Accelerating Great British Cybersecurity Startups

Written by

Successful businesses are all different, but the problems that start-ups face are, if not exactly alike, common. Challenges include turning ideas into marketable services or products, finding seed money, acquiring first customers, creating and managing growth, and the mechanics of finding office space. Numerous cybersecurity accelerators, each with their own focus, business model and goals, hope to fill this need. In terms of investment spending on cybersecurity, the UK is third in the world, behind the US and Israel.

James Chappell, CEO of Digital Shadows, highly recommends participating in cybersecurity accelerators, based on his experience (see sidebar). “Definitely participate in these programs,” he advises.

CyLon, which focuses on enterprise security and protecting data, provides £15,000 in return for 3% equity. It also operates HutZero, which is sponsored by the Department of Culture, Media and Sport (DCMS) and is intended to enable individual entrepreneurs to turn the ideas they have into reality. GCHQ Accelerator takes no equity and provides no money, but matches new businesses to in-house technical expertise to expand its mission “beyond the wire.” Cyber39 is made up of 26 cybersecurity-oriented businesses within Level39, a subsidiary of the Canary Wharf Group aimed at building an ecosystem of successful businesses; it offers reasonably-priced, flexible office space, infrastructure and a community of other start-ups at various stages.

A Variety of Backgrounds

“Most people who join us have been through academia, but will have generally had some background in business,” says Michael Francoise, CyLon's program director, noting that its cohorts are increasingly global.

CyLon hosts a new cohort of eight companies every six months and provides in-house mentoring from CyLon’s team, its founders and others with experience in the information sector or the operational world of startups, including CISOs and investors. Francoise believes most join for the mentoring program, and says the £15,000 is “just enough to make them commit fully to the program while they’re here.” Most join just before they reach “minimum viable product.”

The DCMS-sponsored HutZero, which CyLon runs in collaboration with the Centre for Security Information Technologies at Queen’s University Belfast (CSIT), is more like CyLon was at the beginning: a week-long bootcamp followed by three months of occasional mentoring, Francoise says.

Of the 45 companies that have finished CyLon’s program, 41 were selling and growing, and a few were growing very fast.

James Hadley, CEO of Immersive Labs, an immersive cybersecurity training platform, was accepted to both CyLon and CSIT.

Based on his experience as an instructor at GCHQ’s summer school, he found that “academic background had little impact on the ability to pick up cybersecurity skills.” More important are abilities in problem-solving, troubleshooting, analytical thinking, perseverance and research. When he applied, he was still a solo founder in his spare room.

“Academic background had little impact on the ability to pick up cybersecurity skills”

A Shove in the Right Direction

“The main benefit in being accepted onto the programs was that it made you decide to do it and put everything possible into it,” he says. Being accepted also felt like a “shove in the right direction that I was onto something.” Joining CyLon meant leaving his young family for most of the 13 weeks, but it also meant he could concentrate on the business.

He did the two programs simultaneously; CSIT is longer, free and non-residential – it aims to match businesses up with those working and studying at Queen’s. “So we got an engineer dedicated to our project to help fix problems at no extra cost.”

Experienced hands typically warn newcomers to hoard their equity. Hadley says it depends on the stage of the company. “In our case, the value was fantastic. We wouldn’t be where we are today.” Immersive Labs now has 20 staff and paying customers in six countries; with TechVets it has launched a digital cyber academy for veterans transitioning out of the military.

GCHQ Accelerator derives from years of government cybersecurity strategies. The accelerator is a partnership between GCHQ, the DCMS and Telefónica’s accelerator, Wayra, which provides office space and administers and selects the cohorts. GCHQ’s goal is to take its own expertise “beyond the wire” and work actively with outsiders.

“We believe we have two things,” explains Chris Ensor, deputy director for cyber skills and growth at the National Cyber Security Centre. First, he lists “insight into the problem space,” because GCHQ itself sees the problems infrastructure organizations and government face. Second, it has experts with ideas about how to solve these problems, but who may lack the entrepreneurial and business skillset necessary to make them into marketable products and services.

Accordingly, GCHQ Accelerator partners its own people with small companies, hoping to be able to cross problems off its list. The accelerator takes no equity, but provides both technical expertise, guidance and a proving ground to test and validate new ideas. “We have a lot to learn about how we do this kind of thing,” Ensor says. “The emphasis for me is about getting new companies out there, but also behavior change for us as an organization – doing new things in different ways.”

