Would You Hire A Hacker?

theodp writes "A German security company has divided opinion in the IT industry by offering a job to the teen charged with creating Sasser. Silicon.com asks its CIO Jury: Would you hire a hacker? and finds the jury split down the middle, with one IT Director saying doing so would be like hiring serial-killing doctor Harold Shipman to treat your ailing and aged mother."

No, no, no!

That's not hacker! It's cracker. Hackers create, crackers destroy.

-ESR (fake)

Hacker != Cracker. How-to.

Re:No, no, no!

[Dr+Reducto]

Yeah, I don't think this kid is all too bright compared to a lot of other hackers. I mean, for one, he got caught.

Re:No, no, no!

[DogDude]

Hackers create, crackers destroy.

And while you are busy trying to make this assertion to a hiring manager, somebody else who doesn't deal with pedantic stuff like "hacker vs cracker" is taking your job.

Re:No, no, no!

[ePhil_One]

Yeah, I don't think this kid is all too bright compared to a lot of other hackers. I mean, for one, he got caught.

For another, he's clearly subject to certain moral lapses.

I've been given this opportunity before, an applicant admited to hacking into a company to demonstrate his abilities and knowledge; they hired him. While I recognized his potential to help secure our network, could I trust him not to monitor peoples mail for his own amusement, access private data like salaries, "attack" computers of folks he didn't like, or otherwise cause trouble?

It took a slam dunk "Hire him" to a long debate, we wound up not making an offer.

Re:No, no, no!

[microsopht]

Yeah, I don't think this kid is all too bright compared to a lot of other hackers. I mean, for one, he got caught.

If a hacker gets caught , doesnt have to mean he isnt bright.Eg:Mitnick.He is the role model for many.

Re:No, no, no!

[carpe_noctem]

Completely agreed. The meaning of words is determined by their use and context, and sadly, "hacker" is one of those words that has taken a negative context in the eye of the greater public...

Re:No, no, no!

[Frymaster]

log his activities to a machine he doesn't have the skills to crack...

if you could create a machine that he didn't have skills to crack... why would you need to hire him in the first place?

Re:No, no, no!

[jhoffoss]

This would fail even more quickly. Most of my clients are stressed out as it is when they bring my firm in. The one thing we have that they take comfort in is our integrity. Without that, we would be out of a job.

If a company's entire basis is the fact that their employees do not (or did not, if truly grey hat...) have integrity, they're sunk before they leave dock.

In the same breath, I will just state what I have seen someone else on /. state, and I found humorous: black hats are good hackers, white hats are good fakers, and grey hats are good liars.

Re:No, no, no!

[stratjakt]

That'd be nice if you have the manpower or spare time to babysit all your employees.

I don't and nor does anyone in this office, if theres any question of trust around here, you're out on your ass.

Re:No, no, no!

[Short+Circuit]

A Windows crackmaster may not have the skills to crack an OS/2 box, a BeOS box, or even a Linux box.

Cracking skills come with some degree of specialization. You hired the guy to audit your Windows workstations, not your UNIX-clone servers.

Re:No, no, no!

[dead+sun]

So is what's being said here equate to 'if the applicant hadn't admitted to hacking a company to demonstrate knowledge, and instead plausibly lied about having worked in a "test" environment configured just like a real company, the debate wouldn't have happened'?

I'm sorry, but at least the person you didn't make an offer to was willing to come forth about it, let people know that he found that sort of behavior acceptable, and give a chance to lay down a set of rules that are perhaps more fitting to his particular morals. He was decent enough to give that opportunity.

I wonder how many people you've worked with have ever done the same things as this individual but haven't owned up to it. I wonder if anybody you've worked with monitored mail for their own amusement and just never set off warning flags during the interview process.

It's one thing to catch somebody doing something after giving them a chance (because of not being told about certain behaviors or not). It's another entirely to deny them a chance after they're trying to be out in the open with you.

Why would a spy come out and say they're a spy? It sets off alarms and unless you're just that damn good, blows any future chance of spying you have. Why would a cracker come out and declare they're a cracker unless they're willing to change their tune while on the job? I guess, unless you're looking for feints within feints.

Re:No, no, no!

[pilgrim23]

I rememebr years ago the strident arguments on IRC: "No No! this is NOT some AOL 'room'. This is a CHANNEL!"

We need a new word that denotes a good or cool hack, or hacker. I propose "mugwump" but am open to reasonable suggestions...

