Posted on 27/07/2017 by Gary Fay
Data protection and information security are big news, with high profile cases like the 2017 ransomware attack on the NHS placing cybersecurity even more in the public spotlight. According to the UK Government, however, around 80% of cyber attacks could be prevented if businesses put basic cyber security controls in place.
London-based CyberSmart is a startup whose automated compliance platform, CE Smart, helps organisations to identify and fix system weaknesses and gain the Cyber Essentials (CE) certification. Their package also offers a year of ongoing support, regular security briefings, and cyber insurance.
Ex-Olympian Thomas Seidling is CyberSmart’s Relationship Manager: his role encompasses everything from building relationships with government partners to meeting with potential clients, and working with partners to ensuring users are comfortable when they sign up to the platform. We spoke to Thomas to understand how CyberSmart evolved, the challenges faced by security businesses today and his thoughts on recruitment.
Identifi Global: Where did it all begin for CyberSmart?
Thomas Seidling: CyberSmart is a spin-off from a boutique cybersecurity consultancy we all worked at in London. When you work at a consultancy, it can get repetitive: in Cyber Essentials, GDPR planning to an extent, or even ISO, you often repeat the same mundane tasks over and over again for different clients.
We got bored with it, so we thought, “is there a way we can automate things?” That was the starting point. We decided to focus on Cyber Essentials because it’s such an important scheme, and one the government will mandate more and more.
We sat down and programmed the platform and we got accepted into the GCHQ Cyber Accelerator which of course was a great push. That’s where it all started really.
IG: How big is the team at CyberSmart?
TS: Our core team is four people but we have six more working as contractors - a couple of programmers, some social media guys, that kind of thing. The core team is Mariella [Thanner], Jamie [Akhtar], Paul [Sideras] and me. To be honest the team is one of the reasons why I really enjoy working here.
Jamie is our tech genius. He’s been running the business for the last 10 years and he does all the tech stuff. Mariella is the CEO, and very much into compliance procedures. On one side Paul is very much into compliance, specifically ISO, but he also takes care of customers coming onto the platform. He does the immediate customer support, FAQs, that side of things. He also has a good eye for design.
Then finally there is me. I was working for embassies and was the president of the student union: I love connecting with people and helping people connect with each other. It feeds into my role, which is finding government partners, talking to them, finding customers and partners.
IG: That’s a small, agile team. Is it a close-knit group?
TS: Well, when we went to Cheltenham for the GCHQ Accelerator, we all lived together in the same house; a real startup experience! We had to, though; when you start you have limited means. The only way we could really save money and be efficient was to live together.
I think that really helped us to function better as a team, though, because when you are all under the same roof you have to learn to take care of each other and to respect each other’s quirks. If you have a person that needs an hour by themselves every morning from 6am to 7am then you figure a way to do that. It was a bit like college, but way more intense. We worked 12-16 hours a day and we’d then go home and one of us would cook and we would eat, and then in the morning we’d play sport, then work. It was really intense, but exciting and great.
IG: They say you don’t know someone until you live with them...
TS: To be honest I was really worried about that at the beginning: living with your colleagues, if you screw something up you can screw up the whole work relationship, but it was a really good experience and very valuable. I’m very happy to have been able to do that.
IG: Can we talk a bit about the GCHQ Cyber Accelerator itself? How did you get involved and what was the experience like? You mention on your blog that you were next to Airbnb. What was the general vibe in there, and what did you get out of it specifically as a business?
TS: At the beginning we were quite worried. GCHQ is a highly secret organisation. They’re behind the barbed wire, they don’t talk to others, they don’t tell you their names; they just keep themselves to themselves. Then on the flip side of that, the company that helped them run the accelerator was WAYRA; an accelerator run by Telefónica. They’re really outgoing and outward facing - everything must be posted on LinkedIn and Twitter, that kind of thing. So you would imagine when these two organisations work together there would be a huge clash. But it really worked.
