20 Aug 2009
Picture the scene. A UK-based engineering group finds that its markets in Asia have suddenly been flooded with counterfeit versions of its products. What’s worse, they’re very good counterfeits.
In fact, a little too good. When the company gets hold of these products and examines them, it can see that they are based on its own genuine designs. The truth dawns: organised criminals have penetrated its core corporate systems, and stolen the intellectual property that underpins its business.
A growing threat
This scenario is fictional, but the threat is anything but. Digital information such as business-critical IP and data on customers, employees and financial transactions plays an increasingly pivotal role in companies’ business models. Yet this asset is ever more vulnerable to espionage, cyber attacks and theft.
Recent statistics underline the problem. In July 2009, the Ponemon Institute’s annual survey of over 600 UK public and private sector organisations found that 70% had experienced a data breach in the past year, up from 60% the year before.
Yet, when PwC conducted research into information security with more than 7,000 senior IT executives from 119 countries, 35% did not even know how many security incidents their organisations had suffered.
This relatively weak grip on security is all the more worrying given the rising importance of data and IP in major industries. For example, the business model of pharmaceuticals companies is shifting towards a reliance not just on drug-related IP but on valuable research data, as they target, treat and monitor individual customers throughout their lives. Increasingly, businesses that fail to protect their systems effectively are putting their very existence at risk.
Where’s the talent?
However, this requirement raises many challenges. Clearly, having the right security technology is important for preventing, tracking and addressing breaches. But potentially more difficult is the task of finding and recruiting the talent needed to stress-test corporate systems and to identify and address vulnerabilities before the criminals do.
This growing need for ‘information guardians’ has opened up a gap in the recruitment arena, as highlighted by a recent PwC study (see box). The problem is that the people best qualified to defend a business against cyber attacks are not traditional corporate recruits or technology geeks, but complex problem-solvers with naturally inquisitive minds who are also outstanding technologists.
The task of finding and recruiting such people is hampered by the fact that they often have few formal qualifications, are probably not on the jobs market and may even feel a cultural aversion to working for a ‘corporation’. For their part, senior management and boards have little understanding of the work these information guardians would do, and no experience of managing and incentivising them.
As our information panel suggests, we believe the solution lies in finding a way to tap into ‘dark pools’ of talent that has previously been below the corporate radar.
Some areas of government, such as the security services, are familiar with recruiting and managing these people, but for most large companies this means moving well outside their comfort zone.
It also means using different recruitment approaches and criteria. Rather than looking at people already on the jobs market, companies might trawl the military, covert services and hacking groups. And rather than seeking formal skills and experience, recruiters need to test for the right character traits, such as a refusal to take answers at their face value and deep practical problem-solving abilities.
Hackers often have the ideal talents for the job, but they are notoriously difficult to find and recruit. They are usually male, start hacking at 13 or 14 years old and continue hacking away quietly through their school and university years. It is those who do it for the challenge rather than out of criminal intent that organisations should look to attract.
Building up our business of testing corporate security measures, and of advising on and implementing improvements, has taught us a lot about finding, employing and managing ‘dark talent’.
In our experience, the optimal approach is to recruit and manage these people in a small, tight-knit team with a distinct culture from the rest of the business. They are motivated more by intellectual challenge and curiosity than by money, so should be provided with challenging research activities as well as regular security work. And they are more likely to join a business where like-minded people are already working.
Attracting and keeping this new type of talent will not be easy, but companies have no choice. They will either fish in dark pools or face an uncertain future.
Jay Abbott is a director in PwC’s threat and vulnerability practice.
MANAGING DARK POOL TALENT
Talent recruited from the non-traditional ‘dark pool’ raises particular people management challenges for companies accustomed to managing employees with more orthodox academic and professional qualifications. PwC has recently produced a report, ‘Managing tomorrow’s people: how the downturn will change the future of work’, which uses scenario planning to trace the corporate history of three companies, looking back from 2020. It includes the following account of events around 2009/10:
‘Data, intellectual property and intangible assets became an increasingly core part of many business models. Some companies relied heavily on banks of customer data to intelligently target bespoke products and services through the consumer’s life span… Performance management within organizations increasingly focused on capturing, monitoring and manipulating a vast range of employee metrics. Data and communications networks were increasingly vulnerable to e-espionage, cyber attacks and theft by organized criminals.
‘Companies needed to find a way of countering these threats. They started to fish in dark pools for the talent they needed to create a protective shield. This new wave of corporate employee included those previously involved in covert government operations, the military, technological innovators and ex-criminals.
A recruitment gap was identified: companies needed complex puzzle solvers who happened to use technology, not just technology experts.
‘The influx of dark pool talent provided people management challenges for managers and leadership who understood the need for, but not the nature of, the work these teams undertook. Some were unconventional and eccentric characters with values and life experiences very different from traditional candidates. Care was needed to manage and incentivise these people, especially during their exit, as many of them carried knowledge that could be used to compromise, even destroy, operations.’
In my experience I would agree with this account, as many base risk assessments on auditor tick boxes to give management assurance. I can tell you now that policy and reality are somewhat different. Other IT professionals making the business believe that NT4 boxes can no longer be infected/targeted by malware only proves the lack of in-depth understanding. This may have a little truth when you look at the annual rate of attacks on the masses, but absolutely none when you become the victim of a spearheaded attack. It's not that difficult to move exploits between SPs and releases with the use of a free debugger/frameworks and a few NOPs. If you started looking into the stealth of rootkits you may also be inclined to let go of your XP for Vista 64-bit or beyond and protect the boot (i.e. he who can load code first wins). Granted that may all be a big statement depending on your environments, but the point is sometimes you need this level of knowledge to really assess the security landscape and gain the total risk which you can accept in line with the data classification.
Posted by: Steven Fenton, 28 Sep 2009 | 00:00