FutureScot An independent publication from futurescot.com
Scotland’s new ultra secure data centre
Bill Buchanan on the cryptography debate
Distributed with The Times Scotland 28 April 2016
Six steps to stop business being hacked
Cyber security special
Why chief executives should be worried
Made in Troon: The unlikely origins of a new, more secure, internet
BRIEFING
DI Eamonn Keane, of Police Scotland’s specialist crime division, speaking at the Scot-Secure conference last week. Picture: Nicola Kenny
FutureScot is an independent publication by BrandScotland.

CONTENTS
BRIEFING. DATACENTRES. ENCRYPTION. HACKING. CLOUD. INTERVIEW. COVER STORY. CYBERSECURITY. ENTERPRISE. BIG DATA. SKILLS. RECRUITMENT. LEGAL. INVESTMENT.

EDITOR: Will Peakin, 0131 561 7364, will@futurescot.com
DEPUTY EDITOR: Kevin O’Sullivan, 0131 561 7364, kevin@futurescot.com
ADVERTISING: Jake Oszczepalinski, 0131 561 7351, jake@brandscotland.com
PUBLISHER: Hamish Miller, 0131 561 7344, hamish@canongate.org
FUTURESCOT: Creative Exchange, 29 Constitution Street, Edinburgh, EH6 7BS, www.futurescot.com
DESIGN & PRODUCTION: Palmer Watson, www.palmerwatson.com
TYPOGRAPHY: Expresso and Flama from Feliciano Type Foundry, http://www.felicianotypefoundry.com
‘Spearphishing, smishing and whaling’ – we’re struggling to keep up, admits cyber cop

Police Scotland hope for co-operation between officers and business as it fights against a rising tide of automated and industrial hacking
FutureScot is an independent publication by BrandScotland distributed in The Times Scotland. All rights reserved. Neither this publication or part of it may be stored, reproduced or transmitted, electronically, photocopied or recorded without prior permission of the Publisher. Futurescot is published and exclusively distributed in The Times Scotland. We verify information to the best of our ability but do not accept responsibility for any loss for reliance on any content published. If you wish to contact us please include your full name and address with a contact telephone number.
BY KEVIN O’SULLIVAN

New and constantly evolving forms of cybercrime have left Police Scotland “struggling” to keep up, one of its senior cyber officers has said. Online and device-specific threats such as ‘spearphishing’, ‘smishing’ and ‘whaling’, coupled with existing cybercrime, have left officers facing a “significant investigative challenge”.

“What we are seeing, and I don’t like using the term ‘pandemic’ because that is a bit alarmist, but I would say what we are seeing now from these companies, organisations like DD4BC, you will see that they are using ransomware and DDOS, and cybercrime-as-a-service to target specific companies within jurisdictions,” said DI Eamonn Keane, of Police Scotland’s Specialist Crime Division.

Keane spoke to FutureScot ahead of the Scot Secure Cyber Security conference at Our Dynamic Earth on April 21, where he gave a talk on ‘being the hunter’. He said it was almost impossible to quantify the totality of cyber-attacks faced by Scottish business as many go unreported. But he said there was a level of co-operation now between officers and business that was encouraging.

“I’m delighted to say we’re getting much more traction and engagement from our business community and we’re here to support them,” he said.

However, he indicated that the multi-jurisdictional scale of hacking presents a considerable challenge to the force. “It’s on an automated and industrial scale,” he said. “There are new crimes – and we in Police Scotland, yes we are absolutely struggling. We face a significant investigative challenge and resources dealing with all aspects of cybercrime and social media abuse.”

Police Scotland has itself fallen victim to a “number of incidents where there have been intrusions” – and one individual arrested for attacking the force is due to come to court.

Keane also indicated that the level of boardroom attacks on ‘C-suite executives’ (chief-level in an enterprise) appeared to be on the rise – either through ‘social engineering’ (using open source online platforms to research and target potential victims), or through ransomware. “The landscape would be that we have now a small but significant body of what we could call hacking teams they are now interested in looking at vulnerabilities in organisations.”

There have been recent calls from the Scottish Police Federation to create a dedicated ‘National Cyber Crime unit’ for Scotland. Keane declined to echo the calls from the policing union but said he supports the idea of closer, collaborative working with partners, particularly with business. “We’ve got some fantastic defence technology in Scotland, the likes of Lockheed Martin and Sopra Steria – and we need that help to assist in policing sometimes,” he added.

Police Scotland is also working with global tech corporations to try and identify malicious code and “suck it out” of the internet, he said.
New IT jobs platform launch

InSite, a platform that could change recruitment, was launched this week with fashion footwear retailer schuh the first to sign up. Developed and hosted by Head Resourcing, specialists in IT, digital and business change appointments, InSite puts the pre-interview recruitment process online. schuh, which has 118 stores in the UK and Ireland, is using InSite to recruit system developers. To entice skilled applicants, as well as the salary, skills and benefits, schuh has provided more content, images and a video to give potential candidates a better insight into the company.

“We recruit for a variety of IT and digital positions and attracting the right candidate isn’t always an exact science,” said Colin Temple, managing director of schuh. “By giving potential applicants a greater insight into how we work, what we stand for and even who they could be working with, right from the first step, we’re building better engagement and getting a better fit in the people who share our approach.”

Huw Martin, managing director of Head Resourcing, added: “InSite is a game changer in the recruitment market.” insite.headresourcing.com
Building a city’s digital hub

Scotland’s digital technologies industry contributes around £4bn in gross value added (GVA) to the Scottish economy, with export revenues on the up, and around 80,000 people estimated to be working in this expanding industry, while data capture and informatics are also features of technology and engineering, in turn contributing £12.7bn GVA, and employing around 161,000. From health to banking, and retail to gaming, digital technology is revolutionising every aspect of people’s lives, and Edinburgh’s technology hub is at the heart of this flourishing Scottish sector.

Scotland’s capital is where you’ll find the UK’s most successful computing start-up community, with the University of Edinburgh’s Department of Informatics home to the largest concentration of internationally significant and world-leading informatics research in the UK, and the UK’s largest supercomputing centre (EPCC).
Here also is Scotland’s main focus for UK medical research data sharing, via the Farr network, and UK administrative research data sharing, via the Advanced Data Research network, and a world-leading genomics data facility at the Roslin Institute, along with a world-leading centre for Earth observation data at the Science and Technology Facilities Council/ University of Edinburgh’s Higgs Centre for Innovation. Edinburgh is also the focus for major Scottish activities in translational data science, through the Scottish Funding Council Innovation Centres in data science and digital healthcare, and a major joint venture with the UK’s other principal data science universities at Oxford, Cambridge, UCL, and Warwick, to found the Alan Turing Institute. ‘The answer: collaboration’, p14
Check if your password has been ‘pwned’

We all live in very real fear of our private data being hacked. But fear not, there is now an online resource where you can check to see if any of your email accounts have been ‘breached’ by a cyber attack. Just enter your email address/es into the https://haveIbeenpwned.com site and if you find any of your accounts have been part of any of the mass leakages, start thinking about changing your critical passwords! You can also sign up to email notification alerts that will tell you if and when your email address does get hacked. haveIbeenpwned.com is compiled by Troy Hunt, Microsoft Regional Director (Asia/Pacific).
COSLA shortlisted

Four Scottish organisations are among those that have been shortlisted for the Digital Leaders 100. The awards recognise individuals and organisations that demonstrate a “pioneering and sustainable” approach to digital transformation across the public, private and nonprofit sectors. Those shortlisted include COSLA’s myjobscotland.gov.uk and the John Wheatley Learning Network (Digital Public Service Innovation), Digital Participation Scotland (Digital Inclusion and Skills Initiative) and City of Edinburgh Council (Digital Council of the Year). The winners will be announced at an awards dinner in the London Hilton on 15 June.
Lockheed Martin mentors meet students regularly to help with questions about work life and potential career paths.
Programming internship for Scots school pupils

Lockheed Martin is taking on 10 paid interns this summer, at its offices in Glasgow, Edinburgh and Aberdeen, in a partnership with Career Ready UK. Career Ready helps school children to improve their confidence, professional networks and opportunities available to them. Its programme offers practical learning to help young people develop the skills they need for a career in an area linked to their academic studies or interests. Lockheed Martin began a partnership with the charity in 2014 through volunteer mentors and a donation that enabled Career Ready to employ an extra member of staff and allowed its
team to focus on the key aims of the charity. The company’s mentors meet the students regularly and provide a network to ask questions about work life, understand potential career paths and support the student in their schoolwork. At the end of S5, during the summer holidays, the students will visit the Lockheed Martin offices to complete a four-week paid placement. The students undergo a non-competitive interview to help them understand what is required for the role and provide experience on the interview process. Each student is assigned a supervisor, someone different from his or her mentor, to work with them for the four weeks. The duties for the students vary from understanding programming, visiting customer sites and engaging in meetings, to a joint team project to promote mentoring a Career Ready student to Lockheed Martin staff in the UK. Following the placement, the Career Ready students will continue to work with their mentors until they complete their sixth year at school. The mentors will work with the students to help them choose the right career path for them; whether that be university, college or an apprenticeship.
Huge demand for security conference

Business leaders and technologists gathered for an industry-leading cybersecurity event in Edinburgh. Organisers closed registration three weeks early as demand for places soared at Scot Secure 2016, held at Our Dynamic Earth, on April 21. The day-long event featured contributions from some of Scotland’s leading cybersecurity professionals, including Bill Buchanan, Professor in the School of Computing at Edinburgh
Napier University. “The importance of this topic was reinforced with us having to close registration three weeks prior to the event due to capacity being reached,” said organiser Ray Bugg, Founder of Scot-Tech Engagement. He added: “Having some of Scotland’s leading information security personnel both presenting and attending the event, Scot-Secure didn’t just focus on the technology but also the culture
and leadership that is required to protect the nations’ business communities from increasingly complex threats.” Scot-Tech run a series of digital technology events in Edinburgh. Its second annual Mobile Scotland conference takes place on May 26 (www.mobile-scotland.com), with the third annual Scot-Cloud event on June 21 (www.scot-cloud.com). Both take place at Our Dynamic Earth and are free to attend.
CYBERSECURITY
DataVita’s datacentre employs multiple layers of security and resilience
SECURITY
- Automatic number plate recognition
- Vehicle ‘air lock’ and anti-ram barrier
- Twin anti-scale fences
- Motion sensing CCTV & RFID cards
- Three factor authentication and proximity alarms
- 24x7 on premise security personnel
QUALITY
- TUI certified design with construction and operations planned
- UK’s first life sciences and healthcare GxP compliant DC
- Indirect, adiabatic free air cooling system
- Energy efficient and carbon neutral
- Independent power and back up fuel stores
- Pioneering ‘cloud-enabled’ datacentre
Where maximum security is taken to a whole new level

Scotland’s first purpose-built data centre sets new standards for safety and efficiency

BY WILLIAM PEAKIN

Chapelhall, near Airdrie, is not the first place you might think to retreat to in the event of the zombie apocalypse. But there is a building there, which, if you happened to know the right people, might just offer the chance of survival. It features motion-sensing CCTV, automatic number plate recognition (granted, your average zombie usually turns up on foot), twin anti-scale fences and a vehicle ‘airlock’ with anti-ram barrier (in the event of said zombies requisitioning an abandoned lorry). Inside, there are many more layers of security, overseen by police and military trained personnel, robust links with the outside world and enough independent power to last until even the most determined living dead lose interest.

Back in the real world, the building is actually Fortis; Scotland’s first purpose-built data centre and the largest, energy efficient facility in the country, offering high quality colocation hosting and innovative cloud services. Public sector organisations, financial services companies, the NHS
and life science firms will be able to store data and run applications in a secure, cost-efficient and carbon-neutral environment. The facility has been designed and will be operated by DataVita, a Scottish company formed for the purpose last year. Particularly for local and central government in Scotland, the centre provides the first real opportunity to bring efficiency into its data hosting strategy, by offering a facility that is big, efficient and secure enough to allow consolidation of the myriad public sector datacentres in use. But DataVita has also designed the data centre to meet the highest standards of compliance in the financial and health sectors, allowing it to win national and international business for Scotland. The centre will also boost Scotland’s green energy credentials, running on renewable power and using a cooling system that is among the most energy efficient in the world.

ONE MEASURE of a data centre is its
‘Power Usage Effectiveness’, or PUE. It is the multiplier of energy used over and above that to power the computer equipment (mostly that is cooling, but also lighting and any other power consumption). According to the Uptime Institute, the independent IT infrastructure organisation, the average data centre has a PUE of about 1.7. “The PUE at Fortis is 1.18,” said commercial director Gareth Lush,
“meaning that the average public sector organisation could save around £200,000 annually on energy costs alone by moving away from trying to run inefficient in-house computer rooms to hosting their IT equipment with DataVita – and that’s before you look at other potential savings from space and staff time being freed up. “It is also unprecedented in terms of quality and security – it will be the first data centre in Scotland to achieve Tier III certification from the Uptime Institute for design, construction and sustainable operations.”

DataVita goes live at the end of June and will employ up to 50 people. It’s a new business backed by a Scottish investor that was anticipating the future in diversifying its business, and two data centre experts – Lush and his business partner, operations director Danny Quinn; the brains behind the centre’s advanced features. They convinced the investor that it had the opportunity to build one of the most advanced, secure and efficient data centres in Europe and “bring to market a truly unique proposition,” said Lush.

Currently, Scotland’s co-location data centre space (that is, available to other companies and organisations, as opposed to a firm’s private dedicated facility) is close to its limit; there are only seven in Scotland (whereas there are more than 50 just within the M25). Existing data centres in Scotland
are also ‘retro-fitted’; adaptions of buildings previously used for another purpose. Fortis has been purpose built from the ground up (in fact, below ground also with secure, dedicated internet connections and back-up fuel storage facilities). Its system of generators promises continual operation in the event of loss of external power, and service to customers will not be interrupted by maintenance.

INSIDE, THE centre is accessible only
through a layered system of security beginning with an authorised appointment system for background-checked personnel only and continuing onsite with three factor authentication and radio-frequency identification cards that restrict and monitor, along with internal CCTV, a person’s progress through the centre. Proximity sensors
alert security if someone moves too close to where they should not be and visitors are even weighed before and after, ensuring they leave only with what they entered.

For customers, visits might be rare; DataVita is championing the ‘cloud-enabled’ data centre; integrating traditional data centre services with the cloud, via a secure portal allowing customers to visualise in 3D their equipment and data, manage power, run applications, drag and drop servers, and, if need be, create work requests to be fulfilled by onsite technicians.

The racks that contain customers’ servers are housed in secure pods and cooled using an ‘indirect, adiabatic free air’ cooling system that utilises a combination of outside free air and an adiabatic misting system on the outer airstream to cool the air in the datacentre without the two ever mixing. Scotland’s climate is a huge selling point as a location for environmentally friendly data centres (in drought afflicted California its more than 800 data centres use 158 Olympic-sized swimming pools of water a year to cool their equipment).

The whole project represents an investment of £200m: “It’s an investment in the digital future of Scotland,” said Lush, “cutting-edge, a potential boon to the public sector, a real opportunity for businesses and supporting breakthroughs in health and the life sciences sectors.”
Balancing the right to privacy with the duty to protect

A hack of Firefox and Google Chrome underlines the complexity of the encryption debate

BY BILL BUCHANAN

There are few things nicer than presenting some ideas in my home city, Edinburgh, a place that is thriving through IT innovation and enterprise. I really enjoyed the Scot-Secure conference (www.scot-secure.com) last week. It is always a responsive audience, and it’s a place you can present on some of the major issues of our time. To be invited as an academic to an industry-focused event is always a good thing, especially to stimulate a bit of debate around key issues. I also sneaked in a bit of maths and a reference to one of Edinburgh’s finest sons, John Napier!

There is a major dilemma faced with the development of a secure Internet: how to balance the rights of the individual to privacy, alongside the rights of society to protect itself. In the firing line is cryptography, where it is used to protect identities and secure communications, but, on the other hand, it is used to hide terrorist activities. The debate around cryptography is thus one of the major debates of the 21st century, and it shows no signs of reaching a conclusion.

IN THE UK we have the Investigatory
Powers Bill (IPB), where ISPs will log the communications of their users. The scope of this power is likely to reduce over the next five years, as almost 99% of all traffic on the Internet will be encrypted and ‘tunnelled’, which means that the logs will only contain the destination IP address, and there will be no details about the actual page
visited or its content. Along with this, the cloud service providers such as Microsoft, Google and Facebook are moving toward encryption by default, where it will not be possible to connect to the service unless it is encrypted. In the US, we see the developing Burr-Feinstein legislation, which has the Catch-22 clause that says the US companies must protect the privacy of US citizens but support the legal system in breaking any communications if required. To many technical people, this is an almost impossible situation, and could only really be done with a ‘back door’ in software. This back door could obviously leave flaws in software that could compromise the whole of the Internet. Poor coding caused many of the current flaws, but a back door in software is likely to be discovered or leaked. This could lead to large-scale data leakages, on a scale that could encapsulate the whole world. Just imagine if Google’s
private key was released to the world; every communication through Google would then be open to those with the secret key, or they could pretend to be Google and set up spoof search engines.

MANY COUNTRIES are looking at
ways of breaking secure communications, including Kazakhstan, which has a plan to replace the digital certificates that are provided over the Internet with their own certificate, and thus be able to listen to secure communications. HTTPS, the secure communications method for the Web, typically works by the client (the user) receiving a digital certificate with the public key of the Web server (such as Google.com), and then creating a new encryption key that they will share for the session. This session key is then encrypted with the public key of the server, and is sent back. The encrypted session key
is then decrypted with the private key of the server (such as Google.com). At the end of this process, both the client (the user) and the server (Google.com) have the same encryption key, and can now use it to secure the communications. We see here how important it is to keep the private key secret. The core of HTTPS is unique session keys which are only used once, and never stored. If there was some way to store these keys, law enforcement could easily go back and replay the encrypted communications.

So are there any back doors in the software that we use? At the event I demoed a simple method of getting the Chrome and Firefox browsers to create a back door and, by setting a simple environment variable, the system stored all the keys that they use for their communications. Tools, such as Wireshark, can then easily read these keys and decrypt the communications.

The debate around cryptography
is only just beginning, but it is one of the most fundamental debates of our time. Politicians think there is a magic wand that we can wave over the secure communications, but there isn’t. For law enforcement, it is going to be a challenging time. And for individuals, who knows? For us, we will continue researching weaknesses in cryptography, and in building systems that don’t use public key infrastructure and move toward keyless cryptography. Bill Buchanan is a Professor in the School of Computing at Edinburgh Napier University and a Fellow of the BCS and the IET. He currently leads the Centre for Distributed Computing, Networks and Security, and The Cyber Academy. www.linkedin.com/pulse/good-v-evilcatch-22-crypto-william-buchanan
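The key exchange described in this article, as an added example in Python (not code from the author, a browser or any TLS library): a toy RSA key transport showing both sides arriving at the same session key, and why a recording of the exchange becomes readable to anyone who later holds the server's private key or the stored session key. The fixed primes, the HMAC-based keystream and all function names are constructed for illustration; real HTTPS uses padded, full-size keys and standard ciphers.

```python
"""Toy model of the session-key exchange described in the article (added example)."""
import hashlib
import hmac
import secrets

# Constructed toy server key pair built from two known Mersenne primes.
# Far too small for real use and unpadded; it only illustrates the flow.
P = 2**61 - 1
Q = 2**89 - 1
N = P * Q                          # public modulus, carried in the certificate
E = 65537                          # public exponent, carried in the certificate
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, must stay on the server


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR data with an HMAC-SHA256 counter keystream."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        counter = (offset // 32).to_bytes(8, "big")
        pad = hmac.new(key, nonce + counter, hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], pad))
    return bytes(out)


def client_hello(public_n: int, public_e: int):
    """Client: create a fresh session key and encrypt it to the server."""
    session_key = secrets.token_bytes(16)   # 128 bits, used for one session
    wrapped = pow(int.from_bytes(session_key, "big"), public_e, public_n)
    return session_key, wrapped


def unwrap(wrapped: int, private_d: int, public_n: int) -> bytes:
    """Server, or anyone else holding the private key: recover the session key."""
    return pow(wrapped, private_d, public_n).to_bytes(16, "big")


def run_session(message: bytes):
    """One exchange: returns the client's key, the server's key, and the wire view."""
    client_key, wrapped = client_hello(N, E)
    server_key = unwrap(wrapped, D, N)
    nonce = secrets.token_bytes(12)
    ciphertext = keystream_xor(client_key, nonce, message)
    # Everything a passive observer could record from the network.
    wire = {"wrapped_key": wrapped, "nonce": nonce, "ciphertext": ciphertext}
    return client_key, server_key, wire


def decrypt_recording(wire: dict, private_d: int) -> bytes:
    """Decrypt a recorded session after the fact, given the private key."""
    key = unwrap(wire["wrapped_key"], private_d, N)
    return keystream_xor(key, wire["nonce"], wire["ciphertext"])


def decrypt_with_stored_key(wire: dict, stored_session_key: bytes) -> bytes:
    """Decrypt a recorded session given a session key that was logged to disk."""
    return keystream_xor(stored_session_key, wire["nonce"], wire["ciphertext"])


if __name__ == "__main__":
    sample = b"GET /search?q=napier HTTP/1.1"   # constructed sample request
    c_key, s_key, recorded = run_session(sample)
    print("keys match:", c_key == s_key)
    print("recording readable with private key:",
          decrypt_recording(recorded, D) == sample)
    print("recording readable with stored session key:",
          decrypt_with_stored_key(recorded, c_key) == sample)
```

The second and third checks are the article's two points in miniature: the private key opens every recorded session made under it, and a session key that is written to disk instead of discarded opens that one session.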
A hacker’s step-by-step guide to how you can beat the hackers

The six cyber security steps to protect your business from harm: from an ‘ethical hacker’ whose Facebook password is 125-characters long

BY KEVIN O’SULLIVAN

How do you best protect your enterprise from cyber-attack, a threat that is growing and costs business £34bn a year, according to the Centre for Economic and Business Research? Well, why not start by asking hackers themselves? In this case, Michael Jack, who is in the second year of an ‘ethical hacking’ course at Abertay University and works part-time helping businesses stay safe with the Scottish Business Resilience Centre. Here are Michael’s top tips for avoiding that embarrassing and damaging moment when you have to tell your customers their private data has been breached.

UPDATES
Always run your patches
After vulnerability scanning your network, the first thing to do is to make sure the software you use is patched (updated) with the relevant security fixes, bug fixes and improvements. As Michael says: “If you’re like the nice people at Mossack Fonseca who are running content management systems that have not been patched since 2013, that’s easy pickings for
people like me.” Larger businesses should have IPS (intrusion prevention systems) and an enterprise-wide YARA signature for detecting bugs like Shellshock and Heartbleed. Smaller firms will rely more on patches or the latest Windows Hotfix or critical OpenSSL update. “Just by being on the latest version of the operating system (Windows 10 or OSX 10.11) you’re mitigating a lot of the common attack threats that are out there,” says Michael. Older operating systems like Windows XP are no longer supported so are at risk; Windows 7 support is due to end in 2017, and Apple only support the two versions previous to the current version (OSX 10.10 and 10.9). The same applies to smartphones: make sure iOS is updated on Apple devices, and do the same with Android.
DATA PROTECTION
Back up your data, and back up the back-up!

“I promise you your back-up strategy will save you money,” says Michael. “It will save you money on really expensive data recovery people with fancy scanning electron microscopes and big magnets.”
Backing up data saves time and money and can defeat ransomware. If you have backups and you get attacked by CryptoLockers (a ransomware trojan) you can wipe your hard drive and restore from back-up within hours. Michael cites the example of an LA private hospital which had to pay millions of dollars in Bitcoins to get its data back, because it didn’t have a
back-up sufficiently isolated from its main system. Weekly back-up is probably the minimum if you’re looking to avoid aggravating the business and always keep another offsite, in case of fire or similar catastrophe. It’s advisable to encrypt the onsite backup and keep it in a safe. If it’s unencrypted it could fall foul of PCI-DSS (Payment Card Industry Data Security Standard) and ISO (International Standards Organization) standards.

ENCRYPTION
Encryption is not just for terrorists!

“If data is exfiltrated from your network and it’s not encrypted, once it’s left your perimeter the data has long gone,” says Michael.
You should encrypt as much as you can – but be conscious of who needs access to what in the business. Therefore, internal controls should allow for individual document encryption, especially for important financial information. Full disk encryption is available through Mac OSX (FileVault) and Windows (BitLocker/Drive Encryption).

“If you can encrypt everything, encrypt it, but if you think you’re going to forget the password please don’t encrypt without writing the password in a book and locking it in a safe. The look on an average person’s face when they tell you they’ve enabled FileVault (Mac OSX) and then forgot the password, it’s a special sight to behold but not one you really want to see that often,” says Michael.

Smartphones, if supplied to employees, should also be encrypted – in Apple iOS it’s advisable to set up the erase data function; in Android encryption can be found through the security settings.

PASSWORDS
Size does matter!
Hackers can machine generate quadrillions of combinations of characters to ‘guess’ passwords, so the longer the better. Turn four words into a ‘pass phrase’ of 15 characters or above. These are much harder to crack than eight- or nine-character passwords, which can be cracked by ‘brute force’ methods.

If you can’t remember your password, get a password manager like One Pass or Last to generate long, random passwords for you, and back up, enabling two-factor verification where possible. Use apps like Authy, which couple the device to the password for the service you are trying to access, by using an additional six-digit code.

Check online whether your email accounts have been compromised in any data incidents using resources such as haveIbeenpwned? (https://haveibeenpwned.com). Try not to use low numbers like 1,2,3 and letters like the vowels a,e,i,o (these are commonly chosen) and use the space bar (this counts as a character and makes a password harder to crack). Use services which have in-built ‘rate limiters’ (limiting the number of times a password can be entered before you are locked out of an app).

PHISHING/MALWARE
Education, education, education
Around about 80% of corporate breaches are through phishing emails, according to research. Within your
enterprise make sure there is user education and mandatory reporting of phishing emails, because the chances are that not all staff in an organisation will be aware of them. Phishing emails can get people to click a link through to a cloned website allowing hackers to take control of their accounts.

Use enterprise-wide ad blockers – hackers like trying to take control of ad networks that serve ads to websites with malware built into the ad. Some in the enterprise may accidentally or purposefully click on an ad.

Use secure, encrypted browsing through browser extensions like HTTPS Everywhere – available on Firefox, Chrome and Opera. You can see if websites are encrypted if they have a padlock sign next to the URL.

SOCIAL MEDIA
Great fun, but a risk as well
Be careful what you say! Information you reveal about yourself can be ‘socially engineered’ by hackers and fraudsters looking to target people – especially the wealthy, or corporate executives. Facebook, LinkedIn, Twitter and Instagram are all great fun but they can allow access to your most personal thoughts, family information and even where you live!

Michael Jack is a 2nd year BSc Ethical Hacking student at Abertay University, Dundee. He works part-time for the Scottish Business Resilience Centre and has specialist knowledge in cryptography, defence and counter-terrorism. He presented at Scot-Secure 2016, run by Scot-Tech Engagement at Our Dynamic Earth in Edinburgh on Thursday, April 21.
Technology recruitment: Why speed is of the essence

Cathcart Associates says firms in the hunt for the best talent must be prepared to move fast

BY KEVIN O’SULLIVAN

Companies need to be more agile, flexible and quicker to market when looking to hire the best technology talent, according to one of the country’s leading recruiters. Cathcart Associates, which recruits top IT specialists, believes the intense competition for the best software developers risks leaving some firms behind in the race to find candidates. Sam Wason, director of the Edinburgh-headquartered recruiter, said the most successful firms are those who quickly get through the selection process, leaving their rivals behind.

“The biggest killer is speed,” says Wason. “It’s the reason for not filling more vacancies, because companies are not agile enough. A four-stage interview process might sound great in
principle, but if it’s an HR assessment, followed by technical tests, and then a psychometric test, and a panel interview, it can take months. By that time the candidate has got another offer. “You really can’t afford to do that unless you’re someone like Google; if you have that cachet and reputation then the candidate will wait but if it’s too onerous it won’t work. If you can shorten the selection process you’re already ahead. “It’s one of the reasons that smaller companies can attract better candidates than bigger companies – because they can make candidates an offer quicker.” Cathcart Associates is what is termed in the industry a ‘360-degree’ recruiter; it differentiates itself from account manager-based forms of the service – which are more sales-focused – and recruitment process outsourcing (RPO), which removes the recruitment function from a business entirely, outsourcing it to another firm. With 360-degree recruitment, the same consultant works with the client on their needs and the candidate with
their requirements, rather than several recruiters, account managers and resourcers getting involved in the process. This gives a substantially better chance of finding the right match for both. With other recruitment models, there are too many people in the chain, and the message can get lost. “Both sides of the equation have to match up,” Wason explains. “With account management styles of recruitment, I believe there is too much emphasis on the ‘sale’, so clients and candidates don’t always end up with the best experience. We prefer to position ourselves as a recruiter that can translate what a client might want into what a candidate is looking for – we have an input into the whole cycle.” Wason believes the firm’s ethos of finding talented graduates and training them up rather than hiring ex-recruiters from other firms has an advantage over using RPO firms as well. “We had a client who was really switched on, and would be very quick to engage with us when we found them the right candidate,” he says. “We would arrange an interview straight away and get an offer back within a week. “But their recruitment model changed a couple of years ago and they decided to use an outsourced recruiter to make hiring decisions. But they don’t necessarily know what they’re looking for so it wasn’t anywhere near as quick or effective as the service we could offer.” Wason believes the fact that his
company – which caters for contract and permanent staff – is set up to operate in technical niches gives them the advantage over the competition. The consultants spend their entire careers building up knowledge of a particular technology or area of expertise, and therefore the candidates that do that job. “I think that is one of our big advantages,” he says. “This focus means we are tracking the careers of the best candidates over time. It’s difficult for recruiters right now, as there are fewer candidates than there are jobs: it’s a buyer’s market. The candidate has control, and while I think some clients have had to come to terms with not holding the balance of power, others are starting to understand that if they offer the best package they can, financially and in terms of benefits, they will be much more attractive to candidates. This applies especially to tech SMEs; the best candidates out there will go and work for the likes of Skyscanner or FanDuel, so the smaller firms will definitely gain an edge if they, too, have a good story to tell.”
THE CLOUD
If you thought the Mighty Morphin Power Rangers were scarily impressive, just wait until you meet the Edinburgh team who help bring them to the world

Cortex is pioneering a new way of hosting enterprise websites

BY KEVIN O’SULLIVAN

The Mighty Morphin Power Rangers website is delivered by Cortex from its offices in Edinburgh

Peter Proud, founder and MD of Cortex, right, with Jason Cockrum, Director WW Education Marketing at Microsoft

It devours data at such a rate that it has become affectionately known by those who work on it as ‘The Ripper’. It tears up gigabytes of information, shreds images and lines of code and deposits it back into a new environment, faster, leaner, meaner. Technically, it’s termed an ‘ingest tool’ but The Ripper sobriquet is much more fun: a bit like the global legion of clients Edinburgh-based firm Cortex works for, which includes the Mighty Morphin Power Rangers, by Saban. When I catch up with Peter Proud, the firm’s founder and MD, he’s in good spirits. After 18 months of rigorous development, design, build and testing work, he now has a platform which he can sell to corporations with a complex, global bank of digital assets. It’s a cloud-based enterprise delivery system which allows them centralised control of their many marketing websites with ‘near-instant localisation’. The ingest tool is just part of that process, more of which later. His office is also something else. Located at Waverley Gate, on Princes Street, the sprawling, open-plan floor features cosy seating pods, a gigantic boardroom and a signed jersey on the wall from Seattle Seahawks American football star Russell Wilson (the firm was brought in to stop the Super Bowl’s website from repeatedly falling over last year).

IT’S ALSO in the same building as Microsoft, a company Proud knows very well, having worked for the world’s third-largest company for 14 years. They are now in fact a client, with Cortex responsible for delivering the enterprise architecture for Microsoft’s global education website, with discussions underway to begin hosting more of the Seattle-based company’s web services. It’s not something I had expected, to say the least, that a small start-up with 14 staff (albeit with some considerable weight behind them; WPP Group, the world’s largest advertising company is the largest shareholder), would be able to control some of the digital footprint of a $340bn company. “This is part of the reason we came into this building, because it’s close to Microsoft – we’ve all got Microsoft badges so we can get in, and we can go and control their DNS. We can control all of Microsoft.com’s infrastructure. It’s probably a bit too much power, actually.” But it’s clear Cortex are a trusted entity: Proud digs out an old group photograph featuring him and Bill Gates. We are unfortunately not allowed to publish it (Microsoft is very protective of its founder, and the world’s richest man). But the image, taken on February 20, 2006, neatly illustrates the genesis of how technology and marketing functions within large companies – in this case the client was Unilever – began to converge. “From one conversation my career took a total change,” says Proud. “I put this meeting together after the CIO of Unilever came to me and said, ‘Look, we’ve never been able to speak to marketing’. “And if you look at the way technology and marketing are converging you should be getting closer to the CMO. So I asked Bill to do a two-hour session on the connected consumer in 2006, which was quite early on in this world, and we did something like $50 or $60m in revenue on the back of this meeting, which was unplanned, it just randomly came about.” Proud said he was then able to go off and do some “really cool things” for Microsoft, like starting the One Microsoft Programme, building the company’s enterprise market (it already had 1.5bn consumers), starting a platform called Bundle (later sold to Capital One) and creating a ‘stack’ for marketing, which laid the foundations for where he is now. “I ran a session whereby we got 86 product teams in one room, which had never been done before. We ended up with a stack for marketing. We came up with an idea for an infrastructure layer, a services layer, a data layer, a content creation layer and then a distribution channel for marketing.”

AFTER WORKING at a senior level for Accenture, Proud then decided to go it alone. With Cortex, he has sunk £3m of investment into the company – some of it his own, plus investment from WPP – bringing in Microsoft consultants (who else?), and has based his business on the Microsoft Azure platform. He is in the process of trying to get a patent for the “rock solid” platform, which can build websites in around three minutes. “We’ve turned the whole way the industry works on its head. Everybody starts by building the CMS (content management system) and tries to build on top of it – but they’re not very scalable, they’re not very secure, and kind of clumsy, so we’ve just taken that element out and used Azure websites, with a built-in connector where you can use the CMS as the editor. The CMS used to do the editing and delivery but we’ve broken it apart so the delivery is done from a very scalable cloud infrastructure and you just hook the editing capability into it.” For the Microsoft Education site, which spans 120 pages, Cortex developers used the ingest tool they had created to suck in all the existing content on November 22nd last year, and ‘re-platformed’ it four weeks later. So how good is Azure, as an enterprise delivery system? “It’s awesome,” says Proud. “Microsoft have got it so right. They are going to do so well. What we’ve done is really unique as well – we’ve given global, local capability, so all of the stuff that is controlled from the centre is bolted down and controlled centrally from Seattle (headers, footers, main/core products etc) and then the local subs have got access to control things locally.” The technology also allows a much faster page loading rate; the websites not only look slicker, they respond much more quickly, too. As a result the ‘bounce rate’ – visitors who come onto the site but leave soon after – dropped by 55%, and page views went up 46% in a month. Proud is keen to demonstrate the quickness (his mantra is ‘crawl, walk, run’) and shows me some demo sites – another client is Dyson – on a giant screen in the boardroom. They don’t disappoint. The Dyson site is particularly impressive. Featuring some staggering CGI – Proud is working with a creative director in London – the 360 Eye Robot website even allows you to shake the dust off the vacuum, using a tablet. “It’s beautiful isn’t it?” says Proud. “And it’s just a vacuum cleaner.”

PART OF the process for creating websites for global companies is the rather obvious need to translate them into different languages: the Dyson site alone is in 39 countries and 28 languages. Working so closely with WPP Group allows Cortex to call on the support of its translation team. However, things don’t always go to plan. On one translation for the Microsoft Education site there was a line on how the company wanted students to be ‘passionate’ about what they learn; in the Chinese version it came back as wanting students to be ‘sexual’. Needless to say the error was quickly corrected before it went live. As for the direction Proud wants to take his company, he is clearly ambitious and sees no reason why Cortex can’t be a £250-300m company. However, he has taken a step back from the demands of constant transatlantic travel, and is obviously happier based at home in Scotland (Fife to be precise). He has an enthusiasm for teaching, and has taken on two apprentices, including a “really smart” kid straight from school; some will work towards the Microsoft Certified Solutions Developer course and within two years will become highly-paid individuals. He is also keen to recruit “good dotnet people”, as it’s easier to train up engineers to become proficient in content management systems than the other way around. The apprentices are actually cutting their teeth at helping the Glasgow-based Homeless World Cup (Cortex’s only Scottish client: 98% of the business is elsewhere in the world) with its website, lending its services for free. Now it has proved its technology can work – and The Ripper happily chews its way through a raft of new clients, including Group M (the world’s largest media investment company) – Proud is obviously happy that his stack idea has come to fruition. He wants to go on “delivering global, scalable, rich user experiences” to as many clients as he can. And he’d particularly like to get plugged into the Scottish market. “If there were more companies here on our doorstep we could help that would be quite nice. We could quite easily help the whisky industry, the tourist industry, maybe even VisitScotland, any organisation that needs to project itself out to the world.”
COVER STORY

The future of the internet might lie in a hut in Troon with a software company whose boss is a part-time lifeboat helmsman

Stranger things have happened but could MaidSafe’s plan for an alternative internet actually float – or sink without trace?

BY KEVIN O’SULLIVAN

Two years ago a little-known software company from Troon rather unexpectedly announced that it had raised $6m in the space of five hours by crowdselling access to a new product they had not even yet created. Through its own community forum, a developer mailing list and Google Hangouts, the firm in question, MaidSafe, had managed to excite enough people to invest in what was – and still is as I write – an idea. If it was a pitching effort on Dragons’ Den, you might expect to be told ‘you don’t have a business’, but that hasn’t stopped a dedicated team of developers run by a part-time lifeboat helmsman in a seaside town otherwise known for its golf course and its ice creams. But for those who have supported MaidSafe over the last 10 years – friends, families and a grassroots online community (company COO Nick Lambert jokes that they are “one of the world’s oldest startups”) – it is because of a deeply-held belief in their cause. That cause, not to put too fine a point on it, is to create a new internet. As jaw-dropping as that sounds – it’s “bonkers” according to one of their advisers, Michael Jackson, the former COO of Skype, who has taken an active interest in the tiny firm which operates out of a ramshackle hut-like office – the idea is grounded in some pretty sound principles, as I am increasingly persuaded during conversations with both Lambert and Jackson. To grasp why MaidSafe could
potentially have a huge impact on the digital world, it helps to look back at the history of the internet, which was originally designed to be a means of communicating information across a decentralised network.

THIS IDEA came about in the mid-1960s and the first workable internet was ARPANET – a US Department of Defense research project. It has been claimed that the intention of this project was to create a pool of critical government and military information spread across a network that could survive a nuclear attack, although those design goals are still debated. Nevertheless, Lambert’s argument is that the internet has paradoxically evolved to become very centralised, with vast corporations holding much of our private information in remotely located data centres around the world. We trade much of our information – sometimes reticently, sometimes willingly – for access to many of the ‘free’ web services we enjoy: Facebook and Google to name perhaps the two most powerful. There is a tacit understanding – tied up in many, many pages of ‘privacy’ agreements that we accede to – that our information may be sold on to advertisers, hence why we don’t actually pay for any of these services. It is that trade-off, a necessary one for the current free models to work, that has partly inspired MaidSafe – through the idea of its founder David Irvine – to establish an alternative internet, where the network is returned back to its original decentralised state, and where we can all exercise our fundamental human rights of privacy, security and freedom. That is all very well, and more than a bit theoretical, but who can claim these days that they feel safe when browsing online that the many usernames and passwords they enter into websites to access their banks, social media accounts and emails are immune from
loss or theft by increasingly sophisticated hacking attempts? You only have to think of the attacks on Sony and Talk Talk to realise that our data can be very vulnerable. And it’s not just a feeling. According to the Breach Level Index – a survey by the world-leading digital security firm Gemalto – more than 3.6 billion data records have been exposed worldwide since 2013 when the index began benchmarking publicly-disclosed data breaches. The report found that in 2015, ‘malicious outsiders’ were the leading source of these breaches, accounting for 964, or 58%, of breaches and 38% of compromised records, while identity theft remained the primary type of breach, accounting for 53% of data breaches and 40% of all compromised records. These breaches increasingly leave people with the unnerving sense that they might be next, a sentiment echoed in last year’s Eurobarometer – an EU-wide survey of 28,000 people on the subject of data protection. The central finding of the survey shows that trust in digital environments remained low. Two-thirds of respondents said that they were worried about having no control over the information they provided online, while only 15% felt they had complete control.

David Irvine, MaidSafe chief executive and founder, left, with company chief operating officer Nick Lambert

SO, IF AN alternative way of data storage and communications could be created, it would surely command a great deal of popular support. And this is where companies like MaidSafe could potentially come in, with its SAFE (Secure Access for Everyone) network. Originally using the software language C++ (this has now been supplanted by Rust, a simpler, more efficient code) the company is about to launch its MVP (Minimum Viable Product) to the world, where it will hopefully demonstrate that SAFE not only works, but is much better than what we currently have. “The SAFE network is a crowdsourced internet replacing data centres and servers with users’ spare computing resources,” explains Lambert. “What we are creating here is an infrastructure and what we will be trying to do is engage with application developers like Dropbox, like social networks, who can then build applications on top of the network knowing that all the privacy and security considerations are taken care of.”

ALTHOUGH THE concept is difficult
to grasp – for me at least – the basic theory behind it is that the network is the users themselves. So rather than uploading our files to data centres and servers that are prone to theft (and surveillance, as the Edward Snowden revelations demonstrated), when we join SAFE we become part of a direct peer-to-peer data storage and communications network. There is no need for a middle man. This is revolutionary stuff, if it works. There is also no fee for joining but a payment in kind: users donate their computing power and spare resources (the unused part of our hard drives)
and in return they earn a cryptocurrency called Safecoin, which can be exchanged for access to services; those app developers are in turn rewarded in Safecoins which are earned according to the number of people using their applications; they can also be traded in for hard cash. If MaidSafe became the alternative internet of tomorrow, Facebook’s business model might well collapse if it lost the advertising revenue from people’s data it potentially wouldn’t be able to see. But it would have a new revenue stream through the amount of Safecoins it was able to earn, creating a subscription model instead. Lambert believes companies might choose to hedge their bets by offering their applications on the old internet and MaidSafe’s new one; but what it does do is offer a competitive advantage to services which might struggle to break into the top tier of its market. IN CLOUD storage terms, Lambert
says, that would help the 40 or so providers who sit beneath the likes of Dropbox, Google Drive and Microsoft OneDrive. The really clever part, in security terms, is that any data we may eventually store in the SAFE network is encrypted, broken into chunks and
randomly distributed across all the users. “The cool thing about that is those locations where that data is stored is constantly changing so if you turn your computer off, people still need to access it, so the network copies it across to another node that it knows is online,” says Lambert. “So it’s making it even more secure, where in the centralised web it’s insecure because a lot of the time it’s not encrypted but it’s also not secure because the location stays the same and people generally know where to look.” The retrieval process is also more secure because the password needed to access data is locally stored: all you need is a PIN, a keyword and a password. The PIN and the keyword locate your data on the network and then the keyword delivers it back to your machine, where the password decrypts it. “The password never leaves your machine,” adds Lambert. “You never send your password to the network in the same way that you would with other services.” I ask whether MaidSafe will protect locally stored passwords, and Lambert accepts there is still an issue with keystroke logging software and ‘end-point
security’; there are USB-type plug-in devices like Trezor, Lambert adds, but it is an issue they are alive to. ANOTHER potential problem with the
software, which is similar to blockchain technology (in that it is a distributed network), but crucially different because it offers complete anonymity, is that it could be used for nefarious purposes, which makes it harder for the security services to stop criminality. While ideal for ordinary private citizens who want their digital footprint to remain private, it is not so great if you are GCHQ or the NSA. “I think this will present problems for security services,” adds Lambert. “But mass surveillance of data doesn’t actually get them anything. It’s been proven time and again that being able to read my emails and your emails doesn’t actually catch more terrorists. These events are so freak that nothing can predict them, so having this information is useless.” Lambert adds: “The other thing is that it also presents opportunities for government, which has its own difficulties trying to hide information.” Another interesting debate will be on the issue of rewards. The centralisation of Bitcoin through the growth in size of mining firms is at times detrimental to that network, Lambert
argues. “It’s something we are acutely aware of,” he adds. “There’s no point having a decentralised network only for it to become centralised again, so we’ve put a mechanism into the farming (end users are ‘farmers’ and developers are ‘builders’) algorithm whereby you earn a certain rate until you get to about 20% above the average. So let’s say the average amount of data stored on each node on the network is about 40GB; you will continue to earn up to about 50GB and then 20% above the average rate the earning algorithm will flatten out, so you won’t earn any more.” It sounds like a neat solution to stop power accumulating at the top but again you can also argue that hard-coding a rule into the network is interference in the concept of the free market.

MAIDSAFE IS a company that has
generated an awful lot of interest among its user community; to raise the amount of money it did through a grassroots crowd-sale is quite staggering. But without the product being rolled out, it’s very hard to quantify what its impact on the market will be. We have all heard about attempts to disrupt existing business models, but to disrupt the entire internet seems like an impossible dream. When I catch up with Michael Jackson, who has moved on from Skype (he is now a partner of Luxembourg-based venture capitalist Mangrove Capital Partners), I’m keen to know whether MaidSafe is a horse worth backing. “It’s a crazy thought,” he says. “That’s why I like it. But Skype itself was a pretty crazy project for a lot of people. I was involved with that right from the beginning. We had all of these people saying, ‘You can’t do it’, ‘You won’t do it’, ‘Nobody will let you do it’. But in the end the proof was there; we
did manage to pull it off. And of course Skype had very few resources but it went on to make a pretty big impact.” On the practical side, Jackson, who stresses he is a friendly adviser (he has visited the company in Troon, describing their office as a bit like a “Nissen hut”), says the promise and philosophy of MaidSafe is great, but the onus is now on them to deliver. “For all the ideas, the proof is in the customers, or users, if you want to call them that.” “It’s a massive project; the idea of turning the privacy concept of the internet on its head is really quite ambitious. And it’ll take a very long time to be meaningful. So I think what MaidSafe has to do is to push itself quite quickly into a position where people begin to see the value of it. Then they can get themselves behind the project.” According to Lambert the MVP will be a quiet launch within the next few weeks. An excited developer forum is currently preparing for the open source network to arrive. Safecoin will take a while longer, but finally people will be able to understand what 18 staff – 10 in Troon and eight located around the world in countries like Australia, Slovakia and Brazil – have been doing, behind closed doors, for so long.
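The storage and retrieval idea Lambert describes in the article (data encrypted, broken into chunks and spread across nodes; PIN and keyword locate it; the password decrypts it locally), sketched as an added example that is not MaidSafe's code. The key derivation, the SHAKE-256/HMAC sealing (a standard-library stand-in for an authenticated cipher), the chunk size and every name below are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import random

CHUNK_SIZE = 64       # bytes; tiny so the constructed sample spans several chunks
KDF_ROUNDS = 100_000  # PBKDF2 iterations (illustrative work factor, an assumption)


def derive(secret: str, salt: bytes, length: int = 32) -> bytes:
    """Stretch a human-chosen secret with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, KDF_ROUNDS, dklen=length)


def locator(pin: str, keyword: str) -> str:
    """Network address of the user's manifest, derived from PIN + keyword only."""
    return derive(keyword, b"locator|" + pin.encode()).hex()


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC with a 64-byte key: nonce || ciphertext || tag."""
    enc_key, mac_key = key[:32], key[32:]
    nonce = os.urandom(16)
    stream = hashlib.shake_256(enc_key + nonce).digest(len(plaintext))
    body = nonce + bytes(a ^ b for a, b in zip(plaintext, stream))
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> bytes:
    """Check the tag first, then decrypt; a wrong password fails here, locally."""
    enc_key, mac_key = key[:32], key[32:]
    body, tag = blob[:-32], blob[-32:]
    expected = hmac.new(mac_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong password or tampered data")
    nonce, ciphertext = body[:16], body[16:]
    stream = hashlib.shake_256(enc_key + nonce).digest(len(ciphertext))
    return bytes(a ^ b for a, b in zip(ciphertext, stream))


class Network:
    """Constructed stand-in for the peer network: a few nodes holding opaque blobs."""

    def __init__(self, node_count: int = 4):
        self.nodes = [dict() for _ in range(node_count)]
        self.seen = []  # everything ever handed to the network, for inspection

    def put(self, address: str, blob: bytes) -> None:
        self.seen.append(address.encode() + blob)
        for node in self.nodes:          # drop any older copy first
            node.pop(address, None)
        random.choice(self.nodes)[address] = blob  # placement is random

    def get(self, address: str) -> bytes:
        for node in self.nodes:
            if address in node:
                return node[address]
        raise KeyError(address)


def store(net: Network, pin: str, keyword: str, password: str, data: bytes) -> str:
    """Encrypt locally, scatter the ciphertext chunks, file a sealed manifest."""
    where = locator(pin, keyword)
    key = derive(password, bytes.fromhex(where), 64)  # never handed to the network
    sealed = seal(key, data)
    addresses = []
    for i in range(0, len(sealed), CHUNK_SIZE):
        chunk = sealed[i:i + CHUNK_SIZE]
        address = hashlib.sha256(chunk).hexdigest()   # content-addressed chunk
        net.put(address, chunk)
        addresses.append(address)
    net.put(where, seal(key, "\n".join(addresses).encode()))
    return where


def fetch(net: Network, pin: str, keyword: str, password: str) -> bytes:
    """PIN + keyword find the manifest; the password decrypts on this machine."""
    where = locator(pin, keyword)
    key = derive(password, bytes.fromhex(where), 64)
    addresses = unseal(key, net.get(where)).decode().split("\n")
    return unseal(key, b"".join(net.get(a) for a in addresses))


if __name__ == "__main__":
    net = Network()
    document = b"constructed sample document " * 8
    where = store(net, "4921", "lifeboat", "correct horse battery", document)
    print("manifest address:", where[:16] + "...")
    print("blobs held per node:", [len(node) for node in net.nodes])
    print("round trip ok:", fetch(net, "4921", "lifeboat", "correct horse battery") == document)
```

The network object only ever receives derived addresses and ciphertext, which is why a keylogger on the user's own machine, the end-point issue Lambert concedes, remains outside what this design protects.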
CYBERSECURITY

Unmasked: Where the real danger to company security lurks

Cyber attacks might originate with a reclusive teenager in a white mask, but if organisations want to be safe from them they should focus not on their IT department but on their boardroom.

BY WILLIAM PEAKIN

Paul Boam is speaking about his father, a fireman for 25 years. “When he stays at a hotel, the first thing he does is drop his bag and walks out, via the fire escape. He’s checking it works. At home, before he goes to bed at night he makes sure there’s a key in every door so there would be no delay in getting out. He’s fastidious about alarms, about having the right kind of fire extinguisher. It’s because, in his job, he’s seen some terrible things …” Boam, a security consultant, is reflecting on the advice he gives to companies about how they can protect their assets from being targeted by a con, a cyber attack or, indeed, an artful blend of the two – and how he leads his own life online and in the physical world. “You can’t go through the mayhem that has been caused to some of the people that we work with and not bring the experience home with you and think: ‘You know what? I don’t want that to happen to me’.” He has a clear message for chief executives and company boards; the answer does not lie in technology. Yes,
technology can help protect companies but it is as much about culture: how executives lead their work and personal lives, the practical measures that a company takes to protect its assets, and how confidence can be instilled in employees to challenge any attempt – overt or covert – to circumvent those measures. The number of recent high-profile hacks of company data – among them Target and Ashley Madison in America and Talk Talk here – has encouraged a belief that cyber security is a black and white issue; that the threat is technological, the solution is technology and it is all down to the IT department. Wrong, says Boam, who is technical director for the Stirling-based firm Net-Defence. Technology can provide a layer or layers of security, but companies are vulnerable in a myriad of ways and human behaviour is often the most significant. LAST JULY, a global healthcare
company lost £18.5m when a fraudster telephoned its finance department in Scotland and requested money to be transferred to accounts in Hong Kong, China and Tunisia. The financial controller believed the man to be a senior member of staff and exchanged several calls with him as well as emails. The scam involved a combination of social engineering, based on what Boam describes as ‘open source intelligence’ – information available on the internet and social media – and digital manipulation; spoofing the executive’s email address, something which Boam says is easy to achieve. According to the FBI, impersonating the email accounts of chief executives has cost businesses around the globe more than $2bn in a little over
two years. The FBI has seen a sharp increase in ‘business email crime’, a simple scam that is also known as “CEO fraud”, with more than 12,000 victims affected globally. The average loss is $120,000 but some companies have been tricked into sending as much as $90m to offshore accounts. “It is about your business’s culture and it has to be led from the top,” says Boam. “You can’t pay lip service to it because if you do you will be compromised in some way. It involves a combination of people, processes and technology. Irrespective of where they reside, they can lead to a multitude of risks. It doesn’t necessarily have to be in relation to cyber; that’s just one way that the risk might manifest itself. The chief executive and people at executive level have to take ownership of all the risks and not just consider it to be an IT problem. “If we speak to a business, have a conversation around risk and security, and they say: ‘You need to talk to the IT director’, then we know we have a challenge. It’s not about technology; it’s about people. Management systems are at the core of the most effective security. If they are embedded at a senior level, at corporate governance level, they work. The further they move down, away from corporate governance, the less chance they have for success. Boards need to truly understand the risks they face.” A REPORT BY IBM earlier this year
revealed a disconnect between technology leaders in companies – chief information officers, for example – and the rest of the executive team. It found that chief marketing officers, chief financial officers, chief human resources officers and even chief executives were
among the least engaged when it came to cybersecurity threat management activities. “These executives often feel as though cybersecurity preparations didn’t include them in a functional approach,” according to the report. “CEOs were the most sceptical of all when asked whether the cybersecurity strategy of their enterprise was ‘well-established’.” The report warned: “As to the wisdom of such a stance, the number of CEOs that have lost their jobs — or quit voluntarily — after a major data breach speaks for itself. CEOs cannot afford to be complacent about security, and that means everyone in the ‘C-suite’ has a role to play. If there’s a disconnect, the CEO must send a clear signal that all parties are to work out their differences — or in some cases their indifference — to own up to their responsibilities and help lead the organisation toward a healthier cybersecurity.”

Hackers have made the headlines with large-scale data breaches from major organisations. Safety from similar cyber attacks is as much to do with company culture as it is with technology

BUT UNDERLINING Boam’s point
that it is not all just about technology, earlier this month, the Scottish Business Resilience Centre (SBRC) highlighted a report by the City of London Police National Intelligence
Bureau. Fraudsters have recently taken to targeting affluent residential areas, mainly in London but according to the SBRC the threat is valid across the UK, and criminals have been stealing post to identify senior executives within companies and organisations. “Once the fraudster has stolen the mail, open source research is conducted to identify if the victim works within a suitable position to ultimately become a target. The fraudster uses social engineering to gather information on them and their employer and then contacts the organisation, purporting to be the victim, to carry out mandate and payment diversion fraud on the company,” it said. Boam says awareness of the risks, taking responsibility from the top down and giving employees the confidence to challenge what could turn out to be breaches of security are key to securing a company’s assets. But even being proactive does not always bring with it good news. Boam related one case in which a company called in Net-Defence to consult on its security. A routine check of its server logs revealed it had unwittingly been the victim of a data scam for the past five years.
‘If information about your business is for sale on the dark web you really ought to know’
BY PAUL BOAM
What is a cyber threat? It’s a simple enough question with a hundred different answers reported daily with increasing sensationalism by the media. Where does it come from? Is it reclusive teenagers in their bedrooms? Is it Chinese or North Korean hackers? Or is it the people with the white masks? What do they want to do? To attack critical infrastructure, steal company data or empty bank accounts? What is cyber, and what is the dark web? It is human nature to gloss over the things we do not fully understand, to ignore or play down a threat in the hope it is never carried out. Organisations that sensationalise
these attacks and their impacts are also to blame, because we become desensitised to what is around us. However, there are two key, impartial, indicators that we should recognise. The first is that the UK government is spending significantly in this area. The second is that insurance companies are splitting cyber insurance from other types of risk, to protect themselves from claims from victims of cyber-related crime. So what, as a business or organisation, can you do that is sensible and achievable? The first step is to cut through the noise and understand the facts as they relate directly to you and your organisation. You will have a unique threat
profile that depends on what you do, where you do it, how you are funded and how you operate. If information about your business is for sale on the dark web – content on the internet not visible using traditional browsers – you really ought to know, in much the same way that you should be aware if a particularly aggressive competitor has been targeting your clients. The threat should be explained in plain English, with no acronyms, and be supported by evidence. It is not your job to understand the technology, but it is your job to manage real risks to your business. Paul Boam is technical director of Net-Defence net-defence.com
TECH HUBS
Edinburgh’s Quartermile development reflects a city that is a vibrant location for both innovation and culture
How did Edinburgh become a tech hub to rival London? The answer: collaboration
A dynamic partnership involving businesses, universities and government is driving the capital’s success
BY MARCUS FORD
Scotland is setting the pace in the fast-evolving technology sector with a flourishing growth rate that is helping to drive Edinburgh’s emergence as a key hub to rival London. With more than 50 years of technology manufacturing experience, Scotland continues to forge a global reputation for innovation, and for excellence. This is an encouraging success story that is rooted in a dynamic collaboration between business, universities, and the Scottish government; partnerships that are underpinning a sector in the business of generating success. There have now been around 3,000 start-ups in the last five years, and Scotland’s wealth of talented people and world-class universities, together with support for research and access to funding, is spawning some of the most exciting businesses in the global technology market. At the heart of this burgeoning sector is Edinburgh, one of only a few UK cities outside of London that is
home to technology ‘unicorns’, where businesses have been valued at more than $1bn (£700m), with predictions for that number to grow as technology industries continue to develop their international muscle. Edinburgh’s existing unicorns are digital big-hitters Skyscanner, the flight comparison website, and FanDuel, the fantasy sports website, and with overseas investor interest on the up, the potential for international growth is clear. The role of the University of Edinburgh’s research and innovation unit, Edinburgh Research and Innovation (ERI), remains key to developing this success. ERI is one of the UK leaders in the successful commercialisation of the intellectual property generated from the university’s world-class research, through licensing technologies to existing companies, and new university spin-outs. IN THE last five years, the university
has supported the start-up of more than 180 new businesses in the area, with 44 helped by ERI in the past year alone. Edinburgh’s technology hub is now made up of fast-growing start-ups such as Cortex, pureLiFi and Pufferfish, in addition to the established international companies Microsoft, Apple, and Amazon. Edinburgh also hosts business-based assets such as Codebase, the UK’s largest incubator, CodeClan, Scotland’s Digital Skills
Academy, and Informatics Ventures, the Edinburgh-based commercialisation support mechanism. The university is also working with Scottish Enterprise’s High Growth Spin-Out Programme to build Scottish companies that have the potential to achieve a
£5m turnover or a commercial investment of £10m within five years, with projected continued growth. Another important aspect of making Scotland, and Edinburgh in particular, so attractive to investors, in addition to the quality of research and projects, is the entrepreneurial culture surrounding its world-renowned universities. It’s also significant that the higher education system, where Scottish university and college students do not have to pay course fees, results in the creation of highly-trained individuals who are not carrying the levels of debt that may burden graduates from other areas, and are therefore more inclined to take a chance on a start-up rather than look immediately for the security of employment. EDINBURGH CAN also offer an affordable and attractive quality of life, and this overall vibrancy in terms of entrepreneurial culture is helping to fuel the levels of success, with students in this city immersed in an environment that is alert to the potential of innovation and commercialisation. Investment in Scottish technology has increased in each of the past three years, up by 45 per cent in 2014 against the previous year, with the amounts invested also rising by more than 20 per cent, and with a particular surge of interest in ICT. Total investment is now close to its highest level of £250m
which was reached in 2001. David Smith, Director of Technology and Engineering at Scottish Enterprise, says Scotland’s capital is providing a platform for the upsurge in Scotland’s new and innovative companies. “There’s a real buzz around the Edinburgh technology scene which is growing in prominence as one of the leading European tech cities due to years of sustained investment in talent and innovation,” he says. “Edinburgh is now one of Europe’s most successful technology clusters, built around an impressive collection of entrepreneurial talent, science and innovation assets.” Playing a significant role in helping to attract and encourage overseas interest is Scottish Development International (SDI), the international arm of Scottish Enterprise and Highlands and Islands Enterprise that helps overseas businesses to tap into Scotland’s world-class capabilities in innovation and commerce, and also works to help Scottish companies to do more business overseas, while also promoting this country as a good place to live and work. For potential investors, who will be able to access an extensive range of opportunities in funding, the message from Scotland’s thriving technology sector is one of opportunity, and connectivity: to education, to skills, to innovation, and to markets.
BIG DATA
The Netflix approach to retail marketing
The decades-old audience segmentation model for marketing is broken, says the co-founder of Big Data for Humans. Welcome to the era of the ‘networked customer’
BY KEVIN O’SULLIVAN
Midway through our conversation Peter Ellen pauses to read me a quote. It’s from Todd Yellin, Vice President of Product Innovation at Netflix, who said: “Geography, age and gender, we put that in the garbage heap. Instead, customers are grouped almost exclusively by common taste.” This is part of a new way of thinking in the world of customer marketing, an approach in which Edinburgh and Paisley-based Big Data for Humans is carving a niche for itself. ‘Martech’ – marketing technology – is busy turning decades of customer segmentation learning (classifying people into groups by labels such as ABC1/C2DE which indicate the top and bottom socio-economic tiers) on its head. Instead, marketers are starting to pay very close attention to data, and how it can unlock much greater insight into their customer base. Who would have known, for example, that for one client of Big Data for Humans – a leading department store – that their most valuable customers for fashion retailing were men? Women account for more in terms of sales volumes but the most value came from discerning male customers. “The really interesting stuff when we do work with the clients – there’s usually some quite big surprises as to who their customers are,” says Ellen. “The problem with the idea of a typical customer is that it’s usually a stereotype. The real customer is never as trite and stereotypical as the initial assumption is. “What we did in Big Data for Humans was that firstly the methods for understanding who your customers are were broken for lots of enterprises. So essentially, in order for an enterprise that trades across channels to build a traditional customer insights stack, they need to go and write out
million-dollar cheques with big IT firms and then hire IT experts to do the job. And then often typically those projects take very long periods of time to come to fruition. Sometimes they never come to fruition.” ELLEN IS the former founding MD
of Fopp, the record store chain, and says his interest in customer data began when he was able to get his electronic point of sale (EPOS) systems networked, allowing the business to analyse its stock, sales and supply chain in “immense detail”. He also might be partly responsible for getting Cuban band leader Perez ‘Prez’ Prado to Number One with Mambo No 5 in the late 90s, but that’s a story for another day. He went on to co-found Maxymiser, a firm that specialises in optimizing web and mobile customer experiences, sold last year to Oracle for hundreds of millions of dollars. Ellen is not allowed to put the actual figure on record, only to say that it was a “big exit”. With Big Data for Humans he has just completed the first round of investment funding, raising £1.5m, with three institutions and four angel investors behind the company, including the Scottish Investment Bank (the investment arm of Scottish Enterprise). The firm is halfway through the second round of funding and also took part in the Techstars start-up accelerator in London. With around 150 meetings in 12 weeks, the experience was full-on, but the aim is to get a year-and-a-half down the line in that time, to get an ‘unfair advantage’ over potential competitors. THE PRODUCT itself, the Customer
Graph, is a software-as-a-service (SaaS) platform, which enables retailers and travel businesses to log on and build a customer marketing programme within seconds, by an automated process. The principle goes back to the idea that Ellen is keen to reiterate, that the old way of segmenting audiences into group stereotypes is no longer fit for purpose; the future is in building and understanding networks of customers who are similar to each other, who instead can be thought of as ‘archetypes’. “What you end up with is a simple map which shows you exactly who the customers are by group and how they are connected to each other,” says Ellen. “It’s something anyone can understand and the benefit of that method is it doesn’t squash anyone into groups in which they don’t belong.” Ellen explains that archetypes are “extreme versions” of everyone else in a network, who if understood properly can be used to determine marketing strategy: i.e. how to sell them more of something. “Let’s imagine in a supermarket I’m a weekly shopper and I do my shopping online and have it delivered to my house,” says Ellen. “In that weekly shop I buy a range of products. In those products I might be particularly over-represented in chilled foods or might be 10 times more likely to buy that than other people. It doesn’t mean by volume I am the biggest contributor by sales but it means I’m more likely to buy them than everyone else. So then you start to learn what makes me different from other people. So if an archetype changes their behaviour that behaviour will start playing out with other customers soon. With a stereotype you won’t know that until it’s too late.”
Big Data for Humans founders Steve Rose, left, and Peter Ellen
The results are starting to pay off for the company, which Ellen co-founded with Steve Rose, the CTO. They have worked with a furniture retailer to cut their direct mail bill by £150,000, after being able to determine which customers would go on to make a purchase with or without a letter through their front door. After bootstrapping themselves for the first 10-12 months, to make sure the code worked, the firm started trading proper at the turn of the year and are growing by roughly one client per month, with five now on the books. Ellen views his company and product as solving a market problem, and therefore by its nature Big Data for Humans will be a global company. “Fundamentally we are UK focused at the moment but you have to think globally immediately; we have one client based in the UK which sells to 160 countries and we’re about to sign a client from Malaysia. If it’s a market problem you’re addressing it needs to be massive, and you need to know that.”
SKILLS
Prewired is a weekly programming club for under-19s hosted at Codebase in Edinburgh
Hey teacher, leave them kids alone. Why children are better off left to learn coding by themselves
The co-founder of a volunteer-staffed programming club explains why they take a different approach to the curriculum
BY FREDA O’BYRNE
I hear discussions about who or what or how we should be teaching ‘kids’ to code and I can’t help thinking to myself that it would be much quicker if we just let the children get on and learn – that we should allow them, in fact support them, to teach themselves. We seem to have to find ‘someone who knows’ first and this seems to me to be inherently inefficient. Many young people do have skills they can share, a group can start
from where they are and, by learning as they go, pushing boundaries, stretching for things that they need to learn, they can soon move from ardent amateurs to capable young programmers. Of course we should be training teachers, and running large-scale ‘teaching to code’ events, roadshows and workshops, but a myriad of small scale community-embedded projects will achieve far more, more quickly, at the point of need than waiting for skills to percolate into the classroom and down to our children. Prewired, one such project, is a weekly programming club for under 19s. It is organised and run by volunteers – all mentors are volunteers – it is hosted by Codebase and the children do not pay to attend. It runs all year round with some week-long projects running in the school holidays. An average of 47 young people turn up each
week having registered online, sign themselves in and sort themselves out with either their own laptops or one of the donated ones that Prewired owns. They then sit down to work. WHEN CHILDREN start they often
feel that they don’t know anything, feel awkward and maybe even a bit intimidated. The first thing we do is to chat to them about their interests, about the kind of things they might like to try. If it is appropriate we might introduce them to another young person working on a similar project, or we may get them set up with an online learning resource like Codecademy or Scratch. Some young people have projects on the go that they want to work on and are quite happy to get themselves set up and get going. If a child is finding it difficult to get to know other children we will see if we can help to make up a mutually supportive group project.
We often ask more experienced young people to help a less experienced colleague out with a problem - not only to solve the issue but also to build relationships within the group. Participants are supported in learning popular programming languages including Python, Scratch, Java (especially for Minecraft modding), C++ (especially for Arduino control) and HTML/CSS. In addition, volunteers offer a number of dedicated teaching sessions, workshops and projects. Past topics include: Arduino kits, Lego MindStorm robots, Scratch, mobile apps with Android, website development, Git and GitHub, Raspberry Pi and machine learning in Python. MENTORING IS a delicate process. It is not really about showing how things are done, it is not about solving the problems for young people, it is more about listening to what they have to say about the work they are doing, being interested and guiding them to find solutions if they get stuck. Mentors come mainly from Edinburgh University, Codebase and its community, FanDuel, Scott Logic and, like myself, the community at large. Mentors ask participants to explain what they are doing and how they are doing it. This is a two-way process: mentors are learning skills around listening and explaining complex concepts simply, whilst young people are getting used to speaking to people with differing levels of understanding and ability, to be non-judgmental and to share their knowledge and skills. Young people are also learning that it is alright to not know the answer, it is alright to ask for help, and it is definitely alright to fail in a task. It is a pleasure to see a child progress from blaming the laptop for the failure of an idea to realising that the process of testing, refining and testing again
results in pure joy at the moment an idea works. Many years ago I made theatre for young people. I found that the shows we made were better if we involved young people at an early stage - talked to them, in fact, listened to what they had to say and involved them in the creative process. Their responses were stunning, inventive, funny, relevant and so, so much better than we could have imagined. I HAVE learnt a lot from working with
children and one of the main things I have learnt is that they are at their most engaged, most excited and most motivated when they are doing something they want to do. Pretty much the same as we adults are, in fact. So, if you visit Prewired, you won’t see 20, or 10, or possibly even five children engaged
on the same project. Prewired is not about bringing all participants through a curriculum at the same pace, at the same time, producing the same work and coming away with the same skill set. You will see each participant engaged with their own learning, in their own way at the pace they want to pursue it. You will see young people between the ages of seven and 19 working on projects that they have initiated, and you will also see them taking time out, chatting, playing games - looking
for all the world like members of any tech start-up in this glorious city.
Prewired was founded in 2012 by Ewan Klein, Freda O’Byrne, Amy Guy, Kit Barnes and Stuart Anderson. It is managed by a voluntary committee and is run by Rikki Guy, Cameron Gray, Freda O’Byrne and Helen Williams. Freda O’Byrne is also chair of playbase.org.uk, an online learning platform for early years parents and carers.
Case study: RailCode
BY DAVID AND ANDREW FERGUSON
The increasing skills gap in the technology sector has often been highlighted by initiatives such as Code Club, Hour of Code – and recently the BBC micro:bit. However, all these projects depend on self-interest. For them to be successful, young people must actively have a desire to learn programming. An alternative approach would be something that appeals to young people on the basis of a fun and engaging experience which teaches them to code at the same time. That was the premise behind RailCode, our upcoming app that was created last August at the Young Rewired State Festival of Code. There is nothing complex behind the concept of the idea: users are presented with an underground tube map, and have to direct a train from one station to another. This could quite easily be implemented in a non-technical interface, but instead users are required to code the train to its destination, using the inbuilt tutorial and help. What’s more, the premise of a
train requiring navigation through an underground map provides the perfect opportunity to teach the basic fundamentals of programming. Common programming constructs such as “if conditions” (splits in the track) and “repeat loops” (moving through multiple stations) can be taught without an emphasis on the technical nature of programming, to anyone who understands public transport. Adding a points-based ranking system not only encourages users to return and bring their friends, but also rewards examples of good quality code. To engage new talent in the technology sector, we must actively recruit those who have an interest – but just don’t know it yet. RailCode goes some way to solve this, but it is still only part of the solution. Who knows, perhaps the final piece in the puzzle will be found by someone whose interest was sparked by RailCode.
David and Andrew Ferguson are Prewired members and winners of the Monster Sponsor Challenge at the YRS Festival of Code 2015
The retention approach to executive search: how one recruiter has created talent communities for its clients
Denholm Associates is applying consumer marketing techniques to recruitment search
BY KEVIN O’SULLIVAN
Over the last 10 years there has been an undeniable and marked shift in recruitment. The rise of technology has brought about a quiet revolution in the jobs market, with the digital space now beginning to dominate executive search. Recruiters themselves are also adapting to the way technology itself is changing market conditions: where once a recruiter might take the rather untargeted approach of placing ads on online jobs boards, the emergence of professional social networks like LinkedIn and a growing tendency of clients to in-house their hiring function have forced recruiters to become smarter and more agile in the way they approach their clients. “The days where the starting gun goes off and we all rush in to beat the competition to find a candidate are, for me, over,” explains Nicki Denholm, Chief Executive of Edinburgh-based marketing search specialists Denholm Associates. “The old scattergun techniques are no longer fit for purpose. You could argue there is still a role for it but there has definitely been a squeeze, and we’ve largely withdrawn from that model; things like LinkedIn, in particular, have been a game-changer so companies like ours have to demonstrate that we know the candidates better than anyone. You can easily send a message randomly to someone you might want to target on LinkedIn, but if they’ve never heard of you, and with many other organisations doing the same, especially in the competitive digital market, where is the leading edge? I think it’s far better to create a relationship with that person.” IN THAT sense Denholm Associates
thinks it has hit upon the perfect solution. With its BrandBox tool – a resource which allows companies to create their own profiles on the recruiter’s website – candidates registered through the site are matched to clients looking to hire. And when the
successful applicant is chosen, those who are either ‘near misses’ or ‘ones for the future’ can opt into continued contact with the organisation, which allows the company access to a permanent, expanding talent resource as more and more people join. “The digital market, particularly in Edinburgh, is very heavily fished and I think anything we can do as a recruiter to enhance the experience for firms hiring and the candidates is all the better,” says Denholm. “With BrandBox we are applying consumer marketing techniques to the candidate market, creating a nice eco-system or ‘talent community’ who are engaged and warmed up about that company by the time we send out information on them. So yes, there’s a place for LinkedIn but we are a specialist in executive search, which can source the kind of candidates companies are struggling to find. Those candidates still need to be sold by someone who has a specialist, and therefore credible, voice in the sector.” THE EMPHASIS on selling is perhaps one that organisations looking to hire might often struggle to understand
or execute, particularly as the salary expectations rise towards and above the six-figure mark. A candidate with the right skills for a Head of Digital Marketing role in an established Scottish business, or even a fast-growing tech startup, might not necessarily be located in Scotland. They need to be identified from a global talent pool, and then persuaded to move to Scotland. “We are doing well with digitally native technology firms in Scotland, but we also need to improve candidate perceptions about opportunities here,” Denholm adds. “Although there may be fewer companies for a digital candidate to choose from than say in London or Los Angeles there are a growing range of exciting vacancies in digital marketing, and tech generally, amongst clients like Skyscanner, Blonde, Tesco Bank, Standard Life, DigitasLBi and many others. But amongst candidates from down south and beyond there may still be a perception that, ‘There’s not many companies doing what I’m doing in Scotland. What happens if I relocate and it doesn’t work out? I’ll be left high and dry’. “We have to address that and make candidates aware of the exciting developments happening in places like Edinburgh, which has become something of a case study for Scotland for tech companies, but it’s very dangerous to assume anyone south of Sheffield is even vaguely aware of it.” FOR DENHOLM, the emphasis more
and more has become about not just the salary bracket, but the wider ecology of a place. The lifestyle options in Scotland, the proximity to the Highlands, the startups themselves being a conduit for new learning, are all points that a recruiter should be trying to get across to candidates considering roles north of the border. “Lifestyle aspects are featuring much higher than they previously did,” she says. “People want to live and learn in a nice environment with access to the mountains, fresh air and golf courses. These are the things that people increasingly want when they look for a new opportunity – companies need to be much better at getting that across as well as the details of the vacancy and the positive aspects of their brand.”
Denholm BrandBox
Among organisations to use BrandBox are VisitScotland and Maxxium, which won last year’s Employer Brand of the Year at the Marketing Society Awards. Companies who sign up (it comes as part of the fee charged by Denholm Associates) get control of their own web page hosted on DA’s site, which acts as an information portal for potential recruits. Users who apply for roles at that organization then become part of a ‘talent pool’ attached to that company, and if not successful on the first occasion can be retained for future roles that they might be suitable for. The web user stats for the service prove engagement levels to be high with open rates on BrandBox email updates – announcing a new marketing campaign or brand launch to interest potential candidates - at 90%. Denholm Associates is increasingly active in the digital market and has recruited for executive roles including: Head of Digital Marketing, Head of Digital Strategy, Digital Account Director, SEO Content Specialists and Social Media Managers.
LEGAL
The bank that likes to say: ‘Can we get more money for tech firms?’
Lots of money is flowing into the tech sector. But is it enough? The head of the Scottish Investment Bank is about to find out
BY KEVIN O’SULLIVAN
The Scottish Investment Bank has revealed plans for a market consultation exploring how the public sector investor can help tech firms seeking access to seed capital. The SIB, which is the investing arm of Scottish Enterprise, will go out to the sector in Q3/Q4 this year to discover how it can better assist tech firms needing finance to expand. Currently, the SIB takes a sector neutral approach when it invests in companies in Scotland, although it has given some specific support to life sciences and renewables. “We have a digital technologies team who from a sector point of view are constantly trying to work out what that sector needs,” says Kerry Sharp, head of the Scottish Investment Bank. “From an investment point we’re not taking a different approach to our generic co-investment funding because we’re not sure it’s needed just now but it is one of the areas we are about to consult with the market on what’s happening.”
She adds: “There’s still lots of money flowing in [into tech] but is it enough? And if not do we as the public sector need to be doing something else to finance it? I know there are a lot of individuals out there who think something more should be happening and that’s what we do, we keep our ears to the ground. If we find that people feel there might be something, then that’s when we go into a wider consultation; if it’s anecdotal it’s difficult for us to do too much about it.” The consultation is likely to be driven by Scottish Enterprise, initially with key market players, and Sharp echoes the investment community’s call to try and encourage more outward investment into Scotland. “We just want to make sure there’s not a glass ceiling there or that there are still more companies not getting the funding because it’s scarce. So we’re trying to work out whether there are other responses that we need to do like trying to encourage other VCs to move into Scotland, or whether we need to encourage funds to set up here that we can invest into.” In terms of risk capital the SIB runs two investment funds – the Scottish Co-Investment Fund and the Scottish Venture Fund, although it is more active in the former where it partners with many of the most established investors from the angel community. The model is built around joint public-private sector investment.
Sharp says the SIB deals with more than 100 investors and recent analysis has shown that in the last three years 40% of investment has come from outwith Scotland. Sharp wants to increase that to 50 or 60%, giving Scotland’s economy the benefit of scale as well as international experience and knowledge; although she is cautious about not wanting companies to be “grabbed out of Scotland, and moved elsewhere”. “Although acquisition can be good for a company, and it allows them access to additional capital and allows them to grow, we want them to do that in Scotland.”
SIB HAS INVESTED IN:
• CLEAR RETURNS – software for retailers – £175,000
• CLOUDSOFT CORPORATION LTD – cloud application management – £1.5m
• SUMERIAN EUROPE LTD – IT capacity planning – £3.2m
• ADMINISTRATE LTD – training company software – £900,000
• BIG DATA FOR HUMANS – customer analysis software – matched funding with Techstars incubator
• IMETAFILM – digital film – secured £217,000 funding package from Kelvin Capital and SIB
• BLOXX – real time Internet and email filtering – exited after shareholder sale to US-based Akamai Technologies Inc in October 2015
Intellectual Property strategy for technology companies
IP should be top of mind for start-ups who want to protect their returns
BY ROBERT BUCHAN
All businesses, and particularly new tech start-ups, have many competing demands and budgets to prioritise. When a new player has a bright idea to offer a new product or service which will disrupt existing technologies or undercut larger competitors, their main focus is always on developing the technology and getting their idea swiftly to market.
While legal advice and input will probably be low on the list of a start-up’s priorities, Intellectual Property (IP) rights should be right at the top of it, together with a clear strategy to protect and maximise returns from IP from the start. In short, IP rights are a mix of valuable legal rights which can allow any business to create a monopoly for its products or services, exclude competitors from the market or at least charge premium prices as a reward for innovation.
IP rights can include trademarks for a brand, app or logo, a patent for a new product or manufacturing process or design rights for the shape of a product. They can also protect confidential information and know-how about how the technology works or copyright in software code. As tech development is at the heart of all start-ups, IP will be created and used from the outset. Indeed, IP will usually be by far the most valuable asset for a tech company. When time and money are precious resources, all too often IP protection is either overlooked altogether as not relevant or put off as something to deal with later when more funds are available or the product has been further developed or road tested. But putting IP on the back burner can mean any legal protection is lost forever or its value undermined.
It is vital to the success of any business to have IP on the agenda to ensure that all IP created is captured, protected and able to be fully commercially exploited. A clear strategy and/or portfolio of registered IP, such as patents or trademarks, not only provides the strongest basis to protect against copycat competitors, but will also be much more attractive to any potential investors or collaborators and, ultimately, any potential buyers. A key part of any due diligence, whether valuing the strength of the technology or the company itself, will test the strength and breadth of the IP owned or licensed. If there is no registered IP or IP strategy, questions will arise about whether there is any real commercial basis or value to invest in, work with or acquire a start-up.
It is also vital to check what competitor IP already exists to avoid infringement as well as to provide a clearer focus for your own research and development. Carrying out a freedom to operate/clearance search at the outset will be cheaper in the long run and avoid any disputes or being forced to stop use of your IP. Not having IP protection and enforcement at the top of the agenda is a false economy. Expert IP input should be obtained as a priority.
Robert Buchan is a Partner in the IP, technology & outsourcing team at Brodies LLP. For more information, please contact Robert on 0131 656 0078 or at robert.buchan@brodies.com.
INVESTMENT
Eastern promise adds spice to investment showcase
Now in its eighth year, EIE has lured Chinese capital to its annual gathering of investors
The Engage Invest Exploit (EIE) 2016 event on May 12 is the biggest annual gathering of investors in Scotland; 60 tech companies will get the chance to pitch their ideas to the ‘dragons’
BY KEVIN O’SULLIVAN
The head of a £500m Chinese venture capitalist fund will be among 250 investors at the annual tech investment showcase EIE in Edinburgh next month. Cocoon Networks, which is backed by China Equity Group and Hanxin Capital, will be represented at the technology investment pitching contest on May 12 in Edinburgh. John Zai, its CEO, launched the fund in London in January and is part of a growing network of Chinese investors with plans to become involved in UK and European start-ups. For EIE it is a major coup at the same time as the organisers themselves consider plans to host an event in China later this year.
Gordon Stuart, Director of Operations at Informatics Ventures, which will put on the day-long event at the Assembly Rooms, said: “We are getting more and more people coming from further afield, from Europe, the States and this year we’re looking to get a few more from Asia, particularly from China, which is obviously a new area. And we are considering doing something in China later this year.”
Sixty companies will get the chance to pitch their ideas to an investment community ranging from high net worth individuals, at the lower end of the scale with an average £50,000 investment, to large multi-national venture capitalist funds, who may invest up to £2m or more. Pitches will be limited to just a few minutes, and firms vying for cash have been offered the chance to learn some stagecraft by Informatics Ventures, which aims to create a slick event. “We want them not only to pitch but to pitch in a way that’s impressive and entertaining and leaves an impression on the audience,” says Stuart. “If we manage to get people to come from far afield it’s very important we put on a bloody good show. That is not only content but also the capability of the people to put over their proposition in a way that grabs the attention of the investors.”
Among companies pitching are Edinburgh Molecular Imaging Ltd, which has developed technology which scans the body for diseases in real time, and the Glasgow-based makers of Double, an app which allows couples on first dates to find each other in a way that is intended to make dating safer.
Stuart believes the EIE, which also runs a smaller event in London, would benefit from larger investment groups setting up in Scotland. “The angel community in Scotland is very strong but what we are missing is the follow-on finance for companies that want to scale. A typical digital company can get up and running for around half a million pounds but if they really want to scale up around the world and recruit and open up offices outside the UK that’s going to cost a fair amount of money. People with that level of investment are mainly VCs and we just don’t have venture capitalists located in Scotland.”
However, Birmingham VC firm Mercia Technologies did open an office in Edinburgh in the past six months. Stuart also thinks if FanDuel or Skyscanner – the UK’s only ‘unicorns’ – go for an IPO (Initial Public Offering), it will generate the level of interest that Scotland needs from the wider investment community. “It would be great for Scotland, but also a whole bunch of tech millionaires will be created and the impact of that will be that a lot of money will be recycled back into the local tech economy and that should allow more companies to start up and therefore more companies coming through. It’s a kind of virtuous circle.”
What makes the perfect pitch?
Shaun Millican
I recently assisted with the pitch panels for Engage Invest Exploit (EIE) 2016, Scotland’s premier annual investor showcase of high-growth technology companies. Each panel lasts for a half day with four companies pitching their ideas. The panel isn’t told in advance which companies they’ll see so everything we learn about them is on the basis of their six-minute pitch along with the Q&A. It is always something I look forward to and it’s enlightening to hear the views of other panel members, particularly if they are investors. For 2016, all of the companies had an interesting proposition but some presented better than others. What then are the differentiating factors which can make the perfect pitch in the quest to secure investment?
GET OFF TO A GREAT START
At EIE 2016 companies have just six minutes to make their presentation so it’s vital to grab the attention of the panel quickly. A short elevator-style pitch which covers the how, what and why of your proposition but avoids technical jargon is essential. Ideally, a nice clean visual aid which engages the audience also helps.
ARTICULATE THE PROBLEM
The best pitches start with the problem from the customer perspective and go on to say how their solution would address it. If an investor doesn’t understand the problem, then they won’t buy into your solution no matter how impressive it is. Explain how your proposition is unique and the competitive advantage you’ll enjoy as a result.
BUSINESS MODEL
This was an area several of the companies struggled to articulate clearly, perhaps because of their relatively early stage. It won’t resonate with investors to adopt the ‘build it and they will come’ approach. You also need to be able to explain how you will generate revenues.
MARKET SIZE
Knowing the size and scope of your market should be a given. Investors want to put their money into companies which have a disruptive proposition in a big market, so providing an overview of the potential is imperative.
OTHER CONSIDERATIONS
Aside from the content, who presents and the style of presentation are important factors. The presenter should speak knowledgeably and passionately about the proposition. Visual aids are a double-edged sword: good ones help reinforce what is being said whilst poor, overly detailed slides can distract and put focus on the screen rather than the presenter. The best pitch I witnessed featured a presenter who was personable, passionate about his company with engaging visual (and audible!) aids. This approach helped take us on a very short but captivating journey to explain his company’s proposition.
As a proud sponsor of EIE16, Johnston Carmichael wishes the best of luck to all of the companies which are taking part in the event next month.
Shaun Millican is Head of Technology & Life Sciences at Johnston Carmichael www.jcca.co.uk