The London Office for Rapid Cybersecurity Advancement (Lorca) is brand new, but cyber security innovation is nothing new in the UK. It has been part of the country’s history at least since the work done by code-breaking pioneers at Bletchley Park during the Second World War.
Cyber security is a significant part of the UK’s history and it should be a key element to the country’s future, according to former digital secretary Matt Hancock. “Seizing new technology can be the basis of the UK’s success after Brexit and the rest of the 21st century,” he said at the official opening of Lorca before the cabinet reshuffle that saw him moved to the Department for Health and Social Care.
The UK is in a good position to capitalise on the growing international cyber security market, said Hancock, with the world’s highest investment in tech after the US and China, and London again ranked as Europe’s leading tech hub.
Significant change has taken place in the past 10 years in the cyber security industry and in terms of opportunities to build businesses in the UK, says James Chappell, one of the founders and chief innovation officer at London-based cyber security ramp-up Digital Shadows.
Chappell says this favourable business environment can be traced back to the government’s introduction of the Enterprise Investment Scheme (EIS) and, more recently, the Seed Enterprise Investment Scheme (SEIS), which provide tax breaks for investors as well as other measures to stimulate the economy.
There are also several government match funding grants, as well as grants through the Centre for Defence Enterprise and Innovate UK. It was through Innovate UK’s Smart Awards that Digital Shadows was able to secure match funding to develop initial product prototypes.
The positive effects can be seen on the UK tech sector in general and cyber security in particular, says Chappell, because of the additional boost due to the fact that cyber security underpins most of the new ways of doing business being enabled by digital transformation.
“In the past, graduates would be competing to get into the big four consultancies, but now they are increasingly choosing to spend time instead in fast-growing technology companies because there are some really exciting opportunities in the tech sector,” says Chappell.
Ambitious individuals are also turning to tech talent development firms such as London-based Entrepreneur First for support to start their own business, find partners and connect with investors.
Wide range of initiatives
There is a wide range of initiatives specifically around cyber security in the UK, says Chappell, including the Cyber Growth Partnership, which supports fast-growing security companies. “There are some great opportunities is this sector, which is partly due to our UK heritage going back to Bletchley Park,” he says.
The UK also benefits from having top students from all over the world who come to further their education, a thriving financial sector and a strong defence sector. “We are lucky to have this heady mix of components that create an environment where it is great to be building a business,” says Chappell.
Also, thanks to the likes of companies such as Message Labs and Sophos, the UK has useful templates or archetypes for fast-growing successful businesses that startups can draw upon, he adds.
The growing number of incubators is also creating opportunities for cyber security innovators, with Lorca being the latest to join its sister centre in Cheltenham, the NCSC Cyber Accelerator, CyLon and its HutZero bootcamp for entrepreneurs.
“You can have the best technology in the world, but if you can’t connect to a customer, you don’t have a business”
James Chappell, Digital Shadows
So while there is growing support for cyber security entrepreneurs to get their innovations to market, perhaps the biggest opportunity for startups in this sector is the market itself.
“There is a lot of demand for cyber security products and services,” says Chappell, echoing former GCHQ head Robert Hannigan, who told Computer Weekly that the market is “massive” because there are many economies that are some way behind the cyber security technology front-runners that are looking for solutions.
“There is massive potential,” he says. “We have got some great companies, the UK has a good reputation and we should capitalise on that because if we put all that together and get it right, we will have a booming cyber security export industry.”
Adding to that demand, says Chappell, is the recent introduction in Europe of the General Data Protection Regulation (GDPR) and the Network and Information Systems (NIS) Directive, which the UK has adopted and will continue to apply post-Brexit.
“Cyber security-related regulations are driving up the demand and a growing number of entrepreneurs are looking for innovative ways to serve that demand,” he says.
Unique cyber security requirements
Opportunities are also being created by the fact that just about every business type has a unique set of cyber security requirements to cater for different types of risk.
“So there is an opportunity to focus on specific business types because, unlike the old days when everyone bought antivirus software, businesses are now realising that they all have different needs, which means consumer businesses are looking for something different to industrial banks, builder’s merchants and airlines,” says Chappell.
“There is now a demand for different aspects of security, so for example Digital Shadows focuses on everything beyond the perimeter of a network, including digital footprints, and while we are relevant to enterprises with a few hundred employees wanting to protect their brand, we probably wouldn’t be relevant to consumers looking to protect their laptops.”
Chappell says there is a perfect storm created by rising demand from businesses and individuals for cyber security products and services in combination with increased support and funding from investors who see opportunities for good returns on their investments because of the need to counter cyber crime, which has also been enabled by the increased digitisation of society.
“When we started, there were no specialist cyber security investors in the UK, but that is changing and we are seeing businesses that are either specifically investing in cyber security or we are seeing long-standing venture capital firms adding that to their portfolios, which is creating a lot more opportunities for entrepreneurs in this sector,” he says.
At the same time, says Chappell, investors have become a lot smarter and investing in specialist cyber security skills, so startups can expect potential investors to ask much more relevant, pertinent and probing questions.
“Investments are much more well considered and well thought out than they were in the dotcom era, for example,” he says. “Investors are only investing where they can see evidence that an idea is good. They want to see real results rather than just investing blindly in the latest buzzword.”
According to Hannigan, cyber security innovation should be focusing on identity management, patch management and configuration management. He also believes security for the internet of things (IoT) and cloud computing are important areas.
Identity is one area where the UK is particularly strong, says Hannigan. “Identity is key to cyber security, and if we can get a product out there that beats the others, the sky is the limit, especially for the export market, and it will be about who gets there first with a viable solution,” he says.
