The UKTN Podcast is back for season two, featuring more conversations with founders of some of the UK's high-growth tech companies. Each episode will talk through the founder's personal journey, their vision for their business, and their views of the wider tech industry.
In the first episode, UKTN Podcast host Jane Wakefield – a technology journalist with over two decades of experience – speaks to James Hadley, the CEO and founder of Immersive Labs.
Hadley founded Immersive Labs, a Bristol-based cybersecurity training platform, in 2017. The company's platform creates cyberattack simulations to teach organisations practical IT security skills. The company has raised $189m in funding and has contracts with large enterprises and public sector organisations such as the Ministry of Defence.
Prior to founding Immersive Labs, Hadley worked as an analyst and security consultant for the British intelligence agency GCHQ.
During episode one of the UKTN Podcast, the Immersive Labs chief discusses the dangers of generative AI like ChatGPT in cybersecurity, the lessons learned from laying off 10% of staff, the risks of geopolitics in cyber and cracking the cyber skills shortage.
Listen to the full episode here.
A full transcript of the episode, which has been lightly edited for brevity and clarity, is available below.
UKTN Podcast with Immersive Labs founder James Hadley
Jane Wakefield: Thank you very much for joining me, James. Now first up, I just want to find out a little bit more about your journey as a founder and an entrepreneur.
James Hadley: Absolutely. My background is IT geek growing up – I played with computers because I didn't have any friends. I then went on to join GCHQ at about 18 years old, straight out of college, and then worked there for about four to five years doing some really fun stuff in cybersecurity. I then spent 10 years in the London-based agencies doing something else and then started to have a career change. I helped run the GCHQ cyber school to upskill people into cyber jobs over 10 weeks. So day one, how do you spell cyber, day 50 reverse engineering malware, a sort of a zero to hero course. And it was during that time I kind of realised hang on, you can't really measure the knowledge, skills and judgement of people that have sat in a classroom or have watched a video or passed a multiple choice exam.
And cybersecurity moves so quickly, the idea that you can solve the cybersecurity skills shortage in a traditional setting like a scheduled classroom, it kind of felt like that that wasn't the way forward. So I had the concept of the idea that you could create software that would not necessarily train people, tell people what buttons to press – because cyber moves really quickly – but instead put them in scenarios based on the latest threats where they kind of prove their capabilities through problem-solving and troubleshooting and perseverance. And then in doing so they can then prove to their employer, our customers, that they have the necessary skills to help keep that organisation safe.
JW: You mentioned that you went into GCHQ at 18. Obviously, GCHQ is a fascinating subject. I'd like to talk about that a little bit more. And I don't know how much you can tell me. But just this idea that you leave school at 18 interests me because it seems quite a common thing among entrepreneurs. If you were to do the same again, would you recommend that for youngsters looking to set up businesses? Would you say don't worry about going to university if you've got a good idea, just get on and do it if you're able?
JH: Yeah, I think entrepreneurship, to set up a company, it's just get up and go. You're going to learn more through trialling, failing, in a real company that you've started than you are on the theory, I believe, in a university. That said, I went to university later in life for a master's, to kind of get the chip off my shoulder a little bit around having not been to university and there were still barriers in place for jobs, where you couldn't get a certain job unless you had a degree or above. So I think those traditional academic prerequisites are starting to go away. And we're starting to see people hired based more on capability and speed of learning, etc. So I think universities should be about what it is you want to do. I think if you want to become a vet or a doctor, university is probably a great way to go. Because of the subject matter, you need to learn it and become qualified, whereas if you're doing something outside of those sort of jobs that have that deep level of knowledge background, like entrepreneurship, then I don't really see the value necessarily in going on a three or four-year degree.
JW: And what can you tell us about GCHQ? I've often tried to talk to people at GCHQ. And I'm told we can't really tell you anything – not even necessarily the colour of the sky right now. But what can you share about your experiences there?
