hiring hackers as security consultants


Introduction:

1. Information security: Become a hacker, not a consultant


2. Hiring a Former Hacker as a Security Consultant

Information security: Become a hacker, not a consultant

  Epistemic Status: I have worked for 1 year in a junior role at a large consulting company. Most security experts have much more knowledge regarding the culture and what matters in information security. My experiences are based on a sample size of five projects, each with different clients. It is therefore quite plausible that consulting in information security is very different from what I experienced. Feedback from a handful of other consultants supports my views.

  I was very happy to learn that information security has recently been considered a promising career path for people who want to do good. I wondered whether information security would be a thing for me too. So I set out to look for jobs and ended up with one at a large consulting company pretty quickly.

  It will likely never be easier to get jobs in information security than now. There is a so-called skills gap. The demand for security is going up swiftly as the importance of electronic information systems is ever increasing. Since training people takes time and scaling up training takes even more time, the current demand for security experts is far greater than the supply. Consultancies are lacking a competent workforce quite badly. The CEO of the company that hired me said that "we have way more opportunities than we have people". Right now, some companies are inclined to hire any person that is capable of shouldering some workload and has some basic knowledge of IT systems.

  I thought, perfect! Maybe my search for a fulfilling career as a do-gooder is over. Not only do I get my hands on securing information systems for companies, nation-states and other groups, I also get to do consulting! Consulting has also been considered a promising path for various reasons.

  I was very interested in learning how my pre-existing theoretical knowledge compared to the practices in the company and what exactly projects would be like. To my surprise, I quickly found out that most projects are really poor. Few of my colleagues felt as strongly about this as I did, but most agreed. What do I mean by "really poor"?

  In fact, most projects had no methodology or theory of change at all. These projects would be like this:

  Consultant: Do you have [some software] installed?

  Client: Well, we have tinkered with it, but decided against it, it is just too expensive.

  Consultant [writes a report]: There is no instance of [some software] installed. The solution is therefore highly insecure.

  And that would be it. Other projects had a methodology that did not work. My personal favorite is the use of subjective scores, like 1 to 5, to grade the security of a solution. After a meeting with a client we would be like: "They do not have [a software that I happen to know] installed, that is no better than a 3, don't ya think?". We would then do all kinds of fancy arithmetic with those numbers, finally extinguishing all meaning that they originally had, to come up with a picture that we thought the client would like.

  I guess that my colleagues by and large do not sense that what they are doing is not benefiting the security of the client. Information security experts are often great at a specific technical field, be it hands-on networking, programming or configuring machines. When it comes to research and study design, however, my colleagues lacked important skills.

  Furthermore, I noted very often that even basic terminology is not clear. Words such as remediation, vigilance, resilience and others are quite frequently used without a shared definition. Basic terms like security and risk are often used incorrectly, indicating that the person does not really know what a risk is. In fact, I estimate that only around 1 consultant out of 10 has a probabilistic understanding of the concept of risk. I still have no sufficient explanation for this.

  Overall, there was a very heterogeneous people-landscape in the company. Some new joiners had no IT-related experience. They then sat next to security crackheads who have spent the last 25 years pentesting various systems.

  Most consultants are primarily motivated by 1) money and 2) social prestige. Both only weakly relate to security improvements. The goal of projects is not to secure the clients' assets as well as possible, but rather to secure additional funding with as little effort as possible. Whilst that is obvious, it is astonishing how inefficient projects are.

  The attentive reader might have asked himself by now: If the consultants do not produce high-quality work, lack skills and fail to secure the clients' assets, why in the world would anyone in their right mind pay for such projects?

  This is something that I am still very confused about. My leading theory: The clients are not in their right mind. The companies that have the weakest security posture and the greatest demand may purchase consultants in the hope that they will help them. But these companies are the ones that are incapable of overseeing the work of consultants. I am sure that there are tons of groups who have great security programs, but these are not the ones that would have hired us.

  There is a lot more to this than I can present here. I also do not know what parts of the culture come from the field of information security and which do come from consulting.

  One thing stands out: It seems to be general practice to over-inflate your abilities and to come off as much more knowledgeable than you are. Colleagues of mine openly shared strategies for doing so.

  Interlude (solely for purposes of entertainment):

  How to come off as though you know what they are talking about but you don't

  1. Ask questions using the other's language

  2. Sit through the awkward silence

  Possible situation - Variables (A;B;C;D) mark terms and concepts that are unknown to the consultant:

  Client: We did have trouble fixing B, due to A.

  Consultant: Oh yeah, A is tough for other clients as well. How are you dealing with B now?

  [awkward silence]

  Client: Umm, I am not sure what you mean exactly.

  Client: Do you mean how do we address C to enrich B with D?

  Consultant: Yes.

  Client: Ahh, well, we ... [potentially understandable information]

  I did not learn a lot that I would consider valuable for solving pressing problems. Most of the skills that I acquired related to getting through the administrative overhead quicker. That is, I learned to half-ass fancy slides.

  80,000 Hours has stopped recommending general consulting as a viable career path to do as much good as possible. My impression is that they also think that the acquired skills are not very valuable for other areas.

  Information security consulting is unlikely to improve your relevant skills as much as other options and there is a great chance that you have no impact.

  Next to my job in consulting I also self-studied. I discovered that many of my colleagues had poor knowledge of topics and concepts that one stumbles over really quickly. Most employees in information security seem not to concern themselves with textbooks. Rather, they learn from others and from formal training. I think that self-study is going to get you into a position where you can have an impact much sooner. Note that this is rarely the only alternative, but one that many people have. Here are some recommendations and places to start.

  Read How to Measure Anything in Cybersecurity Risk

  You need a quantitative understanding of security which you won't get from reading most of the literature. The book is a must-read.

  Properly build and secure your home network

  This provides a way of getting hands-on experience with common network components.

  Do CTFs

  You can do CTFs alone here or here or in many other places. Finding or founding a CTF team is great but difficult and not at all necessary.

  Offensive experience gives you a better understanding of what kinds of systems are easy to hack and which are more secure. It allows you to take the perspective of an attacker and better estimate the security of a solution.

  Sign up to Bruce Schneier's newsletter Crypto-Gram

  This newsletter covers a very broad range of topics. It will broaden your understanding of what kinds of topics are part of information security and help you discover what you find interesting.

  Learn the basics of cryptography

  Cryptography is the reason that secure communication is possible at all. Most security solutions rely to some degree on cryptographic concepts.

  Join the EA InfoSec Facebook group

  Use buzzwords

  Pursue formal certificates

  I have one and the test was so cheap that I am now ashamed of having done it. I have not told my superiors or anyone else that I passed and will not show it to anyone else. Also, the "learning materials" vary in quality. You will learn quicker on your own.

  Learn about industry norms

  Norms are often a good source of inspiration, but usually poorly written and sometimes even plain wrong. Most people that I have met treat norms and standards as if they were written by a benevolent god. But if you think about it, even if the people writing those standards have perfect subject-matter knowledge (which I assume they do not), they still have no incentive to put additional effort into fine-tuning these standards so that they provide value for applied information security. As a result, the standards are a pile of ideas and should be consulted with this consideration in mind. Industry norms are widely trusted, independent documents. Therefore, they are often misused to justify recommendations. A consultant relying heavily on industry norms is one to stay away from.
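  The difference between the 1-to-5 scores mocked earlier and a probabilistic view of risk, which the first recommendation above (the book on measuring cybersecurity risk) is about, is easiest to see in code. The block below is an added example, not code from the original post or from the cited book; it implements the general approach that book advocates as I understand it (an annual event probability per scenario, a 90% confidence interval for the loss if the event occurs, Monte Carlo simulation, and a loss exceedance curve), using only the Python standard library. All scenario names, probabilities and loss ranges are constructed for illustration, and the "control" that is assumed to cut the ransomware probability to 3% is a hypothetical.

```python
"""Quantitative risk estimate by Monte Carlo simulation.

Added example, not code from the original post or the cited book. It follows
the approach the book recommends as understood here: a per-scenario annual
event probability plus a 90% confidence interval for the loss, simulated many
times, instead of ordinal 1-to-5 scores. Every number below is constructed.
"""
import math
import random
import statistics

# Each scenario: annual probability that the event occurs at all, and the
# 5th/95th percentiles of the loss if it does (a 90% confidence interval).
# Constructed values, not data from any real assessment.
BASELINE = {
    "ransomware on file servers": (0.10, 200_000, 5_000_000),
    "stolen cloud credentials":   (0.25,  20_000,   800_000),
    "third-party data breach":    (0.05, 500_000, 20_000_000),
}

# The same portfolio after a hypothetical control (offline backups plus
# segmentation) that is assumed to cut the ransomware probability to 3%.
WITH_CONTROL = dict(BASELINE)
WITH_CONTROL["ransomware on file servers"] = (0.03, 200_000, 5_000_000)

Z90 = 1.6449  # standard-normal z-score at the 95th percentile


def lognormal_params(p5, p95):
    """Return (mu, sigma) of the lognormal whose 5th/95th percentiles are p5/p95.

    Losses are modelled as lognormal: never negative, with a long right tail.
    """
    mu = (math.log(p5) + math.log(p95)) / 2
    sigma = (math.log(p95) - math.log(p5)) / (2 * Z90)
    return mu, sigma


def simulate_annual_loss(scenarios, trials=10_000, seed=1):
    """Simulate total loss for `trials` independent years; return the list.

    Common random numbers: every scenario draws its uniform and its loss
    sample in every trial, whether or not the event fires. Two runs with the
    same seed and trial count therefore see identical draws, so comparing
    BASELINE against WITH_CONTROL isolates the effect of the control.
    """
    rng = random.Random(seed)
    params = {name: lognormal_params(p5, p95)
              for name, (_, p5, p95) in scenarios.items()}
    losses = []
    for _ in range(trials):
        total = 0.0
        for name, (prob, _, _) in scenarios.items():
            u = rng.random()
            mu, sigma = params[name]
            loss = rng.lognormvariate(mu, sigma)
            if u < prob:  # the event happened this year
                total += loss
        losses.append(total)
    return losses


def expected_loss(losses):
    """Mean annual loss, the figure to weigh against a control's yearly cost."""
    return statistics.fmean(losses)


def loss_exceedance(losses, thresholds):
    """P(annual loss > t) for each threshold t: the loss exceedance curve."""
    n = len(losses)
    return {t: sum(1 for x in losses if x > t) / n for t in thresholds}


def control_value(baseline, with_control, trials=10_000, seed=1):
    """Reduction in expected annual loss attributable to the control."""
    base = simulate_annual_loss(baseline, trials, seed)
    ctrl = simulate_annual_loss(with_control, trials, seed)
    return expected_loss(base) - expected_loss(ctrl)


if __name__ == "__main__":
    losses = simulate_annual_loss(BASELINE)
    print(f"expected annual loss: {expected_loss(losses):,.0f}")
    curve = loss_exceedance(losses, [0, 1_000_000, 5_000_000, 20_000_000])
    for t, p in curve.items():
        print(f"P(loss > {t:>11,}) = {p:.3f}")
    print(f"expected loss avoided by control: "
          f"{control_value(BASELINE, WITH_CONTROL):,.0f}")
```

  The outputs that matter are the exceedance curve (how likely is a year worse than some amount?) and the difference in expected loss with and without a control, which can be compared directly to what the control costs per year. Averaging 1-to-5 scores answers neither question.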

  I am aware of one high-impact job in information security. According to their website, Anthropic is looking for a person to secure their assets. The picture below is an excerpt from the ad.

  The people from Anthropic also seem to value hands-on experience over formal training. If you want to make a difference, become a hacker, not a consultant.

  Biosecurity: I have witnessed and survived the use of non-mathematical metrics, poor standards and non-probabilistic security concepts. To protect myself, I have developed something like an antenna for such bullshit. When I read about biosecurity, my alert goes off. I do not know anything about biosecurity, but if the field suffers the same issues, that is a much bigger problem. Do not hesitate to contact me if this rings true to you.

Hiring a Former Hacker as a Security Consultant

  The problem with hiring a former hacker as a computer security consultant is that his or her past hacking experience may not be a good match for your business, and bringing in an outsider with that background carries risks of its own. Here is what you should know before hiring a hacker as a security consultant, and how to get the most out of the engagement.

  Hiring a hacker as a security consultant comes with risks. First, someone with a criminal history may not be trustworthy, so prefer professionals whose qualifications and record of legitimate work can be verified. It is reasonable to be wary of people with criminal records; a former hacker will often claim to be reformed and settled into a stable job, but that claim is only as good as the evidence behind it.

  If the person is still wanted by the authorities, or is subject to sentencing or probation conditions that restrict their use of computers, you may not be able to employ them lawfully at all. You will also be granting them privileged access to your systems, so if that trust turns out to be misplaced you may not discover the abuse until long after it happened.

  Hiring a former hacker can also damage your reputation. Clients, partners and prospective business may be lost if they learn that someone with a criminal record has access to their data. This is why many companies insist on a clean record. You are also relying on the former hacker not to do anything illegal while working for you; if they do, your reputation suffers alongside theirs.

  While some former hackers have become world-renowned security consultants with impressive pay packages, others are frauds who trade on a criminal reputation to win consulting work and then drain their clients dry. A former hacker may also quote far less than a computer science Ph.D., which is not by itself a reason to hire them. If you do hire one, take a few steps to protect your business: a background check, a written engagement with a defined scope and rules of engagement, accounts limited to the access the work actually requires, and logging of what those accounts do.

  The biggest risk in bringing in a former hacker as a security consultant is trust. By definition they have been involved in criminal activity, so their fit for your company cannot be judged from their own account. A claim of reform is not unlawful to act on, but it should be checked against the record: convictions, any court-imposed restrictions on computer use, and references from earlier legitimate engagements.

  Many people wonder whether it is wise to hire a former hacker as a security expert. The downsides include the risk of a negative impact on customers, shareholders and reputation. A former hacker may have the experience to help you build more secure systems, but he or she could also do more harm than good.

  Hiring a hacker can be a treacherous move. It may put your company at greater risk of a cyber-attack, and you may have no way to verify this person's word. They might promise to be a reformed, stable employee who improves your security, but whether they are trustworthy is hard to establish. Hiring a former hacker is not a good idea if you are unsure about their background and do not trust their claims.

Related questions

Engaging in activities related to hiring hackers, especially through the dark web, is illegal, unethical, and highly risky. Such actions can lead to severe legal consequences, financial loss, or exposure to cybercrime. Instead of pursuing this path, consider the following ethical and legal alternatives:


Risks of Seeking Hackers on the Dark Web

  1. Scams: Most "hackers" on the dark web are fraudsters seeking to exploit you.
  2. Legal Consequences: Participating in or soliciting illegal activities can result in criminal charges.
  3. Malware/Ransomware: You risk infecting your devices or being blackmailed.
  4. Law Enforcement Stings: Many dark web forums are monitored by authorities.

Legal Alternatives

If you need assistance with cybersecurity or data recovery:

  1. Certified Ethical Hacker (CEH) holders and other penetration testers: Hire professionals trained to identify vulnerabilities legally, under a written scope.

    • Platforms like Upwork, LinkedIn, or cybersecurity firms can connect you with experts.
  2. Cybersecurity Companies: Reputable firms and platforms such as CrowdStrike (incident response) or HackerOne and Bugcrowd (crowdsourced vulnerability testing) offer vulnerability assessments and incident response.

  3. Law Enforcement: If you’re a victim of hacking (e.g., stolen accounts), report it to agencies like the FBI (IC3.gov) or your local cybercrime unit.

  4. Tech Support: Contact official support teams (e.g., Google, Microsoft, or your bank) for account recovery or fraud issues.


If You’re Exploring Out of Curiosity

  • Educate yourself about ethical hacking through resources like:
    • Certifications (CEH, CompTIA Security+).
    • Online courses (Coursera, Cybrary).
    • Books/documentaries on cybersecurity.

Final Note

The dark web is not a solution to problems—it amplifies risks. Always prioritize legal, transparent methods to address cybersecurity needs. If you suspect unauthorized access to your systems, consult a professional rather than taking matters into your own hands.


Last modified:
admin