A Lot Of UK White Hats Used To Be Black Hats

Although it’s hardly unusual for large companies to hire former cyberthieves, even convicted ones, to test security defenses, a U.K. study has found the practice increasingly common because of a shortage of security professionals with experience breaking into secure systems. Sometimes, apparently, it really does take a thief to catch one.

This point was highlighted in a report released Monday (Nov. 17) by KPMG, which found that enterprises have had an “increasingly difficult” time over the last two years finding and retaining IT professionals with sufficiently aggressive cyber-security skills. Why? Mostly because professionals with that background are being actively recruited by headhunters. The report described such black hats becoming white hats as “poachers turned game-keepers.”

“They wouldn’t hire pickpockets to be security guards, so the fact that companies are considering former (cyberthieves) as recruits clearly shows how desperate they are,” Serena Gonsalves-Fersch, head of KPMG’s Cyber Security Academy, told the Wall Street Journal.

“Banks, including JP Morgan, Citigroup and Bank of America Merrill Lynch are also recruiting cyber security staff, but are looking more at ex-military and intelligence officials,” the story said.

KPMG surveyed 300 senior IT and HR professionals in organizations employing 500-plus staff in the U.K. The most interesting survey answer: A little more than half of all respondents (52 percent) said they would not exclude an employee or contractor applicant because they had a criminal conviction.