UKTN | The Podcast

Immersive Labs CEO and founder James Hadley discusses the dangers of generative AI like ChatGPT in cybersecurity, the lessons learned from laying off 10% of staff, and cracking the cyber skills shortage.

Show Notes

Hadley founded Immersive Labs, a Bristol-based cybersecurity training platform, in 2017. The company’s platform creates cyberattack simulations to teach organisations practical IT security skills. The company has raised $189m in funding. Prior to founding Immersive Labs, Hadley worked as an analyst and security consultant for British intelligence agency GCHQ. 

What is UKTN | The Podcast?

Each week, Jane Wakefield sits down with some of the key movers and shakers from the UK tech ecosystem for the UKTN Podcast. Learn growth strategies from both seasoned and up-and-coming founders, hear market sentiments from investors, and understand the tech policy affecting businesses across the country.

The UKTN Podcast provides insight into the most influential people in the UK’s innovation economy, exploring their personal and professional journeys and hearing their views on the hottest tech topics of the day.

James Hadley 0:05
I think that what's probably quite terrifying is the speed of what AI can do and how it can be applied. And we've seen that through ChatGPT. It's no longer the sole responsibility of the geeks in the basement. The conversations are happening at board level. The lessons learned is there's no right way to do it, but there's definitely wrong ways to do it.

Jane Wakefield 0:28
First, a quick message from our sponsor. Sourcing tech talent and delivering your software roadmap shouldn't be difficult. That's why Deazy connects high growth companies with some of the best pre-vetted developers from across the world. Whether supporting your in-house team, building your dream dev squad, or delivering the project end-to-end, Deazy's unique model is trusted by businesses globally to help them rapidly execute software development. Deazy is offering all UKTN listeners a 10% discount on their first engagement. Go to Deazy.com/UKTN to access quality development teams today.

Hello, and welcome to the UKTN Podcast, a weekly conversation with founders of some of the UK's high-growth tech companies. Each episode will talk through the founder's personal journey, their vision for their business, and their views of the wider tech industry. I'm Jane Wakefield, and I've been a tech journalist for more than two decades. And joining me today is James Hadley, CEO of Immersive Labs. Thank you very much for joining me, James. Now first up, I just want to find out a little bit more about your journey as a founder and an entrepreneur.

James Hadley 1:41
Absolutely. My background is IT geek growing up, I played with the computers because I didn't have any friends. I then went on to join GCHQ, at about 18 years old, straight out of college and then worked there for about four to five years doing some really fun stuff in cybersecurity, and then spent 10 years in the London-based agencies doing something else, and then started to have a career change. So I helped to run the GCHQ cyber school. And the purpose of that cyber school was to upskill people into cyber jobs over 10 weeks. So day one how do you spell cyber, day 50 reverse engineering malware, sort of a zero to hero course. And it was during that time I kind of realised hang on, you can't really measure the knowledge, skills and judgement of people that have sat in a classroom or have watched a video or passed a multiple choice exam.

And actually cybersecurity moves so quickly, the idea that you can solve for the cybersecurity skills shortage in a traditional setting like a scheduled classroom, kind of felt like that that wasn't the way forward. So I had the concept of the idea that you could create software that would not necessarily train people, tell people what buttons to press, because cyber moves really quickly, but instead put them in scenarios based on the latest threats where they kind of prove their capabilities through problem solving and troubleshooting and perseverance. And then in doing so they can then prove to their employer, our customers, that they have the necessary skills to help keep that organisation safe.

Jane Wakefield 3:05
You mentioned there that you went into GCHQ at 18. Obviously GCHQ is a fascinating subject. I'd like to talk about that a little bit more. And I don't know how much you can tell me. But just this idea that you leave school at 18 interests me because it seems quite a common thing among entrepreneurs. If you were to do the same again, would you recommend that for youngsters looking to set up businesses? Would you say you know, don't worry about going to university, if you've got a good idea, just get on and do it if you're able?

James Hadley 3:34
Yeah, I think entrepreneurship to set up a company, it's just get up and go, you're going to learn more through trialling, failing, in a real company that you've started than you are on the theory, I believe, in a university. That said, I went to university later in life to do a master's, kind of get the chip off my shoulder a little bit, around having not been to university and there were still barriers in place for jobs, where you couldn't get a certain job unless you had a degree or above. So I think those traditional academic prerequisites are starting to go away. And we're starting to see people hired based more on capability and speed of learning, etc. So I think universities should be about what it is you want to do. I think if you want to become a vet or a doctor university is probably a great way to go. Because of the subject matter, you know, you need to learn it and become qualified, whereas if you're doing something outside of those sort of jobs that have that deep level of knowledge background, like entrepreneurship, then I don't really see the value necessarily in going on a three or four year degree.

