Plexal is the innovation partner to the National Cyber Security Centre (NCSC), as part of which we deliver NCSC For Startups, our programme that connects innovative companies with NCSC technical expertise to solve some of the UK’s most important cyber challenges.
We proudly hosted the NCSC For Startups Showcase at our Plexal Stratford workspace at the end of last year to demonstrate the hard ongoing work of our alumni community over a series of panel discussions. And as we look into 2024 and beyond, we feel it’s an opportune moment to share titbits from the conversations had during the showcase to understand how the leaders from our ecosystem are working to keep the nation safe online.
Our CCO and Head of Innovation Saj Huq set the scene as MC for the day, first welcoming Chris Ensor, NCSC Deputy Director for Cyber Growth, to deliver a keynote address to our audience of founders, leaders, mentors, investors and innovation teams from across government.
Chris detailed how the NCSC For Startups programme came into existence, with an internal realisation that, following a series of cyber security strategies being introduced, a space was required outside of GCHQ to allow for more innovation and diversity of thought to solve the challenges the organisation had visibility of. “[We saw] opportunity to break out to people with great ideas,” Chris said, detailing a desire of “engineering serendipity” to create meaningful connections between peers.
After experimenting with different phases involving various Cheltenham locations and groups of collaborators, the NCSC For Startups programme we jointly deliver today was born – harnessing private and public collaboration to embody the NCSC’s mission of making the UK the safest place to live and work online.
Everything is an experiment
Joining our ‘Everything is an experiment’ panel, which was chaired by Monika Radclyffe, Director of Innovation Programmes at Plexal, we heard from leaders whose businesses have evolved significantly over time.
Having joined the programme when it first began six years ago, a lot has changed according to Chris Wallis, founder of Intruder, an attack surface management platform that finds weaknesses in customer systems before they get hacked. “When we were on the programme in 2017, we started with 12 customers and there were just three of us in the company. Now we have 2,500 customers, so big progress,” he said.
Experimentation was key to get there and with a stipend used to travel between London and Cheltenham, Chris was frugal with the rest of his funds, even sleeping in a friend’s shed, which eventually paid off as it meant Intruder could appoint a CTO.
That hire laid the groundwork for what would become another game-changing moment for the company, Chris revealed, as the CTO recommended a credit card payment system that would allow people to sign up themselves and instantly try their product. “My question to him was ‘Nobody has ever asked to pay by credit card, so why should we do it?’ And he said, ‘That’s the whole point, people don’t want to talk to you’,” emphasising the need customers have for convenience and immediacy.
The pair compromised with an experiment in the form of a ‘Click here to buy now’ button, which would either be considered a failure if nobody clicked it or a green light to move forward to full payment infrastructure if it was used. The latter took place and, from there, the business continued to grow its customer base upwards.
Also on the panel was Charlotte Slingsby, CTO at Nettoken, which creates a simplified digital life for households as the first passwordless password manager for everyday internet users, who has a background in robotics and wind energy harvesting.
Upon meeting her co-founder Simonetta, the pair sought to tackle high social impact problems. “We started looking closer to home at the things in our daily lives that impacted us [and recognised] we all have personal cyber security. So, when we looked at the cyber landscape, which had amazing products but were intimidating to most people, we took that as a design challenge and started experimenting.”
Having explored hardware, dived deep into cyber security research and blockchain, they eventually landed with full focus on their software management platform. “It really showed the massive scope of cyber security, that there’s so much exciting experimentation that can be done and also welcome people with diverse backgrounds.”
George Brown, CTO at Porgiesoft, a specialist in anti-fraud and SMS-phishing cyber security solutions, pivoted from edtech following horizon scanning that took him towards detection of cyber bullying in schools. And Exacttrak’s founder Norman Shaw had his head turned in a new direction following direct guidance during the programme, he recalled. “We make embedded data security and device security, which is not what we started [doing at launch], but a few ideas from GCHQ and we [chose] to pivot to our technology.”
