OK...I was at this debate, recently held at the RSA conference in San Francisco. There were two points that were made that are not clearly stated above:

1) Kevin himself, when asked, said that "NO, you should not hire a hacker because he was a hacker. You should hire someone that has proven skills and has proven themselves to be honest." He claims that he has viable skills and that his recent record speaks for itself in regards to his honesty. He stated that hackers do not have any special skills just because they are hackers.

2) Several people made a comparison between this argument and other industries. If you are a lawyer and commit fraud and get disbared, you can never be a lawyer again. If you are an accountant and commit fraud you can never be an accountant again. Etc..etc. In most professional industries if you violate the law specifically pertaining to your profession you are forbidden from ever practicing that profession again. Why should computer security be an exception.

Also, a point made above regards public companies. If you hire a hacker, and they end up hacking your network, you have to answer to thousands of stakeholders. This has, in fact, happened on several occasions. Basically, you brought in someone with a track record for stealing, and they stole - in some cases you yourself could be liable. Now, (as debated in SF) if you have never been busted, that doesn't mean you never hacked. But all other things being equal, why hire someone with a record when there are 50 others just as qualified with no record? In the business world, the potential ROI from this very question is non existant. This isn't a question of "Can a hacker being a good security consultant?" this is a business question of "Would you give a convicted hacker the ultimate access to your personal bank account and the livelihood of your company?"

[ reply ]

Link to this comment: http://www.securityfocus.com/comments/articles/3982/19516#19516