In this new normal, cyber is going mainstream: highlights from LORCA Live //21.09.20
LORCA Live was our virtual conference that united a global cyber ecosystem. Here are some of the themes and key discussions from our week.
Cybersecurity has emerged as one of the UK’s most successful sectors, and the pandemic has only served to crystallise just how central it is to national security, the economy and individuals.
Policymakers, researchers, innovators and business leaders reflected on the reach of security, but also disagreed on whether challenges like disinformation or digital ethics debates should sit within the realm of cyber. As the sector matures, our very definition of what cybersecurity means is now up for debate.
A report card from the government
Minister for digital infrastructure Matt Warman opened the event by saying that the “sector has demonstrated remarkable resilience and adaptability”, before praising industry for managing their cyber risks. Warman also heralded the success of the UK’s cyber startups and teased the results of the Department for Digital, Culture, Media & Sport’s next sectoral analysis, saying that “it is safe to say that 2020 so far has seen a significant growth in revenue, the number of firms and the number of employees”. And while COVID-19 may have reduced the figures for cyber, they are “in stark relief to the broader economic picture”.
But Warman also pointed out that there’s a lot more work to be done – namely to support startups, commercialise research and invest in game-changing security technology.
Enforced agility and collaboration is here to stay
The pandemic has changed the world of work, blurring the boundaries between home and the office and forcing unplanned digital decisions on organisations large and small.
New partnerships, tools and suppliers were brought in without the usual due diligence and the security landscape has changed – though how exactly is not yet clear. Attendees spoke about how we’re going to be unpicking the fallout from mass digital acceleration for some time.
Mivy James, head of consulting at BAE Systems, spoke about how remote working and an accelerated gallop to the cloud have made agility and collaboration a must for large enterprises. For example, the traditional way for large organisations to behave is to have a list of approved tools, but that rigidity just doesn’t work right now, she said. “We had to adapt very rapidly and come up with acceptable use policies,” she told attendees. “And we all know we’re never going to go back to where we were.”
BT’s Paul Crichard described this new normal as “slight organised chaos”. He believes there has been a fundamental change in perception as the sector moved from being on the constant defence to being “much more responsible and supportive” as well as human-centric. “Our world has changed from a world of networked traffic to understanding what people are actually trying to do, what applications they’re trying to access.”
Trends and tech on the watchlist of industry and investors
- AI and machine learning
- First principles: securing laptops, mobiles and wearables
- Ways of plugging the cyber talent gap within organisations
- Ransomware and DDoS attacks
- Operational resilience
- Supply chain security
- Securing remote workforces
- Cloud security
Cyber affects everyone and everything: rethinking national security
Awareness has been growing for some time that cyber affects people, whether it’s a remote employee or third-party supplier. But the pandemic has made that even more obvious – and shone a spotlight on its central role in national security.
As Lord Jonathan Evans of Weardale (former director general of the UK’s security service) put it, “the pandemic has forced us to break through the vanity of exceptionalism in national security”. The nature of the threat to national security has changed. It’s colliding with other areas of life such as the media or the digital infrastructure underpinning smart cities. And it’s become more personal. “We are seeing increasing amounts of political interference and misinformation, which has a national security impact on our democracy,” Lord Evans told us. Giving us an insight into thinking at a nation state level, he said that securing critical national infrastructure will be “a growing concern” and that there is a “growing nexus between state threats and organised crime”.
But protecting people from ideas and propaganda campaigns is a tall task, as Biome.ai co-founder Paul Dabrowa pointed out. “People haven’t really cracked humans and human stupidity,” he said. Dabrowa has spent years analysing the propaganda techniques of former KGB and Nazi operatives and believes that as those techniques become overlaid with the reach and power of Big Tech, the threat is becoming even more dangerous to society.
The human factor: towards more active digital citizenship
Our panellists also explored cybersecurity’s movement into the mainstream consciousness of people as the Internet of Things spreads into all corners of life – but not always with the right security protocols built in.
But Miribure founder Suki Fuller noted that even though cybersecurity now permeates every part of our lives, the sector has a “classification issue” to overcome. “There is this mindset issue of the classification of exactly what cybersecurity is,” she said. “It’s at the core of every industry, it’s at the core of our lives and people need to not think of it as an add-on.”