Meeting the mission
Our ‘Meeting the mission’ panel was chaired by Ruby Motabhoy, Innovation Lead at Plexal, and focused on a conversation with startups who have contributed to making the UK safer in direct support of government and critical national infrastructure organisations.
Daniel Ng, CEO at Cyber Owl, which helps asset operators in the maritime and critical national infrastructure sectors gain visibility of systems on their remote assets, covered his journey into the space.
“We were a piece of science that we needed to turn into technology that we needed to turn into product,” Daniel began. “Going from a problem that a scientific piece of research is trying to solve to a problem that an operation is trying to solve, there’s a huge bridge between those two things.” Acknowledging that “the programme has been a huge contributor to our success,” Daniel added that Cyber Owl today has a majority international customer base, given the nature of its work.
Further along commercialisation than the usual early-stage NCSC For Startups applicants, Ruby noted how Rowden, which manages digital fingerprinting of devices to help secure networks for government clients, already had an established customer base in place and queried why the company applied to the programme.
Pete Williams, General Manager at Rowden, explained there was a conscious decision to join the programme and experiment with the company’s business model in an incubated fashion. This meant adopting a small team approach to independently explore if there was a way to broaden the company’s product offering and make it more scalable, rather than undergoing a major organisational restructure to pivot Rowden without knowing if it was a practical step.
“Although part of a bigger, medium-sized company, I think we approached [NCSC For Startups] in a similar way to the rest of the cohort, which is why it was a great experience,” said Pete. “Rubbing shoulders with people, not just from inside the NCSC, but the founders, investors and other [ecosystem stakeholders], we hoped to stress test ideas and find something useful, and we did – it was really successful in that sense. We might be a slightly unusual candidate but I think that’s a really positive thing. We found having companies with different experience really valuable, so I think having a broader cohort is a really positive part of the ecosystem.”
Steering the conversation to compliance, a core – if less discussed – part of the mission, Ruby turned to Chris Clinton, CTO at Naq Cyber, which aims to make cyber security and data compliance easy, accessible and cost-effective. Having worked in the consultancy space, Chris saw that startups developing revolutionary products would have as many as 500 compliance-related questions to complete, which they’s be charged tens of thousands of pounds for by consultants, prompting Naq to automate that process for founders. And validating its work, the company has secured a €3m investment round in mid-January 2024, which follows on from a €1.4m injection in 2023.
“Our mission really is enabling businesses to take their innovation to the most complex markets like healthcare, defence, education and finance,” Chris detailed, “to bring them the innovation they need without compliance as a blocker. Compliance is massively increasing, whether it’s Cyber Essentials or NHS DSPT. [But] instead of increasing the security in the supply chain, it actually decreases the security of supply chain because [businesses] just don’t do it or can’t do it. So that’s where we come in to make security and compliance more accessible.”
The Human Factor
It’s often said humans are the weakest link in cyber security. So, discussing the role we all play within our respective organisations, Plexal Innovation Ecosystem Lead, Rob Kearney, led a session observing how complementary disciplines like behavioural science, AI and so on are making cyber more reflective of the human in the loop.
Kicking things off on whether the human factor is solved, Ben Graville, CEO at Visible, which empowers people to see their digital self, conceded that while businesses are more self-aware, it’s a different story for individuals.
“Cyber security isn’t sexy or something people talk about down the pub,” he said candidly. “It’s not something that excites people to want to make friends. So, the question in the consumer market becomes: how can we change the narrative?” He suggested the key is less about online safety education and incentivising people to understand the advantages, packaging up a protected online identity as something that can help an individual to be more successful, secure a new job, find a date and so on, with online safety an organic part of that. “So, you can lead with a message of hope and that should be something that people could be able to talk about.”
With organisations in mind, Tim Ward, CEO at Think Cyber, which applies behavioural science theory to deliver real-time, context-aware, on-device security interventions and nudges at the point of risk, is familiar with the traps staff may fall into. He noted that undertaking a compliance-based, tick box approach to security measures isn’t the best method, stating that many existing tools don’t solve the problem of behaviour – the real tripwire in his view.