JH: I can share my experiences. It was a fascinating place to work and given the size of that organisation – I think it's true in very large corporates as well – you can change your job every three to four years. You can take on different roles, different posts, and continuously upskill yourself to do different things and obviously the great thing about working for any sort of UK department like that, especially the intelligence agencies and defence, is the mission is the thing that keeps you going to work every day and getting out of bed is to help keep the country safe, both physically, but also now increasingly online as well.
JW: How did you go from that – GCHQ – to the founding of Immersive Labs?
JH: I was very fortunate, I had peers of mine and friends who had been more commercially minded and been doing the business side of the house. And they also had cybersecurity startups. So I got to learn through a sort of osmosis, the journey that they'd been on. And I was incredibly excited so, I want to do something very similar. And when it came to Immersive Labs, it was kind of stuck in my head, and I couldn't get it out. And at the time I was trying to take it to my employers and say, 'hey, I've got this idea that we should do this'. And being told, 'no, it'll never take off, that won't work'. So eventually, the only way I could see the vision come to life was to actually go and start the company and start that journey.
JW: You've talked about the importance of people, and people are often seen as the sort of weakest link in organisations when it comes to cybersecurity. You can put up walls and walls and walls, but if somebody clicks on a dodgy email, then that could bring all those walls tumbling down immediately. So talk me through how Immersive Labs takes into account this weakest link, which is people?
JH: We talk about that a lot, in that we're helping enterprises turn what is traditionally labelled as their weakest link – not that I buy into that – but turning it into their greatest asset. So all of the technology and process in the world won't help when an individual either makes a mistake, or you need people to help you get out of a hole because you've had a security incident. And a lot of organisations we talked to have spent all this money investing in technology. But if they're asked the question, how do you know you're okay, how do you prove it? That's really hard. So traditional certifications or like an audit being done by a 'Big Four' every two years, it's quite dated. And it's really just asking multiple-choice questions like, 'do you have this in place'?
So the real value behind what we do and why we get up every day is that we help organisations prove it. We put teams through simulations, both non-technical users and technical users, that put them into scenarios. And then based on how they do in those scenarios, we can say 'here is your team are really strong, and here's why there might be areas for development'. And then we benchmark that to the industry. So they can see the industry standard for cyber capability.
JW: And how willing are businesses to take part in that process? Because often I think they just want you to deal with cybersecurity, that's not our problem. So how do you persuade them that this is something that the organisation has to put some effort into themselves and not just outsource it, as it were?
JH: Yeah, that's a good point. I think it depends on the maturity of the organisation and the sector they're in. So traditionally, where cybersecurity is seen as a strategic asset, which is very much large financial services, regulatory bodies, government, defence and law enforcement and technology industries, they understand the value of cybersecurity. It's no longer the sole responsibility of the geeks in the basement. The conversations are happening at board level. And there's increasingly more regulation coming out now, especially in the US around companies, especially public companies, having to evidence that their board has cybersecurity knowledge, skills and judgement at that level, and be able to prove that in order to help keep their customers' data and day-to-day operation safe.
JW: And it is a crowded market, isn't it? There are an awful lot of cybersecurity products out there. So how do you sort of put yourself above the parapet? What's your unique selling point?
JH: Absolutely. I think there are over 3,000 venture-backed cybersecurity companies. And especially in today's market with a recession, every large enterprise is looking to reduce the number of suppliers and vendors they have. Because they've traditionally bought lots of technology, but they might not have the right number of people and skilled people to help take advantage and feed and water that technology. So we're quite fortunate, we're not your technology play, we're not putting in another firewall or on identity management or some antivirus – that is a very supplier-heavy market.
We're taking a very different angle, which is yeah, you've got this technology, it's great. But what about your people? How do you prove your people have got the right skills, ranging from a non-technical person around cyber hygiene to developers? How do we prove those developers can write secure code to stop introducing vulnerabilities all the way to the boardroom, in a particular scenario or crisis? What decisions do the board members make, with what levels of confidence, and how do those decisions affect things like regulatory compliance and press relationships?
JW: The UK and Europe and indeed the world is facing a skill shortage. It's particularly big in tech and particularly in specialisms like cyber. How do you think that we deal with that problem?