Using cryptography to secure communications is another area that is ripe for innovation, says Chappell. “We are seeing a lot of people looking at things like quantum key distribution, intrusion detection on communications and random number generation,” he says. “We are also seeing cryptography being applied to securing files, securing data in transit and used in combination with blockchain technology for integrity checking.”
Focus on internet-based security
Chappell’s own company, Digital Shadows, has chosen to focus on internet-based security. “We were interested in how security happens beyond the boundary of most businesses, and so we monitor online content – the digital footprints of businesses – looking for those risks and helping businesses remediate those risks when we spot them,” he says.
Chappell says that he and co-founder Alastair Paterson, now CEO of Digital Shadows, “had a hunch” in 2011 that this would be a good area of security to explore and started running a small consultancy looking at online content, which evolved into a service.
However, back then there were no specialist cyber security incubators in the UK, so Chappell and Paterson looked for help among the tech incubators that had been inspired by Silicon Valley’s Y Combinator . The first of three incubators was the Innotribe programme run by financial secure messaging firm Swift, in which Digital Shadows reached the final six.
“What was really useful about the Innotribe programme and the others we took part in was that they got us to do stuff that we really needed to do anyway, such as getting our pitch and communications right,” says Chappell. “You are continually pitching your product to get feedback on your message, to find out if your product will fit in the market and to work out what the opportunities are and risks are, as well as what your strengths and weaknesses are.”
Next, Digital Shadows took part in the 12-week British Innovation Game run by Cisco in 2012, emerging as one of the winners, but the incubator that Chappell believes made the most difference in its journey was the FinTech Innovation Lab.
“Again, this was a competition-style programme, so we were one of several hundred startups and were fortunate to win a place in the final six and got the opportunity to work with the innovation teams of eight tier-1 banks and do a deep dive with four of them,” he says. “Because we knew financial services was a target market for us, this was a great incubator to join to help us understand what the security teams in banks are looking for.
Robert Hannigan, former director of GCHQ
“It was a wonderful opportunity. We got lots of really good feedback on our SearchLight product that we could implement quickly. When we started the programme, we did not have a user interface, but by the end we had a working prototype, which enabled us to grow even more relationships.
“All this was validated by real users of the technology, which was incredibly valuable. And through the programme, we were able to secure some contracts with companies. Off the back of that, we were able to consolidate existing investments and launch our Series A round of funding.”
As a result, Digital Shadows went from Chappell and Paterson “working at the kitchen table” in 2011 and doing some consulting on the side to keep their heads above water, to being “just shy of £1m in revenue” in 2013 with the first eight team members in place.
Since 2011, there has not only been the introduction of incubators specifically for cyber security startups, says Chappell, but there is also a lot more support available for things like creating a network of people to ask for advice and help in addressing the export market.
The new London cyber security innovation centre, Lorca, in particular is expected to help drive UK cyber security exports, says Hannigan, who will lead Lorca’s industry advisory board.
In terms of advice to other entrepreneurs in cyber security, Chappell says it is important for tech developers to understand that their products and services will never exist in isolation. For this reason, they need to ensure that whatever they develop integrates easily into existing environments.
“Their technology should also be as complementary as possible,” he says. “So when we came to the market, there was lots of technology that looked at what was going on inside networks within organisations’ boundaries, so we developed something that looks at everything outside the network and beyond the boundary, so it is complementary to many existing technology investments.
“Interoperabilty is equally important because if you design something that operates in isolation and can’t talk to other systems, you are then on a hiding to nothing because you are just creating more work for security teams.
“So from the very early days, it was important to us that we could integrate with existing technologies so they can benefit from what we produce, such as Siems [security information and event management systems], firewalls, governance, risk and compliance systems and technologies designed to enable security automation.”
Technology isn’t everything
What advice would Chappell give his younger self? “That it is not just about technology,” he says. “Having world-leading technology is really important, but it’s not everything. Execution of the business around that technology is almost just as important.
“Startups should not forget that things like PR, marketing and communicating your idea to the market is nearly as important as having innovative technology.
“You can have the best technology in the world, but if you can’t connect to a customer, you don’t have a business.”
Another piece of advice for those just starting out is to begin by getting their ideas down on paper, says Chappell. “There are some really good things you can do for free, such as iterating the idea a few times with different stakeholders and using the business model canvas, which is a good way of exploring all the different aspects of a business and all the typical things you would find in a business case,” he says.
He also recommends investing in the Financial Times guide to business startup. “Once you have got something, there are some very early stage incubators that are worth looking at, such as CyLon’s HutZero, which is specifically for founders of businesses to find growth partners,” he says.
“Probably one of the most important things is just to do it. Start the journey as soon as possible to get feedback that will enable you to learn and adapt quickly, rather than trying to produce a fully fledged product in a vacuum. As many Silicon Valley startups would say, it is about failing often and failing fast, because every time you fail, you are one step closer to success.”
Look for investment
Once an idea has been validated by feedback and there is a clear market fit, Chappell says that is when entrepreneurs should start looking for investment. “Incubators can be helpful throughout that journey, no matter what level of maturity you are at, but you really have to throw yourself into the process to learn as much as you can,” he says. “You can’t really dabble. You really have to go for it to get the most out of it.
“I have seen many make the mistake of sending just one team member to the incubator, but they don’t get much value out of the process because they are not totally committed.”
Looking to the future, Chappell believes cyber security will be delivered through the software as a service (SaaS) distribution and consumption model along the lines of the initiative announced by Palo Alto Networks in June 2017.
“It might not happen immediately, but in the next five to 10 years, we are going to see this coming to fruition with cyber security businesses working with partners like Palo Alto and others to go to market,” he says.
“Security has already evolved from purely software-based products to the managed security services model and the SaaS model, where security components are plugging into an industry backbone, is likely to be the next step in that evolution.”