Re:No, no, no!

[skiflyer]

Best logging system for super secure systems I ever heard of.

A good old fashion linefeed dot matrix printer... so a cracker may at some point be able to disable the feed, but if you were tracking them on the way in there's no way to cover their footprints electronically.

Re:No, no, no!

[divisionbyzero]

Hmmm... clearly if this kid has any brains he would know that he is under scrutiny. So what's he going to do? Spend all day looking for where the logs are kept and trying to get into the machine that stores them. It would be trivial to find out which machine is storing them because a connection has to be opened to his computer at some point and not only that since the logs would be generated on the machine and downloaded, assuming there wasn't a persistent connection for continual download which would also be blatantly obvious, the log file itself would be the perfect vector for malicious code.

For most crackers it is the thrill of defeating someone in power that gets them going. Trying to control him would only encourage him. No, if you can't trust him, then don't hire him, and someone that consistently has moral lapses is clearly not trustworthy.

Re:No, no, no!

[sunjin]

An important point to consider is that by hiring him you are sending a message to others that cracking is a good way to get a job. Do we really want a bunch of script kiddies trying to make a name a for themselves thinking it will turn into a career?

Re:No, no, no!

[dead+sun]

I suppose in a manner it depends on what he's being hired for. If the thief is needed to do thiefy things and he's honest about crossing moral lines around the office then I'd likely hire him and keep an eye on him.

If it wasn't a job where theify things needed doing then I'd have to think about it. On one hand he could have kept mum about it. If it was something he was never caught doing prior I would be none the wiser. Maybe he's trying to start clean or stay on the right side of the lines, or just wants it all in the clear first. If the information is being provided in earnest and for my sake I wouldn't use it as a disqualifying point. You can bet he'd be watched if he got the job though.

On the other hand, if they're just trying to cover their bases so they don't get screwed over when their prior transgressions are uncovered, then I'm not so sure. In that instance the information isn't being cleared into the light for anybody's benefit but the thief's. This doesn't really seem to be the case for the post I originally replied to though.

As for crackers, there's a fine line between black and white hats, an internal state of morals and conduct. It isn't something one can directly observe since covering it up is possible. I wouldn't doubt there are black hats masquerading as white hats out there that are just good enough to never get caught. From that view, how does one tell the difference?

Extreme comparisons

[AKAImBatman]

[O]ne IT Director [said] doing so would be like hiring serial-killing doctor

A little extreme on the allegories, aren't we? Virus writing is not exactly like taking out a knife and killing someone. (Although it may result in the shutdown of systems that support people's lives. I'd tend to blame this on the idiots who use Windows for those systems, though.)

As for hiring him, I think my answer would be "maybe". I certainly wouldn't hire him because of his transgressions, but rather despite them. Basically, everyone should be entitled to a second chance. If this employer believes that the guy has a lot of talent and is repentant of his past deeds, then give him another shot! He'll have to try damn hard to remove the stigma from his deeds, but try hard enough and he might just turn his life around.

Re:Extreme comparisons

[epiphani]

A little extreme on the allegories, aren't we?

Agreed. If we want to stick with the Doctor example, I would equate it more towards someone performing impressive medical research without a license. Or practicing medicine without a license.

Most of these virus writers are teenagers with no formal education and no job prospects as a result. Writing something like this proves they're not only talented, but quite bored. Give them something positive to work on, and a paycheck to boot, and im sure good results will come of it.

I think the fact that these teens exist is a result of the stupidity of the system to depend on education metrics to represent knowledge and value.

Re:Extreme comparisons

[shawn(at)fsu]

I can see three potential problems with this.

1) The possibility that this might motivate other crackers to unleash the next big worm to find a job.

2) What about the poor shmuck that does nothing wrong and gets passed up for a job.

3) Say you hire him and he goes back to his old ways. Wouldn't you be somewhat liable for damages caused to you clients.

As I said potential and possibly extreme situations.

Re:Extreme comparisons

[einhverfr]

I read a couple or articles on this case by the time it hit /. So here is what I have to say.

First, I think that this kid has been punished pretty severely already. His *dad* got fired over it, and he has recieved his share of death threats. This is not something you can just take lightly, especially when one's actions affect those close to the perpetrator. BTW I do think that firing the guy's dad is a little severe. Indeed these actions were what motivated the German security firm to offer a job to the kid.

