Digital Catapult – Cyber Security Event, March 2016

by Dr. Matt Roach

I arrived at the Digital Catapult fresh off an early train from South Wales, on what seemed like the first bright sunny day in memory (or, of this calendar year at least).

The Digital Catapult space is very impressive; the glass floor tiles afford glimpses of the kind of pervasive computing technology usually hidden from view in our daily lives. Here, the digital world is most definitely on display, with a raft of Internet of Things showcases, including sensors in shoes, baby dummies and bus stops, to name a few.

Tech isn’t the only inspiration; the space has a commanding view over the British Library and beyond into the heart of London. Soaking up the gentle Spring sunlight, I turned my thoughts to the topic of the day – Cyber Security – or just ‘security’ as the techies like to call it.

Matt with his lanyard at the Digital Catapult

If new computing and electronic sensing devices can be hacked and used for ill as well as good, how big is the risk? Just imagine how many hidden computing devices were contained within my view over what must have been half a square mile in central London.

The theme of the Digital Catapult Cyber Security day brought together a diverse group to discuss what could and should be tackled collectively. Debate centered around a response to the PaCCS – KTN policy briefing “Innovation challenges in cyber security”.

In this blog I relay the main themes and messages that I picked up from the sessions of the day.

The day was introduced by Paul Galwas, Security Architect of the Digital Catapult, who highlighted a number of hot topics within the community.

  • The use of machine learning in recognising behaviour and detecting outlying behaviour or more specifically behaviour that represents threats to systems. Interestingly, in the networking sessions I heard that Google are using deep Neural nets to automate pen-testing. If you can use them for pen-testing then you can also use them to discover vulnerabilities in for thought.
  • A second, related hot topic is automation that is taking the load off the individuals related to the comment in regarding automating some of the large scale testing that is required to understand the security active by the system.

The first main session was delivered by Dr Tristram Riley-Smith of Cambridge University and covered the “Innovation challenges in cyber security” briefing document. It is a quick and easy read that highlights a number of challenges and solutions. Points that struck me particularly were:

  • The seemingly obligatory skills gap when it comes to any kind of computing-related discipline; a global shortage of one million cyber security professionals was quoted.
  • A lack of clarity on long-term research direction, attributed to culture and systems that drive the culture in academia in not supporting, let alone instilling, commercialisation.
  • One of the most exciting positives for SMEs was the reminder of the relatively recent change in procurement legislation, ‘innovation partnership 2014’; hopefully this can be implemented promptly and in a good way.

Cyber security: the Industry panel discussion

The Industry panel followed, offering up the opportunity to respond. This session introduced the stickiest (if you will) phrase of the day: “kissing frogs”. By the end of the day the analogy had been taken to the nth degree, something you had to be there to appreciate, as you can imagine. “Kissing frogs” describes the process of SMEs looking for enterprise and prime customers, needing to talk to a plethora of people from any given business only to find out they are the wrong person to talk to, so around one goes kissing frogs until, the saying goes, “you find the right business decision maker”… if you’re lucky.

Auriol Stevens explained that neither side particularly likes ‘puckering up’ (my words not hers) and explained how VTC Group & Partner takes time to understand the innovation requirements of their clients (Lockheed Martin), before going on to work with SMEs to ensure that they are ready to talk and work with these types of demanding customers and their often large, public-facing customer base.

Paul Galwas, Security Architect at Connected Digital Economy Catapult, described the nuanced levels of trust that must be built (true in all business sectors, but especially critical in the security sector). The key is understanding the level of trust that is required for each relationship.

John Bird from the EPSRC explained that they are supporting the sector in a number of ways; perhaps the most predominant are the Trust, Identity, Privacy and Security (TIPS) invites, with an open call recently closed and a number of fellowships to be supported. He also mentioned it was fun to rearrange the acronym 😉

All the panel were looking forward to the National Cyber Centre and were hopeful that they could support the coordination and provide direction for multiple independent challenges and initiatives.

