Cybercrime vs. Cybersecurity: A $10 Trillion Battlefield - And DarkTrace Is In The Middle Of It
This is the Three Data Point Thursday, making your business smarter with data & AI.
This is a quick celebration: Three Data Point Thursday just reached 1,000 readers! Welcome to all of you. Please recommend this to everyone you know who’d love it.
FWIW: I thought about monetizing this newsletter but figured that knowledge should be free, so let’s keep it free. But you can buy me a coffee to let me continue spending lots of hours each week reading, studying, and writing about the data space :-D
Actionable Insights
If you only have a few minutes, here’s what’s going to make your business smarter:
Cybersecurity will be democratized, but cybercrime will be personalized soon. Machine learning and AI will make us all targets and businesses way less secure. However, AI will help bring cybersecurity to everyone, including you and me, thanks to so-called “AI leapfrogging.”
DarkTrace is a British, Cambridge-based company that is tackling that exact challenge. Led by Poppy Gustafsson, the company is pushing every edge imaginable.
Democratizing a certain software industry is hard work. But Poppy and her team are all in, creating a diverse team, making it crossfunctional as much as possible, betting on hard research, and doubling down on simplicity.
While data isn’t simple, it can be made simple to use (at first), and simple to understand (although not easy).
“If packaged intuitively, AI can go where no software has gone before.” - AI Leapfrogging
Let’s play an evil game. Imagine you just entered a gambling parlor where you can bet on tons of evil things, including what will harm the economy the most over the coming decade.
The villains driven by today's news might suggest the usual culprit: war. It’s always easy to bet on war, as it brings great harm to everyone involved. And while many lives are lost unnecessarily, economically, wars cost around $1-2 trillion USD. A global GDP of $100 trillion USD makes for 1-2%.
Cleverer villains would bet on another recent newcomer: pandemics. While we have no idea whether a new pandemic will sweep across our world, the economic cost of one would indeed top a war, with something like $9 trillion USD over two years estimated. That makes up to 10% of a long-ranging pandemic like COVID-19.
Both bets are fair enough, but if you want to pick a winner, you gotta look no further than into your laptop: Cybercrime is already causing damage of $8-10 trillion USD per year, steadily growing! Compared to COVID-19, cybercrime would cause damage of 30% of a year’s GDP.
While experts value the cybersecurity market roughly equal to the AI market and 10x the VR market, they miss the potential that already exists today. While AI gains still have to be realized, the damage to the economy is being done as you read this article.
There’s only one thing left to do to unleash this huge business opportunity: democratize cybersecurity. That’s exactly what one of the only Cambridge-based (and UK-based) unicorn companies is doing—and it’s called DarkTrace, led by Poppy Gustafsson.
While we can learn a ton from Poppy’s journey, one key idea stuck with me: Poppy realized that it’s not the industries closest to software and AI that are the likeliest to be disrupted by AI; quite the opposite.
“Founders are eager to apply AI to digitized industries that seem ‘the most ready for it.’ But that’s not where we’re going to make the biggest impact.” - Explanation of the idea of AI Leapfrogging
Poppy and DarkTrace are using AI as a vehicle to democratize cyber security. It is important to bring security to everyone, especially to industries and individuals far away from the everyday use of it.
And they have something to show for it: Poppy and Darktrace CTO Jack Stockdale was awarded the Order of the British Empire for services to cyber security in 2019, she received the CEO of the Year award, and the company listed on the London Stock Exchange back in 2021.
Let’s see how that got started.
Of newspapers and farms
Poppy Gustafsson was born and raised in Cambridgeshire, the county surrounding the famous university city of Cambridge. But unlike what I’d imagined, she wasn’t raised by two academics but rather by two hardworking, hands-on parents. Her mother was a journalist for the Farmers Weekly, while her father owned and ran a farming business.
What she took away from her childhood was a hands-on approach to life displayed by her father and a gift for explaining things simply, just like her mother did every day at her job at the newspaper.
She went to the University of Sheffield to study mathematics (yay!) and started working as a kitchen cabinet builder, extending her hands-on mentality while combining it with an academic and exploratory spirit.
Deloitte and the founding team
A year after finishing college, Poppy scored a job as an accountant at Deloitte, at the intersection of mathematics and business. She stayed there for four years, learning to dig through complex numbers, think analytically, and translate seemingly boring number sheets into an easy-to-understand story for others.
