The Alarming Future of Cyber Security.

How Technology is Fast Redefining Business Risk.

The whole notion of risk management is about as appealing as watching paint dry for many business people. In business its defined as the forecasting and evaluation of financial risks together with the identification of procedures to avoid or minimize their impact.

These risks have historically come from uncertainty in financial markets, threats from project failures, legal liabilities, credit risk, accidents, natural disasters and deliberate attacks from an adversary. Managing these risks typically falls to CFOs, corporate risk managers and insurance companies.

In the 21^st century a new threat is fast making itself front and center in the risk management: cyber-attacks. And they are making front page news – including new allegations that Russian intelligence agencies may have impacted the recent US elections with hacks of key data bases in both the Republican and Democratic parties.

 
At a recently symposium on cyber security sponsored by St. John’s University School of Risk Management, Reactions Magazine and global executive search firm Korn Ferry the risks brought by this global trend were brought to vividly to life.

This symposium looked at cyber security from both a threat and business risk-management perspective. As Korn Ferry Partner and Insurance Practice Leader Tom Rowe noted “We saw this event as an opportunity to help people understand the current and future threats to cyber-security, and what many companies as well as government agencies are prepared to do about them… or not… to deal with the problem.”

The keynote speaker was Peter Warren Singer - a Harvard-educated American political scientist, an international relations scholar and a preeminent specialist and best-selling author on 21st century cyber warfare.

A Rapidly Changing Technology Landscape

Peter Warren Singer

Singer asked the audience to think about forces that will impact the future, many driven by revolutionary and disruptive advancements in technology. 

He observed “…this gives governments and people capabilities that used to be only in the realm of science fiction. ”He cited one example - “wet ware” or technology that can translate human thoughts into computer code then in turn to physical action.

Singer spoke about what can be done with information: From collecting it on social media to stealing it, blocking it as Russia did in the Ukraine, or changing it to a cyber- weapon as Israel and the US reportedly did with Stuxnet – a malicious computer worm built to sabotage Iran’s nuclear program. In the end it compromised Iranian programmable logic controllers (PLCs) and caused fast-spinning centrifuges to tear themselves apart.

In the current issue of Vanity Fair there is a chilling article called “Invading Apple” about the discovery earlier this year by  UC Berkeley Ph.D. student Bill Marczak (left) of a spyware, and a previously unknown Apple vulnerability, that allows hackers to infiltrate the Apple computers and I phones. 

This “Jail Break” hack could spy on a person’s audio, e-mail and text messages remotely. The story goes on to detail the on-going battle between “white hat” good-guy hackers and “black hat” bad-guy programmers.

Cyber Threats to Critical Infrastructure

The next panel helped define and navigate the cyber threat-landscape. They noted three major types of threats to corporate IT infrastructure:

Malware: An umbrella term used to refer to a variety of forms of hostile or intrusive software, including computer viruses, worms, Trojan horses, spyware, adware, scareware, and other malicious programs. It can take the form of executable code, scripts, active content, and other software.

Ransomware: A malicious software is delivered that is designed to block access to files on a computer system through encryption - until a sum of money is paid. After a victim discovers they can’t open a file, they get a ransom note demanding money in exchange for a private key. The attacker warns that if the ransom is not paid by a certain date, the private key will be destroyed and the data will be lost forever.

Advanced Persistent Threats (APT): A network attack in which an unauthorized person gains access to a network and stays there undetected for a long period of time. The intention of an APT attack is to steal data rather than to cause damage to the network or organization.

Panelist Sarah Roland Geffrey from AT&T observed “There are two kinds of companies: Those who have been hacked, and those who don’t know it yet.”  She said many threats can be mitigated though risk assessment, being proactive about software updates and proper training of employees. AT&T has published “The CEO’s Guide to Cyber-breach Response” on how to deal with DDoS attacks.

Can Washington Keep Your Data Secure?

Apparently not so well. Thomas Pace of Cylance Inc. gave the example of the OMP.GOV (Office of Personnel Management) data breach.  In June of 2015 the US OPM announced that the records of as many as four million people had been targeted. Later, FBI Director James Comey placed the number at 18 million people, including his own information. It was the largest data breach of government data in US history. US law enforcement sources told Reuters news agency that a “foreign entity or government” was behind the attack, identified as Chinese hackers. 

Safeguarding Against Cyber Attacks

Pace offered some pragmatic advice:

Thomas Pace

Don’t wait until it is too late after a cyber-attack. Be proactive about dealing with threats. Address “silo” problems – be sure various parts of the enterprise collaborate on cybersecurity. Lots of companies buy security software and then simply don’t install it. If you buy it, install it!

