Best practices for hiring hackers
Hire hackers for discrete, well-defined projects
Clear hires and contracts with your legal department
Insist on being present during penetration tests
Don't start with mission-critical sites
Perform tests at noncritical hours, if possible
Don't substitute hackers for systematic auditing
So when somebody boasts of their hacking prowess, they may really be saying they have nothing better to do than sit in their room and bang away at firewalls. "They're relying either on known holes or massive computing power," says Raman Sud, vice president of engineering at Burlington, Mass.-based PurchasingCenter.com, a portal for maintenance and janitorial supplies. Sud does not hire hackers. "That's a shotgun solution," he says. "You need a long-term strategy."
Hiring managers should heed the experts' rule of thumb: The harder a job applicant tries to portray himself as an ultra-hip member of the hacker underground, the more skeptical you should be of his credentials.

Action plan
So who do you hire to protect your data? The road forks; you either decide you'll hire hackers or decide you won't. Either way, here are some suggestions:

If you hire hackers...
Probe, question, check, and double-check credentials. Set aside stereotypes and think about what type of hacker you want in your organization. Are you willing (or empowered) to hire people convicted of computer crimes, gambling that their expertise offsets their previous mistakes? Or will you ban the convicted but hire folks whose backgrounds indicate they've done their share of hacking?
Either way, pull in the lawyers. The earlier the better. "When setting up a penetration test, bring the legal people in before contract negotiations," advises Raines of the Federal Reserve Bank of New York. Your legal department may want to kibosh the whole idea, in which case you'll have to do some fancy footwork to gain buy-in. More likely, they'll add helpful clauses to your contract.
Finally, PurchasingCenter.com's Sud suggests that if you invite a hacker into your organization, "Hire them for a specific task--not as part of a long-term plan."

If you ban hackers...
You still need somebody to guard the crown jewels. "The best security people I've ever seen are just smart network administrators who took the time to research security," Winkler says. Easier said than done, because such employees tend to be overworked, with many fires to fight. But when experience is in short supply, training is always an option. "Find highly skilled system and network administrators," Winkler advises. "Give them the time and training they need to become proficient in security."
Moxley of Blackbird Technologies agrees. He says it's best to hire someone who's worked as a systems administrator, a network engineer, or a software developer, "but always had a side interest in security." Skilled, curious IT people can learn the security craft with relative ease, experts say.
Time is always hard to come by, and that situation shows no sign of easing up; skilled IT workers are always in demand all over the organization. In the past, the training was scarce as well. But thanks to an increasing menu of certification programs, that's changing (see sidebar, "Securing certification
Experts agree that paying attention to the basics is your best bet. Perform periodic audits. Stay current with updates issued by the Computer Emergency Response Team. Leverage your vendors' security teams. PurchasingCenter.com's chief vendor is Exodus Communications Inc., a Santa Clara, Calif.-based Internet hosting and services company. "They have a security team that we make use of," Sud says.
In the final analysis, a solid, systematic security program, backed by top management, is the best way to fight security breaches. No matter who you hire for the job, they need time, training, and a clear mission.

Steve Ulfelder is a freelance writer who lives in Southboro, Mass. You can contact him at firstname.lastname@example.org.