In quick succession, she left Deloitte for a year at Amadeus Capital and then moved to HP Autonomy in 2009, where she finally got her first contact with deep technology. With her thirst for knowledge, Poppy became more and more interested in digital data processing and information generation.
Finally, by 2011, after a successful completion of her maths degree and 7 years of professional work, she had collected a ton of business experience, a broad general understanding of technology, business and finance, and realized her thirst for an entrepreneurial venture and deep and complex topics.
A Side Hustle on Maternity Leave
One topic in particular caught her eye, cyber security. Cyber threats seemed to increase both in frequency and in the damage they could do. They already posed a serious threat to businesses and after long discussions with her colleagues, Poppy came to realize that cyber security could be revolutionized by using AI-aided systems.
So, while being on maternity leave, she decided to join up with a colleague about to start a company in that sector, “What else are you gonna do?” It was a side hustle.
But nevertheless, the team was an amazing team, including Dave Palmer, Emily Orton, Jack Stockdale and Nicole Eagan as founders. They lead a group of world-class mathematicians and AI experts, working on ground-breaking applications of AI to cybersecurity. They basically decided to use a certain piece of research, that came out of a Cambridge PostDoc research group on unsupervised learning to cybersecurity.
The idea was simple: Why fend off attackers using logic and encoded rules when you can use unsupervised learning to let systems identify suspicious behavior on their own?
A simple idea but hard to execute.
Diversity and Super Brains
DarkTrace is betting hard on R&D, and it has to, like any large, successful technology company. Google was founded on the research of its founders on ranking algorithms and Databricks on the research of parallel computing; scientific progress is the cornerstone of many modern-day companies.
DarkTrace now has a large R&D lab inside London and is getting the best and the brightest on board. “At its heart, Darktrace is a company that uses advanced mathematics to solve real-world problems.” one of their investors, Talis Capital, writes. In my opinion, “advanced mathematics” is an understatement. Machine Learning might break down to linear algebra, but we’re also talking about the very leading edge of science, the not-yet-published research, new inventions, and millions of research money.
“We had the leading mathematicians from Cambridge University and an amazing product from the very beginning, as well as cyber intelligence experts, but we knew that was not a scalable hiring model against the backdrop of a well-documented global cyber skills shortage.”
Poppy bet on diversity in all forms early on, driven by the diverse culture inherent to an academic hub like Cambridge. And it paid of early on, In an CNBC interview she describes how at a meeting about their proof of value’s it took the young graduate in the room to ask “why are we doing them in 3 months, why not 3 weeks?” That suggestion changed the way the company did business, and they never looked back.
I think, the unique setting of the creation of this company, so close to Cambridge University, made it so diverse. And in a weird sense, it’s one of the pillars of success for the company - because to drive democrartization in any field, you need diversity. After all, to bring cyber security to everyone, you at first, need to understand basically everyone. What better way is there than to start out with the most diverse team you can?
UI and Hands-on On Selling
Poppy’s unique combination of an understanding of complex topics and yet a hands on mentality drove her to see the challenge of democratization: Making the complex simple, simple to use.
I recently talked to a founder of a data company, and we discussed perceived complexity. Lots of people would like to make data simple. Yet the data world isn’t simple! Neither is the cybersecurity world. So, all efforts to make it simple will fail. However, making it simple to use is a whole other story, and Poppy excels at that.
In Poppy’s words, “Complex technology should be simple to use.”
She placed multiple bets on this approach. First, the company hired a game designer to come up with a great intuitive UI. Second, they started to use a lot of visual images and the metaphor of the immune system to help explain the use of their product. Third, they started to use a hardcore “show, don’t tell” approach.
It is their now famous “show, don’t tell” approach, that landed them their first big client. The team simply deployed DarkTrace free of charge for the prospet, and showed threats in real-time being caught by the system. A pretty hard selling point.
“Our technology was designed to be intuitive — anyone from deeply technical security analysts to a non-technical member of the c-suite can understand the findings of our AI — so we are able to train these graduates in house relatively simply.” - Poppy.
In a video interview, Poppy shares a story she experienced earlier that underpins her approach (and one I can attest to as a math Ph.D.): Lots of people assume they will never understand math because of the complex language of formal proofs. But, if you go back a couple hundred years, you’ll stumble over a book by Euclid full of proofs of important theorems. The catch? The book by Euclid contains merely a few words, and all the proof is presented entirely visually! Easy to understand and straightforward.
Similarly, the Nobel-prize-winning economist Amartya Sen had a great social economics book where all proofs were written down as plain stories.
