Empowering Cyber Startups in the UK

This is Recorded Future, inside threat intelligence for cybersecurity.

Dave Bittner:

Hello everyone, and welcome to episode 165 of the Recorded Future podcast. I'm Dave Bittner from the CyberWire.

London has, for centuries, enjoyed its status as one of the cornerstones of the global economy. So it makes sense that it would also be a beacon of innovation and investment in cybersecurity.

Our guest today is Jonathan Luff. He’s the co-founder of Epsilon Advisory Partners and CyLon, an incubator for early-stage cybersecurity companies based in the United Kingdom. He discusses his story of his early career in public service, sharing his talents and expertise around the world, his transition from public servant to entrepreneur, and why he believes the U.K. is well positioned for leadership in the growing global cybersecurity industry.

Jonathan Luff:

I'm not by background a tech person. I come from a liberal arts background. I studied politics and languages at university, and I was fascinated by international affairs. I was always interested in history and politics, and that developed into a study of international relations. So, I studied at two universities in the U.K., Newcastle, which is in the north of England and a master's degree at Bristol University in the south.

It was really while I was at Bristol that I developed an interest in joining the foreign service. I sat the exams for the foreign service while I was at university there, and I joined the British foreign office in 1998. And that took me on a fascinating professional journey. I had the opportunity to study Arabic while I was in the foreign office. And that took me to the Middle East, where I had a couple of postings, including some time spent as advisor to U.K. and U.S. military forces during the Iraq War in 2003.

And over the course of my government career, over the course of my foreign office career, I increasingly focused on national security issues. So, things like counter-proliferation, counter-terrorism, and cybersecurity. And so that really took me further towards the work that I now do. But really, my leap into the startup space and the work that we now do with cybersecurity companies, that was triggered towards the end of my government service.

I spent a couple of years as an advisor at Downing Street, our prime minister's office. That was 2010, 11, 12. And around that time, there were a number of reviews taking place into U.K. national security. And out of that flowed some very interesting work around cybersecurity as a tier one national security threat. I was involved in some of that work, and after leaving government, decided to make it one of the things that I would focus on.

Dave Bittner:

What are you involved with today? What is your day-to-day like these days?

Jonathan Luff:

Well, since 2015 with my cofounder, Grace Cassy, who was another friend of mine from foreign service days, we wanted to put in place a way to support entrepreneurs in the difficult early days of establishing a cybersecurity company. We had seen in our time in government that this was one of the most important challenges and opportunities of the decade. And we felt there weren't really any systems or structures in place to provide the support that was needed. This is a fascinating but complex area of technology and business. And while there were some fantastic institutions in the U.K., there were already a number of significant companies operating this space. We couldn't see the number of innovative new companies emerging that we expected to see and that you found in somewhat more mature ecosystems like the U.S. and to some extent, Israel.

We started CyLon, and CyLon was in its early days an experimental accelerator modeled to some extent on programs like Y Combinator, but dedicated to cybersecurity. We initially ran a three-month program in London, and it's really grown from there. And over the last five years, we've run 10 programs in London and four programs in Singapore, and we've had upwards of 100 companies come through those programs. So, we spend our days running those programs, finding and supporting those entrepreneurs. And then continuing that support once they leave the program.

Dave Bittner:

Can you give us some insights on the state of cybersecurity and entrepreneurship there in the U.K.?

Jonathan Luff:

Yeah, well, I think it's developed significantly, certainly over the ten years that we've been really focusing on this. And definitely we've seen that over the five years we've been running CyLon. There really wasn't a community of cybersecurity startups here in the U.K., back in the first part of the last decade. We've helped to catalyze that community here and there is now a thriving startup ecosystem right across the range of technologies, but definitely in cybersecurity.

And I think there are some really quite successful companies that have been set up and developed here over the past five years. And it's now very much part of a broader technology ecosystem here in the U.K. And part of the reason for that is that the U.K. has a good reputation in this space, but it's also a good place to set up a business. If you're from somewhere else, historically, it's been a draw for talent globally. And we certainly saw that in cybersecurity, we could see the talent in cybersecurity was very much distributed around the world. It wasn't just in isolated pockets. And we found many people wanted to come and join our program and get their business started in the U.K. And, as a result, there are now tens, if not hundreds of interesting small companies in this field.

Dave Bittner:

Is there even a geographic advantage of being where you are? I'm thinking you're equidistant to some of the other important centers of cybersecurity.

Jonathan Luff:

There's no question. I think Greenwich Mean Time has been a competitive advantage for the U.K. in many different areas of business and finance over the centuries. I think it gives us a genuine advantage being, as you say, in time terms, equidistant between the economies of the Americas and those of the Middle East and Asia. And that definitely helps. Having the economies of Europe on our doorstep and over the last 40 years, at least strong connections to those economies has been helpful.

London has been a melting pot for anybody trying to start a business and seek finance. And I think the world does come to London, or at least it did until we were hit by the pandemic. I think it will nonetheless emerge from the current crisis as one of the world's great global cities. Geography matters in business and it's certainly been helpful to the development of the cyber ecosystem here.

Dave Bittner:

Can you describe for us some of the things that you witnessed as cybersecurity grew in importance when you were a part of that diplomatic area of the government? When you're doing that sort of work. What are some of the things that you saw as cyber took its place?

Jonathan Luff:

Yeah, that's a great question Dave, because interestingly, I think this is one of those areas of technology. There are others, but let's just look at this one. It's one of those technologies where, for a number of reasons, particularly reasons of national security, that advances in this area of technology have for a considerable period been the preserve of national governments and for the organizations that serve them. Certain areas of technology were preserved, and certain areas of technology were given investment and support. Cybersecurity was definitely one of them.

