A method to their madness

CROSSING PATHS: 'We do something that's very sexy, so the IT people love to work here,' says Pete Stewart of TraceSecurity.

Tuesday, July 17, 2007

If you hire them, there’s a pretty good chance they’ll rob you blind.

“Our goal is to steal everything we can get our hands on,” Jim Stickley says.

But the strangest thing is you’ll probably thank them for it later.

They are TraceSecurity, a Baton Rouge company whose national exposure has shown the country the importance of protecting data. Trace has gone from its infancy at the Louisiana Technology Park to an industry leader in data security. Now its clients hire them with the hope that along with the security software will come tips and services to handle the human side of security.

Stickley is the face of TraceSecurity’s social engineering services. In less academic terms, he and his cohorts manipulate others to gain confidential information. Luckily, he’s one of the good guys, making the rounds on various news shows to highlight how businesses can recognize flaws in their data security.

Stickley acquired the tools of the trade at a young age. He began writing software at 12 years old, and as his skills progressed he began to see a lot of what could be done from a hacking perspective. Today, he spends much of his time trying to break into his clients’ systems (they know when he’s doing it and where he’s doing it from, so they can know if the system is being attacked by someone without good intentions) and rarely runs into an application he can’t hack.

Despite his skills, Stickley never felt any pull to get into unethical hacking. “There was nothing I saw I could gain from it,” he says.

That is not to say that Stickley was always a saint. One of his other skills that helps him with social engineering is his ability to talk himself into places. As a teenager, he talked his way into movie theaters and places like Disneyland and Sea World without paying admission.

While in college, Stickley was failing marine biology. He studied for the final, but by the time he reached the last essay question he knew his situation was bleak. So instead of answering the question, he wrote about “why I deserve to pass marine biology.” He made a “C” in the class.

Social engineering was meant to be an aspect of TraceSecurity from its inception, but proved to be a tough sell at first. Clients were confident the software they had in place was enough to protect their businesses, underestimating how much of a role human error could have in an information breach.

Trace offered its earliest social engineering heists for free, and the services took off from there. Companies quickly realized that the point made by hammering policies into people’s heads was dwarfed by the impact of walking into their office and leaving with their most vital data. Not only does it reach current employees, says Stickley, but it’s a great story to pass on to new employees being trained. “It’s the gift that keeps on giving,” he says.

A typical heist begins with a company leader setting up the social engineering engagement. That person selects a time and date and tells Trace whether to walk out with the data or to just leave a sticker on things that could have been stolen. The company leader then arranges his or her schedule to be out of the office and unavailable during the time the heist is to take place.

Stickley, a coworker or a team of employees get into character as OSHA inspectors, fire marshals, pest controllers or air conditioning repairmen (one Trace employee has gotten into a government facility by posing as a Russian diplomat). The Trace employees show up at the business at the prearranged time, with all the necessary tools to do their pretend job. After being let into the building, they wait until they are unsupervised and go to work, either filling their work bags with things like backup tapes (the Holy Grail of social engineering) or placing stickers on items.

One of Stickley’s more memorable trips involved a government agency. He found out the name of the company that performed air-conditioning work at the building, then called the agency and scheduled an air-flow balancing. Despite the lucrative value of the inventory at the office, the TraceSecurity team had full run of the building without being bothered by an employee escort. “We just left stickers everywhere,” Stickley says. “We owned them.”

Despite the fun TraceSecurity employees have with robbing their clients, there is always a message behind the madness. No matter how secure your data and network appear to be technologically, procedures have to be followed by employees. “The key difference between what we do and what others do is we take a holistic approach to security,” says Robert Guba, co-founder and chief compliance officer. “People are the problem; technology does what you tell it to.”

Clients are prepared ahead of time for the reality that Stickley and company are going to come out with what they went in for, so the social engineering is meant to be used as a learning tool, not a reason to fire someone. “When we do them, we expect to be successful,” Stickley says. “If we screw one person over, it just happens to be the person we hit. It doesn’t mean everyone wouldn’t have fallen for it.”

Tracing its roots

TraceSecurity was founded in 2003 through the combination of Blaze Technologies, run by Pete Stewart in Baton Rouge, and Austin, Texas-based PatchPortal, led by Stickley and Guba. The three had worked together before, crossing paths at various times through Blaze, PatchPortal and security software giant McAfee.

Now they each fill a specific niche in the company. Guba brings concepts and ideas to the table while closely watching regulatory and other issues that drive spending toward Trace. Stickley, chief technology officer and vice president of engineering, builds the systems used by Trace and is renowned for his skills as an ethical hacker. And Stewart, president and CEO, heads the company with his past experience in growing other businesses.

It was no sure thing that Stewart’s Baton Rouge roots would be enough to bring TraceSecurity here. “It was very difficult to decide where the company was going to be,” he says. “It made a lot more sense to be in Austin or San Diego.”

At least, it seemed to. But the three co-founders debated, examined and re-examined the pros and cons of the possible locations for the company. Baton Rouge kept ending up at the top of the list.

One of the big factors that led to locating here was a business that is now neighbors with TraceSecurity, data-backup company Network Technologies Group. Being close to a tier-one data center was vital, since Trace could not afford interruptions in the delivery of its services.

The group also saw Baton Rouge as an opportunity to break away from the typical business practices associated with software companies. “We said, ‘Let’s not be the typical West Coast company that raises ridiculous amounts of money and you’re forced to do things you don’t necessarily want to do,’” says Stewart. Instead of being beholden to investors, TraceSecurity was built on a model of methodical growth through exceeding customer expectations.

The negative aspects that tend to follow Louisiana are sometimes an issue, Stewart says, but the governor and other politicians in the state have supported the company in ways that wouldn’t be likely to happen in other states.

The unique aspect of the business is also proving to be both a positive and a challenge. The natural life expectancy of a software company is seven to 10 years, so getting executive-level hires down here can be a challenge, when the industry has taught them to expect another move in a few years. “On the staff level, we’ve been very fortunate to be able to recruit,” Stewart says. “We do something that’s very sexy, so the IT people love to work here.”

TraceSecurity is coming into its own at a good time—security breaches of important data are becoming more publicized and industries and government alike are holding businesses more responsible for securing data.

Trace made its early inroads in financial services, since that industry is typically an early adopter of security standards. The health care industry is also a strong market for data security. Both industries must live up to specific security regulations—the Gramm-Leach-Bliley Act and the Health Insurance Portability and Accountability Act, respectively.

But now, driven in large part by California’s SB 1386, more businesses are being forced to notify their customers when their private information has been compromised. “General business is going to have to start addressing [security],” Guba says. “And when they do, it’s going to be a cluster because they aren’t going to know how to deal with it.”

While it is Guba’s job to stay abreast of regulations and compliance issues that would drive customer spending to Trace, the company strives to operate at a best-practice level, so the vast majority of clients require little or no adjusting when new language is added to regulations. “Just because a new regulation comes out, that doesn’t mean you scramble to go address that one regulation,” Guba says.