Secondly, the comparison to the serial-killing doctor is quite misguided. In this case, it is more like hiring the serial-killing doctor as a pathologist. He *might* make a really good pathologist. But there are no guarantees.

Finally, at least in the US, our legal system recognizes that teenagers are not as capable of considering consequences of their actions as adults,and there are some scientific studies which have been published in the last few years that may provide a solid scientific case for challenging those states which allow the death penalty for individuals under the age of 18 who commit capital crimes. If you say that "we will never allow anyone in this field to ever hire a teenager who commits this crime" then you are placing, IMO, unbalanced consequences for the misguided and even criminal actions of such individuals.

Re:Extreme comparisons

[stratjakt]

It doesn't necessarily prove any talent at all.

It proves they go to their favorite hacker website, download some proof of concept code, and wrap some VBScript around it.

I wouldn't call Sasser a work of genious, but a work of pure assholery. He didn't invent something, or do it to prove a point. The point was proven, the exploit was known. He did it to be a 1337 h4x0r.

I think the fact that these teens exist is a result of their own stupidity. Guess what, you want to commit crimes for attention, it just might fuck your entire life up.

Try and get a job in retail with a shoplifting conviction. Try and get a job as a kindergarten teacher with an assault conviction. Try and get anywhere in politics with virually any conviction greater than a traffic violation.

Boo hoo for teens too stupid to realize actions have consequences, sometimes life long consequences. And I'm sick of people blaming "the education system" or "society".

This kid was mentally developed enough to know what he was doing was wrong, and did it anyways. He's lucky to be offered a job doing anything more technical than digging holes in the dirt.

Re:Extreme comparisons

[einhverfr]

How, legally, could his father get fired over the actions of the son?

I don't know how it is in Germany, and IANAL, so with that....

Where I live (Washington State), we are an "at will" state regarding employment. In otherwords, the state makes no real restrictions regarding grounds for termination. In certain cases, discrimination laws may apply, I think. So I can't fire you because of your race but I can fire you because I think your brother is a loser.

I can probably even fire everyone with the first name of "William" because I don't like Bill Gates... So....

Bad analogy

It'd be more like hiring a doctor who was convicted of illegal cloning experiments to work on alternatives to organ transplants.

Mitnick

[Klar]

doing so would be like hiring serial-killing doctor
Well, if he's good with a knife..

Honestly though, if a hacker has payed his debt to society and now wants to help businesses prevent what he was doing(Kevin Mitnick), why not let them? Having the most knowledgeable person for the job might just save you from being hacked by someone else--as long as you can trust the person.

Re:Mitnick

[System.out.println()]

I would propose a third possiblity:
C) He did not predict the impact his actions would have.

Consider how many viruses are written that never amount to anything - a few dozen infections, you get on the antivirus list, and no one cares about your virus anymore. (Have you seen the length of those virus definition lists?) Consider that, in all likelihood, the kid associated with people who had written lots of viruses like that - probably even authored some himself. What do you think he would perceive the odds of making a virus this impactful to be? About the same odds that setting off a firecracker would burn down a city block: yes, they should be charged with arson, but don't assume that they meant to set it all on fire. They were just bored and wanted to see a few sparks.

Re:Mitnick

[SpecBear]

One word: liability
It's not just about how you feel about it, it's how your clients feel as well.

There's always the danger that one of your employees is going do something evil. But hiring a known black hat makes you highly vulnerable. What happens when your competitor is giving a presentation to a potential client and says, "Yeah, those guys at FooCorp hired the guy who wrote that virus that took down GreatBigWebSite.com. I wouldn't trust that guy with my customer data, would you? Do you really want to do business with a company the rewards criminal behavior?" What percent of your potential business would you lose?

hacker?

[BoldAC]

What a loaded question?

Would I hire a worm-writing kid? No.

Would I hire a gray-hat security genius? Absolutely.

Depends on what you do

[stratjakt]

A security company might benefit from his experience, or even just the marketting angle "the best hackers work for us!"

In the field I'm in, he'd be a liability. We do government stuff, relating to law enforcement, and while we're not a bunch of angels, we don't want any skeletons in our closet either.

wow...

[Izago909]

...with one IT Director saying doing so would be like hiring serial-killing doctor Harold Shipman to treat your ailing and aged mother.

I bet Freud would have a few things to say about that subject..

