The UKTN Podcast is back for season two, featuring more conversations with founders of some of the UK’s high-growth tech companies. Each episode will talk through the founder’s personal journey, their vision for their business, and their views of the wider tech industry.
In the first episode, UKTN Podcast host Jane Wakefield – a technology journalist with over two decades of experience – speaks to James Hadley, the CEO and founder of Immersive Labs.
Hadley founded Immersive Labs, a Bristol-based cybersecurity training platform, in 2017. The company’s platform creates cyberattack simulations to teach organisations practical IT security skills. The company has raised $189m in funding and has contracts with large enterprises and public sector organisations such as the Ministry of Defence.
Prior to founding Immersive Labs, Hadley worked as an analyst and security consultant for the British intelligence agency GCHQ.
During episode one of the UKTN Podcast, the Immersive Labs chief discusses the dangers of generative AI like ChatGPT in cybersecurity, the lessons learned from laying off 10% of staff, the risks of geopolitics in cyber and cracking the cyber skills shortage.
A full transcript of the episode, which has been lightly edited for brevity and clarity, is available below.
UKTN Podcast with Immersive Labs founder James Hadley
Jane Wakefield: Thank you very much for joining me, James. Now first up, I just want to find out a little bit more about your journey as a founder and an entrepreneur.
James Hadley: Absolutely. My background is IT geek growing up – I played with computers because I didn’t have any friends. I then went on to join GCHQ at about 18 years old, straight out of college, and then worked there for about four to five years doing some really fun stuff in cybersecurity. I then spent 10 years in the London-based agencies doing something else and then started to have a career change. I helped run the GCHQ cyber school to upskill people into cyber jobs over 10 weeks. So day one, how do you spell cyber; day 50, reverse engineering malware – a sort of zero-to-hero course. And it was during that time I kind of realised, hang on, you can’t really measure the knowledge, skills and judgement of people that have sat in a classroom or have watched a video or passed a multiple-choice exam.
And cybersecurity moves so quickly, the idea that you can solve the cybersecurity skills shortage in a traditional setting like a scheduled classroom, it kind of felt like that wasn’t the way forward. So I had the concept of the idea that you could create software that would not necessarily train people, tell people what buttons to press – because cyber moves really quickly – but instead put them in scenarios based on the latest threats where they kind of prove their capabilities through problem-solving and troubleshooting and perseverance. And then in doing so they can then prove to their employer, our customers, that they have the necessary skills to help keep that organisation safe.
JW: You mentioned that you went into GCHQ at 18. Obviously, GCHQ is a fascinating subject. I’d like to talk about that a little bit more. And I don’t know how much you can tell me. But just this idea that you leave school at 18 interests me because it seems quite a common thing among entrepreneurs. If you were to do the same again, would you recommend that for youngsters looking to set up businesses? Would you say don’t worry about going to university if you’ve got a good idea, just get on and do it if you’re able?
JH: Yeah, I think entrepreneurship, to set up a company, it’s just get up and go. You’re going to learn more through trialling, failing, in a real company that you’ve started than you are on the theory, I believe, in a university. That said, I went to university later in life for a master’s, to kind of get the chip off my shoulder a little bit around having not been to university and there were still barriers in place for jobs, where you couldn’t get a certain job unless you had a degree or above. So I think those traditional academic prerequisites are starting to go away. And we’re starting to see people hired based more on capability and speed of learning, etc. So I think universities should be about what it is you want to do. I think if you want to become a vet or a doctor, university is probably a great way to go. Because of the subject matter, you need to learn it and become qualified, whereas if you’re doing something outside of those sort of jobs that have that deep level of knowledge background, like entrepreneurship, then I don’t really see the value necessarily in going on a three or four-year degree.
JW: And what can you tell us about GCHQ? I’ve often tried to talk to people at GCHQ. And I’m told we can’t really tell you anything – not even necessarily the colour of the sky right now. But what can you share about your experiences there?
