Hiring & purpose

One of the implications of the phrase “every company is a technology company” is that suddenly it’s not just traditional tech companies that have to hire developers or data scientists. Yes, it is possible to outsource and use people as a service solutions; but in critical positions talent with a deep technical & business understanding are required. This is a significant problem for recruitment professionals - you’re now not just competing with your industry for talent, your competing with the some of the richest (and coolest..) technology companies in the world too.

One organisation that doesn’t have issues with hiring, despite being relatively small, is Aragon, a company co-founded by Luis Cuende, 20, that recently raised €25 million in 1.5 minutes by selling ANTs (Aragon network tokens). Aragon is a DAO (Digital Decentralised Organisation) - and described as a “Decentralised Infrastructure for Value Exchange”. In essence what this means is that it’s a way for founders to create companies that are stateless, with their cap table, by laws and corporate structures defined by decentralised smart contracts rather than a central (country) authority.

So what does this have to do with hiring? Well, in one sense Aragon isn’t particularly remarkable. There are lots of organisations that facilitate the creation of companies - in many ways Aragon shares a lot of similarities with multinationals like PwC and KPMG - both can establish and help you run a company. Admittedly the traditional players use centralised methods, but it seems like this is a change in the “how” not necessarily the “why”. Yet whilst traditional accountancy firms are struggling to hire the best people - Cuende has the opposite problem:


The easy answer to this question is to say that people want to work for Aragon because it’s a cool, small and young company. However, the real answer lies slightly deeper. When you look at the way that Cuende talks about Aragon it’s clear that he doesn’t see it as just another corporate services firm.


He’s written extensively about the ways in which he believes decentralisation will change the world, with blog posts that could might be considered slightly hyperbolic by some large corporate. Nevertheless, after reading the literature surrounding Aragon there is no doubt that the company is attempting to reshape and change the world to rid it from the tyranny of centralisation (and make a profit whilst doing so). Whether it succeeds in its mission is another question, but the clarity and ambition of the organisation is undoubtably one of the reasons why so many talented people want to be part of the company.

This purpose driven approach isn’t just applicable to small start ups - Kersti Kaljulaid the president of Estonia has presided over the Estonia e-residency scheme which has seen over 1,000 new companies and more than 2,000 entrepreneurs register to administer their business. Cynically speaking this could have a dramatic effect on the amount of tax paid to the Estonian government, but from a purpose standpoint Kaljulaid speaks in Cunde’s language: encouraging any entrepreneur who believes in a digital first future to sign up to the e-residency scheme and change the world for the better.

Purpose, like brand, is something easy to discount in the seemingly utility driven tech marketplace, but the most successful organisations are harnessing and communicating their purpose to attract the best and most innovative people to join them on their mission. An essential first step is to determine and agree on what that mission actually is.


Working with hackers

Of all the topics I speak about the one that provokes the most controversy is related to hackers. The idea that respectable companies would ever work with people who are good at breaking into systems is seen, at best, as a counter intuitive strategy, and at worst as a trivialisation of what may be the most significant problem facing the criminal justice system today. A comment I’m often surprised by is: “can’t we just lock them all up”?


This “lock them up and throw away the key” approach is shared by several governments around the world, including the United States. The FBI recently charged 22 year old Marcus Hutchins - the security researcher that accidentally stopped the spread of the Wannacry ransomware - with selling banking malware. There is a substantial amount of evidence to suggest that a number of years ago Hutchins may have been involved in this sort of activity (at the age of 17), and he now faces 40 years in a federal prison. The US government’s response to the challenging issue of cyber crime is to make examples of people they’re able to arrest or extradite - regardless of whether it takes almost a decade (in the case of Kim Dotcom, an eccentric billionaire charged with copyright infringement) - or if the sentence seems hugely disproportional to the crime. In the sentencing of Ross Ulbright, the creator of the drugs marketplace Silk Road, the judge explicitly referenced the danger that cyber crime poses to society as a whole, and handed down a more severe sentence than even the prosecution asked for: life without the possibility of parole. For the judge in Ulbright’s case, the issue was simply one of deterrence.