I wouldn't hire one

[alatesystems]

It might be nice while they're working for you, but if you piss them off(who hasn't been an employer and had an employee pissed off?) then they have inside knowledge about your company and the ability to hack.

On the other hand, I wouldn't consider these VBS writers "hackers". They are just glorified script kiddies. Don't reward that behavior.

Chris

Re:I wouldn't hire one

[rho]

The ability? No, lots of folks have the "ability". He's already demonstrated the will to do something he knew would be (or hoped would be, which is more or less the same thing) extremely destructive.

The kid is a punk. He may always be a punk. Maybe some folks think it would be okay to hire him, but I bet most of the people who would give him a chance have never built a business themselves. When you've got this thing, this business that you've spent God knows how much time and effort building, why would you risk the whole thing by hiring a known punk? All the reasons I can think of--publicity, potential ability, altruism--fails the "will the baby eat tonight" test.

Publicity? Why not hire a well-known porn star to pose for photographs and post them daily to your web site. You'd get publicity and traffic and less risk. Ability? There's gobs of similarly talented nerds out there. If Slashdot is to judge, there's a glut of CS majors who were fired by GW Bush the same day he was inaugerated. Altruism? Give to Greenpeace.

The kid should be punted into a workhouse and made to do free tech support for the companies he harmed. Each company, in alphabetical order, until their damages have been paid back. I doubt he'd make it past the "B's" before croaking.

(A side note: Slashdotters always say that owning a tool that could be used for illegal activity is fine, and people should only be prosecuted if they use the tools for actual illegal activity. You're probably heard the litany in any random YRO article. Well, here's a punk kid who broke the law--let's see some fucking prosecution, eh?)

definitely not

[staticdaze]

Fear the day that you ever have to let him go.

Re:definitely not

[nizo]

Perhaps hire him on the condition that he have a GPS tracking device implanted in his skull so you can track him down later if he is naughty?

Hackers and Hiring

[Archangel+Michael]

I think it would depend on the QUALITY of the hack. A poorly written hack that breaks out in the wild, that causes unintended results would prevent me from hiring said person.

However, if the hack is an elegant piece of code, that does exactly and only what the author indended would be something I would consider.

Originality also would count. The creative nature of the hack would also weigh in. This prevents script kiddies from modifying existing hacks from the "application" for the job.

In otherwords, I would evaluate each hack and make judgements on the over all skill, novelty and execution of the hack, all skills needed for any programming job.

Think outside the box

[MicroBerto]

If your company designs high quality locks (haha like Kryptonite U-Locks), would you hire the best lockpick around, even though he once used his skills to break into 7/11 and steal a bunch of stuff? Personally, I would. You need people to think outside of the box and go against the grain of your culture once in a while, IMO.

Note: I'm not saying that this chump is the best programmer around, I'm sure he's not. But if he's a great man for the job and can think of things that you and I won't, then I'm on.

Short Answer: Maybe

[jallen02]

There are PLENTY of information security white hats that are just as talented, if not more talented, than the black hats. If we are truly talking about hiring a "black hat cracker". Even if they were exceptionally skilled it would depend on the individual.

They commited a computer crime. That is a liability, not an asset. All in all their benefits as a skilled IT professional would have to outweigh their liabilities (being busted for a computer crime). It is a factor that goes into the equation. I would say that in most cases it would be enough to lean me towards not hiring them. I think its a pretty serious thing to hack someone elses system. There are PLENTY of ways to make a name for yourself in a white hat way. Writing papers, studying info sec and staying on top of the field and becoming a noted voice in the communities is one. Ultimately if you need negative publicity to be known (and or hired) your just being lazy :)

Jeremy

Akin to a serial killer - moronic statement.

The FBI hired Frank Abagnale Jr. as a counterfeit specialist and it turned out to be a good thing. Why? Because he was just a freaking teenage KID that happened to be misguided through lack of maturity. If this teen hacker was given a little direction and purpose with his life then he could steer everything completely around.

I can't believe that comment about hiring him being similar to hiring a serial killer as a doctor. The director that spoke that comment is an idiot.

Depends

[jhagler]

I think I would look at what type of hacker they are.

Is it someone who knows systems inside and out and enjoys toying with them? Then definitely yes.

Is it a script kiddie who just took someone elses work and capitalized on it? Definitely not.

