Who's Watching Over Your System's Security?

I've been following a discussion and survey floating around the net lately regarding the hiring practices of security-related companies. The discussion and survey encompass the question of whether a person should do business with a firm that employs known ex-hackers and crackers.

This particular discussion interests me because several months ago I was talking with a major television show producer who told me about a well-known antivirus software company that was, at the time, rumored to be employing at least one well-known system cracker. The rumor struck me rather hard because this particular cracker is known to take part in the release of new viruses and Trojans into the Internet community.

From my perspective, this alleged employment situation seemed like a rather obvious conflict of interest. But then, putting myself in the antivirus vendor's shoes, I could see how such an employee would offer business advantages. Think about it—an antivirus vendor with a known virus producer on the payroll. How convenient!

To make a long story short, I never could confirm the rumor one way or the other. But if the rumor is true, that knowledge would definitely change my buying habits with this particular vendor. I don't trust crackers any more than I trust a bank robber, so I wouldn't trust a company that employs one. My reasoning is simple: Although the employing company might be reputable to a large extent, ex-hacker/cracker employees aren’t, as evidenced by virtue of their past actions. Am I to expect that such a person (an ex-hacker or cracker) has really reformed completely, and is now so reformed that I can entrust part or all of my information security concerns to the individual? Sorry, but I don't think so. Certainly, there are a few truly reformed people out there who do become great assets to various companies, but how do you know which ones aren't still ill-tempted at some level? Well, you don't, and therefore it's probably not wise to put much trust into an area where so much uncertainty exists.

I'd be interested to know what you think about this matter. Would you trust a company that employs ex-hackers and crackers or ex-virus and Trojan makers? Send me an email and let me know your thoughts—I'd love to find out what you think.

Before I sign off this week, I want to inform you that beginning with this issue, Security UPDATE Newsletter will now be published every week instead of every 2 weeks. We're sure you'll find the more frequent publication schedule to be of even greater value, and I look forward to visiting with you on a more regular basis! Until next time, have a great week.