Sergey Nivens - Stock.Adobe.com
Accidental heroes: How one scaleup pivoted to cyber
Simeon Quarrie designed his business using virtual reality and interactivity as a tool to tell stories that effect cultural change in enterprise environments – then a cyber criminal emptied his bank account
Vivida was never meant to be a cyber security business really, says founder Simeon Quarrie. A storyteller at heart, Quarrie founded and built his young virtual reality (VR) scaleup with the objective of using interactivity to change business cultures.
He saw some early success creating scenarios that put employees in situations that are impossible to replicate in reality, such as escaping a burning building for fire safety training, or being put in the shoes of a black man in a corporate environment for diversity training.
“I wasn’t born into it, right?” he says. “If I’m completely honest, the subject of cyber security didn’t mean that much to me – until my business bank account was emptied one day. I had some money in it, which was great, and then it wasn’t there.
“At that moment, I was thinking to myself: how did this happen, what was the motivation for doing it, what were the techniques that were used?”
Quarrie came to the realisation that although security was a subject that had not meant much to him before, it was one with which Vivida’s existing business shared some common ground in terms of improving enterprise resilience through training.
He describes what he does as using storytelling and innovation to reframe a subject and turn something mundane, or even dry, into a subject that people do care about. He credits his own experiences as a schoolboy who struggled with subjects that didn’t resonate until the right teacher came along.
“When people were able to take subjects and blend them with a story, then all of a sudden they became understandable and they became important to me,” he says. “And that’s essentially the approach that we take.”
Like VR had done for health and safety or diversity training, Quarrie clearly understood that the technology could serve to really bring things alive and make the message stand out from the mass of PowerPoint and clip art-based training still favoured by many security leaders. At best, these are soul-crushingly boring, and at worst, utterly ineffective and, in some instances, may even increase risk because they are such a turn-off.
Date with a cyber criminal
Vivida created its first piece of VR security training in collaboration with media giant Sky. In the experience – described as going on a date with a cyber criminal – trainees come face-to-face with a virtual malicious actor that they begin to engage with. As the date goes on, the criminal starts to break down their methodology, and their identity, as you go deeper into their world.
“We temporarily saturate, or hijack, the human senses,” says Quarrie. “We’re able to utilise nearly all of them with that story. It was really powerful, and seeing the response to it was great.”
A second engagement with Barclays saw the creation – recreation, rather – of the banking group’s security operations centre (SOC) in which trainees were placed to triage a breaking cyber security incident, and ultimately get things back under control. Another engagement saw the team build a dark web mission control centre, where trainees play the part of undercover “agents” infiltrating and disrupting a cyber criminal group.
“We were thinking to ourselves: do we create something that is based on real life?” says Quarrie. “But then we were like, well actually, because it’s VR, let’s give people an adventure – let’s send them to an environment so memorable that they’ve not experienced before.”
“Let’s give people an adventure – let’s send them to an environment so memorable that they’ve not experienced before”
Simeon Quarrie, Vivida
According to Quarrie, this kind of exercise is more effective at imprinting why security matters on trainees, so that even if they are subsequently forced to sit through a horrible PowerPoint compliance exercise, the subject then seems more immediate.
This approach also seems to stick, as well – a perennial issue with traditional security training, which tends to dribble out of your brain after a few weeks, leaving your employer in the same place they started. Not an issue here, says Quarrie.
“Having spoken to some people, in some cases a year after they’ve gone through that experience, they are still talking about it because it’s so memorable,” he says.
“What we did with the experience is actually help visualise the other side [ie a cyber criminal’s point of view] and show what’s behind the phishing email, what’s going on, let’s meet the individuals and understand their motivation.
“As a result, when you go through everyday working life you now have a mental hook that you automatically reference to.”
Then, in January and February 2020, news started to filter out of China of a novel, fast-spreading strain of coronavirus. By March, SARS-Cov-2, and the disease it causes, Covid-19, had become a full-blown global emergency, and on 23 March, the UK entered a full lockdown to contain its spread.
The transition to remote working was a problem for Vivida, as quite clearly, VR is very much a presence-based technology. “If I’m honest, we almost shouldn’t be here any more, because we’re working with a technology that is almost a contact sport,” says Quarrie. “The brilliant thing about VR is that you have people in the room and you’ve all got headsets on.
“Now, we will get back to using that technology in the fullest capacity, but what we needed to do very quickly was understand how the world had changed and what organisations were going to be struggling with – essentially, how do we get across information on their mobile devices and laptops?”
Even more importantly, this needed to be done in a way that did not add to the tension and fear that people are feeling living through a crisis that is unprecedented in living memory. After all, a lot of cyber security could be termed quite scary stuff, and moving it beyond the confines of the corporate network, where most people think of cyber risk as someone else’s problem (ie the IT department’s), to their kitchen tables or spare bedrooms shows that home is not a safe space either.
“We’re having to deal with balancing people’s mental health, so we knew we needed to get these things across to people in a way that they enjoy, but that is still impactful and memorable,” says Quarrie.
The big challenge in this exercise has been building a sense of immersion in the narrative, such as you might feel in a VR program.
