BAE Systems Cyber Security Special Report
At a unique cyber-security round table, Chris Price hears that co-operation between the big players and start-ups will be key to beating the hackers
The cyber-security industry is thriving. Latest figures show the sector is worth £6 billion. But as the industry grows, so do the methods used by cyber criminals to try to avoid detection. “The rate of change of the cyber threat is so rapid that there’s no silver bullet. There’s no one company that is going to solve it alone,” Neal Watkins, chief product officer, BAE Systems Applied Intelligence told a panel of experts at a recent round table event, brought together by BAE Systems and The Telegraph.
Watkins explained that what are needed are partnerships of companies working together to tackle the ever more sophisticated cyber threat.
Particularly important is partnering with start-ups. One of the organisations working with BAE Systems is Cyber London (CyLon), Europe’s first accelerator dedicated solely to cyber security start-ups.
“The reason for setting up the programme was to enable companies doing something innovative and creative to find ways to go from a great idea to something that really makes an impact,” Jonathan Luff, co-founder CyLon told the panel. By partnering with large companies such as BAE Systems, start-ups are able to scale their businesses quickly using the expertise and experiences of a large company while BAE Systems gets to help bring the best of a “diverse set of ideas, talent and capabilities” to their customers, said Richard Wilding, director of new ventures, BAE Systems Applied Intelligence.
For Paul Manister, CTO and co-founder of start-up Fabric, the relationship with CyLon and BAE Systems has not only meant access to large companies in the marketplace, which it wouldn’t have achieved so quickly, but also the credibility of partnering with an established brand with cyber security experience.
However, he believes that one of the biggest challenges facing the entrepreneur in the sector is liquidity. “The cyber threat is moving at the speed of light, but access to funding through VCs and government is slow and arduous,” he told the panel. “What’s needed is a way of unlocking capital more quickly.”
Part of the problem is that while there is some capital available through tax breaks for angel investors and some government backed funds, there are relatively few VCs who understand the cyber security sector.
“There’s a challenge around the expertise necessary to get behind cyber security software: to validate whether it’s safe to deploy; if it’s likely to solve a problem, and frankly not just bamboozling the investors,” explained Alex van Someren, general partner, Amadeus Capital Partners. He believes governments can help by supporting investors with their own expertise.
Another issue is that while there is some funding for early-stage capital investment there is often a reluctance among financial institutions to fund later-stage investment in cyber security companies, especially since the dotcom bubble. Consequently, many businesses have had to move abroad to find further funding. “We need to change that with the support of larger businesses, but it can be difficult when you have shareholders and their return on investment to consider,” said Andrew Cooke, a director at Atkins Security.
“It’s not just a problem specific to cyber,” added Mr Watkins. “It’s a problem for all tech start-ups.”
But funding isn’t the only issue for cyber security set-ups. “The chief security officer (CSO) who you are selling into is often the most risk-
averse person in the organisation,” Matt Ridley, VP of Winton Ventures told the panel.
For David Garfield, CEO and co-founder, Garrison Technology, many cyber security start-ups in the UK simply lack ambition compared to other countries such as the US and Israel where there are billion-dollar cyber security businesses. However, there’s no shortage of cyber security research in UK universities, with £450 million having gone into funding in around 200 different projects over the past five or six years.
For Tom Ilube, founder and chief executive of, Crossword CyberSecurity, said the challenge is to get the technology out there in the market. His company recently took a group of university professors to the US to visit Berkeley, Stamford, MIT and Harvard universities to see how they funded cyber security. What they discovered was that the US government was far more geared up to deal with start-ups. Not only has the Department of Homeland Security set up a Silicon Valley office, it’s also able to offer a contract to a business within 30 days if it sees a solution it likes.
“It changes the perception of people dealing with government, because as a start-up you look at government and think it’s going to take 18 months for anything to happen,” Mr Ilube told the panel. But according to Amadeus Capital Partners’ Alex van Someren, it’s not always a bad thing for governments to have a long procurement process. “It can help businesses become a bit more grown up – and frankly after you’ve dealt with government it’s easier to deal with corporate customers around the world.”
Differences between the US and UK aren’t just down to the procurement process either. There’s also a cultural divide. “The attitude towards failure in the US is very different. At Stamford when they get people in, the first thing they do is tell them to write their “failure CV” so people get used to the idea of talking about what worked and what didn’t work,” said Mr Ilube. He said attitudes towards success vary too, with US entrepreneurs typically starting up new companies over and over again,compared to the UK where they often just do it once or maybe twice
According to Mr Ilube, mentoring also differs between the US and UK with MIT favouring group-mentoringand mentoring through the lifetime of the company, rather than just through the start up stage. “Our approach in the UK is that you need one guy to mentor the chief executive for six months and away you go.”
However, the panel agreed that it’s not just formal mentoring that cyber security entrepreneurs need. For Fabric’s Paul Manister, angel investors have proved invaluable when it comes to giving useful advice while Winton Ventures’ Matt Ridley reckons advice from peers is equally useful. “Sometimes the best mentoring comes from CEOs getting together and saying ‘how did you solve this problem?’” he said. Start- ups could also benefit from those in larger companies joining them on secondment, something which BAE Systems is currently exploring.
Although progress is being made, according to Mr Ilube there is also more we could be doing in the UK to make cyber security appealing to start-ups. “For tech entrepreneurs, cyber security looks much tougher and less attractive than other areas like FinTech (financial technology) or app development,” he said.
However, the flipside is that, because the barriers to entry are higher, if you do break into the market you are going to have “greater access and less competition” added Mr Watkins.
Gender inequality in cyber security is another challenge. “In common with many STEM subject areas there is a clear bias in favour of male participants, which means we are missing out on at least half of potential participants and the intelligence and diversity they can contribute,” Amadeus Capital Partners’ van Someren told the all-male panel. But Amadeus insists it leaves its “radar set wide” when identifying particular participants for investment.
One of the recent trends is around the human factors that play an important part in security, such as training people to recognise phishing emails using gamification.
“Cyber security isn’t just about technology, it’s also about psychology and sociology,” said Mr van Someren. “It’s easy for engineers to believe that the most important solution is the thing with the most flashing lights, but in the world of cyber security, it’s often the behaviour of people that actually determines the outcome.”