Business in focus: Cyberfort Group
Interview with Andy Hague | September 2018
Andy Hague, CEO of Cyberfort Group, is a highly experienced data security and technology leader who is widely consulted on GDPR and cybersecurity. He sold his award-winning software and telecoms business XAL in 2006, then took NCC Group’s cybersecurity division from a fledgling £2m revenue business to the leading player in the UK market.
We caught up with Andy to discuss nuclear bunkers, his #1 business number – and why he doesn’t mind being disrupted.
So how did the business come about?
I’ve always had a background in mixed tech and cyber and data security, back to when I was involved in the rapid growth of NCC Group in Manchester. A few years back, as data privacy was getting more and more important – and you could see GDPR coming from at least 2015 – I drew a chart on a wall and said, ‘I think the market is going to need something like this.’ And that’s basically what Cyberfort is.
So what is the Cyberfort proposition?
With all the noise around GDPR, the Data Protection Act 2018 and the upcoming ePrivacy regulation, data protection has gone mainstream and cyber security will continue to move up business risk registers. Cyberfort is creating an end-to-end information security proposition across every aspect of data security by bringing together the four key pillars – protect, detect, advise and shield – in four businesses:
- an ultra-secure physical data centre, The Bunker, where data can be managed in a dedicated secure suite or via our own cloud storage, housed in a former nuclear bomb shelter
- offensive security and penetration specialists Arcturus, whose very clever people assess the current state of your systems to identify any security weaknesses
- cyber security consultancy Agenci, which provides strategic guidance aimed at getting company behaviours and processes compliant
- a defensive SIEM (security information and event management) solution – still to be acquired, but talks are in a very advanced stage now
Wait. A nuclear bunker?
That’s right. It’s a set of military-grade Cold War nuclear bunkers on land in Kent which we hold the freehold to. We’ve converted part of it to run as a data centre. As you can imagine it’s a very, very solid infrastructure – 3m-thick concrete walls and massive blast doors. It’s pretty sizeable down there, like a small town. You can walk for ages without seeing a server or another person. Not that you’d know from the surface – it’s all underground, up to 200 feet.
So your USP is the curating and scaling of these four businesses?
Correct. We’re bringing together – through acquisition and organic creation – four strategic capabilities in the fields of data security to create a truly end-to-end security proposition. Clients can use one service or a combination. Each company has competitors in its discrete marketplace, and each has its own brand and culture and processes. But they share common ownership, and no one else offers all four together under one roof.
What part has investment played in the Cyberfort story?
We’re backed by Palatine Private Equity. With their backing we’ve deployed a buy-and-build strategy – The Bunker was the platform acquisition that gave us the foundation on which to add and scale other acquisitions. A lot of cyber companies out there are dealing in speculative stuff that businesses don’t really have a need for yet – there are 100s of start-ups doing very specialised things around security but they’re difficult to scale and often hit a ceiling. Our vision was always to go for four solid traditional established capabilities. PE houses can only invest in established businesses of a certain scale, so with The Bunker in place it made raising cash for the other businesses less challenging.
Technology is very fast-moving. How do you guard against being disrupted yourself?
I think a certain level of disruption is inevitable, on a niche level. There are all sorts of weird and wonderful apps and widgets out there, many without an established commercial application as yet. But we feel there’s more than enough to go at just helping people to get the basics right: most people aren’t even buying services that are capable of being disrupted.
If you look at all the major security breaches of recent years, there isn’t one that wasn’t a cock-up of a very basic kind. There aren’t any where you look at think: ‘Wow! What a fabulously ingenious piece of hacking!’ They’re all down to people not doing the basics right. The likes of GDPR are a very good thing in my view because it’s given the industry a good kick up the bum – it’s made companies realise: you are responsible for any data you hold, right down the supply chain. So people are taking data a bit more seriously at last.
The vast amount of security breaches are physical in nature. There’s a phrase I use because it makes a good point although it’s a bit horrible: ‘There’s no patch for stupidity.’ You can’t talk about ‘guarantees’ in security – all you can do is mitigate risk. If you use one of our services, your odds of a breach are significantly reduced. And if you use all four, they are reduced very very significantly.
And the problem is likely to get worse before it gets better. The global obsession with the Internet of Things means individuals and companies keep finding millions more things to bring online. But of course, every time someone connects something they’re creating another point of weakness.
What are the key challenges of scaling a business?
Getting the quality and quantity of people. There’s a massive skills shortage, right across the board – from sales to engineers. In the last few years, market rate salaries for cyber security people have been pushed very high.
With all the businesses you’ve run, what learning would you pass on to an entrepreneur at the start of their journey?
I think, however clever what you’re doing is, you’ve got to keep your eye on the ball and get the basics right. So it’s about hiring good people, pointing them in the right direction, and supporting them as they do the right thing. If you’ve got a good product, good people and good processes, you’ll not go far wrong.
At the end of the day, you’ve got to make sure that you’re creating value and see that the numbers are going in the right direction. You’ve always got to have a really strong understanding of where your numbers are at any point. Beyond the balance sheet and forecasts and P&L, in any business I’ve run I always try and focus on one key number. So when I was in a start-up, it was ‘How much cash is in the bank?’ – because that’s how you make sure you pay the bills and the staff.
As you get bigger the number changes, as you look at scaling and taking further investment and taking on debt. The key number for me right now is sales growth. We’re looking to build recurring revenue, because the compound impact of renewable revenue initiated in 2018-19 sets us up for years 3, 4 and 5. That’s one of the attractions of platform acquisitions – PEs looks to support their businesses very heavily in the first two years because they wanting to see value in years 3, 4 and 5, when they’re looking to benefit. If you can underpin your P&L with good margin and revenue base from long-term contracts at a set cost base early on, you’re then freer to focus on other aspects of building the business.
So what drives you personally?
There’s a lot of satisfaction in getting stuff right, in building things from scratch. I like to be able to point at something and say – we did that. That was just an idea 4 years ago on a bit of paper, but now it’s a reality.