 

Pace noted most cyber-attacks come in via e-mail, so avoid clicking on links or attachments from unfamiliar e-mails. Tell all employees to avoid opening .exe files, or executable files that run as a program on a computer.

He advised that companies should pay ransom when facing ransomware, get the decryption key and hope it works. Pace added “The #1 solution: have good, secure data back-up.”

Scott Lailberte – Managing Director of the Cyber Security Practice at Protoviti Inc. identified the bad guy hackers as “The Red Team” and noted that “cyber security attack factors have changed.” He advised “Take a kill-change approach. Accept that you will lose at the initial phase. Then put controls in place to safeguard the administrative rights – then guard the data.”

He added “Firms need controls at each stage, to monitor at various levels on the detection side.” Continuing “Most firms are doing this very poorly.”

Elissa Doroff -  who oversees risk management services for cyber liability at global insurance firm XL Catin remarked: “The cyber insurance industry is necessarily ready to deal with catastrophic exposure scenarios.” A scary though indeed, if anyone even knows what this means.

Aileen Alexander co-leader of the cyber security practice at Korn Ferry noted that “There is a glaring lack of data security specialists available to corporations today. That training, awareness and a cultural awareness of cyber-security threats are the best things any company can employ to safeguard against this threat.”

She concluded: “From the view of the hackers – the weakest link is the human element.”

The Future of Cyber Security

For a hair-raising view of future of cyber-security check out what the UC Berkeley Center for Long-Term Cyber security came up with in their report published in April 2016 called “Cyber Security Futures 2020.” They describe the future in terms of five possible scenarios.

Imagine a world where computer algorithms are capable of predicting — and manipulating — the people’s behavior with a high degree of accuracy; where economic collapse puts our private information on the market to speculators or criminals; where wearable devices track our thoughts and emotions, leaving us vulnerable to surveillance, hacking, and blackmail; where the Internet of Things (IoT) takes control of more and more of our lives; and where widespread distrust of institutions’ security results in a digital “Wild West” of lawlessness.

“Scenario thinking has really encouraged us to stretch our imaginations and expectations about the future of cyber security,” said Betsy Cooper, executive director of the CLTC.

I get the feeling that the whole cyber security issue will be much more than an academic exercise over the next 15 years. The CLTC scenarios are the stuff mind boggling science fiction and really scary horror movies are made of.

Who wants to work at a Fortune 500 company?

Apparently fewer than one in seven recent college graduates want to work at a big company, according to the Accenture Strategy 2016 US College Graduate Employment Study. This is a stark change from the many years when a large company corporate career track was the preferred way to work and prosper in America. The study found:

• Only 14% of the class of 2015 would “prefer” to work for a large corporation.
• 44% of new grads want to work either for medium-sized business or a small, entrepreneurial or start-up business.
• University grads are passionate, committed and willing to work hard – 69% cited picked their major in college because they were passionate about that area of study.
• But just 42% picked a major because it offered abundant job opportunities and only 23% indicated their choice was based on how much money they could make.
• Half of recent graduates surveyed feel they are underemployed.

Who is winning the battle for the top Millennial talent? 

LinkedIn just published a story “Behind the Top Attractors: How we discovered the world’s best hirers and keepers of talent.”

The story noted that Fortune 500 CEOs see lots of change on the horizon, and the ability to attract and retain top talent will be key to their future success. But the story missed a blinding glimpse of the obvious.

The experience for many Fortune 500 employees, especially the entry level millennial generation crowd, is not so great compared to what it used to be.
Are the Fortune 500 firms themselves are to blame for the talent flight to start-ups and smaller privately held firms?

Here’s what many of the big companies used to offer, but seem to have walked away from in name of cost-cutting and corporate efficiency. But it’s interesting to note that a number of the LinkedIn “top talent attractors” are bucking these trends and delivering what clearly matters to their employees:

Employee Training / Clear Career Development Paths:

The Accenture study analysis suggested that the next generation of workers are in fear being lost in the dense forest of a large corporation. They are concerned their individual needs and talents will be neither noticed nor nurtured.

Big corporations continue to cut back on formal training programs. The thought is “why bother training them… they are only going to leave” is often the excuse. Larger companies now emphasize on-the-job experience, coaching, collaboration and self-directed learning. In short it’s sink-or-swim for many employees, with no lifeguard on duty.

