Could a rapidly growing cybersecurity firm be Scotland’s next tech unicorn? Federico Charosky likes to think so
For all its ill effects on business and wider society, cybercrime is undoubtedly a big opportunity for the companies engaged in protecting us from online harms.
None more so than for Edinburgh-headquartered Quorum Cyber, which has been on an extraordinary growth trajectory since it was formed in 2016.
Now in its seventh year, and having navigated the headwinds of a global pandemic, the firm set up by Federico Charosky is enjoying a period of rapid expansion. It has secured investment from private equity giants Maven and Livingbridge, enabling it to go on an “aggressive” hiring spree during Covid, and has opened offices in London and Tampa, Florida.
“We want to be a unicorn company,” says Charosky, pointedly. “That’s the goal.”
With over 200 employees, Charosky, founder and CEO, is well positioned to do just that. He considers his company – in digital economy parlance – at the ‘scale up’ level, but is aiming for unicorn status within the next three years.
It seems like an ambitious timescale, but Charosky, an Argentine, is motivated and clear-sighted on what he needs to do to get there. From day one, he has been focused on revenue and on the thing many startups fall foul of: making sure there is a market for their product or service. The investment, too, has helped the company to take some risks, and create the headroom to grow.
“There is not currently a Scottish or UK unicorn for cybersecurity, and we want to be the first,” Charosky says. “So that is the game plan. How do we get there is a collection of different questions, but at the heart of it is continuing to do what we do, which is to keep our customers happy. We have grown organically to here, so it’s a question of whether we continue to grow organically to a billion. I think we can, but there also may be M&A [mergers and acquisitions] in the future. And that’s something we will keep our options open for. The one thing I’m sure of, though, is that we need to keep true to our values in order to get there.”
On the M&A front, Charosky says that over the last year Quorum Cyber has professionalised considerably, and would now be ready to acquire a company with the right profile. There is a great deal of market consolidation already, he says, and Quorum Cyber is ready to “ingest” another company, operationally speaking, were such an opportunity to arise.
“We’ve just opened in the US, so there’s a natural position to accelerate our internationalisation, or new regions, if we start going to the Nordics or the Middle East,” he adds.
One thing is for sure. The expansion will be based on a rock-solid ‘gold’ partnership with Microsoft. The company has developed considerable in-house expertise to help large organisations that use the tech giant’s enterprise software to make the best use of its infrastructure, safely and securely.
It is an official Microsoft Solutions Partner for Security and member of the Microsoft Intelligent Security Association (MISA). And in 2022, it became the first cybersecurity company headquartered in the UK, and one of the first few worldwide, to be verified by Microsoft for its Managed Extended Detection & Response (XDR) service.
Given that most large organisations use Microsoft for its enterprise software, the company has shrewdly judged the direction of the market. Charosky insists that he saw early on that the tech giant was going to be the dominant player in cloud enterprise-level software and he positioned the company to take advantage of that coming “wave” of global adoption.
Many of those adopters, of course, are in Scotland, where Quorum Cyber has a large customer base in both the private and public sectors. It already works with numerous public sector bodies, including the likes of South Ayrshire and Renfrewshire councils, to bolster their cyber defences, and also with oil and gas firm Capricorn Energy. The services it offers include managed detection and response, overseen by a 24/7 security operations centre, but it also has experience of dealing with the aftermath of live incidents. In one case, it helped a university recover from a cyberattack that crippled its systems and helped prevent further intrusions by enhancing its Azure deployment.
The firm also has a strong focus on community. In March this year it gathered its customers together in Edinburgh for the first annual Quorum Cyber Summit Edinburgh. Charosky says the meeting was valuable not only for providing important updates about the company’s security approach, but also for instilling a sense of belonging around a shared set of values. Much of that is tied to its mission of “fighting bullies and helping good people win”, but Charosky equally thinks it’s important to move away from the sometimes negative framing of cybersecurity.
“From day one, we have tried to be a company that doesn’t just talk about this piece of technology, or this gadget, which can do X, Y or Z, and a big long list of risks that you are mitigating for. Talking about risk all the time is a relatively negative conversation because you’re focusing on all the things that can go wrong, and trying to build a strategy for each of them.”
He adds: “For me, that’s like trying to put your fingers in a dam. You’re not going to stop everything, so you need to accept that it’s about resilience and how you react to getting hit. I think the idea of resilience is that you don’t care where the punch comes from. Because you can take it and can reposition, and stay on your feet. If we can get our customers to the place where they can absorb the blows and still thrive, I think that’s a fundamentally different and much healthier mindset. And it’s a much nicer conversation to have, because we’re talking about how they improve their balance – because there’s no such thing as a boxer who doesn’t get hit.”
The metaphor makes sense. Recent exploits like the MOVEit file transfer vulnerability, which has affected 455 organisations globally, show how even the biggest brands in the world can be impacted by threat actors targeting weak points in network infrastructure. Charosky says the conversation post-MOVEit is moving increasingly towards data security, rather than the network. If you start from the position that even the best-protected networks are susceptible to third-party supplier vulnerabilities, the focus then falls on how you lock down the data within the network when an intrusion occurs.
“Don’t get me wrong, you still need to have good inventory around your systems and know who has access to what,” he says. “That’s fundamentally good management, in my view. But we need to be better at securing the data. We’ve been very good as an industry selling firewalls, and VPNs, antivirus and EDRs [Endpoint Detection & Response] and all the technologies that reassure us that our servers are not going to get hacked. But if they do, what happens to the data within them? This is something we’ve been really terrible at as an industry. Part of the reason we’re in the Microsoft ecosystem is that they are leading the charge on data security.”
As such, Charosky says his firm’s managed data security practice is currently one of the biggest growth areas. “Microsoft Purview is flying off the shelves for us at the moment,” he says. “So once you’ve got XDR and MDR protecting the infrastructure layer, and identity security is protected, customers then have time to look at their data.”
He adds: “And they can put security countermeasures within that data so that if your supplier does get breached, and your data gets taken with it, you’re not out of control, you still have something around that data that you can action on. But that’s relatively new. Most businesses and most organisations aren’t at that level of sophistication. So we’re trying to accelerate them to get there.”
Charosky also believes we need to embrace the coming wave of generative AI. A lot of the focus, again, has been around the potentially negative effects of AI on the cybersecurity industry, with fears that a new legion of non-expert hackers will be able to create malware, adding to an already crowded threat landscape.
“I think AI is a force multiplier,” he says. “What it gives defenders is an incredible amount of power that can be harnessed for good. Now the challenge for me is that as an industry I think we are seeing a lot of resistance to AI, and a certain amount of, ‘Well, we’ll see how it evolves, and we’ll maybe adopt it when it’s ready’. I think that’s fundamentally the wrong approach.
“I think AI is a capability that we need to run towards, even if we’re uncertain of the boundary conditions of it, even if we don’t have a complete picture for it yet. The benefits that can be unleashed by properly harnessing the power of AI, I think outweigh some of the risks and the unknowns. The winners of this particular race I think are going to be the firms that run towards it.”