The issue is not about elitism, it's about attitude, someone who has gone to the effort to learn something and apply it is in a whole different world than someone who is so socially mal-adjusted they feel the need to tweak the latest worm to say "I RULEZ" and sends it back out.

I did hire a hacker!

[Offwhite98]

And he worked out great. We both had similar skills and were able to hammer out a lot of code. We do not work together anymore, but I still work with hackers. If you do not enjoy pulling things apart to see how they work and hack them to do new things you should not be writing software.

Nope.

[captnitro]

Use of the term 'hacker' here is a misnomer. Would I hire someone who has a broad technical ability and excels in why things do and don't work? Absolutely. But allow me to go on a little old-man rant here (and hell, I'm in my 20s): viruses these days aren't what they used to be.

In the 1980s-1990s, you could pick up a copy of 2600 and read the code for a relatively complicated polymorphing boot sector virus -- complicated because it took a good knowledge of assembler, specific system calls, the boot process on a PC, etc., among other things. With a few tweaks, it would be slow-incubating, but deadly.

The internet has changed the way we deal with security, because no longer is the question "How clever is the virus?" so much as it is "How cautious is the user?" Example: the "Microsoft Office 2004 Beta" for Mac appeared on P2P networks a few months ago. When run, it deleted the contents of your user folder. Devastating, yes, but nothing I couldn't do myself without programming knowledge. So the 'virus' wasn't clever, tricky, or even unique in function, except for the method of delivery, which was social in nature -- not technical.

The same applies to security holes in your OS. Whether the hole should be patched is another discussion, but taking the obvious routes through those holes to bring down computers isn't particularly noteworthy. If everyone at my office has VNC installed without a password, and I go delete their My Documents folder at noon today, am I a hacker? No. I'm just a prick.

So when you ask, "would I hire a hacker?" Yes.

But when you ask, "would I hire someone who creates/uses something annoying and not that special; requiring a moderate level of programming skill if at all; that relies on the user to activate it or a major security flaw in the OS?" Absolutely not. These kids' salaries should be going to sociologists who can better analyze group behavior, and real coders, not scr1pt k1dd13z.

I would not hire a hacker

[here4fun]

It is not about skill or knowledge, it is about "Can I trust this person?". If someone can write a virus, that might demonstrate good knowledge. Releasing the virus shows the person either did not think about the damage they would make, or worse, they did not care. I would not want someone like that in my company or organization. I happen to think those kinds of people belong in jail, because sooner or later they will do something as stupid as the common thug.

Re:My employer does...

[friendscallmelenny]

They put computers online in honeypot setups

mmm honey

I give up, what sort of stuff do you do at National Endowment for the Arts?

Re:My employer does...

It's amazing to me what kind of gullible suckers the mods are around here.

Depends

[Gyorg_Lavode]

Would I hire the Sasser worm kid? Never.

Would I hire com Adrian Lamo? Yeah.

It depends a lot on the intent of the attack and what was done once it was successful. Also on the personal morals of the individual.

Amen!

[PCM2]

Hear hear! I can't stand how many people keep making this simple mistake. By calling destructive computer criminals "hackers," you're bringing down everybody who codes for the love of it. Lots of us have been calling ourselves hackers for years, only now to get painted with this negative brush.

I don't expect the mainstream press to know any better, but this is Slashdot. Can we please try to keep our definitions straight?

A hacker is a skilled, passionate computer programmer -- nothing more.

A person who commits malicious computer crimes is a biscuit. Like those evil software pirates who walk around with those parrots on their shoulders: "Polly want a biscuit!" Get it right, people.

Re:Amen!

[fitten]

Lots of us have been calling ourselves hackers for years,

The "hacker code" that I grew up by was: "Hacker" is sort of an honorific. You can't call yourself a hacker. Others have to call you a hacker. If you call yourself a hacker, you almost assuredly aren't one.

Re:Amen!

[Kehvarl]

Why should computer criminals be called "Crackers"? What have they done to deserve their own special descriptor? Nothing constructive. computer criminals should be laeled as criminals with the nearest normally-applying label. If you break into a machine without proper authorization and make off with privae or sensitive data, that probably falls under some existing laws against expionage. same applies to any computer crime. If there is no pre-existing label for the crime, why not? is it something that can only be done with computers? if so then is it actually a crime? and if it is, label it and apply the proper label to those who perpetrate the act.

Wow that was incoherent of me.

