Some months ago, the chief financial officer of a Mumbai-based healthcare company received a strange message on his mobile phone. It wasn’t a usual text message; rather, it was an over-the-air or OTA message, which meant there was no sender’s number. The message simply warned the CFO of his son’s addiction to television.
Since it was an OTA message, it vanished before the man could respond. He didn’t think too much of it and went about his life. A few days later, when he was making dinner plans with his wife, he got another OTA message. This one asked if he wanted to make a reservation at his wife’s favourite restaurant. Assuming that his phone had been hacked, the puzzled and annoyed CFO changed his number and handset. And got an OTA message on the new phone, which complimented him on the new instrument.
The CFO was now scared, and filed a complaint with the police, who could do nothing about it. He changed his phone again. And again. And yet again. The messages simply did not stop. Worse, they began referring to secret sensitive business information that only the CFO had access to. This time, the CFO went to his company’s tech department, who called in Saket Modi, co-founder and chief executive of Lucideus, a cybersecurity firm.
Modi had been taking care of the cybersecurity for the healthcare company, so knew something about its functioning. It took him a couple of days to discover that the CFO’s connected devices—handsets, broadband modems, and smart TVs—had been hacked. His living room had become a public space, with the hackers aware of everything going on there, including top-secret, out-of-office company discussions.
It’s like something right out of a crime thriller and I’m fascinated; of course, I ask for the details, but Modi refuses to divulge any more. What he does say is that this kind of story is not rare. Most of us know that earlier this year, Facebook lost over $42 billion after analytics firm Cambridge Analytica disclosed that it stole data from over 50 million Facebook users to push targeted advertising for Donald Trump’s presidential campaign. But Modi says this is not something confined to more mature markets; it happens in India, more often than we’d like to think. You may remember that a recent cyberattack on Pune’s Cosmos Bank led to some ₹ 94 crore being stolen. Corporate data worth millions of dollars can be, and often is, stolen in a few seconds, says Modi.
“Hackers are changing fast. They are no longer what earlier used to be a 15-year-old sitting in a garage and trying to hack you. It has now completely changed into a corporate- and state-sponsored hacking machinery,” Modi tells me. He knows what he’s talking about; an ethical hacker himself, Modi co-founded Lucideus in 2012, when he was still in college. Six years is a long time in the cyber world, where technologies change and are changed at warp speed.
So, what does Lucideus do apart from securing company secrets? In a nutshell, it provides cybersecurity training, services, and products. It also has a growing risk assessment business, fuelled by the sharp rise in online digital payments.
Over the past three years, Lucideus has been responsible for the end-to-end cybersecurity assessment of the BHIM payments application launched by Prime Minister Narendra Modi and the UPI (Unified Payments Interface) library that is today embedded into the mobile banking applications of almost all banks in the country that have a mobile banking facility for transfer of money.
What that also means is that Lucideus has the highest market share (more than 60%) for the cybersecurity assessment of UPI-enabled applications in India. Some of the apps in this category whose complete security assessment has been done by Lucideus include WhatsApp, Google Pay, MiPay, BookMyShow, Yatra.com, Truecaller, and Dish TV.
We found a massive requirement for cybersecurity professionals across industries. We will be addressing this demand-supply gap with this partnership and help create an army of cyberwarriors.Vidit Baxi, co-founder, Lucideus
Fighting cybercrime is no easy business, but Modi has managed to come out winning. And his successes have caught the attention of Silicon Valley legend, John Chambers. The former chairman and CEO of Cisco Systems has led a $5 million Series A funding round for Lucideus. Through his recently launched JC2 Ventures, Chambers has pumped in $4 million, while a handful of angel investors put in the rest.
While the ticket size isn’t staggering (typically Series A cheques in India are in the range of $2 million to $5 million), the investment is crucial as it highlights the potential that investors like Chambers see in cybersecurity in India, and the opportunity that may exist for enterprise service and product providers like Lucideus globally.
For Chambers, who is the chairman of the U.S.-India Strategic Partnership Forum (USISPF), India has been a market of interest since his Cisco days. He made India Cisco’s second head office 12 years ago. He now intends to work closely with entrepreneurs, business and government leaders in France, India and the U.S. to foster entrepreneurship and innovation. With JC2 Ventures, the focus is on digital innovation, though the company has invested in other innovations that could lead to market transitions, such as its portfolio firm Aspire Food Group, which develops insect farming technology for applications in food, including manufacturing of food products from crickets. Even before he set up JC2 Ventures, Chambers had invested an undisclosed sum in Chennai-based speech recognition software startup Uniphore; that’s now a JC2 Ventures portfolio firm.
This seems like a good time to focus on cybersecurity as a business. According to Nasscom, the Indian IT industry is set to reach a size of $350-400 billion by 2025. The country can build a cybersecurity products and services industry of $35 billion by 2025 and generate a skilled workforce of one million in the security sector.
Globally, the cybersecurity market is expected to grow from $152.71 billion in 2018 to $248.26 billion by 2023, at a compound annual growth rate (CAGR) of 10.2% during 2018-23, according to a new market research report by MarketsandMarkets. The major forces driving the growth in the space are strict data protection directives and rising cyberterrorism. The cybersecurity market is growing rapidly because of the rising need for cloud-based cybersecurity solutions among enterprises and small and medium-sized enterprises (SMEs) alike.
