2022 UK Cyber Security Start-up Radar

To ensure our analysis was comparable to our previous start-up radars, such as the recent France Cyber Security Start Up Radar, and the 2019 UK Radar, the criteria for cyber security companies to be included in the Radar was that they were established in the past 7 years, had a maximum of 35 FTE’s (Full Time Employees), and were domiciled and operating in the UK.

With help from ScotlandIS, Northern Ireland’s cyber security cluster and Plexal, we reached out to some of the most promising cybersecurity start-ups across the cyber innovation ecosystem. 57 start-up companies kindly dedicated their time to engage in first-hand interviews, which formed the basis of our analysis.

However, we know there are many more cyber start-ups in the UK ecosystem that we need to hear from! If you are interested in being involved in the next edition, please get in touch.

1. ‘Micro’ Start-Ups secure less investment despite dominating the UK’s Cyber Security Sector

According to the recent annual sector report, most start-ups operating in the UK are categorised as ‘micro’, consisting of less than 10 employees. Our analysis supports these findings, with the majority of Wavestone affiliated start-ups also consisting of less than 10 employees.

Micro start-ups typically adopt agile or lean approaches, meaning they are more readily able to respond to evolving threats. As organisations begin to seek innovative solutions to emerging threats, demand for Micro start-ups’ products will grow. However, these start-ups are usually in the early stages of development, and most are still attempting to define their product market fit, business model, or are operating in nascent markets.

Relative to their stage of development, micro and small start-ups are receiving less investment compared to medium and large start-ups. So, although Micro start-ups require the most support, they receive a disproportionately lower amount of investment.

Investors also recognised that smaller, early-stage start-ups are developing products at the forefront of innovation, but these companies are less able to reliably evidence potential growth or validate their business models or products, which tend to make them less attractive to investors, and slow their growth.

In previous years, start-ups have chosen to build their headquarters in London, hoping for improved access to investment, clients, accelerators and incubators. However, operating costs can be much higher in the city, which can impact early-stage successes. DCMS recognised that having a London-centric cyber innovation ecosystem may lead to regional imbalances in cyber security capabilities across the UK. For the UK to maintain its position as a cyber power, the ‘whole of society’ should have equal access to the cyber innovation ecosystem.

However, despite the increase in start-ups headquartered outside of London, and a record year of investment rising from £814m in 2020 to £1013m in 2021, reports show that nearly all investment is still going to companies located in London or the South East.

During 2021, 16% of start-ups headquartered both inside and outside of the UK, had developed an international presence, either through international exports or engagement in international markets, particularly in the EU and US.

When we broadened our analysis to include all international relationships, we found that this 63% of start-ups reported having an international presence concentrated in the EU and US.

The stark difference between the number of start-us with international relationships versus the number of start-ups who report having an international presence, exports or engagement with overseas markets, indicates that start-ups are struggling to translate their international relationships into established business, sales or trade.

It is possible that start-ups are experiencing a number of barriers to navigating international exports and markets. For example, smaller start-ups may be ill-equipped to manage challenges associated with international law, regulations and frameworks, and talent shortages, or they may require help adapting their products and services to suit unfamiliar markets or customers outside of the EU and US.

Start-ups stated that they expected incubators and accelerators to help them overcome challenges associated with uncertainty due to COVID-19, competing for cyber talent and insufficient scale to serve larger clients.

However, start-ups experienced limitations to the support provided by incubators and accelerators. For instance, the sectoral report found that while accelerators were valued for the support they provided with marketing, sales and networking, they were concentrated in London and offered a light touch approach.

To better understand the effectiveness of cyber incubators and accelerators, we asked companies to describe the challenges they were experiencing in growing their business. Most expressed difficulties ‘breaking through’ or ‘increasing their visibility’ in the market, as well as experiencing sales-related challenges, such as winning an audience with the right clients or attracting the right talent into the business. start-ups reported that accelerators did address their need for increasing visibility, but as reported previously, could do more to address their sales and marketing needs.

Notably, start-ups have consistently described challenges associated with attracting the right talent into their organisations. For many companies who are in the early stages of building the company, particularly those with less than five employees, a ‘bad hire’ can significantly impede business growth or impact operations. One start up told us that “We are competing with large businesses who are able to offer much larger salaries,” while another stated that “there are a lack of available skills.”

