Getting inside the minds of ethical hackers
Dan Hatch gets to know some ethical hackers, learning what makes them tick and how they can help businesses by attacking them.

With their head on the block, any IT manager would be quick to point out that no system can be 100 per cent secure. Whilst Wood accepts this, he argues they can be "adequately secure" and businesses should be proactive, rather than reactive.
"What most firms struggle with is protecting information or data in proportion to its value or sensitivity," he said. The idea is to protect the most important data with stronger controls and use less protection on less sensitive data, to avoid unnecessarily slowing down essential day-to-day business.
If IT security adds barriers, staff will find ways to work around it, and that's where problems set in.
Security is meant to help a business make money, not get in the way. The best way to ensure this is to keep your house in order.
Wood advocates regular independent analysis to help identify the most important issues. But he also recommends writing and strictly implementing a wide-ranging security policy.
"Best practice is always going to go out the window at some point," he said. "While it sounds reactive to have a series of reviews that you take action upon, it secures a business better than most other solutions."
Getting 'em when they're young
Mike McLaughlin is a young hacker on Wood's team. He loves his work.
"The average day would involve going on site, all over the country somewhere, hooking myself up to their network and seeing what secrets I can steal," he explains.
"To go in, plug in your laptop and own everything within 10 minutes isn't unheard of at all. Nine times out of 10 we get into their system at some kind of level. When you go somewhere and they say 'you won't be able to do it' and then you do it, that's where you get the thrill."
McLaughlin's background isn't IT. He studied chemistry for a bit. Dropped out. He worked in bars in Spain. His interest in hacking was piqued when Wood offered him an apprenticeship. He studied for a year before joining the team.
"When I tell people what I do they all think it's like top secret CIA agents, all undercover - there's a certain aura around it," he said.
"People seem to associate what we do with what they read in news stories but a lot of what we do is not really that difficult - the papers just make it out to be like some sort of mystical Ninja force. It is a bit cool I guess."
McLaughlin and Wood use the same methods as genuine hackers. They launch attacks across the internet, break into a network masquerading as an employee with system access, gain access through third parties like data centres, and recreate insider attacks.
"There's a set route but we deviate off it," McLaughlin said. "A lot of the time you've got to be creative with what you've been given. So you've got a set list of tasks and each task can be completed by five or six methods but then if you can think of another method you stick that in."
But once the fun and games are over, and the pretense of the malicious hacker is dropped, the job is all about providing feedback to the client.
"We try and be as open and honest with them as we can and tell them what we did, how we did it, why we did it, and what they can do to remediate it," McLaughlin said. "Some people do get a bit funny about it but we do try our best to be seen as a help rather than embarrass people."