JH: I think it's changing over time. So one of the things that we pioneered across the UK and US and other countries was our digital cyber academy, which is a free version of our platform to help individuals get into cyber jobs based purely on skill that they could develop through the platform to remove traditional prerequisites like academic degree, certifications, and years of experience. We do that today for students and military veterans and neurodiverse individuals. I think when we started that five years ago now, as part of our founding mission, organisations weren't really ready to drop the paperwork side of the job application process, very much sticking to a computer science 2:1 degree to help plug that cyber skills gap.
Now, there aren't enough computer science grads with an interest in cybersecurity to plug the cybersecurity skills shortage and nor is that a diverse talent pipeline with a range of different experiences. I think now we're starting to see enterprises look outside of those traditional hiring funnels for talent, as well as identifying hidden talent. One of my favourite case studies that shows our journey is when Hamilton Capital gave a licence to the janitor who was coming through the security operations centre. And that person then upskilled themselves in cyber and applied for a job with the company and got it. So a transition from being a janitor to a security analyst by using the platform. There's a lot of talent out there. And we've got to help people get into the industry by not making it this weird sort of techno black magic kind of barrier in cybersecurity.
JW: Now, last year, Immersive Labs laid off 10% of its workforce, one of many companies to have to do this amid the worsening economic crisis. But what did you learn from that experience? It's not pleasant, is it? It's something that lots of companies have got to do. What would be your advice about how you go about doing that in the best possible way?
JH: Yeah, there's no perfect way to do it. And like other tech companies adapting to the economy, we made the changes to position the company for long-term success by accelerating our path to cash flow, breakeven and really focusing on high-growth opportunities in those proven markets and segments. I think that the lesson learned is there's no right way to do it but there are definitely wrong ways to do it. And I think trying to be as transparent as possible, and fair to people and communicate the 'why', and what the opportunities are ahead. I think doing that, again and again, is probably the most important thing in helping the business mature through what has been a tech boom for 10 years. And now there's been a correction happening in the market. And if we didn't correct, the implications or ramifications could be much worse later on.
JW: Now, you've spoken before. And this actually quite surprised me about artificial intelligence being one of the technologies that you would perhaps put back in the bottle if you could. Do you still stand by that, and why? Because for lots of companies, AI is seen as a really important tool in helping with cyber and general security of their companies.
JH: I wouldn't necessarily put it back in the bottle. I think at the time when AI was being touted to help solve the shortage of cyber talent, I think it's going to exacerbate the cybersecurity skills shortage. And the reason for that, and it's an analogy that I think I've used in the past, is when cars came out, however long ago or when my dad had a car, you could open up the bonnet and you could kind of reverse engineer, look at it, figure out and try things to help fix your car. So people could upskill themselves in mechanics by opening the bonnet of their own car. Now, if you open the bonnet of your car, it's a computer chip interface, which means the ability for people to upskill themselves to fix that car is becoming much more limited and more specialist.
Likewise, if we remove what I call the traditional tier one level of people working in cybersecurity, or on the basics of networking and operating systems and databases, and instead we just removed that and we put this AI layer in there, that's going to automate defences and things like that, the gap to go from an entry-level to the tier two above the AI to help programme and manage that is going to be so great that I think we're going to lose a lot of people on that upskilling journey. Because it's just become much, much, much harder because of that reliance on AI. So I think AI has lots of opportunities for both attackers, and we're already starting to see some research come out, and defenders. But I worry about it being labelled as the fix for entry-level talent into the cyber market because I think it will then exacerbate the jump from entry-level to someone that can be of real value within a security centre.
JW: When I speak to our AI experts, they always talk about the need for AI to work in tandem with the human, which seems to be exactly what you're saying there. But the difficulty seems to be making that happen. Again, it's like there's a wall between the two. Would you say that there's a specific way that we can get those two things working together, because they both seem to be very valuable?
