Phil Muncaster investigates how to make it big in a sector already worth billions
The UK government is betting big on cyber. Post-Brexit, the country’s fortunes increasingly rest on the ability of ambitious entrepreneurs to turn innovative ideas into multibillion-pound companies. Yet when it comes to cybersecurity, there’s another goal: making the country the safest place in the world to live and work online. The government’s hunch is that this will attract more inward investment and help to stem losses to cybercrime – a type of crime that makes the UK and virtually every country in the world poorer every year.
It’s a sector already estimated to be worth nearly £9bn – one that employs 50,000 people and contributed over £4bn to the economy in 2020. In fact, despite the pandemic, the industry attracted a record £821m in investment across scores of deals, more than doubling the amount recorded in 2019. Yet this doesn’t make it any easier to launch a successful start-up. In fact, it’s harder than ever to get a foot in the door and find the right partners to grow a company.
NCSC for Start-Ups
In June 2021, the government upped the ante with the launch of NCSC for Startups. A successor to its popular NCSC Cyber Accelerator program, which helped more than 40 tech companies raise over £100m in external investments, the new initiative is open to start-ups at any stage in their journey. The hope is that access to National Cyber Security Centre (NCSC) technical expertise will help focus ideas and mature products.
Saj Huq is head of innovation at Plexal, one of the organizations helping to run the initiative. He argues that accelerators of this sort are hugely important, as even the most successful businesses in the world rarely make it on their own.
“Start-ups can create a virtuous cycle by working with industry and the government early on to gain insights that will help them build solutions the market needs, as well as pilot solutions to show how the technology can be used in the real world. This can lead not just to contacts, but to investment. It demonstrates to investors that there are demand signals – especially for pre-revenue start-ups – and therefore a market need for a start-up’s product,” he tells Infosecurity.
“Start-ups can create a virtuous cycle by working with industry and the government early on to gain insights that will help them build solutions the market needs"Saj Huq
“Start-ups at the early stages are most vulnerable and have most to gain from taking part in accelerators and playing an active role in the cyber ecosystem. As they build their technology, they also need to build their networks and access support, with everything from how to navigate a government contract to how to communicate what they do effectively – something many in this sector struggle with.”
David Woodfine, co-founder and MD at consultancy Cyber Security Associates (CSA), agrees that the NCSC program provides an “excellent opportunity” for start-ups to gain a foothold in the marketplace. However, he questions whether it goes far enough.
“Attracting new investors will, of course, be underpinned by the products and services a cyber start-up has to offer, but it is their strategic business plan which will attract interest,” he tells Infosecurity. “It is not about where the start-up is now, but where it will be in five years. Advice and support that enables the start-up to build its vision and objectives over this period will prove invaluable.”
It should also be remembered that VC funding doesn’t have to come from the UK, or even Europe, adds former start-up entrepreneur Ian Pratt, now global head of security for personal systems at HP Inc.
“You don’t need to restrict yourself to local firms. In fact, my last two companies were funded by Silicon Valley VCs,” he explains to Infosecurity. “Knowing your audience, the problem you are solving and who it will be most useful to is essential. The marketplace is crowded, and as a start-up, you must be laser-focused. Focus is the start-up superpower, and you have to make sure you don’t squander it by getting distracted.”
A Foot in the Door
So once you have the focus, the strategic business plan and the ambition, how can you turn that into meetings with prospective investors, customers and partners? Plexal’s Huq warns that the industry is saturated with smaller players, making the job for potential technology partners of finding the right start-up for a specific challenge akin to finding a needle in a haystack.
HP’s Pratt argues that credibility and thought leadership are vital for any start-up founder.
“When targeting enterprise businesses, it’s about finding the forward-thinking CISOs that want to escape the status quo and are willing to try new things. This is a particularly good strategy in security, where doing something different often has benefits. With many security technologies, being an early adopter gets you the biggest win, the benefit diminishing over time as the approach becomes more popular and the bad guys invest to work around it,” he explains.
“Security is typically a top-down sale, which begins by talking to the CISO or CIO – although that isn’t ideal for a start-up. Getting in front of CISOs is tough, especially since the pandemic. So, start-ups should consider creating a go-to-market strategy based on grassroots ‘bottom-up’ adoption, if possible, although this approach typically hasn’t fit with many security solutions.”
For Mykolas Rambus, co-founder and CEO of cybersecurity start-up Hush, local angel investor networks, founders of large security companies and accelerators are all good places to start. However, he warns that raising capital is a numbers game, whereby founders need to be introduced to “high double-digits” of potential investors before even securing meetings.
“Raising money is a full-time job. For customers, it’s key that cyber start-ups understand their buyer’s mentality and that they are one of many companies pitching for an organization’s business,” he tells Infosecurity.
"To cut through the noise, a cyber start-up’s marketing outreach needs to be sleek and concise. In addition, those efforts need to be targeted at cyber industry visionaries – who are often highly visible with speaking engagements and content they’ve published and open to finding the next great solution.”
Making an Impact
Once in the room, how do you impress? Dan Patefield, head of program, cyber and national security, TechUK, urges start-up founders to keep it simple and not get lost in technical detail.
“The key here is to create the clearest possible value proposition and outline how people can harness the product to provide a better business outcome,” he tells Infosecurity. “What problem is the product solving? Why does it solve it better than alternatives? More broadly, we have to look at cybersecurity as a key business enabler, underpinning everything organizations do.”
Plexal’s Huq agrees, adding that successful entrepreneurs often working at the cutting edge need to focus on helping investors and customers expand their understanding of the problems they’re working to solve.
“They should never over-promise and under-deliver. Be pragmatic when it comes to timescales and set clear KPIs as this will build trust and help everyone understand what success looks like. Investor risk appetite is traditionally cautious in the UK compared to the US, so outlining your proposition clearly and making sure you have the basics in order is important,” he concludes.
“Finally, establishing your business as one that follows good practice in areas such as corporate governance, sales processes, security posture and people management can be a real differentiator.”
The market’s sheer size also makes interoperability an increasingly important concern, argues techUK’s Patefield.
“Organizations are relying on an ever-widening number of technologies for their cyber postures, meaning collaboration amongst vendors is critical,” he notes. “We often see SMEs engaging with larger corporates and between themselves to compliment capabilities and create clearer, more compelling offers for the market.”
That seems to perfectly sum up the mind-boggling blend of sometimes conflicting traits expected of the modern start-up founder: single-minded determination mixed with a willingness to collaborate; a laser-focus on technical detail, combined with an ability to simplify. Perhaps most important of all, however, is a healthy handful of luck.