“It can be done in a couple of ways,” says Quarrie. “One is you can be immersive with the content so that you get drawn in, and that’s where the structure and science of storytelling come in. The other way is through the technology and being able to have interactions in the environment.”
Quarrie and his team addressed this by using the same tried-and-tested ingredients they used in their VR programs – storytelling, gamification and a sprinkling of humour. They created a Star Trek-style “holodeck” training simulator that loads different scenarios for trainees. One of these (pictured above), is a home office setup to explore the novel risks of remote working during the pandemic. Another is a phishing simulator.
They are accessible to customer users not on a proprietary platform owned by Vivida, but via the customer’s preferred learning system, and the hope is they will be just as engaging as the VR iteration.
“One of the hardest things for organisations to do is to get people engaged with content,” says Quarrie. “I think when you’re in a corporate environment, there is a certain ethos that means you might be more accepting of dry content. But when you’re at home and you’ve got Netflix, you’ve got your PlayStation, all of a sudden you expect the standard to resonate with that home environment, and that’s essentially what we’re now trying to do.”
Collaboration and support
During the course of 2020, Vivida has been supported throughout its development and pivot by the London Office of Rapid Cybersecurity Advancement (Lorca), a specialist security scaleup incubator, graduates of which have secured millions in funding over the past few years.
Young businesses moving through Lorca’s 12-month programme, which is currently working with its fifth cohort of 17 companies, get access to innovation and commercialisation consultancy, product development services and industry access, as well as partners including Queen’s University Belfast’s Centre for Secure Information Technologies (CSIT) and Deloitte.
It was a colleague who first brought the scheme to Quarrie’s attention, but at first, he says, scepticism kicked in. Would they want a percentage of the business? What was behind it? What were their motives?
“As a black entrepreneur, one of the things I have seen is you struggle sometimes to gain access to the right places, the right rooms, you’re not even sometimes aware of some of the rooms that exist, or some of the knowledge that’s there that you can tap into,” he says.
“Culturally, I was brought up with a sense that really no one’s there to help you. You need to just graft, and you need to work at it.”
Quarrie met with Lorca anyway, which put him in touch with one of his early clients, Lloyds Banking Group, for whom he created one of his original scenarios as a proof of concept exercise. Vivida ended up being invited to join what was then Lorca’s upcoming fourth cohort.
“I realised that, no, actually, these people are here to help me,” he says. “And that, for me personally, was a massive mind shift. It has really been beneficial.
“Before, everything was focused on the technology, but now we’ve also got an eye on scale and scalability and being able to get our content out there, and when the pandemic hit, to be in the middle of the programme and able to also pull on these resources like Deloitte, to get their insights, as we were going through that, was fantastic.”
Reflecting on his journey into the world of cyber security, Quarrie says he has been particularly struck by the collaborative nature of the sector. By its nature, he says, Vivida is a collaborative organisation itself – its training scenarios have been developed working alongside each client, to a specific brief.
“That’s why I’ve got some affection for these brands that we’ve worked with because each one of them has contributed to our journey, and in some way they’ve left this gift behind that enables us to keep growing and enables us to benefit other people,” he says.
“That’s what I’ve loved about the cyber security industry. It doesn’t feel like there are competitors. It feels like everyone’s moving together to work out how to overcome these common threats. I’ve really loved that. I’ve never moved into a new industry sector and been welcomed so warmly.”
Vivida’s online training platform was launched in September 2020, and interested parties can sign up for a full demo online.
Read more from The Security Interviews series
- Clinician and technologist Sam Shah helped set up NHSX in 2019. Now he’s helping advance digital transformation in healthcare from the outside, and a big part of that is addressing security in the sector.
- Crest president Ian Glover taught himself cyber security while working on government computing systems in the 1970s and 1980s. Now he is on a decade-spanning mission to change security consultancy models.
- Mike Lloyd, CTO at Redseal, holds 21 cyber security patents and a PhD in stochastic epidemic modelling from Heriot-Watt University in Edinburgh, so is probably the man to talk to when it comes to cyber security in the world of Covid-19.
- David Mudd of the BSI reveals how a pragmatic and realistic approach to security vulnerabilities underpins its internet of things kitemark, helping give users the confidence to buy smart devices safely.
- On the General Data Protection Regulation’s second birthday, Tim Hickman, a data protection lawyer and partner at White & Case LLP, discusses the regulation’s teething troubles and assesses how best to maintain optimum compliance.
- Alun Baker, CEO of Clario, is on a mission to rehabilitate the image of consumer security products and take the fear out of selling antivirus. We find out how things are changing.
- You may not make a million as a bug bounty hunter, but you might help remove some of the stigma that persists around cyber security, says HackerOne’s Shlomie Liberow.
- Check Point founder Gil Shwed discusses his Infinity Next concept and how he plans to remodel the world of cyber security in the next 10 years.
- F-Secure’s Mikko Hypponen discusses cyber weapons and nation-state threats, and explains why arms limitations treaties might one day expand to include malware and other threats.
- Ann Johnson, Microsoft corporate vice-president of cyber security, is on a mission to prove that artificial intelligence holds great promise for the security sector, and she has the analogies to back it up.