JH: I think what's probably quite terrifying is the speed of what AI can do and how it can be applied. And we've seen that through ChatGPT and the headlines it's creating both in cyber and things outside of cyber. In cybersecurity, the impact of a threat being realised is unlike most other threats. When large financial services organisations do operational resilience exercises, they used to talk about terrorism and physical and weather being in particular places, whereas cyber can be everywhere all at once. Like, for example, a successful ransomware attack. So I think it's the combination of the speed of AI and the impacts of cyber threats, which probably makes for some gloomy outlooks where the threats are. I think it would just take us a long time to work out how to put people alongside AI to have really good outcomes, and how to prove that those outcomes are being realised because the technology is so complex. Underneath, the actual ability to verify that you are getting the outcome that you want, I think might be harder.
JW: We've sort of touched on this, but we are facing an incredibly complex and increasingly splintered world. The war in Ukraine, for example, has seen Russia distance itself from the global internet. We've seen state hacking rise exponentially, misinformation coming from countries like Russia. How big a threat is it? Do you think that we are now facing a situation where the global internet is no longer what it was conceived of when it was originally designed?
JH: That's a big question.
JW: I realised that, yes. I guess I'm thinking like cybersecurity threats specifically. State hacking – is that something that we really need to get to grips with? And is it something that businesses might need to start thinking about because it feels like tech now is inextricably linked to politics, and we can no longer sort of see the two things separately?
JH: I don't know how I can ever envisage a world that doesn't have just connected everything everywhere, internet, and that's how we go about our daily lives and how business and commerce succeeds. The main risk that we have is what was traditionally viewed as state actors and state threats, advanced persistent threats, isn't really the biggest issue in the room. Because obviously, there's a small, very small quantity of those individuals. The bigger issue is cybercrime and fraud playing out at scale. You're able to decentralise the act of the crime from the physical location and the actor and also the method by which they are remunerated through anonymised currencies like on the blockchain.
That means anywhere with an internet connection and a keyboard – and people are willing to self-learn and use freely available tools – could conduct quite advanced cyber operations to the attacks, we've seen attacks on The Guardian. We've seen other ransomware attacks, most recently on Royal Mail. But again, we can't really say who it is, all we know is that they've used tools that are available on the internet, and they've had a successful breach, which means now obviously, that's impacting our critical national infrastructure. So I think it's not so much the state threats, it's the prevalence of anyone that's maliciously minded, can upskill themselves in cyber, and then have some pretty devastating consequences for both public sector and private sector.
JW: And it's big business now, right? With cybercrime, you can go onto the dark web and find people's details for sale at a specific price. People can buy the tools they want to perpetrate a particular hack, and they can do it with no skills, as you say. So would you say that's the biggest threat that companies face the fact that cyber has become a business? Or is there something else that you think businesses need to be really aware of in the cyber risk sphere?
JH: I think it's acknowledging that it's a risk, and it's a highly likely risk to have an impact on the business. So it's not a 'we hope that doesn't happen to us, we'll get some insurance, and if the worst happens, we'll react'. It's part of business. We take health and safety for granted now, you have to have it and you have to have a fire drill. Of course you do. You just have to. And I think that's how cyber is gonna play out, you have to run cyber tools, you have to test your systems, you have to test your business responses, your insurance responses, how you talk to the press. And I think we've seen through share prices and things like that, that when an incident happens, there is an immediate market action, but actually it course corrects pretty normally back to where it was.
So I think depressingly, even as consumers now, we probably all acknowledge that by using services – internet, online banking – at some point, our details are probably going to be compromised somewhere. But the impact of not having access to those services, online banking, etc, are so great that we are all accepting that risk implicitly, that by being part of the internet by being part of these systems, we implicitly acknowledge at some point, we're gonna get an email to say 'sorry, our systems are breached, that included some of your data and here's what we're doing about it'. It's just going to become a normal part of business. I don't think it will ever go away.
JW: And to that point, have any of your details ever been compromised? Have you ever fallen for one of these increasingly sophisticated phishing emails, which I believe AI now is starting to write? Will you confess, James?
