Tighten up your security

Picture the scene. A UK-based engineering group finds that its markets in
Asia have suddenly been flooded with counterfeit versions of its products.
What’s worse, they’re very good counterfeits.

In fact, a little too good. When the company gets hold of these products and
examines them, it can see that they are based on its own genuine designs. The
truth dawns: organised criminals have penetrated its core corporate systems, and
stolen the intellectual property that underpins its business.

A growing threat
This scenario is fictional, but the threat is anything but. Digital information
such as business-critical IP and data on customers, employees and financial
transactions plays an increasingly pivotal role in companies’ business models.
Yet this asset is ever more vulnerable to espionage, cyber attacks and theft.

Recent statistics underline the problem. In July 2009, the Ponemon
Institute’s annual survey of over 600 UK public and private sector organisations
found that 70% had experienced a data breach in the past year, up from 60% the
year before.

Yet, when PwC conducted research into information security with more than
7,000 senior IT executives from 119 countries, 35% did not even know how many
security incidents their organisations had suffered.

This relatively weak grip on security is all the more worrying given the
rising importance of data and IP in major industries. For example, the business
model of pharmaceuticals companies is shifting towards a reliance not just on
drug-related IP but on valuable research data, as they target, treat and monitor
individual customers throughout their lives. Increasingly, businesses that fail
to protect their systems effectively are putting their very existence at risk.

Where’s the talent?
However, this requirement raises many challenges. Clearly, having the right
security technology is important for preventing, tracking and addressing
breaches. But potentially more difficult is the task of finding and recruiting
the talent needed to stress test corporate systems and identify and address
vulnerabilities before the criminals do.

This growing need for ‘information guardians’ has opened up a gap in the
recruitment arena, as highlighted by a recent PwC study (see box). The problem
is that the people best-qualified to defend a business against cyber attacks are
not traditional corporate recruits or technology geeks, but complex
problem-solvers with naturally inquisitive minds who are also outstanding

The task of finding and recruiting such people is hampered by the fact that
they often have few formal qualifications, are probably not on the jobs market
and may even feel a cultural aversion to working for a ‘corporation’. For their
part, senior management and boards have little understanding of the work these
information guardians would do, and no experience of managing and incentivising

Learning lessons
As our information panel suggests, we believe the solution lies in finding a way
to tap into ‘dark pools’ of talent that has previously been below the corporate
Some areas of government, such as the security services, are familiar with
recruiting and managing these people, but for most large companies this means
moving well outside their comfort zone.

It also means using different recruitment approaches and criteria. Rather
than looking at people already on the jobs market, companies might trawl the
military, covert services and hacking groups. And rather than seeking formal
skills and experience, recruiters need to test for the right character traits,
such as a refusal to take answers at their face value and deep practical
problem-solving abilities.

Hackers often have the ideal talents for the job, but they are notoriously
difficult to find and recruit. They are usually male, start hacking at 13 or 14
years old and continue hacking away quietly through their school and university
years. It is those who do it for the challenge rather than out of criminal
intent that organisations should look to attract.

Hands-on experience
Building up our business testing of corporate security measures and advising on
and implementing improvements has taught us a lot about finding, employing and
managing ‘dark talent’.

In our experience, the optimal approach is to recruit and manage these people
in a small, tight-knit team with a distinct culture from the rest of the
business. They are motivated more by intellectual challenge and curiosity than
by money, so should be provided with challenging research activities as well as
regular security work. And they are more likely to join a business where
like-minded people are already working.

Attracting and keeping this new type of talent will not be easy, but companies
have no choice. They will either fish in dark pools or face an uncertain future.

Jay Abbott is a director in PwC’s threat and vulnerability practice.


Talent recruited from the non-traditional ‘dark pool’ raises particular
people management challenges for companies accustomed to managing employees with
more orthodox academic and professional qualifications. PwC has recently
produced a report, ‘Managing tomorrow’s people: how the downturn will change the
future of work’, which uses scenario planning to trace the corporate history of
three companies, looking back from 2020. It includes the following account of
events around 2009/10:

‘Data, intellectual property and intangible assets became an increasingly
core part of many business models. Some companies relied heavily on banks of
customer data to intelligently target bespoke products and services through the
consumer’s life span… Performance management within organizations increasingly
focused on capturing, monitoring and manipulating a vast range of employee
metrics. Data and communications networks were increasingly vulnerable to
e-espionage, cyber attacks and theft by organized criminals.

‘Companies needed to find a way of countering these threats. They started to
fish in dark pools for the talent they needed to create a protective shield.
This new wave of corporate employee included those previously involved in covert
government operations, the military, technological innovators and ex-criminals.

‘A recruitment gap was identified: companies needed complex puzzle solvers who
happened to use technology, not just technology experts.

‘The influx of dark pool talent provided people management challenges for
managers and leadership who understood the need for, but not the nature of, the
work these teams undertook. Some were unconventional and eccentric characters
with values and life experiences very different from traditional candidates.
Care was needed to manage and incentivise these people, especially during their
exit, as many of them carried knowledge that could be used to compromise, even
destroy, operations.’