Jane Wakefield 4:30
And what can you tell us about GCHQ? I've often tried to talk to people at GCHQ. And I'm told 'we can't really tell you anything, not even necessarily the colour of the sky right now'. But what can you share about your experiences there?

James Hadley 4:42
I could share my experiences. So it was a fascinating place to work given the size of that organisation - I think it's true in very large corporates as well - you can change your job every three to four years. You know, you can take on different roles, different posts, and continuously upskill yourself to do different things and obviously the great thing about working for any sort of UK department like that, especially the intelligence agencies and defence, is the mission is the thing that keeps you going to work every day and getting out of bed is to help keep the country safe, both physically, but also now increasingly online as well.

Jane Wakefield 5:12
We'll talk a bit about that in a bit as well. But how did you go from that - GCHQ - to the founding of Immersive Labs?

James Hadley 5:19
Essentially, I was very fortunate, I had peers of mine and friends who had been more commercially minded and been doing the business side of the house. And they also had cybersecurity startups. So I got to learn through a bit of sort of osmosis, the journey that they've been on. And I was incredibly excited, that I want to do something very similar. And when it came to Immersive Labs, it was kind of stuck in my head, and I couldn't get it out, you know, and at the time, was trying to take it to them by their employers and say, 'hey, I've got this idea that we should do this'. And being told, 'no, it'll never take off, that won't work'. So eventually, the only way I could kind of see the vision come to life was to actually go and start the company and start that journey.

Jane Wakefield 5:56
And you've talked about the importance of people and people are often seen as the sort of weakest link in organisations, when it comes to cybersecurity. You can put up walls and walls and walls, but if somebody clicks on a dodgy email, then that could bring all those walls tumbling down immediately. So talk me through how Immersive Labs kind of takes into account this weakest link, which is people?

James Hadley 6:20
Yeah, so we talk about that a lot, in that we're helping enterprises turn what is traditionally labelled as their weakest link - not that I buy into that - but turning it into their greatest asset. So all of the technology and process in the world won't help when an individual either makes a mistake, or you need people to help you get out of a hole because you've had a security incident. And a lot of organisations we talked to have spent all this money investing in technology. But if they're asked the question, how do you know you're okay, how do you prove it? That's really hard. So traditional certifications or like an audit being done by a 'Big Four' every two years, it's quite dated. And it's really just asking multiple choice questions like, 'do you have this in place'?

So the real value behind what we do and why we get up every day is that we help organisations prove it. We put teams through simulations, both non-technical users and technical users, that put them into scenarios. And then based on how they do in those scenarios, we can say, here is your team are really strong, and here's why there might be areas for development. And then we benchmark that to the industry. So they can see the industry standard for cyber capability.

Jane Wakefield 7:22
And how willing are businesses to take part in that process? Because often I think they just want you deal with cybersecurity, that's not our problem. So how do you persuade them that this is something that the organisation has to put some effort into themselves and not just outsource it as it were?

James Hadley 7:38
Yeah, that's a good point. I think it depends on the maturity of the organisation and the sector they're in. So traditionally, where cybersecurity is seen as a strategic asset, which is very much large financial services, regulatory bodies, government, defence and law enforcement and technology industries, they understand the value of cybersecurity. It's no longer the sole responsibility of the geeks in the basement. The conversations are happening at board level. And there's increasingly more regulation coming out now, especially in the US around companies, especially public companies, having to evidence that their board has cybersecurity knowledge, skills and judgement at that level, and be able to prove that in order to help keep their customers' data and day-to-day operation safe.

Jane Wakefield 8:19
And it is a crowded market, isn't it? There's an awful lot of cybersecurity products out there. So how do you sort of put yourself above the parapet? And what's your unique selling point, I guess?

James Hadley 8:30
Yeah, absolutely. So I think there's over 3,000 venture backed cybersecurity companies. And pretty much especially in today's market with a recession, every large enterprise is looking to reduce the number of suppliers and vendors they have. Because they've traditionally bought lots of technology, but they might not have the right number of people and skilled people to help take advantage and feed and water that technology. So we're quite fortunate, we're not your technology play, we're not putting in another firewall or an identity management or some antivirus - that is a very supplier heavy market. We're taking a very different angle, which is yeah, you've got this technology, it's great. But what about your people? How do you prove your people have got the right skills, ranging from a non-technical person around cyber hygiene to developers? How do we prove those developers can write secure code to stop introducing vulnerabilities all the way to the boardroom, around in a particular scenario or crisis, what decisions that the board members make, with what levels of confidence, and how those decisions affect things like regulatory compliance and press relationships.

