This article is part of our Essential Guide: Information security in 2022 – managing constant change

The Security Interviews: Building the UK’s future cyber ecosystem

As the government lays out the next iteration of its Cyber Security Strategy, we speak to Plexal and Lorca’s Saj Huq about his work building a cyber ecosystem to support the UK’s future ambitions

The website of the firm of architects that created the 66,000ft2 Plexal innovation centre as a legacy of the 2012 London Olympics speaks of a “contemplative place to work”, a “bustling entrance for visitors”, “flexible hot desking” and “a café zone”. On my last visit, pre-Covid, the place felt every inch the hipster tech hub, a fitting home for the creatives of the young, dynamic East London tech scene. There was even a falafel stand.

Two years later, on a brisk, bright day at the end of November 2021 (even as news of a concerning new variant of Covid-19 called Omicron begins to trickle out of South Africa) the place is so empty and cavernous that, depending on one’s risk appetite, it feels quite safe to dispense with a facemask.

But that’s not to say Plexal has been gathering dust since March 2020. Indeed, as we tread the complex’s “High Street”, peering in at a series of rooms where small knots of people cluster intently around their workstations, Saj Huq, cyber security lead and CCO at Plexal, says that even though it’s not busy as such, the hands-on nature of technology development means that even in the darkest depths of lockdown there was still loads going on here.

And regardless of whether the pandemic lasts a few more months, another year, or longer, it’s going to get busier still. Just a few months ago, Huq onboarded a staggering 107 cyber security startups and scaleups to a new Cyber Runway programme, a tech accelerator focused on addressing the most pressing cyber challenges – ransomware, fraud, and the like – that the UK currently faces.

It’s the largest cohort of new security businesses ever assembled in the UK, and by some margin the most diverse – with 45% of the firms led by women, and 52% by people from black, Asian and minority ethnic (BAME) backgrounds.

It’s also more regionally diverse than ever before, with half of the companies based outside of London and the South East. Huq says that for many of them, the Plexal facility – which is very handy for trains, just eight minutes from Stratford to St Pancras on HS1 – can serve as a perfect base camp to establish their presence in the capital, with all the opportunity that affords.

“We see an opportunity to work much more regionally, specifically to try to join up key nodes in the cyber security sector in the UK, between London, Cheltenham and Manchester, for various reasons,” Huq tells me.

“London is part of the global technology ecosystem – a lot of global industry is based here, and it’s a gateway to the rest of the world. Cheltenham, because of the government capability there and the specialist ecosystem of SMEs and partners that exists around it, with depth and expertise in cyber. Manchester marries both aspects of London and Cheltenham, in our view, with an existing tech ecosystem, and a huge movement of government there wanting to plug into that ecosystem.”

From national security to cyber security

You might be forgiven for thinking that Huq, who at one time trained to fly with the RAF, trod the standard military path into cyber security – through signals intelligence, GCHQ, and so on. But in his case, the path was less obvious – an unscheduled career change first saw him move into consultancy, where he ended up working on technology projects at the likes of Deloitte and PwC.

“I had a burgeoning interest in cyber security and I supported a number of large cyber security transformation programmes, typically in financial services,” he explains. “Coupled with that, I had always had an interest in innovation and entrepreneurship.”

Huq graduated from advisory work to take on operational responsibility for a major digital transformation project, a large part of which was cyber-related. From there, the combination of experience made it an easy jump to Plexal, and ultimately Lorca within that.

“What personally motivates me is I’ve always been a mission-oriented person,” he says. “It was actually something I found difficult to square when I left the military and joined the commercial sector, but the work we do here is very mission-oriented.”

More latterly, the worlds of national security and cyber security have met head-on with the emergence of digital, tech-enabled warfare capabilities, and threat actors backed (covertly and openly) by nation states considered hostile to the UK and her allies. With a foot in both worlds, Huq spies opportunity here.