I think for a long period, the government was more advanced in this area than the private sector, at least in certain areas it was. And that's not necessarily the norm. You often find more innovation or more advanced technologies in other areas of the economy or our lives. I think because of its place in defense and security, cyber has been well understood. And the technologies that underpin cyber have been very much a part of government work.

Now, I think what we've seen is a transition over the last 20 years where cybersecurity has emerged from that niche within defense and security and government, and has emerged as an absolutely essential part of all our lives. So, I think there has been a transition where innovation no longer is the preserve of certain sensitive or secret or specialized parts of the public sector. Much more often these days, innovation is found in the private sector in cybersecurity, but there's still a very important relationship between government and the private sector in this space. So, it's a fascinating sector to explore. Quite a lot of investment dollars and pounds is still going into companies established by people who have experience in the government sector or working in defense or security precisely because there are some rather unique skills developed in those organizations.

Dave Bittner:

What are the things that you're looking for from the companies that you're supporting in your incubator space? What are the elements that a company needs to have in order to catch your eye?

Jonathan Luff:

We operate at a very early stage. Many of the entrepreneurs, or many of the companies that join CyLon, are right at the start of their journey. That means we are really looking for talent and potential, and we have taken from the outset, an approach that differs from some other programs by not seeking to prescribe, not seeking to be too prescriptive, rather, about the technologies that we're looking for. We are defining, or we have always defined cybersecurity broadly. We've defined it as anything that really contributes to the resilience and security of the digital economy. And that encompasses a broad range of technologies.

So, rather than say that we're looking for something particularly interesting in this area of security or that area of security, we've asked founders and entrepreneurs to tell us what they think is interesting, and to convince us that it is. What that really comes down to is a combination of talented founding teams with a passion for the technology and the business idea that they're working on. And from our perspective, a sense that it has something or that they have something with the potential to scale. If we can see those things, talented founder and founding team, a technology which they are passionate about and which interests us, and the potential for it to scale or have scalable impact. Those really are the things that we're looking for.

Dave Bittner:

I'd like to get your perspective on threat intelligence and what part you think it plays in an organization's security.

Jonathan Luff:

Well, that's a great question. Threat intelligence has become an enormously important part of the armory of organizations, large and small. And the way I think about it is perhaps conditioned by the work that I did earlier in my career, working in government and thinking about not just threat intelligence, but intelligence in the round. It's absolutely vital for an organization to operate in its optimal state to have intelligence at the right time from the right reliable sources and relevant to its business or its operations so that it can make good decisions, so that it can optimize the deployment of resources, and so that it can free up a talent to work on its highest priority challenges. For me in cyberspace, I mean that's what threat intelligence does from my perspective in a cybersecurity context. It is allowing organizations to focus resources where it's most needed. And that's absolutely critical for any high performing organization.

Dave Bittner:

You mentioned at the beginning of our conversation that you came into tech from a non-traditional direction. Do you suppose that that has benefits for you now that that has paid off, that you can look at things with a different perspective?

Jonathan Luff:

I hope so. I hope that a combination of interest in technology and an understanding of its impact, allied to experiences and capabilities built in other parts of a career, that's a good combination. And across our team, we have a mixture of skills and experiences. And I think that's something you find in all good organizations. If you are too narrow, I think you can miss opportunities, and you can sometimes fail to perceive strengths and weaknesses. You can fail to adapt effectively to challenges.

I hope that having had a rather weird and wonderful career through public service, and spending time in different countries, learning different languages and working with them for some really amazing people, has helped. And I hope that what we also try to do is to understand where our limits are and what our need for external and partner input also is. Because I'm not a technologist. I don't pretend to be one. And this is a very, very complex and challenging area of technology. You must have good people around you who understand those things that are beyond you. And if you can marry those two things together, then I think that's a decent recipe for success.

I think we are like everybody at the moment, adapting to new circumstances. We have historically run in person, physically co-located accelerator and incubator programs. We have gathered talent together from all around the world, and we've felt that to be a real value. Getting people around a table from different backgrounds, different companies, sharing ideas and experiences. That's been a core part of our offering over the past five years. And, clearly, we've had to adapt to new circumstances.

At the moment we're running our first fully virtual program. We have companies participating from their homes all around the world, and we're doing that all via video conferencing. There are literally hundreds of Zoom calls taking place every week to support those companies. So, that's been a new experience for us, but it's been revealing and it's been heartening to discover how much we've been able to transfer from program version 1.0 into version 2.0.

It's also revealing to us some of the things that are still needed and will be needed in the future. The shift to virtual learning, the shift to virtual working, the shift to virtual healthcare. All of these things are rapid and transformational changes, and none of them are going to work effectively without really good security. We're very, very interested to identify and work with the emerging companies and the entrepreneurs who are specifically building tools to enable that virtualization of work and learning and healthcare and other things too, of course. But, those three things stand out for us as places where adaptive cybersecurity is going to be extremely important.

Dave Bittner:

Our thanks to Jonathan Luff for joining us.

Don't forget to sign up for the Recorded Future Cyber Daily email, where every day you'll receive the top results for trending technical indicators that are crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses, and much more. You can find that at recordedfuture.com/intel.

We hope you've enjoyed the show and that you'll subscribe and help spread the word among your colleagues and online. The Recorded Future podcast production team includes Coordinating Producer Caitlin Mattingly, Executive Producer Greg Barrette. The show is produced by the CyberWire, with Editor John Petrik, Executive Producer Peter Kilpe, and I'm Dave Bittner.

Thanks for listening.