Indian corporates alone face one of the highest cybersecurity threats in the Asia-Pacific region. Over 500,000 security alerts are reported in India on a daily basis, which is nearly three times the number of alerts faced by global companies, points out the Cisco 2018 Asia-Pacific Security Capabilities Benchmark Study released on September 19. According to the report, India leaves nearly 39% or approximately up to 200,000 alerts unattended due to lack of required skill sets.
This is the opportunity that Chambers is eyeing. According to him, the three main areas of focus for companies right now globally are growth, differentiation (and innovation), and cybersecurity. “I think cybersecurity is absolutely in the top three. Many companies do not talk about it, however, because they don’t have a good answer. If you ask a CEO, how would they evaluate their status of risk exposure to cybersecurity and what are they doing as key elements, it’s piecemeal. The CEO would probably struggle. And that’s what Modi got, that others didn’t,” Chambers told Fortune India over a Google Hangouts call from his Palo Alto office.
In fact, when they first met last year, Chambers asked Modi to explain his business in 15 seconds. Modi did, and Chambers was hooked.
Winning Silicon Valley’s praise is one thing. But can Modi keep his investors happy and turn in profits? The short answer to that is yes. While Modi doesn’t share financials, company officials say revenue has grown 300% year-on-year for the past six years. We also know Lucideus serves over 150 customers in 14 countries. In India, top clients include National Payments Corporation of India, ICICI Bank, HDFC Bank, Kotak Mahindra Bank, Delhi airport (GMR), Mumbai airport, Tata Sky, and KFC, and investors such as SoftBank and Helion Venture Partners.
“It’s a strong team of security professionals. It’s a compartmentalised team not a generalised one, so there are Android experts, iOS experts, IoT and blockchain experts, hence the focus is there,” says Sameer Ratolikar, executive vice president and chief information security officer at HDFC Bank. “We have a host of Internet-facing- and mobile applications and that’s why we wanted to go for the one who can offer specialised services, because only they can go into details to find vulnerabilities.”
Tata Sky was Lucideus’ first enterprise client five years ago, and remains a client. Harit Nagpal, chief executive and managing director, Tata Sky, says though the company has grown fourfold in the last four years and expanded services to include OTT and broadband, Lucideus has been able to match up to the challenges that come with such expansion. “He [Modi] is very agile and manages to deliver in an area that’s ever-changing. He has been able to remain one step ahead of those who can harm our structure,” says Nagpal.
While training brings single-digit contribution to its revenues, the company sees training as a way to build a pipeline of cybersecurity professionals, who are in short supply. Co-founder Rahul Tyagi leads the training programme at Lucideus. All courses are designed and delivered under his guidance. The startup has recently tied up with the University of Delhi to start the first orientation programme of its flagship postgraduate diploma in cybersecurity and law at Shaheed Sukhdev College of Business Studies. This is the first time the University of Delhi has tied up with a private entity for a cybersecurity course.
Rahul Tyagi, who co-founded, Lucideus with Saket Modi and Vidit Baxi in 2012, leads the training programme at the cybersecurity firm. All courses are designed and delivered under his guidance.
Lucideus has also tied up with Ansal University in Gurugram to offer a B.Tech course in cybersecurity. It is in talks for part time Ph.D programmes with NTU Singapore and Technion university in Israel. “We found a massive requirement for cybersecurity professionals across industries. We will be addressing this demand-supply gap with this partnership and aim to bring together our knowledge base combined with industry experience to help create an army of cyberwarriors, the engineers of tomorrow,” says Vidit Baxi, co-founder and partner, Lucideus.
It’s not just training and support. Lucideus has come up with a real-time cybersecurity assessment and monitoring platform for enterprises. Called SAFE, this product integrates with the existing technology stack of an enterprise to provide a real-time cyber-risk assessment at a macro level across the organisation that can be broken down into micro-level scoring individually for each asset. The product has already found its early adopters. Electrical equipment maker Havells was the first company in India to implement a real-time security analytics dashboard, helping it measure the maturity of its security systems. In its 2018 annual report, Havells reported that over 1.6 million leakage threats are prevented every month with highly advanced security systems.
Sri Shivananda, senior vice president and CTO, PayPal, who is an angel investor in the company, points out the risk in cybersecurity is mathematical, and a number can be put to it. “Think of it in the way one understands temperature, which is digitised. Lucideus is at the forefront of digitising risk, which can be driven down to quantifying and simplifying risks of cybersecurity.”
With Chambers backing it, Lucideus intends to look at exponential growth (4x to 5x) over the next few years. “Having an investor like Chambers has given us the ammunition to dream of being a $100 billion company. We don’t feel being a $1 billion company is the only place we can go to. He saw Cisco turning into a $500 billion market cap company at its peak. He has done it all,” says Modi.
But with hackers staying a step ahead of the cops, it’s not going to be an easy ride. Kulmeet Bawa, managing director, South Asia, Adobe, and an angel investor in Lucideus, explains: “It’s what I would call a dance. Whilemore and more security networks are coming into place, at the same pace cyber minds are working to break into those networks. There would be five more hacks and four more plugs coming in at the same time.” Lucideus has been named with that dichotomy in mind; it’s derived from Lucifer (the dark) and Deus (the light, or god).
Another challenge for young companies like Lucideus is that they could end up facing formidable competition from larger corporates like Cisco and IBM Security. Nothing stops these biggies from offering similar services and products. But Modi is not flustered. “We are in the business of trust, which takes time to build.” As long the trust can be built, the game is on for Lucideus.
(This story was originally published in the October 2018 issue of the magazine)