UK hires hackers, convicts to defend corporate networks

You might not hire a pickpocket to be a guard, but the UK's cybersecurity skills shortage has prompted companies to hire for skill, no matter its origin.
Written by Charlie Osborne, Contributing Writer

Black hat, white hat or a bit of both — either way, in the United Kingdom, you're hot property in the cybersecurity marketplace.

It might seem like an odd concept at the outset — the idea of hiring convicted hackers as well as the white hat variety to bolster cybersecurity teams responsible for keeping sensitive corporate data from intruders. However, with a severe lack of skilled staff to plug a gap made worse by increasing rates of cybercrime, desperate times call for desperate measures.

When you live in a world where hackers break into corporate networks for the "lulz," teenagers merrily wander through Microsoft and the US military's networks to pinch programs and unreleased games for the sake of it, corporations are constantly battling advanced persistent threats, and consumers are placed at risk, there's a problem.

Given the skills gap, it should come as no surprise that those with the talent — whether used unethically in the past or not — are being snapped up by UK corporations.

A survey conducted by KPMG suggests that nearly three quarters — 74 percent — of businesses admit that cybersecurity requires new skill sets, and 64 percent acknowledge these are different from conventional IT skills.

In total, 70 percent said their organization "lacks data protection and privacy expertise," and the same proportion are concerned about their company's ability to assess incoming threats. This realization in itself may be enough to prompt a new way of thinking about recruitment. 

After questioning 300 senior IT and HR executives in organizations with at least 500 employees, researchers found that 57 percent of UK companies are finding it very difficult to retain specialized staff in cybersecurity, especially within the past two years. In addition, 52 percent agree there is aggressive headhunting taking place in the field, no doubt due to the rising threat of cybercrime — which can result not only in regulatory fines, but also in the loss of consumer and corporate data as well as reputation.

According to the research, the skills gap is forcing companies to consider other ways to keep up to speed in cybersecurity.

As a result, over half of companies — 52 percent — said they would consider recruiting a hacker to bring inside information to their security teams, and the same number would also consider recruiting an expert even if they had a previous criminal record.

Commenting on the findings, Serena Gonsalves-Fersch, head of KPMG's Cyber Security Academy, said:

"The increasing awareness of the cyber threat means the majority of UK companies are clear on their strategy for dealing with any skills gaps. However, they wouldn't hire pickpockets to be security guards, so the fact that companies are considering former hackers as recruits clearly shows how desperate they are to stay ahead of the game.

"Rather than relying on hackers to share their secrets, or throwing money at off-the-shelf programmes that quickly become out of date, UK companies need to take stock of their cyber defence capabilities and act on the gaps that are specific to their own security needs."