So, while incubators and accelerators are offering the right services by increasing visibility and providing sales and marketing support, start-ups are calling for more in-depth support and a greater emphasis on attracting the right talent.

Key Barriers to Growth

To better understand the culture of start-ups in the UK’s cyber security sector, we asked the companies about female representation in leadership positions and their diversity and inclusion policies.

We found that 22% of cyber innovators were founded by at least one woman. Our findings are similar to those of Beauhurst, who also found that 26% of high-growth UK companies have at least one female founder. A lack of female representation at the founder level, may indicate that women experience barriers or challenges associated with female entrepreneurship and leadership in the UK’s cyber innovation sector.

Representation of Women in Leadership Positions across Cyber Start-ups and High Growth Companies

Although women are under-represented at the founder-level, 53% of our panel of start-ups reported having a diversity and inclusion policy in place, a plan to implement a policy when the company next recruits, or they had signed diversity pledges and charters. Some start-ups projected that they would need to grow to 30+ employees before they were able to begin implementing policies of this kind. High rates of commitment to diversity and inclusion at this early stage, may suggest that start-ups plan to address the underrepresentation of women in leadership positions through recruitment drives.

Incubators and accelerators could play a role in increasing the representation of women in cyber innovation. For instance, they could help start-ups break down barriers by increasing support for start-ups with diverse founders, or by helping existing start-ups to attract diverse talent. Wider initiatives that encourage female entrepreneurship in the cyber innovation sector may also prove successful, whereby increasing diversity and inclusion, not only for gender but equally for race and disability, is something that may need to be encouraged through greater outreach to minority groups and women.

Compared to established security companies, start-ups have the benefit of a ‘clean slate’. To understand how this affects their approach to innovation, we asked founders about their pursuit of security certifications and implementation of security frameworks across their organisation.

While we expected start-ups to be more readily able to implement security frameworks and certifications, they outperformed our expectations. Founders demonstrated a significant commitment to building secure services and products for their customers. For instance, 34% of the start-ups interviewed were already Cyber Essentials certified. In comparison, only 1.3% of cyber companies in the UK are currently certified.

Cyber Essentials certifies that an organisation has the capability to guard against the most common cyber threats. Start-ups, then, are positioning themselves as role models within this space and are demonstrating their commitment to remaining cyber secure as providers of cyber security products. One Start Up told us that “[Cyber Essentials] really offers added value and it is quite useful to have when there are specific requirements from Corporations.”

Cyber Essentials is also a requirement for government contracts, meaning that start-ups’ commitment to remaining cyber secure sets them apart from their competition in this space. Outside of government contracts, start-ups can also provide greater assurance to organisations that their supply chains are secure, where their uncertified, established competitors cannot.

To investigate start-ups’ position on innovation, we asked founders about their products. We found that most companies were developing products that re-imagine existing security solutions or they are developing solutions that challenge traditional approaches.

We have highlight two of them this year, and it was not easy to choose just one!

The UK’s Cyber Security sector is characterised by small, regional, early-stage start-ups. As these companies grow, they encounter barriers to attracting investment outside of London, recruiting the right, diverse talent, and navigating international markets and trade. Founders work tirelessly to breakdown these barriers with support from the cyber innovation ecosystem through accelerators, incubators and regional cyber innovation hubs.

Our analysis shows that the government’s efforts to regionalise innovation hubs and increase funding are driving the ecosystem in the right direction. However, cyber security is a ‘wicked problem’ that cannot be addressed by cyber innovators, security professionals and government support alone. A ‘whole of society’ approach is needed to progress the sector and maintain the UK’s position as a cyber power.

Individual customers, market leaders, investors, industry players and professional services organisations – to name a few – all play a pivotal role in helping start-ups to overcome these challenges. For instance, industry can work with early-stage start-ups to adapt their solutions, helping them to improve product market fit, and organisations with a global footprint could support piloting solutions abroad, helping them to translate their international relationships into international trade. Likewise, investors could embrace the regional shift and look for investment opportunities outside of the city. Meanwhile, professional services organisations, like Wavestone, can engage in pro-bono offerings to help support start-ups – we encourage our panel of start-ups to reach out for support!