Building on this, Tracey Follows, founder of the Futuremade consultancy, told us that with the rise of biometrics, the conversation has shifted from being “about phones and homes” to one about “flesh and bones”. Adding a word of caution to the debate, she posed some questions to our audience:
“Who is collecting that data? Where is it hosted? What’s being done with it? How is it being analysed? We are on the brink of everyday people becoming a lot more cognisant about some of the decisions that are going to be taken at a personal level.” Follows welcomes this awakening to the ethical considerations of personal data, and believes people will crave more information and education to enable them to play a more active role as a digital citizen.
But when it comes to the role of the tech sector as a whole to pursue responsible innovation and address these concerns, former GCHQ director Robert Hannigan believes it’s a social policy issue rather than a matter for cybersecurity. “Regulation and legislation hasn’t kept up with the pace of what the tech companies are doing,” he said. “We don’t really know what these companies are doing with data.” Hannigan said it’s “a matter of time before regulation hits the tech sector” as society figures out what they are prepared to trade in for their data but we need to “make sure it’s the right legislation” that doesn’t stifle innovation.
And Follows believes that this decision-making process should include digital citizens, citing Taiwan as a potential example the UK can learn from. Follows noted that Taiwanese citizens play an active role in technology debates and are even asked to upvote or downvote potential regulation on an online platform, vTaiwan. “It’s worth us thinking about a more decentralised and participatory way of involving the population,” she said.
But while Follows noted that this approach could help build more trust between the government and digital citizens, Dr Mariarosaria Taddeo, a senior research fellow at the Oxford Internet Institute, warned that trust in a cybersecurity context isn’t always healthy. “Too much trust may actually be very problematic,” she said. Taddeo believes that trust can equate to delegating governance and removing accountability from the creators of technology. When it comes to cyber hygiene, she doesn’t think individuals should be held responsible. Instead, she thinks that since data is now a public good, the state should play a leadership role by supporting cybersecurity startups.
Enter the cyber innovators
With both industry and society going through such disruption, our speakers recognised that we’ve never needed innovative cyber startups more.
Stephen Wray, director of Cyber Risk Services at Deloitte, noted that organisations “have had to respond with agile, scalable infrastructure” since the pandemic. This has opened them up to new cyber risks that will require new solutions from startups, he said. In a world where a breach could spell endgame for an organisation, Wray thinks there is a golden opportunity for “cybersecurity to be bedded in at the heart of all of that change”.
Meanwhile Sonya Mathieu, director of data protection and cyber recovery solutions at Dell Technologies, has seen demand across sectors grow – particularly in the last two months as security budgets are getting pulled from 2021 to 2020. Mathieu says cyber is no longer seen as a non-revenue generating exercise at the board level. “It absolutely has changed; we are definitely seeing a change in attitude and more of a sense of urgency,” she said.
The good news is that the UK is producing world-leading cyber scaleups like Darktrace, Digital Shadows, Snyk and Privitar (a LORCA member) that Kenneth Pentimonti, principal at Paladin Capital, thinks can pave the way for others. He predicts that “the next five years will be even more prolific and even more impactful than the last” when it comes to the growth of homegrown cyber companies.
Henry Whorwood, head of research and consultancy at Beauhurst, confirmed that investment into the sector is higher than the same time last year. And we’re also seeing startups like Think Cyber Security, SureCert and Zamna (all LORCA members) adapt to the challenges we’re facing to secure our health service, remote workers and transport systems.
But there is reason for caution. Our event highlighted the funding challenges early-stage startups are facing when trying to meet demand. Although investment into cyber is experiencing year-on-year growth (which contrasts with the decline in investment experienced by the wider tech sector) deals do tend to be concentrated on a few later-stage startups that have already been through funding rounds.
We heard from SureCert founder Ian Savage, who cited funding as the number one priority when trying to survive this period, while Think Cyber Security founder Tim Ward told us he’d like to see investors “take a bit more interest in some of the small, disruptive businesses rather than the safer bets further through their journey”.
Considering why investment tends to focus on later-stage companies, Karen McCormick, chief investment officer at Beringea, offered up a potential explanation: “Cybersecurity ranges from elegant solutions to everyday problems to really deep tech companies. And for most investors they don’t necessarily have a specific vertical in cyber with deep tech experts.” McCormick says that non-specialists find it hard to do their due diligence on deep tech solutions that haven’t been validated by the market, so they tend to back more established companies where you “can just see that the product works”.
But the good news for startups, McCormick says, is that cybersecurity “is a problem that is never solved”. “It’s constantly migrating and changing and moving.”
We’ll see you again for our third LORCA Live in March 2021, when we’ll take stock of how our sector has yet again evolved.
In the meantime, catch up on all the content from the event on-demand at lorcalive.co.uk