Much like the war on drugs, this deterrence led approach isn’t working. Last week Equifax announced they were subjected to a data breach affecting 143 million Americans (nearly half the US population), a systems compromise that is just one of many high profile hacks this year. Ironically too as the US attempts to lock up every hacker they can lay their hands on it’s estimated that Europe faces a cyber security skills gap of 350,000 workers by 2022.

The Catch Me If You Can approach

What do you do with the best bank forger of his generation? Let him rot forever in prison? At the end of the film Catch Me If You Can Frank Abignail is offered a deal: work with us to catch other forgers and secure bank systems and we’ll reduce your sentence. Unless you’re a hardline absolutist this makes a lot of sense - why waste a talent when you can use it to prevent more bad occurring?

Many companies and governments are going a step further than this traditional method of collaboration in their attempts to work with hackers. Tesla encourages and rewards hackers that compromise their systems, as long as they disclose the vulnerability. This year a group of Chinese hackers did just this - and Tesla were thrilled about it.


In a similar way GCHQ in the UK have begun to work out that treating hackers as run of the mill criminals may not be the most effective approach. They recently trialled a rehab camp where young hackers that had been caught would be given the opportunity to work with the security forces. One of the quotes from an attendee of the programme was that they didn’t even realise that working to prevent hacks was a real profession.

When a developer found several security holes in in HMRC’s website it was hugely challenging to even report the problems - not the best indication that the government is interested in any sort of collaboration with the security community - let alone young hackers in their bedroom.

Thinking differently

Even the US government is starting to think about different approaches to their cyber security problems - though their justice system doesn’t appear to be getting the memo. The US Army ran a scheme called “Hack the Pentagon” which encouraged ethical hackers to hack into the pentagon with a reward if they disclosed their exploits. It took just 13 minutes for the first issue to be reported.


One of the most interesting things about the “Hack the Pentagon” event was that generals admitted that it was actually quite difficult for hackers to collaborate with the US government.


There will always be hackers uninterested in collaboration & who will always aim to make money via illegal methods - this is criminal activity - but when companies or organisations make no effort to engage young hackers is it any wonder that they get drawn into the darker places on the web? There is another way; and creating a strategy and framework to allow external hackers to collaborate with you, rather than compromise you, has got to be the first step.


Mission Critical Low Priorities

Ask any CEO or leader of an organisation what their top worries are and they'll probably tell you that they're related to technological disruption or cyber security. In a recent PWC report, cyber security ranked in the top five concerns of surveyed CEOs. Yet despite the perceived importance of the issue, time and again it is the simplest vulnerabilities that catch companies out. Whether it's falling for an email impersonation or not patching systems, it's clear that talking about these issues is a lot easier than doing anything about them.

Costas Markides from the London Business School has talked about the problem of senior leaders saying "we need to do something about innovation". If you were at home and your partner said "we need to do the washing up" who exactly do they mean? The phrase is non-descript and non-directional, meaning that the dishes would inevitably languish in the sink. In these cases the rhetoric itself becomes dangerous. Rather than prescribing a course of action like hiring a Chief Information Security Officer or growing an innovation department, most companies default to continuing with business as usual.

Cyber security and innovation are hugely important but rarely acted upon

There are a number of reasons that I've seen which result in this behaviour. By recognising the common traps it becomes easier to align your areas of high perceived importance with your high priorities.

1. It won't happen to me

There is often an underlying feeling that instances of tech disruption or cyber security won't happen to you or your company. "My people are too smart to fall for a phishing attack" or "It's a hard market to break into really, what damage can a start up do?" Like global warming, it's only after the damage has been done that it becomes clear that these sorts of things can happen to anyone.

By creating scenarios about the future - as the packaging manufacturer DS Smith has done with their 2025 scenarios - you can bring some level of reality to these hypotheticals. Assessing what actual damage might be done, and documenting who would face the repercussions you can reframe the debate.

2. Where's the ROI?

The other problem about hypotheticals is that it's hard to build a business case around them. The recent WannaCry ransomware outbreak could have been prevented by a simple patch to NHS computers; yet justifying a significant spend on a security update is difficult when there are pressing funding needs in other areas of the organisation. Making a business case for an unknown is only possible when you accept that occurrences like a hack or disruption are not just likely but inevitable. To help stakeholders understand just how likely this is, things like company wide phishing tests can be used to demonstrate vulnerabilities.