Jane Wakefield 9:28
The UK and Europe and indeed the world is facing a skill shortage. It's particularly in tech and particularly in specialisms like cyber, how do you think that we deal with that problem?

James Hadley 9:40
So I think it's changing over time. So one of the things that we pioneered across the UK and US and other countries was our digital cyber academy, which is a free version of our platform to help individuals get into cyber jobs based purely on skill that they could develop through the platform to remove traditional prerequisites like academic degree, certifications, and years of experience. We do that today for students and military veterans and neurodiverse individuals. I think when we started that five years ago now, as part of our founding mission, organisations weren't really ready to drop the paperwork side of the job application process, very much sticking to a computer science 2:1 degree to help plug that cyber skills gap. Now, there aren't enough computer science grads with an interest in cybersecurity to plug the cybersecurity skills shortage and nor is that a diverse talent pipeline with a range of different experiences. I think now we're starting to see enterprises look outside of those traditional hiring funnels for talent, as well as identifying hidden talent. One of my most favourite case studies show our journey as Hamilton Capital gave a licence to the janitor who was coming through the security operations centre. And that person then upskilled themselves in cyber and applied for a job with the company and got it. So transition from being a janitor to a security analyst by using the platform. There's a lot of talent out there. And we've got to help people get into the industry by not making it this weird sort of techno black magic kind of barrier in cybersecurity.

Jane Wakefield 11:06
A quick message from our sponsor, access to high quality and cost effective talent is one of the biggest growth obstacles facing companies. Deazy exists to solve this problem. In a challenging market, businesses need to focus on reducing overheads, all while pushing for meaningful growth. Deazy's one to many model provides access to an ecosystem of handpicked development teams engaged on a flexible basis and at competitive rates. Visit deazy.com/UKTN for an exclusive 10% discount for all podcast listeners.

Now, last year, Immersive Labs laid off 10% of its workforce, obviously one of many companies to have to do this amid the worsening economic crisis. But what did you learn from that experience? It's not pleasant, is it? It's something that lots of companies have got to do. What would be your advice about how you go about doing that in the best possible way?

James Hadley 12:03
Yeah, there's no perfect way to do it. And like other tech companies adapting to the economy, we made the changes to position the company for long term success by accelerating our path to cash flow breakeven and really focusing on high-growth opportunities in those proven markets and segments. I think that the lessons learned is there's no right way to do it but there's definitely wrong ways to do it. And I think trying to be as transparent as possible, and it's fair to people and communicate the 'why', and what the opportunities are ahead. I think doing that, again, and again, is probably the most important thing in helping the business mature through what has been a tech boom for 10 years. And now there's been a correction happening in the market. And if we didn't correct, then the implications or ramifications could be much worse later on.

Jane Wakefield 12:44
Now, you've spoken before. And this actually quite surprised me about artificial intelligence being one of the techs that you would perhaps put back in the bottle if you could. Do you still stand by that, and why? Because for lots of companies, AI is seen as a really important tool in helping with cyber and general security of their companies.

James Hadley 13:06
Yeah, I wouldn't necessarily put it back in the bottle. I think at the time when AI was being touted to help solve the shortage of cyber talent, I think it's going to exacerbate the cybersecurity skills shortage. And the reason for that, and it's an analogy that I think I've used in the past, is when cars came out, however long ago or when my dad had a car, you could open up the bonnet and you could kind of reverse engineer, look at it, figure out and try things to help fix your car. So people could upskill themselves in mechanics by opening the bonnet of their own car. Now, if you open the bonnet of your car, it's a computer chip interface, which means the ability for people to upskill themselves to fix that car is becoming much more limited and more specialist. Likewise, if we remove what I call the traditional tier one level of people working in cybersecurity, or on the basics of networking and operating systems and databases, and instead we just removed that we put this AI layer in there that's going to automate defences and things like that, the gap to go from an entry level to the tier two above the AI to help programme and manage that is going to be so great, I think we're going to lose a lot of people on that upskilling journey, because it's just become much, much, much harder because of that reliance on AI. So I think AI has lots of opportunities for both attackers - and we're already starting to see some research come out here - and defenders. But I worry about it being labelled as the fix for entry level talent into the cyber market, because I think it will then exacerbate the jump from entry level to someone that can be of real value within a security centre.