It was incredible how they managed it, because we got access to people and information that nobody else would, people whose names we didn’t even get. You would sit down with them and you’d say ‘So what do you do?’ and they would tell you, ‘I work in high-speed computing’ or ‘I do psychology stuff.’ They wouldn’t tell you any detail about themselves, but they would give you their expertise and incredible insights. If you had questions about security features or something they would be there to help.
For us that was really valuable, and specifically with Cyber Essentials we could talk to the very people who drafted and wrote the standard. Sitting down with them helped us to get the information and the intention behind CE, which helped us create a better product.
IG: So you had help with product insight, but the accelerator offered you connections and relationships as well?
TS: Yes, although I think ‘relationship’ is a word that can be construed in a negative way. It’s important to point out that this is nothing to do with favouritism. There were, I think, 700 companies or so who applied and only seven got through, so this accelerator was not something taken lightly.
Yes, we had a mentor there, but do we get any favours? No. In fact we get even fewer favours than others because the government wants to make very certain that the question of conflicts of interest doesn’t come up. We got technical information and information about cybersecurity, but we don’t receive any help in a commercial sense.
IG: What about the other six businesses that were in there? On the accelerator website they say they’re looking for startups that are challenging real world cybersecurity problems. What depth and range of businesses does that cover?
TS: You had basically two streams of concept. One stream was simple products that make things more efficient and more secure, like our product. The product doesn’t look sophisticated or complicated, but what it does is very useful.
The second stream is this next generation tech - AI, that kind of thing. Basically, super smart companies who are doing often very secretive research. Some of them are really high-end companies used by banks and major organisations so they keep a lot of their technology under wraps.
We were the only one focused on automated compliance. The only other customer-focused company was Verimuchme who have developed a vault where people can store their personal data and share it, securely, with organisations.
Alongside that we had another company that detected employee behaviour, using AI to look for internal threats. We had two companies that did predictive stuff, analysing information and providing better readable outputs like security reports.
Last but not least there was a company who created a sophisticated deception network where, instead of having a real company with real devices, they would fake all of it, attracting hackers into the fake funnel and then analysing them. So it was a real mix. I could talk about each of these companies for an hour to be honest.
IG: Talking more broadly about the security industry and the business IT space, what do you think are the biggest challenges at the moment?
TS: Well, firstly, it’s great that we recognise that there is a cybersecurity problem; if you go back two or three years the awareness was not there. Now the challenge is complexity; the world is getting more and more connected, which makes it more difficult for us humans to understand the interactions between devices.
If I told you five years ago that a light bulb would attack a Fortune 500 company you would have laughed at me, but today this is reality. If you have a thing that you can program to start a denial of service attack that’s all you need, and it can be anything from a light bulb to a vending machine.
The human factor is another challenge. Imagine the scenario: you have a company with 10,000 employees and if just one of these employees clicks on a phishing email and you’re not secure, the entire organisation can be screwed. Statistically it is very hard to make sure that not a single one of 10,000 will click on such an email.
IG: We read yesterday that 90% of cybersecurity frauds and hacks are caused by humans...
TS: Yeah, of course. It’s a self-fulfilling prophecy; humans are dealing with computers, we are the ones using them, we’re the ones not catching the attempted hacks. Most of it is human, but the more complex the systems get and the faster things work, the more we need to be aware of security and the more we need to think about how we can use technology to make things more secure.
IG: And that’s where CyberSmart comes in.
TS: Exactly. I mean, we talk to large corporates, even in the IT industry, and their compliance processes in-house are good, but their compliance checks for small companies down the supply chain are not. They send out a form for the supplier to fill out or they ask for a certificate from them once a year. Imagine a small company of 50 people supplying, say, rivets for the fuselage for an aircraft or tank. In a year so many things can change in the configuration, and so many new attack factors can be opened and discovered.