“In reality, the way we behave is driven by the context we’re in,” said Tim, detailing that this isn’t just a knowledge and education issue. “If even an expert can fall for something or make a mistake, not because they don’t know, but they just click automatically because of a heuristics effect, then their knowledge is irrelevant. So, organisations need to rethink the way they’re tackling this to take a more behaviour-centric approach.”
Regarding staff specifically, Berta Pappenheim, founder of CyberFish, which has developed technology that plays out risk scenarios in a safe environment, draws on her experience of running exercises with over 1,000 cyber security professionals in the UK, Europe and Brazil. And she concluded: “There’s a huge issue in terms of what cyber awareness means after tech is compromised. How do you deal with that breach? How do you communicate? How you make decisions and move on?” Berta reasoned that soft skills around a cyber security event are often forgotten but can be as valuable as a well-planned technical response.
Fellow panellist Rachel O’Connell, CEO at TrustElevate, which offers a privacy platform for handling children and young people’s data, cautioned the rise of AI and children’s access to the technology requires major consideration. “As a society, we have a lot of difficult questions to ask ourselves. You know the philosophy of move fast and break things, it’s like break what? Society? Childhood? Wellbeing? It’s very multifaceted and complex.”
Possessing an ambition to change how parents and children engage with companies online, thereby removing parental fear, Rachel hopes to shift the balance for more corporate responsibility. “Instead of people saying, ‘parents, you have to watch your child’s every move online,’ companies need to know age bands of users and create age-appropriate spaces to minimise and mitigate the risk,” she said, likening this to installation of bouncy tarmac in playgrounds for better regulation and accountability.
The Road Ahead
Plexal CEO Andrew Roughan led the final discussion of the Showcase, reflecting on the progress of the cyber ecosystem we’ve successfully built with the NCSC through NCSC For Startups while simultaneously looking to the future of the community we’ve grown together. “It feels like we got to a good place in 2023,” Andrew stated. “And when we look forward to an equivalent timeline in the next five years, I think there’s even more to come.”
Pointing to Cheltenham as a prime example and the opportunity Golden Valley presents, with its hyper-local community in tandem with national characteristics, Andrew added this combination positions us well for global organisations to explore the innovations we’re working on.
For Simon Arnell, CEO at Configured Things, which specialises in cross-domain configuration management, to safely build systems with trust boundaries, he’s already found that working with the NCSC in Cheltenham means he has access to a rich blend of partners, from government teams to industry and academia. “There’s a uniqueness to come together to solve mission problems and for me and what can happen with Golden Valley, I see that as a massive scaling up opportunity.”
Acting as the genie of the lamp, Andrew presented his panel with the opportunity to reveal what they’re looking for on the road ahead, enabling them to make their one wish known to the world.
Giles Watkins, CEO at Cyntegra, which enables complete recovery from ransomware and cyber attacks, opined: “I think the people in government infrastructure don’t realise how valuable they can be to organisations like us. The doors they can open to new conversations are immensely valuable and all it takes is a little email introduction. That would be my one wish: that people would open their black books.” Andrew countered this by encouraging Giles and other founders to also be bold and ask upfront for connections, aware that many members of industry would be all too happy to share their details.
Meanwhile, Vivian Dufour, CEO at Meterian, which gives continuous protection from cyber and IP breaches caused by software vulnerabilities, would wish for a guardian angel to act as an ever-present advocate. “I think NCSC and Plexal have done a great job [of creating access]. I never thought I’d be working so closely with government addressing national security issues and real problems.”
Noting that people changing roles and responsibilities within large organisations can lead to a breakdown in communication, Vivian pointed to the power of advocacy. “We’re making change and the more we can help each other and band together, I think the bigger impact we will have,” she added.
Closing with his dream, Simon detailed: “It’d be ensuring that other [NCSC For Startups] alumni have the same collaborative spirit. What we’re doing is great – but what I’d like to see is the opportunity for UK society. We’re all here to try and make the UK the safest place to live and work online, then that’s something we’ll have to come together to do.”