Cyber challenges in the Internet of Things

Next up was the Cyber challenges in the Internet of Things session, chaired by Craig Heath, Principal Consultant, IoTUK.

Given the broad title, there was one stand-out thread shared by the commentators: security is classically an afterthought. A member of the audience asserted that often companies build security in after a product has been developed. Charles Weir, Chairman and Technical Director of Penrillian, further suggested that the main challenge is to get people to care about coding security into their products, before even beginning to deal with the concept of giving people the skills to code with security in mind from the outset.

Often in the Internet of Things, the deployment environment is constrained, thus making security requirements harder to achieve. The devices are constrained in processing power, battery power and bandwidth. A story from the audience was that in networking switches the management of the switch often took more power than the switching itself, which led to the management being turned off entirely.

Block chain lawyer Adam Vazin (coolest job title eva!) noted that block chain is open and collaborative, and has been from the outset, and therefore provides opportunity to move forward with transparency and openness. He also called not for blockchain technologies to be incorporated into legacy systems, but rather for legacy systems to be incorporated into new block chain systems.

This philosophy of open, transparent coding that can be scrutinized by collaborative communities will work well with any technologies, not just blockchain, though of course the distributed nature of blockchain has some nice inherent security properties, i.e. if one part of the distributed operation is compromised, the rest of the system is still secure.

Challenges of UK Small Business: SME panel discussion

The pertinent issue here was how to help SMEs penetrate markets and raise money. One idea was for the Digital Catapult to hold an event exploring being successful in getting funding from Europe (the H2020 small business fund was mentioned).

In fact two of the SMEs on the panel had stories about failing to be able to extract grant money to support their activities, at least one of which had raised risk capital and was operating a business off a non-revenue-based business model. (At this point I confess, the techie in me fails to understand why this happens; there must be a plan in the future to generate revenue but I don’t explicitly know that. A second thought is to sell it to an organisation to which it will be of value… dang, wish I’d asked the question!)

The second main theme in this session was that the report accused SMEs of not enough ambition. This was vigorously rebutted by all but one of the SME panelists, asserting (and I must say I agree and find it difficult to see how one could counter-argue) that anyone who is an entrepreneur and starts a business is by definition ambitious.

The final panelist was a direct contributor to this finding of the report, as I inferred, and eloquently refined the explanation of the lack of ambition, a brilliant example of the purpose of the day.

They clarified that it is not entrepreneurs as individuals who lack ambition, but other, mainly cultural forces that constrain the ambitions of UK-based SMEs. Growth is directly related to the fertility of the ground.


Cyber security: The Investor’s View

Auriol Stevens started the investor’s view session with a bullet point list of how to sell your company. I only wish here that I could be as comprehensive, concise and lucid in reporting it; instead I’m simply going to revert to the things that stuck…

The main thing here, as I understood it, for the VCs is that valuation is key. That is the value of your company, the market place, combined with the non-exact art of guessing the likelihood of you making it. More than one of the panelists very explicitly said that the personalities, the people and their track records play a large part in that estimation. David Leftly called it the ‘rock star factor’:

Has the team got a leader?

A person who will take the company places?

Presuming the service / product / technology is up to scratch and delivers on a real issue, other things that VCs and investors look for are:

  • Distribution – is it being sold and/or can it be sold? The question here is can it get to market? Does the company already come with a clear way, or connections or partnerships, that can deliver the solutions (usually at scale)?
  • Brand value – in this context it does not mean the value of the brand’s recognition; rather, it references how well the brand positioning fits with the aspirations of the investor and the market. Does it resonate with or enhance customers’ impressions?
  • Finally a word on ‘dumb money’, a phrase referencing what the money is required for and whether it is going to be spent wisely in an appropriate and prioritised way to achieve clear defined objectives. To achieve the kind of return on investment an investor is looking for, money for money’s sake is a definite no-go.

That concludes the day; all that is left to do now is type my summary up on the train journey back to sunny Swansea… done.






