber criminal activity, refusing to engage with them could also mean they can't find a legitimate outlet for their skills.
"It isn't black and white. Some people say if they've committed an offence, they'll never hire them -- but you're basically giving them a life sentence and that's very problematic," said Nicole van der Meulen, senior strategic analyst at Europol.
And while there are training schemes to encourage people into cyber security, some of the traits demonstrated by hackers -- and former hackers -- can't be taught in class.
"Curiosity, tenacity, stubbornness, parallel thinking -- all of those things are more important than any professional certification or computer science degree," said Ferguson.
"Because the technical skills you can teach someone -- being the appropriate type of person for the role, is not something you can teach. That's why this question of if you should hire someone with a shady past is such a tough one because clearly they have the curiosity, tenacity, stubbornness, because that's why they went down that path in the first place. I have no idea what the long-term answer to that is," he added.
However, not all young kids who stray into cyber criminal activity can be treated as highly skilled, because it can be surprisingly simple to pick up malware, DDoS or other attacks and deploy them. In some cases, almost no skill is required at all.
"When you actually speak to some of them and see how they did their attacks, they're not that clever, some of them," said Charlie McMurdie, former head of Police National Cyber Crime Unit and now senior cyber-crime adviser at PwC. "It's fairly easy and fairly cheap to commit cyber attacks, to buy a phishing kit or whatever".
McMurdie suggests organisations talk to these lower-level attackers to get into the mind of a hacker and understand why they do what they do -- information which can ultimately be used to understand attacks and also improve security.
"I think where they're useful sometimes is to understand the motivations and why they do certain things, how they got involved in certain acts, rather than hiring them for their technical capabilities," she said.
Related questions
Creating a form to hire a hacker, even for ethical purposes, requires careful legal consideration. Below is a structured template for a "Hacker Services Agreement Form" with embedded terms, conditions, and clauses to ensure compliance with laws and ethical standards. This template assumes the context is ethical hacking/penetration testing with explicit client authorization.
Hacker Services Agreement Form
(For Ethical Hacking/Penetration Testing Only)
Client Information
Name: [Client Name]
Company: [Company Name]
Contact Email: [Email]
Phone: [Phone]
Service Request Details
- Target System(s): [Specify systems/networks to be tested]
- Scope of Work: [Describe tasks, e.g., vulnerability assessment, penetration testing]
- Authorization:
  - Client confirms they own or have written permission to test the target system(s).
  - Attach authorization documentation: [Upload File]
Terms & Conditions
Legality & Authorization
- Services will only be performed on systems explicitly authorized by the client.
- Unauthorized access, data theft, or Denial of Service (DoS/DDoS) attacks are strictly prohibited unless explicitly approved in writing as part of a controlled test.
Prohibited Activities
- Client agrees not to request illegal activities, including but not limited to:
  - Unauthorized system access.
  - Data breaches.
  - DoS/DDoS attacks without written consent from the target owner.
Liability & Indemnification
- Service provider is not liable for:
  - Damages from authorized tests (e.g., downtime from a DoS stress test).
  - Legal consequences if client violates terms or lacks proper authorization.
- Client agrees to indemnify the service provider against claims arising from misuse.
Confidentiality
- Findings and data will remain confidential unless disclosure is legally required.
Governing Law
- Agreement governed by laws of [Jurisdiction]. Illegal requests void the contract.
Termination
- Either party may terminate if terms are breached.
DoS/DDoS Testing Clause
(If Applicable)
- DoS/DDoS testing requires separate written consent from the target system owner.
- Client assumes all risks (e.g., downtime, legal action) and must provide proof of authorization.
Acknowledgment
- ☐ I confirm:
  - I own/have authorization for all systems tested.
  - I will not request illegal activities.
  - I understand the risks of DoS testing (if applicable).
Signature: ___________________________
Date: _______________________________
Important Notes
- Consult a Lawyer: Both parties should seek legal advice before signing.
- Ethical Use Only: Unauthorized hacking is a criminal offense.
Disclaimer: This template is for illustrative purposes only. Customize it with legal counsel to ensure compliance with local laws. Unethical or illegal requests must be rejected.
Key Takeaways:
- Always require proof of authorization for target systems.
- Explicitly prohibit illegal activities (e.g., unauthorized DoS).
- Include indemnification and liability limitations.
- Advise legal review before use.
This framework prioritizes compliance and risk mitigation while addressing the ethical use of hacking services.