Jane Wakefield 14:34
When I speak to our AI experts, they always talk about the need for AI to work in tandem with the human, which seems to be exactly what you're saying there. But the difficulty seems to be sort of making that happen. Again, it's like there's a wall between the two. Would you say that there's a specific way that we can get those two things working together because they both seem to be very valuable?

James Hadley 14:51
I think what's probably quite terrifying is the speed of what AI can do and how it can be applied. And we've seen that through ChatGPT and the headlines it's creating both in cyber and things outside of cyber. In cybersecurity, the impacts of a threat being realised, is unlike most other threats. When large financial services organisations do operational resilience exercises, they used to talk about terrorism and physical and weather being in particular places, whereas cyber can be everywhere all at once. Like, for example a successful ransomware attack. So I think it's the combination of the speed of AI and the impacts of cyber threats, which probably makes for, you know, some gloomy outlooks where the threats are. I think it would just take us a long time to work out how to put people alongside AI to have really good outcomes, and how to prove that those outcomes are being realised because the technology is so complex. Underneath, the actual ability to verify that you are getting the outcome that you want, I think might be harder.

Jane Wakefield 15:47
We've sort of touched on this, but we are facing an incredibly complex and increasingly splintered world. The war in Ukraine, for example, has seen Russia distance itself from the global internet. We've seen state hacking rise exponentially, misinformation coming from countries like Russia. How big a threat is it? Do you think that we are now facing a situation where the global internet is no longer what it was conceived of when it was originally designed?

James Hadley 16:17
That's a big question.

Jane Wakefield 16:18
I realised that yes, I guess I'm thinking like cyber security threat specifically, you know. State hacking, is that something that we really need to get to grips with? And is it something that businesses might need to start thinking about because it feels like tech now is inextricably linked to politics. And we can no longer sort of see the two things separately.

James Hadley 16:40
I don't know I can ever envisage a world that doesn't have just connected everything everywhere, internet, and that's how we go about our daily lives and how business and commerce succeeds. The main risk that we have is what was traditionally viewed as state actors and state threats, advanced persistent threats, isn't really the biggest issue in the room. Because obviously, there's a small, very small quantity of those individuals. The bigger issue is cybercrime and fraud, playing out at scale. You're able to decentralise the act of the crime from the physical location and the actor and also the method by which they are remunerated through anonymised currencies like blockchain. That means anywhere with an internet connection, a keyboard - and people are willing to self learn and use freely available tools - could conduct quite advanced cyber operations to the attacks, we've seen attacks on the Guardian. We've seen other ransomware attacks, most recent on the Royal Mail. But again, we can't really say who it is, all we know is that they've used tools that are available on the internet, and they've had a successful breach, which means now obviously, that's impacting our critical national infrastructure. So I think it's not so much the state threats, it's the prevalence of anyone that's maliciously minded, can upskill themselves in cyber, and then have some pretty devastating consequences for both public sector and private sector.

Jane Wakefield 17:53
And it's big business now, right? You know, cybercrime, you can go onto the dark web and find people's details for sale at a specific price. People can kind of, say, the tools they want to perpetrate a particular hack, and they can do it with no skills, as you say. So would you say that's the biggest threat that companies face, the fact that cyber has become a business? Or is there something else that you think that businesses need to be really aware of in the cyber risk sphere?

James Hadley 18:22
I think it's acknowledging that it's a risk, and it's a highly likely risk to have an impact to the business. So it's not a 'we hope that doesn't happen to us, we'll get some insurance, and if the worst happens, we'll react'. It's part of business. We take health and safety for granted now that you have to have it and you have to have a fire drill. Of course you do. You just have to. And I think that's how cyber is gonna play out, you have to run cyber tools, you have to test your systems, you have to test your business responses, your insurance responses, how you talk to the press. And I think we've seen through share prices and things like that, that when an incident happens, there is an immediate market action, but actually it course corrects pretty normally back to where it was. So I think to depressingly even as consumers now, we probably all acknowledge that by using services, internet, online banking, at some point, our details are probably going to be compromised somewhere. But the impact of not having access to those services, online banking, etc, are so great that we are all accepting that risk implicitly, that by being part of the internet by being part of these systems, we implicitly acknowledge at some point, we're gonna get an email to say 'sorry, our systems are breached, that included some of your data and here's what we're doing about it'. It's just going to become a normal part of business. I don't think it will ever go away.

Jane Wakefield 19:32
And to that point, have any of your details ever been compromised? Have you ever fallen for one of these increasingly sophisticated phishing emails, which I believe AI now is starting to write? Will you confess, James?

