Over half of senior IT and HR professionals would consider hiring former hackers in a bid to overcome crippling cyber-security skills gaps and shortages, according to new research from consultancy KPMG.
The firm interviewed staff in UK businesses with anything from 500-10,000 employees and found increasing levels of concern when it comes to human resources, with three-quarters (74%) admitting new skills are needed to combat ever-evolving threats.
However, despite the majority (60%) claiming to have a strategy to deal with any gaps that might arise, 57% said they are finding it more difficult to retain those highly skilled in specific areas of information security, and complained of high churn thanks to aggressive headhunting.
With this backdrop, it’s perhaps not surprising that 53% said they would hire a hacker to bring extra skills into the cyber-security team, while 52% said they would consider employing an expert even if they had a criminal record.
The majority of those interviewed (57%) said it has become more difficult to retain skilled information security specialists over the past two years.
Skills particularly in demand include data protection and privacy, which 70% of respondents admitted a shortfall in.
A further 60% said they were having trouble finding candidates who could communicate effectively with the business – a perennial problem in the cyber-security sector.
Serena Gonsalves-Fersch, head of KPMG’s Cyber Security Academy, argued that firms would be better off developing cyber security skills within "current security and IT frameworks" than considering hires which may introduce greater risk into the organization.
“With many businesses struggling to recruit cyber specialists and with their salaries increasing rapidly it has become less of an alien concept to considering tapping into the market of former hackers," she told Infosecurity.
"Many of these people who have been behind cyber-crimes have the ability to identify potential threats and help companies mitigate cyber risk. This doesn’t come without risk, but companies should have advanced enough identity and access management processes to not allow one employee to run the entire cyber security function."