Current Best Practice: Microsoft offers a unique approach to career development: “an individual adventure” as they define it.

Its 118,000 employees are encouraged to plot their own path, working towards becoming a specialists or generalists. Career resources include 2,000 training programs.

Long-Term Wealth Building Opportunities:
Many emerging growth companies / start-ups are offering their employees stock options as way to be competitive with larger firms and help attract and retain the best and brightest people. In contrast most big corporations reserve stock options for only their senior people.

Nearly all big firms have eliminated their defined benefit (pension) plans and most have cut way back on their 401(k) matching contributions and employee stock purchase plans. Many Millennials think it doesn’t pay to hang around big companies waiting to get rich.

Current Best Practice: Last fall Apple launched an RSU Grant (Restricted Stock Units) Program making everyone who works at Apple eligible for the new program. Grants were given to employees worth $1000-$2000 in Apple stock. This is addition to the existing Apple Employee Purchase Stock Plan (ESPP) which makes Apple stock available to employees at a discount.

Willingness / Ability to Embrace Technology-Driven Innovation: 

Many Fortune 500 firms are on the back-end of the tech innovation curve. Who’s still buying all the blackberry phones and PCs these days? How many big firms have really cool smart-phone apps?

How many have created and tested highly disruptive business models? Have offered their rank-and-file management an opportunity to learn computer coding? Encouraged senior people to pair-up with junior digital natives as tech mentors?

Current Best Practice: Goldman Sachs gets kudos for being an old-line investment banking firm that is repositioning itself as a tech company, with about a quarter of its 36,500 employees being engineers and tech staffers. The company is actively investing in early-stage fintech companies and partnerships are more common than acquisitions. They've even sponsored hackathons.

Placing Value on Seasoned Employees: 

Seems that being over 50 and making more than $150K+ a year puts many large corporate employees on the “endangered species” list. Institutional knowledge is being shown the door every day in corporate America in the interest of cost-cutting.

“Cheap and Cheerful” employees seem to be the new order of the day. The younger employees often don’t even know what they don’t know, worse yet senior management often doesn’t seem to care. Customer satisfaction and loyalty can suffer in the end.

Current Best Practice:  Barclays Bank has launched an innovative apprenticeship program for professionals over 50 years of age. The banks views this as a way to up-skill the younger generation of their employees. The bank predicts “that bringing in apprentices over 50 years of age will make the institution more accessible, providing greater empathy with requirements of certain customers.” 

Attractive Corporate Cultures: 

The Accenture study shows that corporate culture matters to this new generation. 74% of recent college grads would choose to work at an organization with an engaging, positive social atmosphere, even if it meant accepting a lower salary. And a striking 92% of 2016 grads say it’s important to be employed at an organization that demonstrates social responsibility.

Current Best Practice:  Last year Google achieved the #1 ranking for corporate social responsibility from the Reputation Institute. What put Google on top?

The company has been carbon neutral since 2007 and has implemented numerous environmentally friendly initiatives, including Google Green.

The LinkedIn study was interesting because it was based entirely on actions of users – drawn from LinkedIn primary behavioral data. It leveraged actions such as job applications, engagement (non-employees viewing / connecting with current employees) and new hire staying power.

The companies at the top of the list are disruptors, tech savvy, innovative in creating new types of workplaces, provide professional growth opportunities, job flexibility and even stock option plans to large numbers of employees.

An even more interesting data point is the market cap and growth trajectory of the 40 companies on the LinkedIn “Top Attractors” list. If the charge of a public company is to maximize shareholder value, most of these companies are doing it in spades.

By delivering long-term profitable growth, the capital markets are rewarding them with higher equity valuations. And this all may be underpinned to a large degree by happy, hard-working, loyal and satisfied employees. Go figure.



 

Disruption Decends on the Financial Services Sector.

A perfect storm is sitting on top of the financial service industry today, one that is likely to massively disrupt this business sector over the next ten years. The converging storm fronts include the following:

FinTech Competitors:

Many aspects of financial services are under attack by a host of aggressive Fintech competitors including consumer banking, wealth management, payments, lending, currency and insurance.

Players include Stripe who wants to redefine the way payments are made (without banks), Common Bond is radically changing student loans, Betterment is robo-advising people about their retirement savings at a much lower cost than traditional financial advisors, and Bitcoin and other virtual currencies are creating the digital cash marketplace.

