A German security company has divided opinion in the IT industry this week by offering Sven Jaschan, who is being charged with the creation of the Sasser virus, a job.
Not surprisingly the antivirus companies immediately jumped into the debate, claiming it would be impossible to trust a computer criminal.
Beyond that initial reaction the story raises wider questions about whether hackers and virus writers can ever be trusted to have changed their ways, so we asked our CIO Jury if rehabilitated or reformed computer criminals could be trusted to work in a corporate IT department.
The question split the jury down the middle with six saying ‘yes’ and six saying ‘no’.
Ted Woodhouse, IT director at Leeds Teaching Hospitals NHS Trust, said “definitely not”, questioning whether past form would resurface at the first sign of disillusionment with the employer.
“If [serial-killing doctor] Harold Shipman had been younger, served his sentence in full and been released as ‘rehabilitated and having served his debt to society’, who would trust him as a doctor to treat their ailing and aged mother? A leopard does not change his spots – Jaschan belongs in gaol for international and corporate vandalism (not to say terrorism) on a massive scale.”
David McKean, director of IT services at Cable & Wireless, said the presence of a hacker in the IT department would undermine the trust everyone has to have in their co-workers. “With a criminal hacker in the ranks you do not have that trust and the risk to the business is just too large.”
Mark Foulsham, head of IT at eSure, raised the issue of the dangerous precedent hiring a hacker would set. “The issue isn’t really one of trust, it’s the message this approach sends out – successful hacking improves your employment prospects.”
Margaret Smith, director of business information systems at Legal & General suggested most firm hire hackers without being aware of it but doubted whether they could be trusted in an IT department.
“The biggest difficulty would be knowing if someone being interviewed is a hacker or not. They obviously have the right mindset in terms of problem solving/problem creating. Their motives for being hackers would need to be evaluated through things such as psychometric tests,” she said.
But, equally others would be prepared to give former computer criminals another chance – depending on the circumstances. Phil Pavitt, CIO at NTL, said people should “never be too proud to learn”, while David Jemitus, head of IT at the Government Planning Portal, said it is worth the risk if the person has specialist skills that are in demand.
Bill Gibbons, CIO at Abbey, said reformed hackers could be hired as long as the appropriate controls are in place and corporate policy supports it.
“Clearly such individuals can add value given their in-depth technical capabilities but this must be balanced against the significant risks entailed, so each ‘opportunity’ needs to be assessed on relative merits of employment,” he said.
Dr Stuart Brough, director of IT services at the University of Strathclyde, said being selective and getting the right person can “pay dividends”. He said: “In higher education we have used students, during the vacation breaks, very successfully and they may fall into a similar category. Students are excellent hackers and test our security on a daily, if not hourly, basis.”
Today’s CIO Jury was…
Stuart Aitken, CIO, Medical Research Council
Dr Stuart Brough, director of IT services, University of Strathclyde
Mark Foulsham, head of IT, eSure
Bill Gibbons, CIO Abbey Group
Neil Hammond, IT director, British Sugar
David Jemitus, head of IT, Government Planning Portal
Phil Jones, CTO, easyGroup
David McKean, director of IT services, Cable & Wireless
Rob Neil, head of ICT services, Ashford Borough Council
Margaret Smith, director of business information systems, Legal & General
Phil Pavitt, CIO NTL
Ted Woodhouse, IT director, Leeds Teaching Hospitals NHS Trust
If you are a CIO, IT director or equivalent at a large or small company in the private or public sector and want to be part of silicon.com’s CIO Jury pool, or you know an IT chief who should be, then drop us a line at firstname.lastname@example.org