Stupid CIOs

[Lord+Kano]

one IT Director saying doing so would be like hiring serial-killing doctor Harold Shipman to treat your ailing and aged mother.

Being that Shipman is dead, it would be really stupid to hire him for anything.

LK

Re:My employer does...

[SpyPlane]

All you script kiddies out there who are drooling, be warned that you probably wouldn't have a chance in hell of getting a TS/SCI security clearance.

Move along, certainly nothing to see here. BTW I second the post that the Mod's are gullible today. Of all days that I have no points.

Can you get me Charlton Heston's Signature?

[mykepredko]

It sounds exciting working for the NRA.

Hmmm, how many other organizations start with "N" and end in "A" that have nothing to do with computers?

myke

Nope

[papasui]

I believe his actions speak for the quality of his charector.

Hire him! Hire him!

[Mr+Tall]

We had a lesser, but similar situation at the company where I work. This guy applied for a programming job, and his entire coding experience consisted of writing spamming tools.

He'd openly, and seemingly without shame, listed all his spammer tools on his CV (resume for you over-the-pond types)

I desperately tried to get the guy doing the recruiting to hire him, just so I'd get an opportunity to beat the shit out of the filthy bastard.

Just how fucking insane is our society anyway?

[theolein]

The IT Director who made the Shipman comparison should be fucking fired. Just what kind of values does a man have when he equates a mass murderer with a teenage computer virus writer? My god, the kid is exactly that, a kid! He isn't a violent drug crazed sociopath, he's doing what many kids do, i.e. messing around to see what he can do and how far he can go, with the exception that he got caught.

This kind of fanatic mentality, where a stupid fucking computer (or a song or movie on the internet) becomes more valuable than people's lives, is a sad testament to the state of our society.

You think I'm over the top? Why is it that people who download songs from the internet get punished harder than the executives of corrupt and failing corporations?

If you give someone a chance, after he or she has messed up, especially as a teen, they might or might not do something useful with their lives. But if you dismiss them outright, you are condemning them for the rest of their lives.

Way to go fuckers.

Why is he qualified?

[MacGabhain]

Why on earth should we assume that someone who can break security has the slightest knowledge of how to fix security? I can break regular glass with a rock, but have no clue how to make shatter-proof glass.

Keeping to computer security: Say a particular system has 5000 current, undiscovered ways of being broken into (or just broken). Breaking into it requires finding one of them. But you have to find 2500 of them just to have a 50% chance of finding the one the hack.. err... cracker finds. If a typical passibly decent hacker can find 5 holes, he'd have over a 95% chance of finding one of the ones the security team, that found 2500, missed.

Yes, I wouldn't hire a computer criminal because of his ethical problems. I also wouldn't hire him because if he actually thinks that breaking into a system makes him qualified to work securing systems, he clearly knows nothing about securing systems.

A matter of hiring the fox to guard the chickens

[digital+photo]

I'm a big believer in second chances and turning over leaves, but we are talking about a person who has demonstrated a weakness of moral fiber.

Whether or not the individual is good(skillwise) or not is irrelevant. What is relevant is how one goes about redeeming themselves in the eyes of the community.

I suppose it comes down to your company's comfort level. It is alot like the transition homes where families take in young ex-criminals to help give them a second chance. Sometimes, you honestly see great things come from second chances. Other times, you get a family who is robbed by the one they entrusted.

It doesn't take a rocket scientist to write a replicating piece of code. It doesn't take alot of brains to take an existing one and modify it either.

Which brings one to wonder why hire someone whose only done these things?

The only apparent benefit is to use him to get at other virii writers through association online and by monitoring his access and communications. By hiring him, they increase his profile and will likely draw the attention of script kiddies who will get caught by the firm.

Otherwise, such a hire only risks stock prices and makes the company liable for future damages.

stuff that matters

[monsterhead78]

Ok, first off, hacker is a very missunderstood word and not defined properly, by definition a hacker is a self trained computer professional / programmer.

Would I hire a hacker? The answer is absolutely; hire someone who learns on their own without some instructor holding their hand.

Hackers have the best problem solveing, and deductive reasoning skills of anyone in the IT industry not to mention attention to detail. One could only be so lucky to have one on staff (and you probably do).

Don't get me wrong, there are definitly milicious hackers (crackers) who find joy in compromising, stealing, and destroying systems and networks, but to be honest, most of them do not get cought, and if they do, one needs to wonder, how good are they anyway if they got cought.