Q&A: Saj Huq, director at LORCA

We spoke with Saj Huq from the London Office for Rapid Cybersecurity Advancement (LORCA) about the UK’s booming cybersecurity start-up scene and what part the industry will play in economic recovery

Posted 2 September 2020 by Christine Horton

Can you explain a bit about what LORCA does?

LORCA is a public-private collaboration between the UK government and private sector, as well as academia and start-ups and scale-ups. Since we launched two years ago, we’ve created an ecosystem where you bring together all the different parties that exist across the cybersecurity landscape in the UK.

Saj Huq, programme director at LORCA

The emphasis is on quality and growth and technology advancement, through the medium of supporting start-ups and scale-ups, to bring to market new products and services that solve some of the biggest problems that the UK industry is facing in security.

We run the UK’s largest accelerator programme for start-ups. Every six months we bring in a new cohort of promising businesses that we’ve selected against a set of requirements that industry partners have told us are the big problems they’re facing. And we help to support them over a 12-month period, with everything from developing products, how to pitch and present and access new customers, to how to expand in the UK and internationally.

When we launched the programme in June 2018, our original targets were to attract up to £40 million of investment into the sector, through supporting 72 start-ups and growing to 500 direct jobs. What we’ve done today, is supported some 72 start-ups through five cohorts – they’ve collectively raised in excess of £150 million pounds. So, 380 percent over target, which is a good indicator for the UK sector, over the last couple years. And we’re on track to achieve a job creation, number of 865 jobs by 2022.

Those record levels of investment were highlighted in your recent report. But what do you think are some of the challenges in 2020, and how has the pandemic changed that situation, if at all?

It’s been a tale of two halves in some sense. Security obviously over the last couple of years has been rising up the agenda – in the boardroom, in society, you can see in the news more high-profile breaches and so forth. Then equally our society has seen such an evolution of technological change that inherently pushed forward the importance of cybersecurity. With that in mind, given the fact we’re all working at home and that overnight major industries had to completely pivot their business models to be fully digitally enabled, it’s probably never been a busier time to work in cybersecurity.

From a start-up perspective in this space there are probably positives and negatives. Their relevance in in the marketplace has certainly increased. A number of our businesses have continued to expand and attract investment and to win customers in this time, which can’t be said from other industry areas of technology.

But then, investment into UK security start-ups was up by 940 percent, but actually less than one percent of all of that investment has gone to early stage start-ups who are raising capital for the first time, which is something that worries me and my team a lot. We see so much talent coming forward but there’s a risk that capital is not going to go equilaterally into all areas of need. Because obviously the economic factors at the moment in the UK are such that people’s risk appetite to invest is maybe declining. And while we’re not necessarily seeing the impacts of that in our portfolio of start-ups, I still think it’s too early to see the long-term effects of what’s happening.

There is a lot of uncertainty now – especially as we have just entered recession. That must be another challenge?

Clearly across the employment sphere in our economy, it’s been a challenging time – you see a lot of people on furlough, people losing their jobs. I think there is an opportunity for the cybersecurity industry to really help and lead the way as part of the economic recovery. Because this is a growing space, and it’s a growing area of need. I think it’s got a really important role to play going forward as part of the wider UK economic recovery.

A lot of the interventions that have been put in place to try and attract people into cybersecurity specifically has been focused on the earliest stages – so attracting new school leavers and university leavers.

But we have a latent talent pool at the other end of the spectrum, people who are later career changers who may have a lot of value to add in this space, and a lot of experience so they would be very relevant. But then also, this wider economic displacement that’s happened means there is an opportunity for re-skilling…and that’s where novel applications of technology and business models might be able to kind of catalyse that to bring more people into the sector as a whole.

If I were a CEO of a start-up right now, I would be looking at that sector and I’d be quite excited about some of the talent I can access. There are individuals that have been displaced from jobs, and therefore, as a fast growing business you’ll have an opportunity to engage [with candidates] whom you may never have had the opportunity before, because they may have gone to a much bigger company or industry incumbents. So, you’ll see this kind of displacement lead to opportunity.

By nature, start-ups and scale-ups aren’t encumbered by the legacy of old ways, whether that’s technology, whether that’s culture. From a diversity standpoint, they really can make progress as they’re not encumbered by some pains of the past. I’m excited when we’re talking to our companies, about how they can move that needle forward.

I think there is a need to mature the ecosystem a little bit around cybersecurity and make it much more accessible and much more relatable and demystify it a bit.

Are there any emerging cybersecurity technologies you’ve seen that have excited you?

A domain which we’re excited about is zero trust. That’s been a bit of a buzzword in cybersecurity for a while. It’s the concept of moving away from building a big wall around the perimeter of an organisation. That’s gone now and you’ve got so many different types of devices both trusted and non-trusted devices connected to your network. You have to take the approach of not trusting any interaction with the data that sits within your network, and always interrogating any interaction to ascertain whether it’s right or not.

It’s complicated to implement in a large organisation – and certainly organisations with legacy technology and processes. That’s been a dis-enabler of zero trust over the last couple of years because of the level of complexity to bring it forward.

However, the need for it has massively increased because we are all connected by our laptops and the notion of having a perimeter around organisations has completely gone. Therefore, this is on organisations’ priority lists, and they have to make fundamental changes to their security strategy.

We’ve also got some interesting companies that are applying innovative techniques to train people in different ways or influence behaviour. They, they use AR and VR to create immersive experiences, which help shape how people understand security understand risk. They really learn about the importance of security. We’re really excited about those kinds of technologies and how they can play a role in kind of upskilling people going forward.

We spoke with VMware Carbon Black recently about the need for collaboration between the private sector, government departments and law enforcement to promote sharing of information to fight cyberattacks. Is that something that we might see more of moving forward?

That’s a core element of what we do. We kind of act as a bit of an integrator across industry, academia, innovators, government and policy. We run various forums and consultations with eminent organisations and experienced practitioners in cybersecurity to get a view from the frontline of what’s happening. We look at where there are the gaps from a technology standpoint and where are the problems that need to be solved. What we do is translate that into challenges that we ask start-ups to solve.

A lot of what we see in emerging technology innovation is technology-led – you get interesting intellectual property that’s created out of research, which then gets turned into a product. It then gets taken to market in search of a problem to solve. But we bring the problems closer to that technology development. That means is a commercial outcome for everybody. On the buyer side you’re having a problem solved, and from the development side you’ve got a relevant product to sell and you can grow the business.

I think collaboration is so important to security, probably more so than many other industries because it’s such a complicated area. No one’s got all the information. No one’s got all the answers. And not one viewpoint is necessarily the predominant prevailing viewpoint, and therefore you need to bring different aspects together to create the whole picture.