Is Hiring a Cybercriminal in Your Security Team Ever a Good Idea?

Date: 14 July 2022

Would you ever recruit a cyber criminal in your security team?

This was the dichotomous question that executives participating in the recent Wisdom of Crowds event in London had to answer.

And of course, the responses were as interesting as the question itself!

Cyber Management Alliance recently concluded its first post-pandemic, in-person Wisdom of Crowds event. One of the most successful, stimulating and insightful physical gatherings of cybersecurity professionals, this edition of Wisdom of Crowds was a true reflection of the spirit, energy and evolving mindset of the cybersecurity community.

While each aspect of Cyber Management Alliance’s flagship Wisdom of Crowds stands out with participants and vendors alike, the one feature that truly distinguishes these events is the thought-provoking group discussions. Many other similar events are highly scripted but Wisdom of Crowds prides itself on flowing with the energy of the participants and the spontaneity of the discussions.

Led by Amar Singh, the CEO & Co-founder of Cyber Management Alliance and the event facilitator, these discussions are well-known in the cyber community for the passionate exchanges and unscripted and spontaneous discussions they provoke.

Amar is known to have a penchant for drawing out deeply insightful responses from his audience all the while keeping the discussions challenging yet engaging for those involved. In this signature style, Amar makes sure to get the best impromptu reactions out of the crowd while ensuring that everyone’s perspective is heard and taken into account.

To do justice to this special, post-pandemic edition of Wisdom of Crowds, Amar chose a question that would really bring out conflicting opinions, interesting points of view and would really push all participants to think beyond the ordinary lines. The topic was – “Is hiring a cybercriminal in your security team ever a good idea?”

The participants were segregated into groups – for and against the idea of hiring a cybercriminal. As is probably expected, some executives were strongly against the notion of having a former hacker in their team, while others did see some value in the skills and unconventional perspectives that only a cyber criminal could bring to the table.

While this question isn’t really that easy to get the right answer to, let’s take a brief look at what the attendees of the Wisdom of Crowds thought about this subject.

Many executives said that they don’t think hiring a criminal is ever a good idea. We mapped their reasons and the ensuing questions in the list below:

1. The obvious answer – Reputational Harm. Several participants said that hiring a cybercriminal is like dealing with the twin ends of a wedge. There are several potential advantages, yet you could be backstabbed/blackmailed at any given point in time and you could be regretting your decision pretty soon.
2. The point of Ethics and Integrity came up several times. Apart from just the publicity perspective, would it be right for a large, security-focussed business to give validation to a cyber criminal at a time when businesses globally are getting together to combat the scourge of cyber crime?
3. Internal Justification – How would you justify this decision to the board and management? Most importantly, would the Human Resources team ever approve and if they did, would it not create a highly misdirected view of HR.
4. Insurance Risk – Would there be an insurance-related risk to an organisation’s IT infrastructure if it hired a former criminal in its team?
5. Finally, would the cost-benefit analysis ever make it seem worth it to hire a former cyber criminal, a former enemy of the business? Would you really be able to trust such a team member?

However, there were some attendees at the London Wisdom of Crowds event, who were vocal about the fact that they didn’t think hiring a cybercriminal was such a bad idea after all. Some of the reasons they came up with were:

1. The massive shortage of highly-skilled talent in the cybersecurity industry.
2. The incredible real-world experience a hacker would bring to the team, along with her/his unique, non-corporate/standard mindset.
3. A cybercriminal in your team could give you precious insights into criminal methods and hacking techniques. He/she could help you spot vulnerabilities in your system that only a criminal looking for them might be able to spot.

While it’s hard to come to a conclusion for this discussion in a couple of minutes or over a few words, one thing was for certain – Just as the topic itself, the answers and opinions it brought out were as interesting and thought-provoking.
What was even more interesting to see was the passion with which all the participating executives felt about this subject, regardless of their opinion on the matter.

Amar himself believes that this question opens up an interesting debate for the cybersecurity industry. At a time when everyone is talking about the lack of talent in the industry and the need to keep up with the ever-evolving competence of the cyber criminal, it can be tempting to hire a hacker who already comes with the skills to beat her/his kind and knows how they think, act and attack.

However, the negative publicity that would follow from hiring a hacker can be really damaging to a business. If a large corporation hires a cybercriminal, it can easily be perceived as condoning the criminal’s past actions for corporate benefit. This can not just be a PR disaster, it can also send the wrong message to criminals, many of whom (as we have seen recently in the case of Lapsus$) are only teenagers. “And let’s be brutally honest, any positive spin on this is not going to sell,” says Amar.

On the other hand, there are cases like the world’s most well-known hacker, Kevin Mitnick, who was once on the FBI’s most wanted list and is now a consultant with Fortune 500 organisations as well as governments across the world. He has also been hired as a top cybersecurity executive by one of the world’s leading security awareness & simulated phishing platforms. Despite having hacked into the networks of 40 organisations “just for the challenge” (as his LinkedIn bio states), today Kevin is one of the most respected and sought-after cybersecurity experts in the world.

So how is it that organisations are ready to work with Kevin but not hire many other cybercriminals in their team?

“The big question,” asks Amar, “is whether the Mitnicks of the world have found redemption because they claim to be reformed, or because they were never really committing those crimes for profit or personal gain, or is it simply because of their age that one believes they are wiser and evolved? We won’t hear of large businesses hiring the Lapsus$ hackers any time soon, will we?! – even though they’re so good that many researchers believe that some Lapsus$ attacks are works of automation. So where do we draw the line and how?”

All in all, the discussion that followed was a solid reflection of the Wisdom of Crowds spirit where everyone gets to express their opinions no matter how disparate, share their insights and hope to generate some collective wisdom for the community.

Find out more about becoming a delegate and/or sponsor at the Wisdom of Crowds events.