Challenges in the cyber analytics business

How does the "Get it done" mindset operate in the cyber world of remote work, self-care and human-first working culture?
19 October 2023

Does a military mindset help you in the analytics business?

• The cyber analytics business poses a number of challenges.
• Companies need to get work done, but also to meet Gen Z expectations.
• Is generative AI being used more effectively by bad actors than by companies?

In our ongoing quest to meet and explore the issues facing founders on this year’s UK Cyber Runway accelerator, run by Plexal to specifically champion and progress cyber-based businesses, we met with Jonathan Wood, CEO and founder of security and compliance company C2 Cyber.

When we spoke to Emma Humphrey of secure cloud specialist Kuro, her military background and the mindset that goes with it had greatly helped her in cyber, and she’d become passionate about getting more veterans into the industry.

Clashing mindsets in cyber analytics business?

Jonathan had a background in intelligence, so we wondered if he had found similar benefits to his background that he’d applied to the cyber analytics business.

JW:

It’s probably been more of a hindrance, to be honest.

THQ:

Oh.

JW:

In C2, I hired 12 veterans, and there are five still here. Coming out of the military, they do some courses to give them a kind of “soft landing” in civilian life, so we’ve done quite a few of those, which is part of that spirit of giving back that Emma mentioned.

But I’m not the CEO anymore, because actually, the background of “just get it done” that the military instils in you means that I got thoroughly confused whenever I encountered people that didn’t understand we simply needed to get it done.

My reaction to these people was fresh out of the military intelligence box, and we deal with people who don’t get it done in a fairly compelling way in the military, too.

Turns out, you’re not allowed to do that.

Meeting Gen Z expectations.

So yes, some of the time, the military attitude is helpful, some of the time, I think there should be a course to help you whwen you encounter radically different mindsets, or at least an “Are you planning to be a founder, rather than a corporate drone on exit from the military?” conversation. And if yes, you probably need to go on this two-day realignment course, where the principles of Gen Z are explained to you.

Things like “I want to work from home,” “I want to do three days in the office,” “I want you to pay for my dog grooming” and “I’d like to receive a director’s salary as a new entrant to the industry.”

The analytics business seldom stops for breaks.

Issues can arise when a “Get it done” mentality meets the 21st century.

All of those things came as a massive surprise to me. I don’t have a list by the way, I made those examples up just now. I’m sure there are probably five more. And as I say, they came as a massive shock. We’re founders, so we’ve generally got an equity stake. We’re getting out of bed for slightly more than the end of month payroll. And so that keeps you going through the minor blips where it’s not all positive.

We go through this cycle. In fact, that’s been a very useful thing about being in a cohort like this one on the Cyber Runway. One of the people who runs the courses put up an image, a graph of an employee, and it had ups and downs across the year – performance feedback, do they get a bonus, do they have disciplinary issues, etc.

That’s how employees’ annual cycles go, and they’re understood. But founders very rarely have anyone to tell them how they’re doing, or to compare against, so this cohort’s been great – we’re all able to talk about the issues that affect us as founders, which sometimes, we wouldn’t even tell our spouses, because they’re either business-specific or role-specific, you know?

There was something in a meeting recently that said the ups are great, and I can cope with the downs too, but why do they have to happen on the same day?! No one else particularly gets that, so having other founders to share this stuff with has been very valuable.

THQ:

Did you say you’re no longer going to be the CEO?

JW:

Yeah. I haven’t got rid of being the reason that the business exists, or being a subject matter expert, or being the founder. But after encountering all of the management challenges I mentioned, I thought it was probably a good idea to hire a professional CEO who has done this before, who runs businesses professionally. He’ll keep me out of all the places I don’t want to go. Like tribunals or prison.

The cyber analytics business – where does it fit?

THQ:

Well, we’d hate to keep you from any appointments, but before you go anywhere, let’s talk analytics. How do you feel risk analytics fits in the overall cybersecurity picture that organizations need these days?

JW:

Well, my new business development operation, also known as “the Russian government,” is making risk analytics fit in just about everywhere right now. For instance, there are a lot of CFOs panicking about unpaid payroll data, because the payroll provider that was breached a month ago took the payroll data of 42% of the FTSE 100 into the public domain. Which is a bit awkward all around.

THQ:

Maybe just a touch, yes.

JW:

And that was the tip of the iceberg, right? They were doing a lot of stuff in the US. And so we’ve got CFOs suddenly saying “Oh, please go spend some money on protecting our supply chain.” That’s where I see it fitting – it’s an enabler of security.

The challenge of scale.

How do you buy security tools and security propositions from vendors if you don’t know that they’re actually safe? We’re an enabling part of the industry, we’re not at the sexy end, we do risk management. But we do it really well. And if you don’t manage the risk your data is exposed to when you give it to somebody else, you are going to get caught out. So yeah, we do that.

The analytics business depends on finding - and eradicating - weak links.

Got a weak link somewhere in your supply chain? You’re gonna need some better analytics.

THQ:

How do you deliver risk analytics at different scales to meet the needs of clients from large enterprises to small organizations?

JW:

By adding varying levels of involvement of human analysts. My cybersecurity analyst team is applied at different layers of the assurance chain depending on the budget resources and the complexity of the customer.

Some of them are fully SaaS, which means we never technically need to talk to them, which in turn makes upselling and cross-selling harder. I’m always telling the team to please talk to them anyway, even though they’re fully SaaS.

But yeah, by using varying levels of automation and various levels of analyst involvement, we can deliver at scale. Next though, we’ll be deploying GenAI and actually trying to introduce some errors into the GenAI so that that they look more human.

THQ:

It’s funny you should say that. We’ve spoken to people who have been doing cyber research on the dark web, trying to get ahead of developing threats, and they say that GenAI is the phisher’s best friend, because it can craft phishing emails without the trademark typos.

JW:

Yeah, it’s actually being used much more constructively by the enemy than it is by corporations so far, because they’re also trying to decide what to do. Criminals are just deploying it, and doing it really professionally as well.

 

In Part 5 of this article, we’ll talk to Lorna Armitage, co-founder of cybersecurity education organisation CAPSLOCK, about the barriers that currently stop people getting into the cyber-sector.