JH: I can share my experiences. It was a fascinating place to work and given the size of that organisation – I think it’s true in very large corporates as well – you can change your job every three to four years. You can take on different roles, different posts, and continuously upskill yourself to do different things. And obviously the great thing about working for any sort of UK department like that, especially the intelligence agencies and defence, is the mission is the thing that keeps you going to work every day; what gets you out of bed is helping to keep the country safe, both physically, but also now increasingly online as well.
JW: How did you go from that – GCHQ – to the founding of Immersive Labs?
JH: I was very fortunate, I had peers of mine and friends who had been more commercially minded and been doing the business side of the house. And they also had cybersecurity startups. So I got to learn through a sort of osmosis the journey that they’d been on. And I was incredibly excited, so I wanted to do something very similar. And when it came to Immersive Labs, it was kind of stuck in my head, and I couldn’t get it out. And at the time I was trying to take it to my employers and say, ‘hey, I’ve got this idea that we should do this’. And being told, ‘no, it’ll never take off, that won’t work’. So eventually, the only way I could see the vision come to life was to actually go and start the company and start that journey.
JW: You’ve talked about the importance of people, and people are often seen as the sort of weakest link in organisations when it comes to cybersecurity. You can put up walls and walls and walls, but if somebody clicks on a dodgy email, then that could bring all those walls tumbling down immediately. So talk me through how Immersive Labs takes into account this weakest link, which is people?
JH: We talk about that a lot, in that we’re helping enterprises turn what is traditionally labelled as their weakest link – not that I buy into that – but turning it into their greatest asset. So all of the technology and process in the world won’t help when an individual either makes a mistake, or you need people to help you get out of a hole because you’ve had a security incident. And a lot of organisations we talked to have spent all this money investing in technology. But if they’re asked the question, how do you know you’re okay, how do you prove it? That’s really hard. So traditional certifications or like an audit being done by a ‘Big Four’ every two years, it’s quite dated. And it’s really just asking multiple-choice questions like, ‘do you have this in place’?
So the real value behind what we do and why we get up every day is that we help organisations prove it. We put teams through simulations, both non-technical users and technical users, that put them into scenarios. And then based on how they do in those scenarios, we can say ‘here is where your team is really strong, and here’s where there might be areas for development’. And then we benchmark that to the industry. So they can see the industry standard for cyber capability.
JW: And how willing are businesses to take part in that process? Because often I think they just want you to deal with cybersecurity, that’s not our problem. So how do you persuade them that this is something that the organisation has to put some effort into themselves and not just outsource it, as it were?
JH: Yeah, that’s a good point. I think it depends on the maturity of the organisation and the sector they’re in. So traditionally, where cybersecurity is seen as a strategic asset, which is very much large financial services, regulatory bodies, government, defence and law enforcement and technology industries, they understand the value of cybersecurity. It’s no longer the sole responsibility of the geeks in the basement. The conversations are happening at board level. And there’s increasingly more regulation coming out now, especially in the US around companies, especially public companies, having to evidence that their board has cybersecurity knowledge, skills and judgement at that level, and be able to prove that in order to help keep their customers’ data and day-to-day operation safe.
JW: And it is a crowded market, isn’t it? There are an awful lot of cybersecurity products out there. So how do you sort of put yourself above the parapet? What’s your unique selling point?
JH: Absolutely. I think there are over 3,000 venture-backed cybersecurity companies. And especially in today’s market with a recession, every large enterprise is looking to reduce the number of suppliers and vendors they have. Because they’ve traditionally bought lots of technology, but they might not have the right number of people and skilled people to help take advantage and feed and water that technology. So we’re quite fortunate, we’re not your technology play, we’re not putting in another firewall or identity management or some antivirus – that is a very supplier-heavy market.
We’re taking a very different angle, which is yeah, you’ve got this technology, it’s great. But what about your people? How do you prove your people have got the right skills, ranging from a non-technical person around cyber hygiene to developers? How do we prove those developers can write secure code to stop introducing vulnerabilities all the way to the boardroom, in a particular scenario or crisis? What decisions do the board members make, with what levels of confidence, and how do those decisions affect things like regulatory compliance and press relationships?
JW: The UK and Europe and indeed the world is facing a skill shortage. It’s particularly big in tech and particularly in specialisms like cyber. How do you think that we deal with that problem?