Using technology to make sure they are compliant and secure throughout the entire year is crucial because otherwise these kinds of suppliers are easy targets and can be used to attack companies higher up the supply chain. This is usually how phishing works – hackers steal data from one or two suppliers – names of employees, email addresses, maybe some communication – and then use that to launch an attack on a supplier higher up the supply chain with the information they’ve gathered.
IG: The interesting thing is that as tech gets more complex, so technology is used to solve problems. In many ways it’s both the problem and the solution, which is quite an interesting dichotomy.
TS: We have to train humans to use technology better. It’s like having typewriters and then switching to computers. Everyone is talking about the skill shortage and yes, there is a skill shortage, but when computers came out there was also a shortage of people able to use computers: you retrained your workforce and now, today, everyone knows how to use a computer. If we retrain our workforce quickly and combine the human factor with technology, we can move forward.
IG: On the topic of the skills shortage, CyberSmart are recruiting. How do you choose new hires, what do you look for?
TS: For us, new employees just need to do the job. We don’t care about qualifications, we don’t care about where they worked before. They need to be of good character, obviously. We wouldn’t take someone who runs off with our bank or our computers, but, especially in cybersecurity, we have to get away from this formal approach of saying, “he studied at Cambridge therefore he will be a better penetration tester.” It’s nonsense. People from Cambridge have an advantage because they have the very best teaching there, but in the long run, and specifically in the high-pressure, fast-changing environment of a startup, it doesn’t mean that person performs best. We really need to see that the person can operate in our environment, and can deal with the stress involved.
If you have a startup, you can’t wait three months to roll something out: sometimes that means that you have a deadline of today. And if you don’t meet that deadline, the business is in trouble. So we look for anybody who wants to make a difference, wants to work hard for it and grow something.
IG: You don’t always get that agility and experience from a large corporate environment do you?
TS: We have a lot of requests from people coming from the corporate environment. Funnily enough, just last week we talked to a guy who wants to help us with our partnerships in a specific sector, who said ‘Sure, I earn my £60-70k in a corporate job, but I want to have something that I can feel.’ Sure, that’s hard work, but you’re personally more involved; you’re not just a cog in a wheel.
I think corporate people can work in a startup environment but it needs to come from their heart. Corporate people are very valuable because they have great experience, especially because as a startup it’s very difficult to do the whole ‘process’ thing.
IG: Are you guys always on the lookout for new hires?
TS: Yeah, we always look out for new hires: it’s very difficult to find a person that is suitable for this specific team. In a startup world you can’t say because you can work for startup A you are suitable for startup B. It’s very specific. It depends on the character of the person and the character of the business.
What we are looking for at the moment, quite aggressively, is partners. We are looking for people who want to offer basic cybersecurity or improve, and maybe don’t have the time or expertise to do stuff. They can use our platform and/or consultancies or managed service providers that already offer Cyber Essentials, but want to use a platform to make the whole process quicker, because for consultants and MSPs the issue is time.
If you implement Cyber Essentials, you can’t charge too much because it’s not a money winner for a company but you have to do it if the client wants it. It takes time, and time for a consultant is money. By using our platform the consultant can save time, which then can be used to either try and get more clients or to provide better personalised client service.
IG: One final question, what’s next for CyberSmart?
TS: I guess there are three dimensions to that question. First of all we’ll expand the controls that we measure and that we secure against, so that also means we’ll cover more standards and the whole platform will be suitable for an increasing number of industries and applications.
The second thing is that we are expanding the devices we’re covering. At the moment we’re just covering Windows and Mac. Soon we will cover mobile phones and we’re working towards IoT, too - that is the big deal. You have an office and you plug in a new coffee machine to the network or someone brings his digital camera and uses default usernames and passwords. That is a no-no because it’ll endanger the entire security of your network.
And the third dimension is that we’re thinking of potentially going abroad, but these plans are vague and will materialise more later on this year.