artbase - stock.adobe.com
Security chiefs ‘too polite’ for startups, says cyber flywheel founder Alastair Paterson
Cyber flywheel initiative aims to nudge chief information security officers (CISOs) to join ‘design partnerships’ with startups to solve pressing cyber security problems
Britain’s corporate cyber chiefs are too polite when they deal with innovative startup cyber security companies. Chief information security officers (CISOs) prefer to be non-committal, rather than tell startup companies what is wrong with their product and why they won’t buy it – and that is not helpful for innovation.
That is the view of Alastair Paterson, CEO and co-founder of Harmonic Security, who is also the driving force behind the cyber flywheel, an initiative that aims to grow more successful cyber security startups in the UK.
CISOs tell startups that fail to impress, “maybe I will get back to you, I wish you the best of luck. Because they don’t want to say, ‘This doesn’t work for me’,” said Paterson. “What the startup needs to hear is, ‘I’m not going to buy this right now, but if you do A B and C, then I’ll be interested.’”
Paterson spoke to Computer Weekly following his second cyber flywheel event, hosted by the Foreign and Commonwealth Office in April. Around 150 people from venture capital companies and innovative startups, along with 50 CISOs, talked in person to see how they could work together to develop innovative technology.
Design partnerships
A closer collaboration between businesses, government and startups can often be found in places such as the US and Israel through design partnerships. It is common for CISOs to work with startups to help them develop solutions to their most pressing cyber security problems. Before Paterson founded Harmonic, a company which developed technology to secure use of multiple forms of AI in organisations, he spoke to nearly 50 CISOs to find out what they were struggling with.
“I didn’t tell them what I was planning to do at Harmonic, but I asked them a set of questions around the problem area of AI [artificial intelligence] adoption in the enterprise to try to understand their pain points,” he said.
At the end of the call, Paterson asked if they might be interested in a technology that solved those problems. He was looking for companies that were “jumping out of their seats” at the chance to get on board. “They are the ones that are going to invest the time with you and deploy the technology early,” he added.
How CISOs can benefit from working with startups
The UK, said Paterson, needs more design partnerships where companies and government work with startups to solve the cyber security problems that are not being solved by others, adding: “If there is one thing we can do to make things better, it would be to back our companies and foster those type of relationships in the UK, because that is where innovative solutions get created.”
He argued that CISOs and their organisations can benefit from working with a startup engineering team that is highly motivated to solve the security problems their organisations are facing. “The CISO personally can benefit because they are right on the bleeding edge and can understand what is possible,” he said. “It’s pretty cool if you have helped shaped early solutions and get known as an early adopter and an innovator.”
Companies that pitched at the Cyber flywheel in April
- Ossprey – detects and removes malicious code in open source software.
- Overmind – predicts and mitigates risks of infrastructure before it is deployed.
- Fortyx – AI powered data loss prevention.
- Refute – detects and responds to disinformation campaigns.
- Innerworks – AI powered security layer trained on real adversaries.
- Aisy.AI – prioritises fixing security vulnerabilities based on threat.
- Cofide – secures workloads and AI agents in any cloud environment.
There are notable exceptions but security leaders in the UK tend to keep startup founders at arms-length, making it difficult to develop collaborations. As a result, some UK startups have had to go to the US to find design partners. One reason is that, compared to locations where collaborations are the norm, the UK has a smaller number of cyber security startups for potential design partners to choose from.
The UK is around where Israel was 10 years ago, said Paterson, but he notes that it is changing fast as the UK produces more credible cyber security startups.
There can also be practical difficulties – for example, if organisations have sensitive data, such as healthcare records, they are probably not going to want to put that in a startup, which would more likely be an environment that has not been fully security tested.
But there are ways around that, such as by working with startups to develop proof-of-concept models and follow security standards such as ISO 27001, which provides a framework for organisations to protect sensitive data.
Top three problems for CISOs
If cyber startups are going to persuade companies to use their technology, they need to offer benefits that outweigh the disruption, effort and pain their technology takes to roll out. Most big business can run three proof-of-concept projects a year, so if they are to get a look in, startups need to solve one of the CISO’s top three problems.
“If it’s a top three priority and there is no solution on the market from the likes of CrowdStrike and Palo Alto, companies are going to want to engage with the startup,” said Paterson.
“The CISO personally can benefit because they are right on the bleeding edge and can understand what is possible”
Alastair Paterson, Harmonic Security
Government departments are engaging in the cyber flywheel and saying the right things, he added, but he would like to see more government CISOs forming design partnerships with startups.
At the meeting in April, 50 CISOs pledged to hold a 30-minute meeting with at least one of the startup founders present at the event. There were also spin-offs from the event, including a peer group where startups can come together and discuss the issues they are facing, and a WhatsApp group.
With Harmonic taking off – it has doubled in size to 80 people in six months and deployed its technology in more than 100 companies – Paterson has less time to run the cyber flywheel project, but he is hopeful that other people will step in.
“If you can get CISO’s agreeing, ‘This is our top set of five challenges that we are going to face over the next five years’, and then you put your challenges in in front of a bright, ambitious set of founders that want to go and build solutions, that would be a sort of magic,” he said.
Read more about the cyber flywheel
- Cyber flywheel aims to kick-start UK cyber security startups – Company founder rallies CISOs, venture capital funders and government leaders to back startups in cyber security
- Infosecurity Europe launches cyber security startups stream – Infosecurity Europe 2026 will feature a cyber security startup exhibition zone and a competition for business support, in conjunction with the UK cyber flywheel organisation.
