04 Mar How Early-Stage UK Cybersecurity Companies Finally Upped Its Game

For years, the UK underachieved – laughably so. Then around 2010 something changed

A SPECIAL REPORT FROM THE EDITORS AT CYBERSECURITY VENTURES

The Cybersecurity UK Report provides an annual look at cybersecurity startups and emerging players, and trends in the United Kingdom.

– John E. Dunn, Guest Contributor

London – Mar. 9, 2017

For anyone involved with early-stage UK cybersecurity companies, it suddenly seems like a very different world.

It’s no exaggeration to say that a decade ago you could almost have visited the UK security startup sector in one afternoon. There had been a trickle of notable exceptions over the years such as Alex and Nicko van Someren’s late 1990’s encryption key management startup nCipher and, almost decade later, Oxford University database security spin-out, Secerno. By circumstance or design, both ended up as exits – ‘retreats’ if you like.

Cambridge-based nCipher had a successful IPO in 2000 that valued it at around the £375 million mark, about $570 million at the prevailing exchange. In 2008, it was bought by Thales for a bargain-basement £51 million. Secerno, privately-owned, was eventually bought by Oracle for an undisclosed but probably modest price tag in 2010, barely four years into its short life.

If you wanted to bulk the list you could point to the grand dame of UK cybersecurity Sophos, founded in 1985, the same year Back to The Future hit movie theaters. By the time Marty McFly travelled through time to 2015 Sophos had only just filed for an IPO three decades in the making.

It’s not that IPOs should be the measure of any company but they do signal something important that UK startups in the Internet era haven’t always seemed to possess when compared to their US and Israeli contemporaries – ambition.

A lack of ambition? That counts as strange for a country that still feels pleased with itself to have the world’s fifth biggest GDP and sees itself as one of the world’s bastions of entrepreneurship, creative industries, and free markets.

Hopefully, I’m starting to sound optimistic here because in the last five years or so there has been a fascinating and historically significant metamorphosis. Before identifying the causes of this change let’s trace its impressive scale.

A glance at the Cybersecurity 500 over the last year makes the case. The list has a lot of established companies – Sophos, BAE Systems, NCC Group, KPMG – but look a bit closer and other names appear, such as Becrypt (founded 2001), Avecto (2008), both of which have expanded rapidly in recent times.

The shooting star on the list is really Darktrace (2013), another Cambridge company that with $90 million in funding (a lot for the UK, even now) and business from telecoms giant BT can claim to be the first UK cybersecurity startup that looks and behaves like a US early-stage company on its way to being big and valuable.

“The UK has a rich legacy of cybersecurity companies. There are also impressive U.S. based cybersecurity companies with UK roots, which is a testament to the UK’s talent pool in our industry.”  – Steve Morgan, founder and Editor-in-Chief at Cybersecurity Ventures

But it’s when you get beyond this better-known layer that things start to get interesting.

Consider the rush of newcomers: Digital Shadows (2011), SiliconSafe (2013), Deep Instinct (2014), SQR Systems (2010), RipJar (2015), CyberLytic (2013), SaltDNA (2013), Corvid (2015), Post Quantum (2009), ZoneFox (2012), Wandera (2013), and GeoLang (2013).

A few of these names hail from Cyber London (CyLon), the UK’s first cybersecurity-specific accelerator (Alex van Someren, now at Amadeus Capital, being a backer), as do newer emerges such as Hook and CheckRecipient. The latter also spawned a cybersecurity bootcamp, HutZero. Telefónica’s Wayra UK accelerator, meanwhile, has popped out a small IoT security startup, Xanview.

Other names could be added but this isn’t supposed to be an exercise in empty national boosterism. Simply listing a dozen startups must look puny next to the cybersecurity Leviathans emerging from the US.

But what, then, do these companies have in common? Beyond enterprising founders, two themes emerge: a huge spike in interest by government and a concerted investment in university smarts.

The 2010 election of a new coalition government was the key moment, after which cybersecurity went from being almost invisible to a major priority overnight. Government has since invested once-unthinkable sums in UK national cybersecurity, including in a new 700-strong National Cyber Security Centre (NCSC) and reinforced its strategic focus on the GCHQ cybersecurity agency.

Skills were now in demand and the government was suddenly wiling to become a test customer for some of the companies mentioned above. University PhDs with a security concept who might need years to develop complex ideas were no longer laughed at. People now saw cybersecurity as lucrative and big enough to warrant patience.

It’s this long-term strategic interest in cybersecurity that increasingly defines the UK’s fascination with the sector. If it doesn’t resemble a centralised, state controlled initiative it has had some of the same outcomes.

Brits still wonder whether the country will ever come up with a company like Google, Facebook, or Uber. Personally, I doubt it. But enterprise cybersecurity is a different matter. The rise of British cybersecurity is for the first time more than a pipe dream.

– John E. Dunn is an editorial board member for Cybersecurity Ventures. He was previously Editor and co-founder at IDG’s Techworld.