The U.S. Army ventured into unfamiliar territory last week, on the first day of its “Hack the Army” bug bounty program, which challenges dozens of invited hackers to infiltrate its computer networks and find vulnerabilities in select, public-facing Army websites.

"We're not agile enough to keep up with a number of things that are happening in the tech world and in other places outside the Department of Defense," explained Army Secretary Eric Fanning in announcing the plan in mid-November. "We're looking for new ways of doing business," which includes a break from the past when government avoided working with the hacker community.

Like the Army, enterprises are also realizing that the term hacker is not synonymous with criminal, and that hiring hackers may be the only way to keep up with the real bad guys.

Some 59 percent of executives surveyed by Radware and Merrill Research have either hired or would hire an ex-hacker as a way to inject cybersecurity talent into their workforce. More than a quarter of organizations have been using ex-hackers for more than two years, according to the survey, including so-called white hats or ethical hackers, gray hats – those who skirt the law or ethical standards but not for malicious purposes – and black hats who operate with malicious intent.

Postings for ethical hacker jobs on the tech career website Dice.com have jumped from 100 jobs in 2013 to over 800 jobs today.
“While that’s still a small number considering there are more than 80,000 tech jobs posted on Dice on any given day, it’s clear demand for these professionals is growing rapidly,” says Bob Melk, Dice president.

“Hackers are exceptionally skilled in finding the little tiny things that other people forget – those vulnerabilities you don’t know yet, things you thought you fixed but not entirely properly,” says Alex Rice, CTO and co-founder of HackerOne, a bug bounty platform with 70,000 hackers in its community. “Every organization out there has something they’ve missed.”

Organizations are willing to assume the risks in exchange for access to the unique mindset and skillset of a hacker.

“We’ve seen it on the vendor side for years, and now we’re starting to see it on the user side, as well,” says Jon Oltsik, senior principal analyst and the founder of cybersecurity service at Enterprise Strategy Group. “Someone who hacks for fun or who hacked as a researcher -- those people certainly could be great hires. They make good hunters and forensic investigators. They may not have the certifications, but they have the skills.”

But hiring someone who’s had a run-in with the law for hacking has its risks, and companies must weigh those risks against their objectives. “Should you hire felons or criminals regardless of their background? That depends. In some cases, it might make sense” based on their individual risk assessment, Rice says.

Many famous black hat hackers have gone on to successful, legitimate careers. In 2008, then 18-year-old Owen Walker was charged as a ringleader of an international hacking group that caused more than $20 million in damages. He went on to work in the security division at telecommunications company Telstra.
Jeff Moss, founder of Black Hat and DEF CON computer hacking conferences, ran an underground network of hackers ranging from the curious to the criminal. In 2009, he joined the U.S. Homeland Security Advisory Council, and in 2011 was named CSO for ICANN, the agency that oversees domain names. Kevin Mitnick is now Chief Hacking Officer at security awareness training site KnowBe4. He was once on the FBI's Most Wanted list for hacking into 40 major corporations.

Shades of gray

The vast majority of hackers are not felons or criminals, Rice says. “They fully intend to leverage their skills for good. These people could choose to be criminals if they want to be, but they decided not to -- the same goes for any other type of profession.”

But between the white hats and black hats, how can companies vet all the shades of gray hackers in between? “One man’s hacker is another man’s security researcher,” says Stu Sjouwerman, founder and CEO of KnowBe4. “Just as one man’s freedom fighter is another man’s terrorist.”

On the vendor side, companies usually hire ethical hackers, Oltsik says. “Maybe they’ve skirted with the law, but usually it’s not someone who’s got a long rap sheet or has been convicted of a crime.”

KnowBe4 employs four white- and gray-hat security researchers. Occasionally, the firm has skirted the law in its efforts to stop attacks – most recently a CEO fraud attack on Sjouwerman himself.

Someone impersonating Sjouwerman sent an email to his comptroller requesting a wire transfer of $40,000. Recognizing the scam immediately, his team went to work to identify the thief and turn the tables in a reverse social engineering scheme.

“We sent him a phishing email to his AOL account that read, ‘there have been too many logins and your AOL is temporarily blocked.
Please log in to unblock your account.’ He fell for it in a flash,” Sjouwerman recalls.

Five minutes later, Sjouwerman’s team had the attacker’s AOL user name and password. Once inside, they emptied out his AOL account into their own PSD file and examined his work. The operation was netting the scammer about $250,000 a month.

“We knew that we weren’t allowed to do it, but we did anyway,” Sjouwerman says. When it comes to hiring hackers, “this is the kind of thing that you are easily tempted into if you’re a white hat or gray hat.”

Barriers to hiring hackers

Global CSO Shawn Burke would love to pick the brain of a black hat hacker to find out what his team at Sungard Availability Services isn’t considering when they implement security controls in their solutions. “There is definitely something they could bring to the table,” he says. But that will likely never happen because Sungard provides services to highly regulated financial institutions and government entities with strict requirements on background checks. “Of course, if they haven’t gotten caught, I guess it wouldn’t be on their resume” or background, he adds.

Sungard does employ a handful of white hat hackers who have completed SANS penetration testing and ethical hacking training courses. One employee was involved in “NSA top-secret work” in his former position. “[Former NSA workers] have seen things that nobody on my team has ever seen,” Burke says. “While they can’t talk about it – they certainly know how to say, in their own cryptic way, that we should probably posture our controls in a certain kind of fashion.” When choosing these employees, trust is key, Burke adds.
“I have to trust the employees to do their job.”

Proceed with caution

Companies that are considering hiring a hacker should take several precautions, these experts say.

First, perform background checks before hiring new security employees, Oltsik says. “The red flag would be any kind of law enforcement issues or criminal background, a history of malcontentedness or confrontation with other people they work with, HR incidents, multiple jobs – nothing any different from anyone else you would hire.”

If evaluating a gray or black hat who might have a record, “It’s very often referrals and who you know and who they know” that gets them the job, Sjouwerman says. “If you get a verbal [endorsement], that’s the only somewhat-reliable way to get this done.”

Once hired, put the hacker in roles where they can be successful, but make sure you’re managing and monitoring them, Oltsik says. “They do have skill sets that can be damaging. With the right amount of oversight, you could quickly devise whether someone was doing things that are suspicious.”

Companies should also consider whether a hacker is a good fit within the organization. Hackers by nature tend to work independently and aren’t team oriented, Oltsik says. “If you have someone who loves breaking systems, but isn’t the most social, do you have a role that can fit them where it’s beneficial for you and a good fit for them?”

Hackers as consultants

Companies in doubt about their risk tolerance or culture for hackers may want to consider independent consultants on a project basis, Sjouwerman says.

A vulnerability disclosure company, such as HackerOne, connects businesses with security researchers to resolve their security vulnerabilities. HackerOne’s network of 70,000 hackers has earned more than $10 million in bug bounty rewards for solving companies’ problems.
The hackers, who range from teens to highly specialized academics to security pentesters with day jobs, are vetted through a reputation system that tracks what the individuals have done when they’ve identified vulnerabilities and reported them, Rice says. The framework lets people practice their hacking skills “in a way that demonstrates their good intent,” Rice says. Proven ethical hackers can then be invited to work on privileged projects, such as the “Hack the Army” event.

“Organizations realize that the only way to get ahead of criminals is to work with those with the skills but none of the [criminal] motivation,” Rice says. “It does take one to know one.”