JH: I think it’s changing over time. So one of the things that we pioneered across the UK and US and other countries was our digital cyber academy, which is a free version of our platform to help individuals get into cyber jobs based purely on skill that they could develop through the platform to remove traditional prerequisites like academic degree, certifications, and years of experience. We do that today for students and military veterans and neurodiverse individuals. I think when we started that five years ago now, as part of our founding mission, organisations weren’t really ready to drop the paperwork side of the job application process, very much sticking to a computer science 2:1 degree to help plug that cyber skills gap.
Now, there aren’t enough computer science grads with an interest in cybersecurity to plug the cybersecurity skills shortage and nor is that a diverse talent pipeline with a range of different experiences. I think now we’re starting to see enterprises look outside of those traditional hiring funnels for talent, as well as identifying hidden talent. One of my favourite case studies that shows our journey is when Hamilton Capital gave a licence to the janitor who was coming through the security operations centre. And that person then upskilled themselves in cyber and applied for a job with the company and got it. So a transition from being a janitor to a security analyst by using the platform. There’s a lot of talent out there. And we’ve got to help people get into the industry by not making it this weird sort of techno black magic kind of barrier in cybersecurity.
JW: Now, last year, Immersive Labs laid off 10% of its workforce, one of many companies to have to do this amid the worsening economic crisis. But what did you learn from that experience? It’s not pleasant, is it? It’s something that lots of companies have got to do. What would be your advice about how you go about doing that in the best possible way?
JH: Yeah, there’s no perfect way to do it. And like other tech companies adapting to the economy, we made the changes to position the company for long-term success by accelerating our path to cash-flow breakeven and really focusing on high-growth opportunities in those proven markets and segments. I think that the lesson learned is there’s no right way to do it but there are definitely wrong ways to do it. And I think trying to be as transparent as possible, and fair to people, and communicate the ‘why’, and what the opportunities are ahead. I think doing that, again and again, is probably the most important thing in helping the business mature through what has been a tech boom for 10 years. And now there’s been a correction happening in the market. And if we didn’t correct, the implications or ramifications could be much worse later on.
JW: Now, you’ve spoken before – and this actually quite surprised me – about artificial intelligence being one of the technologies that you would perhaps put back in the bottle if you could. Do you still stand by that, and why? Because for lots of companies, AI is seen as a really important tool in helping with cyber and general security of their companies.
JH: I wouldn’t necessarily put it back in the bottle. I think at the time when AI was being touted to help solve the shortage of cyber talent, I think it’s going to exacerbate the cybersecurity skills shortage. And the reason for that, and it’s an analogy that I think I’ve used in the past, is when cars came out, however long ago or when my dad had a car, you could open up the bonnet and you could kind of reverse engineer, look at it, figure out and try things to help fix your car. So people could upskill themselves in mechanics by opening the bonnet of their own car. Now, if you open the bonnet of your car, it’s a computer chip interface, which means the ability for people to upskill themselves to fix that car is becoming much more limited and more specialist.
Likewise, if we remove what I call the traditional tier one level of people working in cybersecurity, or on the basics of networking and operating systems and databases, and instead we just removed that and we put this AI layer in there that’s going to automate defences and things like that, the gap to go from an entry-level to the tier two above the AI to help programme and manage that is going to be so great that I think we’re going to lose a lot of people on that upskilling journey. Because it’s just become much, much, much harder because of that reliance on AI. So I think AI has lots of opportunities for both attackers – and we’re already starting to see some research come out – and defenders. But I worry about it being labelled as the fix for entry-level talent into the cyber market because I think it will then exacerbate the jump from entry-level to someone that can be of real value within a security centre.
JW: When I speak to our AI experts, they always talk about the need for AI to work in tandem with the human, which seems to be exactly what you’re saying there. But the difficulty seems to be making that happen. Again, it’s like there’s a wall between the two. Would you say that there’s a specific way that we can get those two things working together, because they both seem to be very valuable?
