It has benefited from investment in training and high standards of education to produce a significant number of cyber security professionals. Well-structured career pathways have been created to promote professional practices, underpinned by codes of conduct and ethics that are both meaningful and enforceable.
This maturity in the market has put the emphasis on the recruitment of trained, educated individuals who understand career structures and ethics, rather than a “hire the hacker” approach.
The practice of using ex-offenders is carried out with great care in other industries, and the cyber security industry should be very careful but also take an open-minded approach. As an industry we need to take steps to ensure ex-offenders are supported so that they do not reoffend. The codes of conduct and ethics are an important aspect in ensuring that this is carried out in a structured environment.
There is also a significant number of individuals who have come to the attention of law enforcement, but have not been charged or prosecuted. The industry must be very careful how it deals with these individuals. It would be inappropriate to exclude them from career opportunities, and again meaningful and enforceable codes of conduct and ethics are essential to manage these individuals.
Some of the people who have come to the attention of law enforcement, but have not been formally cautioned or charged, are young. Again, the UK is leading the world in this area. Working with the National Crime Agency (NCA) and the Metropolitan Police, not-for-profit accreditation and certification body Crest is developing practices to provide a secure environment for these individuals, who are often young and can be tempted to take the wrong path and end up committing serious cyber crimes.
The industry has a moral responsibility to help support these initiatives, and encourage future development in a positive way.
Former cyber criminals are regularly used when companies employ individuals to test out their cyber defences. They are well versed in the activity of penetrating systems and have hands-on experience of bypassing security controls.
The risks of using someone who is operating outside the law and outside ethical bounds are obvious. Breaking into systems, bragging about the crimes committed and ending up with a criminal record, as has happened in the past, is not the way forward.
Often their previous activities were mistakes, and many cyber criminals have learnt from them and want to offer a professional approach to their work and move on from the past.