James Hadley 19:47
Touch wood - I think it can happen to anyone. It happens to family and friends, especially where we have huge volumes of people actually texting and emailing people that work at Immersive Labs personal email addresses, which has nothing to do with their business record. But people have done the work on LinkedIn, found out the person's name and emailed them pretending to be me saying, 'Hey, I've got an urgent errand for you, I can't possibly talk on the phone'. And they're using your personal email address, it does catch people out where they don't look at the from email address. It's not me, James at Immersive Labs.com. They might actually just reply, and then that's the first sign that they've got an active, potential success route. But luckily, no damage so far. But whilst I haven't fallen victim to scammers yet, I think it's only a matter of time, because we all pay invoices online, we all get invoices from our builders and our solicitors, it's only a matter of time before one day, I'll send the money to the wrong person. But hopefully, because I've been sent being correct invoice rather than I've been duped by an email or a text message.

Jane Wakefield 20:46
So I mean, I really just want to kind of sum up, you know, the world of cyber can seem like a really scary place. But also it feels like there's a lot of complacency about it, businesses seem to be fairly complacent about it, I think individuals can be quite complacent about their data. And yet these threats are increasing and getting more scary all the time. How do we sort of measure up those two things that on the one hand, we have these really worrying kind of scenarios with what's going on with cyber gangs. But on the other, there's a degree of, 'ah, well, I'm either not going to be a victim, or if I am, I'm not too bothered'?

James Hadley 21:22
I think complacent isn't a word I would use. So I think it depends on the size and the maturity of the organisation. So I think quite rightly, if you're a small medium business, and you're doing something which is traditionally not online, like retail, bakery, anything like this, then the actual just the likelihood of someone deliberately attacking you, you would hope is quite low. But unfortunately, the impact to those organisations, especially if they don't have a huge amount of revenues, it could really cripple their business. But hopefully, if it's not too reliant on data and digital technology, they could find a way to continue. And they might not actually have the resources and the investment and the skills to put money into cybersecurity at their size. They've probably got bigger problems to worry about, like revenue, top line revenue, staying afloat. So I don't think it's complacency, but just probably not the closest shark to the boat. I think about large enterprises, they are investing hundreds of millions of dollars or more in helping to keep data safe, regulation, compliance and cybersecurity. The thing that makes it an impossible task is the size of their estates, the organic growth of those estates over 20 or 30 years. The complexity of that IT environment is huge. And the ability to protect all of it and update it, patch it, configure it, monitor it all at once, is nigh on impossible. So again, they're having to place bets about where they focus their efforts. And I think we're starting to see that play out now, especially in a recession, where I think a lot of our customers would rather have a simpler IT estate with fewer products and a good team, and keep it up to date - feed it, patch it, water it - than lots of technology, lots of connections, because it becomes too complex to manage.
And with a high turnover of staff in cyber, by the time you've hired someone, validated their skills, then upskilled them in your technology stack, and then they leave to go and get a job elsewhere, that's causing a big issue for many enterprise customers today.

Jane Wakefield 23:06
So do you remain an optimist about how we can stay one step ahead of cyber criminals? Or do you think that we do need to admit that it's always going to be a game of Whac-A-Mole, and we're never going to quite catch them?

James Hadley 23:23
I think as long as they are incentivized for people to be able to conduct anonymised crime, it's always going to be a Whac-A-Mole. We've always talked about how there's got to be a silver bullet at some point, you know, single sign on this and that. I think there'll always be a way around a process or a human given that we all have flaws as humans, as well. I think there'll always be a way in. So I think it will be forever a game of Whac-A-Mole. And I just think a lot of our time now will be focused on recovery, improving our ability to respond, rather than trying to stop it in the first place. If we can minimise and reduce the impacts of negative cyber effects, then I think it will become less of an issue. The issue at the moment we do have is what can start off as a small attack or one email click link - we gave the example earlier - can bring down an entire organisation and that's terrifying. So I'm cautiously optimistic that over time, the world we operate online will become secure and safer, because there's these tried and tested methods of recovering and responding. And we don't have these huge, massive shutdowns every time a cyber attack is successful.

Jane Wakefield 24:29
And that's a good point to end. That's all we've got time for on this week's edition of the UKTN Podcast. Thank you, James, for joining me on this cold dark January day. And thank you all wherever you are for listening. To keep up to date with the latest UK tech developments head over to www.uktech.news. Don't forget to follow UKTN on LinkedIn and Twitter and do get in touch with me via Twitter, @JaneWakefield with your comments and suggestions about the show. Until next time, it's goodbye from me.