JH: I think what’s probably quite terrifying is the speed of what AI can do and how it can be applied. And we’ve seen that through ChatGPT and the headlines it’s creating both in cyber and things outside of cyber. In cybersecurity, the impact of a threat being realised is unlike most other threats. When large financial services organisations do operational resilience exercises, they used to talk about terrorism and physical and weather being in particular places, whereas cyber can be everywhere all at once. Like, for example, a successful ransomware attack. So I think it’s the combination of the speed of AI and the impacts of cyber threats, which probably makes for some gloomy outlooks where the threats are. I think it would just take us a long time to work out how to put people alongside AI to have really good outcomes, and how to prove that those outcomes are being realised because the technology is so complex. Underneath, the actual ability to verify that you are getting the outcome that you want, I think might be harder.
JW: We’ve sort of touched on this, but we are facing an incredibly complex and increasingly splintered world. The war in Ukraine, for example, has seen Russia distance itself from the global internet. We’ve seen state hacking rise exponentially, misinformation coming from countries like Russia. How big a threat is it? Do you think that we are now facing a situation where the global internet is no longer what it was conceived of when it was originally designed?
JH: That’s a big question.
JW: I realised that, yes. I guess I’m thinking like cybersecurity threats specifically. State hacking – is that something that we really need to get to grips with? And is it something that businesses might need to start thinking about because it feels like tech now is inextricably linked to politics, and we can no longer sort of see the two things separately?
JH: I don’t know how I can ever envisage a world that doesn’t have just connected everything everywhere, internet, and that’s how we go about our daily lives and how business and commerce succeeds. The main risk that we have is what was traditionally viewed as state actors and state threats, advanced persistent threats, isn’t really the biggest issue in the room. Because obviously, there’s a small, very small quantity of those individuals. The bigger issue is cybercrime and fraud playing out at scale. You’re able to decentralise the act of the crime from the physical location and the actor, and also the method by which they are remunerated, through anonymised currencies like on the blockchain.
That means anywhere with an internet connection and a keyboard – and people who are willing to self-learn and use freely available tools – could conduct quite advanced cyber operations. We’ve seen attacks on The Guardian. We’ve seen other ransomware attacks, most recently on Royal Mail. But again, we can’t really say who it is; all we know is that they’ve used tools that are available on the internet, and they’ve had a successful breach, which means now obviously, that’s impacting our critical national infrastructure. So I think it’s not so much the state threats, it’s the prevalence of anyone that’s maliciously minded, can upskill themselves in cyber, and then have some pretty devastating consequences for both public sector and private sector.
JW: And it’s big business now, right? With cybercrime, you can go onto the dark web and find people’s details for sale at a specific price. People can buy the tools they want to perpetrate a particular hack, and they can do it with no skills, as you say. So would you say that’s the biggest threat that companies face, the fact that cyber has become a business? Or is there something else that you think businesses need to be really aware of in the cyber risk sphere?
JH: I think it’s acknowledging that it’s a risk, and it’s a highly likely risk to have an impact on the business. So it’s not a ‘we hope that doesn’t happen to us, we’ll get some insurance, and if the worst happens, we’ll react’. It’s part of business. We take health and safety for granted now, you have to have it and you have to have a fire drill. Of course you do. You just have to. And I think that’s how cyber is gonna play out, you have to run cyber tools, you have to test your systems, you have to test your business responses, your insurance responses, how you talk to the press. And I think we’ve seen through share prices and things like that, that when an incident happens, there is an immediate market action, but actually it course corrects pretty normally back to where it was.
So I think depressingly, even as consumers now, we probably all acknowledge that by using services – internet, online banking – at some point, our details are probably going to be compromised somewhere. But the impact of not having access to those services, online banking, etc, is so great that we are all accepting that risk implicitly: that by being part of the internet, by being part of these systems, we implicitly acknowledge at some point we’re gonna get an email to say ‘sorry, our systems are breached, that included some of your data and here’s what we’re doing about it’. It’s just going to become a normal part of business. I don’t think it will ever go away.
JW: And to that point, have any of your details ever been compromised? Have you ever fallen for one of these increasingly sophisticated phishing emails, which I believe AI now is starting to write? Will you confess, James?