3. Innovation Stigma

"I'm just going to spend the next two hours doing some innovation." Imagine if one of your colleagues said this to you? You'd probably picture them sitting on a beanbag doodling on a pad of paper. Though innovation is critical to business today, finding the time and space to do it is difficult - especially when it's often not criteria in someone's performance review. It's only by promoting innovation as a tangible activity within a company - through a lab or investments for example - that "innovation activity" can happen without it looking like people are wasting their time.

4. Fear of failure

Underlying all of these issues is the problem that admitting to failure is incredibly difficult it today's business environment. Both innovation and cyber security have a high probability of failure - even if you invest significantly in both areas it's still possible that you will be disrupted and hacked. It's a game of probability, though, and therefore it's important to be transparent and communicative about the risks involved.


Taxing data

Recently Google has made a large push towards their photo sharing app, Google Photos. Offering unlimited high-resolution storage for anyone who buys a Pixel phone, and standard resolution for anyone who signs up, it seems like a deal too good to be true. Whilst signing up is easy, removing yourself from the service (as I tried to do a few months ago) is much harder. Photos can only be deleted in batches of 500, and the process will fail four out of five times. It’s the sort of dark user experience that you can see in other products, but it is a reminder of an important point: Google is a data collection company, and its value is dependent upon the quantity and quality of data that it can collect.

The problem with taxing technology

Historically tax has been used to collect revenue for the state by extracting a proportion of the value that businesses or individuals create. Taxation from Biblical times is described as

"When the crop comes in, give a fifth of it to Pharaoh.

Genesis, Chapter 47, verse 24

In this case, the taxation system is quite simple: whatever value you create (i.e crops), give 20% of it to the Pharaoh. Since biblical times this principle of extracting value from producers has been extended to value added tax (VAT), where every transaction that creates some element of value is taxed at a percentage. The bottom line of a capitalist taxation system is that where value is created it is only fair to take a proportion of that transaction as tax.

When it comes to technology companies, the value almost always sits in the data that they own. Citymapper, a UK based transport company is valued at over £250 million, despite the fact that it doesn’t make a profit. What it does have, though, is huge amounts of data about transport patterns in cities all over the world - often much more accurate data that municipal transport companies themselves have access too. It’s a similar story with Uber, which recently launched Uber Movement, a service demonstrating just how valuable their data collection of journey times has been.

Citymapper recently launched a pop-up bus service to demonstrate the power of the data they have access to

The issue with taxing these companies is that though an organisation like Citymapper is generating substantial value with the data that it’s collecting, there is no concrete monetary figure associated with it. Therefore, for most fast-growing startups the core of their value goes completely untaxed.

Where value goes, tax should follow

Over the past few years, the regulation on the collection and processing of data has become stricter. In order to collect data of any kind in the UK, you need to register with the ICO, and soon companies will have to comply with strict security legislation brought about by GDPR. Despite this regulation of data, though, there has been absolutely no attempt to tax the collection or processing of data.

Google’s search algorithm is improved with every search that is made. Though there is a monetary cost of providing the service, the benefit of having the most predictive algorithm is clear to be seen. Terms of service across any tech company that you care to mention includes clauses about using consumer data to improve the service for others. This may seem like an altruistic motivation, but in reality, it is anything but. Taking the insights from Google search and integrating it into Google Home, for example, allows Google to create a much more valuable product. Again, this value is completely untaxed.

Government & regulators are unprepared

The shape of the global economy has been dramatically transformed by technology, and yet the regulatory and taxation system has remained relatively static. As technology companies experiment with new ways to create value it’s the responsibility of government to experiment with new ways of taxing them. Sadly the exact opposite has happened. HMRC recently removed the flat rate VAT scheme benefit for what they call “limited cost business.” Typically these businesses are tech companies whose only capital expenditure are laptops at the beginning of the year. From then on they operate with limited costs - but this doesn’t mean that they’re not creating value.

Simply closing the option for companies to claim back flat rate VAT doesn’t solve the problem, it only seeks to demonstrate the difficulties of creating a fair taxation system where most of the value is invisible when measured with traditional metrics. We need a radical rethink of the way that value is measured and tax is administered, and this has to start with a technology first approach.