JP Morgan: 'We would hire a reformed black hat'
And other industry hacker recruitment policies from our latest summit
JP Morgan would "absolutely employ a black hat", according to the firm's risk and decision-making specialist and non-executive board director, Shefaly Yogendra.
Speaking at Computing's Enterprise and Security Risk Management Summit 2016 last week, Yogendra was apparently enthusiastic about taking on an ex-criminal at the international banking firm.
"I would absolutely employ a black hat," said Yogendra.
"The reasons are three-fold: One, they know what's going on, and the second is that people need a chance at redemption. Third, there is a legal requirement that there's a list of jobs in which you can't have an unspent conviction, but if they have spent that conviction, I see no reason not to employ black hats."
Terry Willis, head of information systems at Age UK, agreed, up to a point, remarking that all manner of "disgruntled employees" are working at companies right now.
"You just have to go to HR and see who has the most grievances," he explained, saying that bringing in somebody who had reformed was no different to awaiting the risk of an unhappy current employee potentially turning to the 'dark side'.
"If you bring someone in who's reformed, everyone deserves a second chance. I mean, look at the President Elect," he said, before adding, "I'm not a fan, by the way!"
Beverley Allen, group risk manager at PhotoBox Group, wasn't so sure, however.
"I'm not aware that we've ever recruited a black hat, but I would err on the side of caution," Allen told delegates.
"I don't know how you reform someone like a black hat hacker. They have skills way beyond our employees' ability to monitor and manage what they were doing. And part of being employed is the implicit trust we have in our people that they will do the right thing, and only the right thing."
Allen observed that PhotoBox Group has "checks and balances" to make sure employees aren't "stepping out of bounds".
"But a black hat? I know what power white hats have - so it terrifies me. It's too great a risk, and outside my risk appetite. Maybe there are some businesses for whom it would work - certainly on the illicit side of things - but not for our business," she concluded.
Mieke Kooij, security director at Trainline, had similar misgivings when asked if she'd hire a black hat.
"I would say probably not," she replied.
"I've got good white hat hackers, so why would I do it? And I don't see any real difference between white and black hat hackers in terms of what their capabilities are, it's just about how they go, and how far I trust them.
"White hats can do it all just as well as someone who breaks and enters for a living, so why would I go and hire a criminal - even if they'd been reformed - to come into my organisation, when I've got someone I can trust?"
But, asked moderator Graeme Burton of Computing, how can you be sure your existing white hats won't suddenly just go black?
"There's nothing stopping someone changing," admitted JP Morgan's Yogendra. "The white hat hacker of today could become the black hat of tomorrow. The answer is to have the checks and balances."
"You have to be careful of the most disgruntled employees," said Allen, echoing Willis' earlier attitude.
"A black hat might just say, 'Damn the consequences' and go for it. Our white hats, as I know, don't think like that - they have a target and they have an approach, and they stick with it."
Have you, or would you, hire a black hat hacker as part of your security team? Do you think JP Morgan and Age UK are wise to consider it, and are PhotoBox Group and Trainline missing a trick by backing off? Please leave your comments below.