JH: Touch wood, no. I think it can happen to anyone. It happens to family and friends, especially where we have huge volumes of people actually texting and emailing people that work at Immersive Labs on their personal email addresses, which has nothing to do with their business records. But people have done the work on LinkedIn, found out the person’s name and emailed them pretending to be me saying, ‘hey, I’ve got an urgent errand for you, I can’t possibly talk on the phone’. And they’re using your personal email address, it does catch people out where they don’t look at the from email address. It’s not me, [email protected]. They might actually just reply, and then that’s the first sign that they’ve got an active, potential success route. But luckily, no damage so far. But whilst I haven’t fallen victim to scammers yet, I think it’s only a matter of time, because we all pay invoices online, we all get invoices from our builders and our solicitors, it’s only a matter of time before one day, I’ll send the money to the wrong person. But hopefully, because I’ve been sent an incorrect invoice rather than because I’ve been duped by an email or a text message.
JW: To sum up, the world of cyber can seem like a really scary place. But also it feels like there’s a lot of complacency about it. Businesses seem to be fairly complacent about it, I think individuals can be quite complacent about their data. And yet these threats are increasing and getting scarier all the time. How do we sort of measure up those two things that on the one hand, we have these really worrying scenarios with what’s going on with cyber gangs. But on the other, there’s a degree of, ‘ah, well, I’m either not going to be a victim, or if I am, I’m not too bothered’?
JH: I think complacent isn’t a word I would use. So I think it depends on the size and the maturity of the organisation. So I think quite rightly if you’re a small-medium business, and you’re doing something which is traditionally not online, like retail, bakery, anything like this, then just the likelihood of someone deliberately attacking you, you would hope, is quite low. But unfortunately, the impact on those organisations, especially if they don’t have a huge amount of revenue, it could really cripple their business. But hopefully, if it’s not too reliant on data and digital technology, they could find a way to continue. And they might not actually have the resources and the investment and the skills to put money into cybersecurity at their size. They’ve probably got bigger problems to worry about, like revenue, top-line revenue, and staying afloat.
So I don’t think it’s complacency, but just probably not the closest shark to the boat. I think about large enterprises, they are investing hundreds of millions of dollars or more in helping to keep data safe, regulation, compliance and cybersecurity. The thing that makes it an impossible task is the size of their estates, the organic growth of those estates over 20 or 30 years. The complexity of that IT environment is huge. And the ability to protect all of it and update it, patch it, configure it, monitor it all at once, is nigh on impossible. So again, they’re having to place bets about where they focus their efforts. And I think we’re starting to see that play out now, especially in a recession, where I think a lot of our customers would rather have a simpler IT estate with fewer products and a good team, and keep it up to date – feed it, patch it, water it – than lots of technology, lots of connections, because it becomes too complex to manage. And with a high turnover of staff in cyber, by the time you’ve hired someone, validated their skills, then upskilled them in your technology stack, and then they leave to go and get a job elsewhere, that’s causing a big issue for many enterprise customers today.
JW: So do you remain an optimist about how we can stay one step ahead of cyber criminals? Or do you think that we do need to admit that it’s always going to be a game of Whac-A-Mole, and we’re never going to quite catch them?
JH: I think as long as there are incentives for people to be able to conduct anonymised crime, it’s always going to be a Whac-A-Mole. We’ve always talked about how there’s got to be a silver bullet at some point, you know, single sign-on this and that. I think there’ll always be a way around a process or a human, given that we all have flaws as humans, as well. I think there’ll always be a way in. So I think it will be forever a game of Whac-A-Mole. And I just think a lot of our time now will be focused on recovery, improving our ability to respond, rather than trying to stop it in the first place.
If we can minimise and reduce the impacts of negative cyber effects, then I think it will become less of an issue. The issue at the moment we do have is what can start off as a small attack or one email link click – we gave the example earlier – can bring down an entire organisation, and that’s terrifying. So I’m cautiously optimistic that over time, the world we operate in online will become secure and safer because there are these tried and tested methods of recovering and responding. And we don’t have these huge, massive shutdowns every time a cyber attack is successful.
The UKTN Podcast is sponsored by Deazy, a tech build platform enabling cost-effective, flexible and scalable development services.