Intelligent CISO Issue 15 | Page 75

get reputational kudos and/or hard currency to showcase and test their skills in a very public forum. In exchange, the hiring organisation gains new dimensions of security smarts and perspectives.

Some businesses choose to hire hackers direct. Hands-on experience is key here. While it may sound counter-intuitive to make use of external hackers – some of whom have a track record of criminal activity – the one thing they have in abundance is hands-on experience. At the end of the day, a hacker is a hacker. The only difference is what they do once a bug or vulnerability is found.

Ultimately, employing an ex-cybercriminal is a risky decision that should be made on a case-by-case basis. It is also worth noting that criminal background checks only help identify previous offenders – they lack context on how a person has changed. For example, it is unlikely that someone charged with a denial of service attack at a young age has mutated into an international career criminal. Indeed, some young offenders go on to become well-respected security consultants and industry thought-leaders.

Another fertile hunting ground for hackers could be closer to home. The best practitioners are curious, with a strong passion to deconstruct and reassemble. Businesses need to get better at harnessing the skills of those building their applications, code and