JH: Touch wood, no. I think it can happen to anyone. It happens to family and friends, especially where we have huge volumes of people actually texting and emailing people that work at Immersive Labs' personal email addresses, which has nothing to do with their business records. But people have done the work on LinkedIn, found out the person's name and emailed them pretending to be me saying, 'hey, I've got an urgent errand for you, I can't possibly talk on the phone'. And they're using your personal email address, it does catch people out where they don't look at the from email address. It's not me, [email protected] They might actually just reply, and then that's the first sign that they've got an active, potential success route. But luckily, no damage so far. But whilst I haven't fallen victim to scammers yet, I think it's only a matter of time, because we all pay invoices online, we all get invoices from our builders and our solicitors, it's only a matter of time before one day, I'll send the money to the wrong person. But hopefully, because I've been sent being correct invoice rather than I've been duped by an email or a text message.
JW: To sum up, the world of cyber can seem like a really scary place. But also it feels like there's a lot of complacency about it. Businesses seem to be fairly complacent about it, I think individuals can be quite complacent about their data. And yet these threats are increasing and getting scarier all the time. How do we sort of measure up those two things that on the one hand, we have these really worrying scenarios with what's going on with cyber gangs. But on the other, there's a degree of, 'ah, well, I'm either not going to be a victim, or if I am, I'm not too bothered'?
JH: I think complacent isn't a word I would use. So I think it depends on the size and the maturity of the organisation. So I think quite rightly if you're a small-medium business, and you're doing something which is traditionally not online, like retail, bakery, anything like this, then the actual just the likelihood of someone deliberately attacking you, you would hope is quite low. But unfortunately, the impact on those organisations, especially if they don't have a huge amount of revenue, it could really cripple their business. But hopefully, if it's not too reliant on data and digital technology, they could find a way to continue. And they might not actually have the resources and the investment and the skills to put money into cybersecurity at their size. They've probably got bigger problems to worry about, like revenue, top-line revenue, and staying afloat.
So I don't think it's complacency, but just probably not the closest shark to the boat. I think about large enterprises, they are investing hundreds of millions of dollars or more in helping to keep data safe, regulation, compliance and cybersecurity. The thing that makes it an impossible task is the size of their estates, the organic growth of those estates over 20 or 30 years. The complexity of that IT environment is huge. And the ability to protect all of it and update it, patch it, configure it, monitor it all at once, is nigh on impossible. So again, they're having to place bets about where they focus their efforts. And I think we're starting to see that play out now, especially in a recession, where I think a lot of our customers would rather have a simpler IT estate with fewer products and a good team, and keep it up to date – feed it, patch it, water it – than lots of technology, lots of connections, because it becomes too complex to manage. And with a high turnover of staff in cyber, by the time you've hired someone, validated their skills, then upskilled them in your technology stack, and then they leave to go and get a job elsewhere, that's causing a big issue for many enterprise customers today.
JW: So do you remain an optimist about how we can stay one step ahead of cyber criminals? Or do you think that we do need to admit that it's always going to be a game of Whac-A-Mole, and we're never going to quite catch them?
JH: I think as long as they are incentivised for people to be able to conduct anonymised crime, it's always going to be a Whac-A-Mole. We've always talked about how there's got to be a silver bullet at some point, you know, single sign-on this and that. I think there'll always be a way around a process or a human given that we all have flaws as humans, as well. I think there'll always be a way in. So I think it will be forever a game of Whac-A-Mole. And I just think a lot of our time now will be focused on recovery, improving our ability to respond, rather than trying to stop it in the first place.
If we can minimise and reduce the impacts of negative cyber effects, then I think it will become less of an issue. The issue at the moment we do have is what can start off as a small attack or one email click link – we gave the example earlier – can bring down an entire organisation and that's terrifying. So I'm cautiously optimistic that over time, the world we operate online will become secure and safer because there are these tried and tested methods of recovering and responding. And we don't have these huge, massive shutdowns every time a cyber attack is successful.
The UKTN Podcast is sponsored by Deazy, a tech build platform enabling cost-effective, flexible and scalable development services.