
Security hiring practices need to come of age


Last month I attended and spoke at two hacker conventions: Hope2K (H2K), put on by 2600 Magazine in New York, and DefCon in Las Vegas. My conclusion, after having attended these and dozens of other hacker events in the past 15 years, is that hacking has come of age. But have corporate hiring practices come of age, too?

H2K and DefCon had military and professional security people speaking to the standing-room-only crowds. Security guru Chris Goggans of Security Design International announced a serious flaw in Lotus Notes security in front of panicked defense and intelligence agency techies. Former spy Robert Steele decried the criminality of incompetent software companies to a cheering audience. But more telling was Department of Defense Chief Information Officer Art Money telling the DefCon crowd, "Work with us, not against us. Join us."

With technically skilled people in short supply, firms are constantly seeking candidates for long-unfilled positions. Yet company after company has told me in no uncertain terms, "We do not, and never will, hire hackers." When I press for clarification, some will say, "What we mean is that we won't hire anyone convicted of a computer crime." So that's what they consider a hacker? If so, they haven't learned anything.

Say you have two equally qualified candidates for a technical position of responsibility and accountability. One has long hair, enough strategically placed metal piercings to put airport security on alert and wears all silver-studded black clothes. The other is a prim, well-dressed young man. Whom will you hire? How do you know what they are really like? Did one just clean up his act yesterday after a friendly visit from the Secret Service about hacking into the Federal Reserve Board? Is the visually disturbing one an incredibly ethical technician who helps out at the hospice on weekends?

The question isn't one of corporate dress policy - a lot of traditional companies have finally gotten over that. It's this: how do you choose who gets the keys to your corporate kingdom? Systems administrators ultimately have more power than a CEO or chief financial officer. They control which insiders have access to which resources and who on the outside can remotely access the corporate goody-bag. They can make or break a company that depends on its infrastructure for revenue, profits and survival.

While the Defense Department is attempting a cooperative détente with the hacker community and the FBI has brought employment applications to hacker conventions, these agencies are going to do a fair amount of background checking before putting a hacker on the payroll.

But a criminal record only tells you that a person got caught doing something illegal; not having a criminal record just means a person has never been caught. Most companies take major risks by hiring technical administrators with little or no knowledge of whether that person has committed, but not been convicted of, hacking-related crimes.

An emerging technique to reduce the risk of hiring the wrong person in sensitive technical positions is psychological profiling. A profiling test weighs a person's ethics and propensities for certain behavior in given situations. "If you find a quarter on the street, what will you do?" Keep it. "What if it's a $10 bill?" Keep it. "What if it's a bag with $250,000?" Uh . . .

The professional who practices psychological profiling provides you with insights into the likely behavior of a person who has suddenly been given the keys to your kingdom: a person who may be largely unsupervised, who may be young and not yet well-developed ethically, and who may be faced with internal and external temptations. Is money the motivating factor? What would turn him into a disgruntled employee, thus increasing the risk of damage? What influences on your critical and trusted systems administrators could turn him against your company? What does he consider to be minor infractions, but which could have larger, damaging implications for the company?

Talk to your human resources people. Get top management involved. Talk to some of the psychological profiling professionals in your area to see how it works. Learn how to massage the approach into the critical staff hiring process without being offensive. The security implications need to be understood by management and staff alike.

It's not so much a matter of trusting your employees as hiring people who can become trusted employees. There is a big difference.

Schwartau is president of Interpact, a security awareness consulting firm, and author of many books, including Cybershock and Computer and Internet Ethics. Reach him at winns@gte.net.

Copyright, 1994-2006 Network World, Inc. All rights reserved.