From the Silicon Valley to NYC these fintech firms are primarily using technology to create new business models that exploit inherent weaknesses present in banks and other financial services firms: High costs, poor customer service, thin value propositions and glaring lack of product / service innovations.  

The NY Times devoted an entire special section to the subject this past spring called “FinTech’s Power Grab.” The lead-in summarized the situation:

“If you spend more than 15 minutes with any senior executive of a large bank these days it is almost impossible to not to hear the phrase ‘fin tech’ uttered. It is usually spoken with a sense of optimism, but sometimes with a sense of dread.”

It is estimated that $19 billion has been invested in the fintech sector in the past year according to Citigroup, up from just $1.8 billion just five years earlier. Big banks have good reason to fear these well financed fintech competitors.

Environmental Issues:

The banks themselves have been distracted by huge increases in regulatory requirements coming out of the financial crisis of 2008. For example, JP Morgan has hired an additional 13,000 people in the area of compliance since 2012.

Banks have also been forced to make massive investments in IT to fend off new cyber-security threats. The American Banker identified a number of them last year including: mobile banking being ripe for attacks, SMS and malware strikes on Android devices, payment breaches surging ahead of the shift to EMV chips in debit / credit cards and the Internet of Things (IoT) creating new vulnerabilities.

Financial services firms also face extraordinarily stiff competition from start-ups when it comes to attracting and retaining bright and motivated employees, especially in the IT and senior management professional tracks.

Cuts backs in training programs and the glaring lack of long-term wealth building opportunities for most financial services sector employees have made working in the area far less attractive than it once was. Many of the best and brightest business school grads are opting for careers with start-ups and in the tech sector rather than banking.

The Trust Factor:

There is also a glaring lack of trust on the part of many consumers and businesses in the banking sector. Banks have undertaken huge cost-cutting initiatives that have adversely impacted the quality of customer service, continued to increase fees and focused a large amount of energy on their own trading activities in an attempt bolster sagging profits.

In the end - bank customers have gotten the short end of the stick and are more than ever customers are considering non-banking options for their financial service needs.

According to the most recent Chicago Booth / Kellogg School Financial Trust Index survey fewer than half of the people surveyed trust banks in general and even fewer trust national bank brands.

Branding Challenges:

In 2015 the Harvard Business Review wrote an article entitled “Why our trust in banks hasn’t been restored.” They reported “Since the financial crisis of 2008, a major question has been how banks can restore the trust of their clients.

For example, JP Morgan has hired an additional 13,000 people in the area of compliance since 2012.” I suspect this was a reactive and defensive measure on the part of Chase.

The banks seem to be missing a blinding glimpse of the obvious: Financial service brands are built on trust, and that is earned based on positive customer experiences.

At the top of the list for improving the customer experience by banks is timely problem resolution. This seems to be a lost practice these days. Think about how many times you’ve been put on hold when calling your bank’s toll-free service number, only to be connected to an overseas-based customer service rep, with a limited knowledge of the English language.

The HBR goes on to suggest that banks would be better served rebuilding trust, and thereby their brands, by focusing on three elements identified by research:

Ability: Are you competent?

Integrity: Are you honest?

Benevolence: Do you care about my interest?

Most people might be hard-pressed to apply any of these attributes to a major bank – therein lies the opening for many alternative / disruptive financial services businesses.

Changing Consumer Expectation and Behaviors

Millennial consumers are especially unhappy with banks. A recent study published by  Scratch – part of Viacom Media found that banks are at the highest risk of disruption. Why?

·      53% don’t think their bank offers anything different than other banks. 

·      71% would rather go to the dentist than listen to what their bank has to say.

·      1 in 3 are open to switching banks in the next 90 days.

·      All 4 of the leading banks (JP Morgan Chase, Bank of America, Wells Fargo and Citigroup) are among Millennials’ ten least loved brands. 

·      73% said that they’d be more excited about new financial services options from Google, Amazon, Apple, PayPal or Square than from their own nationwide bank.

These data points should strike fear into the hearts of senior management and marketing executives at the larger banks, but alas, they’re probably in a compliance meeting and won’t notice.

Surviving in a Disrupted World?

The Deloitte Center for Financial Services recently issued a compelling report called “Banking Reimagined – How disruptive forces will transform the industry in the decade ahead.” 

Deloitte’s basic premise is not If the banking sector will be disrupted, but how, when and to what degree it will change.

The question is not whether the disruptions that we are witnessing today will transform banking and capital markets, but rather how will they do so?

Which entrants will have the most success? What technological disruptions will take root and transform the way business is done?