In my experience, complex and complicated things can be made simple to use and simple to understand (but never easy), but it requires a lot of effort to get to that point!
Multidisciplinary approach
Companies like Stripe, Uber or Airbnb had a certain kind of arrogance that led them succeed early on. None of these founders where from the respective industries they disrupted, and most of these teams took years to hire anyone from the respective fields of finance, transportation and vacation rental spaces. And it is precisely this discarding of the known, that helped them succeed.
One might think, coming from an extremely diverse background, that DarkTrace would follow this path. But they don’t.
DarkTrace has a certain kind of humbleness, an interesting mix of ignorance of the actual cyber security space on the side of the founders, and a deep knowledge inside the team they hired. DarkTrace employs an extremely multidisciplinary team consisting of both AI experts and cyber security experts, people with a deep understanding of enterprise selling and connections into the military sector.
“Creative exploration is a team effort” - Poppy.
Cyber Security is Real (Time)
“Time is rarely on your side when dealing with computer-driven attacks, and action usually needs to be instantaneous to prevent the breach or damage.” (source) It is astonishing to me how many people think time is ever on their side when it comes to data. And yet, even I can’t deny there is a certain urgency when it comes to cyber-attacks.
Actions to prevent attacks need to be taken immediately; otherwise, the damage will be done. That means that three things have to happen almost instantaneously:
Capturing the relevant data
Alerting based on insights from the captured data
Acting and preventing damage, based on the insight
It’s a three-step process, and all parts need to function ASAP in order for any value to be delivered. It’s a complex problem to solve, and many solutions focus only on 1-2 parts of that problem, in effect rendering them worthless on their own. That’s the power of DarkTrace and its integrated approach. It is also what convinces customers after customers; they can see for themselves the system in action, capturing and preventing threads in real-time inside their own cloud.
“The analysis of data had to be real-time and continuous. This is critically important for Darktrace’s Continuous Cyber AI Loop. We always operate on real-time data that is continuously updated as things change; so does Cybersprint.
[] Built-in automation and integration. Cybersprint automates everything possible in Attack Surface Management and integrates with every external data source.” (Source)
Being at the Forefront & Leapfrogging Poppy, an Expert in Leapfrogging, without knowing it.
Looking at the story of DarkTrace, and the numbers behind the cyber security sector, it is mind boggling to me that not more founders decide to go into that sector. It’s literally a 30x opportunity waiting to be realized today. The damage done to the world’s economy is 30x the current value of the industry, and all that’s missing is to democratize cyber security.
Simple idea, hard to execute. But not impossible as the story of Poppy shows us. It just requires hard work.
DarkTrace still keeps on pushing its limits, with over 125 patents and counting in the areas of research. It pushes towards the safety of AI and democratizing cyber security more and more.
“But technology is always adopted quickly when people feel it’s safe and secure, [so] the fastest way to get that innovation into people’s hands is by making it safe. I don’t think technology adoption and safety and regulation are competing. I think there are two things that go hand-in-hand to make sure people can adopt AI securely.” (Source)
And it does look like we’re entering a new era of cybersecurity. Poppy thinks the arms race will continue, the AI innovation will get into the hands of every hacker, and every one of us will experience highly targeted attacks.
The question is, will the industry catch up? I wish for the former, as I’d rather not like to end up in the evil gambling parlor and stick to writing newsletters and building good things.
Resources
I sourced a ton of resources for this article. If you want to understand the idea of AI leapfrogging, I suggest you take a look into the NfX article on it.
The best comprehensive source on the story of Poppy & DarkTrace is the interview with the Founder Institute at Cambridge (video).
For a short intro, take a look at the CNBC mini video.
For a longer written piece, I’d suggest the one written by Talis Capital, which is a good introduction to the company and its journey.
Here are some special goodies for my readers
👉 The Data-Heavy Product Idea Checklist - Got a new product idea for a data-heavy product? Then, use this 26-point checklist to see whether it’s good!
The Practical Alternative Data Brief - The exec. Summary on (our perspective on) alternative data - filled with exercises to play around with.
The Alt Data Inspiration List - Dozens of ideas on alternative data sources to inspire you!
Thanks for the story!
> ... to come up with a great intuitive UI ...
The screenshots and videos showcasing the UI completely blew my mind. However, I can't shake the feeling that they might have overdone it.
Echoing your words, I want to say something like, "Yes, UI is hot, but so are the algorithms! Every $$$ you can pour into UI, you can also pour into software engineering teams."
But I should assume those visualizations are well justified. :)