Current program member John Fitzgerald, founder of Secure Code Warrior, a platform aimed at helping developers write secure code, says it takes substantial effort; all companies spend several days a week in Cheltenham throughout the program’s nine months. Afterwards, there will be continued support and regular meetings with other alumni to share experience. “I learn a lot whenever we engage.”

Cyber39 also takes no equity and has no fixed cohorts. Instead, says Asif Faruque, Level39’s head of content, it charges a monthly fee depending on the type of membership, and assesses applications as they come in. It offers reasonably-priced, flexible infrastructure. In its years there, Digital Shadows has moved from shared working space to private space to a mid-sized office, to a large office. It is now considering opening its own new and bigger office nearby.

“There are three things we say we provide,” Faruque explains. “Access to high-quality infrastructure; a really smooth, easy way to connect and engage with customers; and one of the best places for businesses to support and hire their talent.” Cyber39 often invites the companies’ customers to visit and mingle, and provides its members with workshops, seminars, delegations, meetings and client events. “There are very few places in London where there is such a regular stream of people with budgets, desires and needs who want to come and meet startups.”

Level39 looks for the ability to mix and work with its existing community, typically fintech, data enterprise technology or cybersecurity. Businesses also need to be able to show they can pay the bills, so they need some existing funding and backing from investors. “They often join after finishing an accelerator program,” he says, “when they decide they now have enough momentum and a little more cash.”

Getting the Best Out of Accelerators

“CyLon is the best thing that ever happened to us,” says James Hadle. However, making that dream come true required discipline. He advises to “be very structured in how you’re going to get the maximum value out of the process.” As the number of introductions and available mentors can become overwhelming, keep good notes, prioritize and decide how to divide your time among the many opportunities that present themselves. After CyLon’s speed mentoring day, “you need a process in place to follow-up with all the people you said you will.” If you don't, you risk both failing to follow-up on a potentially beneficial lead and being tagged as unreliable.

James Chappell warns that it’s crucial to keep your eye on your long-term goals. “Deliver value for shareholders, even if the only shareholder is yourself.” He also advises: “if you go in with a nine-to-five perspective, you won’t get the benefits.”

John Fitzgerald says it’s important to ask for what you need. “Good participants show up and say, ‘I need help here, here and here. Is it possible to make this happen? Who should I talk to?”

Hadley also notes that completing one accelerator program often leads to approaches from other accelerators hoping for more members. He warns, therefore, against becoming ‘accelerator junkies’. There are, after all, only so many times you can go through sales and marketing workshops, advice on research and development tax credits, product-market fit workshops and so on. “At some point you have to take ownership of your business and drive sales to sustain growth.”

None of the accelerators promise success on what remains a very hard road. However, “cybersecurity is different to the usual technology sector,” Francoise says. “Sales cycles are so long and the sector is so based on trust that it’s very hard to get the first few sales going. What we see is that when a company starts to sell and have regular recurring customers, they've made it. After that, it's all about scaling, growing, and staying ahead of the rest."

Case study: Digital Shadows

Digital Shadows, which monitors, manages and remediates digital risk across the visible, deep and dark web, went through four programs.

The first was InnoTribe’s Startup Challenge, a fintech-focused competition backed by SWIFT, the financial telecommunications network. The program required Chappell to learn to pitch the nascent service to investors and customers. Digital Shadows made the final 10, and came in fourth after presenting to an audience of venture capitalists, bankers and technologists. In the process, Chappel evolved the description of the service and improved the fit of some of the technology stack.

Next, Digital Shadows came in second in the Cisco Gateway British Innovation Awards. There, the company pitched to prospective partners and customers, and were mentored by experienced entrepreneurs who provided valuable feedback. Its second place showing helped the unknown company get valuable attention.

The experience Chappell now values most came next: the FinTech Innovation Lab, a program where Tier 1 banks mentor start-ups. This 12-week program provided a well-defined curriculum including briefings from experienced people on commercial, financial, legal and planning aspects of business. More importantly, Digital Shadows worked directly with security departments in four institutions, which allowed them to develop its web interface prototype in consultation with its user demographic. “The relationships we had from that turned into customers we still have today.” After that, the company had substantial revenues and backing from Passion Capital.

The FinTech Innovation Lab was the first program held at Level39, and Digital Shadows has been based there ever since, using its flexible arrangement to move gradually from a shared working space to a large office.

What’s hot on Infosecurity Magazine?