What does the future hold?

The likely outcome of all this disruption will be a vastly different competitive landscape for the financial services sector. New entrants will leverage technical expertise with a clear focus on improving the customer experience. 

There will be greater industry fragmentation as consumers turn to alternative financial service offerings, many web and mobile based. 

The big banks will face pressure to adapt new business models or face massive customer defections and market share losses. They will need to make big investments in talent and technology if they hope to remain relevant, viable, competitive and profitable.

Who on Earth Wants to Work at IBM?

Who on Earth wants to work at IBM these days? Or for that matter, any other Fortune 500 corporation? That seems to be the sentiment among a huge number of millennial business school graduates these days.

“For the first time ever last spring – top investment banks (Goldman Sachs) and consulting firms (McKinsey, Boston Consulting Group) were not filling their on-campus recruiting interview schedules with enough interested candidates,” according to Ellis Chase at the Career Management Center of the Columbia Business School.

And there is good reason for millennials to turn their backs on Fortune 500 firms. As Reid Hoffman points out in his book The Start-up of You the traditional corporate career escalator simply does not work anymore.

As Hoffman states, “that escalator is jammed at every level. Many young people, even the most highly educated, are stuck at the bottom, underemployed or jobless.” Unpaid internships now seem to be a part of the “career path” of many college grads.

Is there anything large Fortune 500 firms and other old-line prestigious firms can do about attracting and retaining the best and brightest millennials entering the job market?

They might start by focusing on what’s important to millennials these days when it comes to considering a potential employer. According to a recent survey of American college students by HR consulting firm Universum, students focus on employers that will offer:

1. Respect for their employees.
2. Secure employment.
3. A creative and dynamic work environment.
4. Professional training and development.
5. A friendly work environment.

It’s little wonder that startups present themselves as such an attractive alternative career path to large corporations. Millennials came of age during the Great Recession, a time when headlines were rife with mentions of massive headcount reductions, cutbacks in training programs, and reports of generally staid and often boring work environments.

Hoffman later advocates in his book that people should adopt the same principles that have propelled the massive success of Silicon Valley startups: take intelligent and bold risks to accomplish something great; pivot to a breakout opportunity.

Savvy Fortune 500 firms are adopting this philosophy with the rise of employer branding initiatives.

The Harvard Business Review reported the trend earlier this year. The HBR states: “As the global economy picks up, there is a growing concern among CEOs about finding and keeping the best talent to achieve their growth ambitions.” Many firms reported talent shortages and are concerned about the availability of new skills.

So what are Fortune 500 firms actually doing about this recruitment problem?

IBM is a company in transition, moving from mainframe computers to a new set of strategic imperatives including data management, security, cloud computing, mobile technology, and cognitive computing with IBM Watson. But it is a safe bet that most college graduates are unaware of this shift, or even what it is like to work at IBM.

IBM Instagram Post

IBM has wisely adopted the lingua franca of millennials: social media. They’ve developed surprisingly attractive content that is driving their reach, engagement, and message amplification. All of these elements are key to successful employer branding in 2016.

“While we certainly enjoy widespread brand recognition, we need to help overcome their murky perception of what IBM does…we need to communicate our strategic imperatives: Data management, security, cloud computing, mobile technology, IBM Watson,” noted Jennifer O’Brien, Global Candidate Attraction & Social Media Recruitment leader at IBM.

Other companies, GE for example, have taken to using expensive, high production value TV ads  for their employer branding. This new campaign from Madison Avenue ad agency BBDO uses humor to explain how GE is evolving as a company, and that it is a great place to work. This message seems contrived, less than authentic, and potentially easy to ignore, or for the viewer to feel “talked at” with hype rather than being engaged with a relevant message.

Even companies that rank near the top of the “Ideal Employer Rankings” are finding it necessary to address the concerns of potential employees. Take for example consulting giant McKinsey. While consulting has always been considered a great career path for top business school graduates, it comes with a well known cost: 70+ hour work-weeks and the constant need to be on the road.

McKinsey has countered this problem with its "Take Time" program that allows consultants to take off between 5-10 weeks per year between engagements to pursue personal interests and passions. And they are aggressively promoting this program on social media and with digital marketing.

  

Looks like savvy Fortune 500 firms are embracing the new world order of employer marketing that attracts and engages their millennial audiences, and using smart phones, social media, and employee generated content to make their message authentic. Pity the firms that miss the boat on this trend, as they will need to endure fast thinning ranks of qualified recruits to build their futures.