“Technology has become much more central to national security in terms of execution of operations, and as a result of that, technology becomes more centralised and there is greater opportunity for collaboration with the private sector. The integrated defensive security view talks a lot about that in terms of ecosystem engagement,” he says.

Indeed, Westminster’s new £2.6bn National Cyber Strategy comprehensively highlights the importance of the cyber ecosystem in helping meet government policy.

“That’s the role Plexal plays in terms of building those ecosystems, integrating public and private capabilities, and bringing the best people forward with the best products to meet the right opportunities, whether they’re in the public or private sector,” says Huq.

Inside the Plexal process

So what is the process of moving through a Plexal-delivered programme like as a cyber startup or scaleup? Huq sees its specialism as helping to shape an organisation’s innovation strategy and providing for them an ecosystem of other organisations and services to lean on as they aim to meet their strategic requirements.

“We help them shape that and then we can execute against that plan on their behalf,” he says. “We’re doing that at the moment for a number of large technology organisations in domains including not just defence and national security, but also space technologies or the health sector, all with a cyber security slant. We’ve worked with over 280 companies in various guises over the past three-and-a-half years.

“Startups are important for enabling the concept of secure by design because they’re typically starting from a blank sheet of paper, they’re not encumbered by legacy technologies. I want to ensure that we don’t create the legacy of the future by forgetting about security”

Saj Huq, Plexal

“As a result, we have quite a broad spectrum of companies across multiple stages, but also different category areas of products, and also different sets of focuses. That’s where we think we can help companies or startups if they come to us specifically, not just to receive benefits such as potential business opportunities, but also help them shape how they can potentially pivot into new markets as well, given our breadth.”

Huq speaks of an ongoing “horizontal polarisation” of security, with a growing need to embed security into pretty much every element of technology, which, in his view, makes it hard for entrepreneurs to zero in on areas of relevance and work out how to secure the increase in digitisation across sectors.

Plexal has a role to play here, Huq believes, by helping new business leaders understand concepts such as “secure by design”, particularly in sectors that may not have previously thought about cyber as core to their business.

“From an enablement perspective, it allows them to create better products, it allows them to launch new technologies, and it allows them to secure their own supply chain, because they can now understand these concepts in a way that is relevant to them,” he explains.

“What we’re doing to enable that is running events with a broader cross-section of industry, not just security companies. Likewise, we’re going to look to bring in programmes where we can pair security and non-security experts together around a broader digital proposition, or product, so that security can genuinely be thought about at the point of conception of new products and services,” says Huq.

“Startups are important for enabling the concept of secure by design because they’re typically starting from a blank sheet of paper, they’re not encumbered by legacy technologies. I want to ensure that we don’t create the legacy of the future by forgetting about security.”

Skills and education

Security being as much a human problem as it is a technical one, there is also a growing need for cyber startups to innovate around people, something Huq says may have been neglected until recently.

“We identified a specific company, Capslock, who were deploying a new type of business model aimed at helping people enter the sector or reskill from previous jobs, an absolutely brilliant business and we’re really proud of them in terms of how they’ve grown,” he says.

With cyber skills development having been traditionally focused on training platforms – which still have their uses – Capslock’s business model sets out to lower the barriers for people to enter the security sector if they come from a non-traditional background or lack the financial resources to get themselves started.

“They basically defer any fee structure, akin to a student loan, until you are earning over a certain amount after they’ve put you through a training process and placed you into an organisation,” says Huq. “I think they’re now the largest provider of income share agreements in the UK, after formal academic institutions. They’ve really helped diversify the supply chain of talent in the sector and, as a result, they’re forming partnerships with DCMS [the Department for Digital, Culture, Media & Sport] and other government departments that are amplifying what they do.

“So there is definitely a people aspect to the innovation process and I still feel that more needs to be done there – it’s great to see startups like Capslock doing really well.”

Read more from The Security Interviews series

Read more on Security policy and user awareness

Data Center
Data Management