Running a startup today in India or overseas is a bit like swimming in a vast ocean with no anchors, life vests or shoreline in sight and several killer sharks coming at you from every direction.
This was the reality that faced Mathew John, 58, soon after he set up his social impact enterprise The Last Forest to help Adivasi and other marginalised communities take their forest and agricultural products to the market and the consumer, acting like a go-between.
Two decades of gathering valuable information and data through his not-for-profit Keystone Foundation, which works to achieve livelihood and food security for indigenous communities among a gamut of other development work was being put to good use in his new for-profit social enterprise but he often felt like he was in a home with no walls, open to theft, robbery and attack from every direction.
That’s when Mathew realised he needed to fortify himself against the world of cyberattacks, which could lead to him losing a treasure chest of data and insights accumulated over the years by rivals who want access to the same painstakingly gathered information but don’t want to spend the time, effort or money required to gather it. In many cases, the attackers hack in just to destroy what the founder has built, even if they don’t gain monetarily.
Three years ago, Founder and CEO of Pe Local Vivekanand Tripathi, 45, found himself in a similar rocky boat. As he started offering his cloud-based digital transformation services to large enterprises like the Delhi Metro, Mahanagar Gas and Indraprastha Gas, he realised that to provide the right certification and to ensure that his clients are not vulnerable to any cyberattacks through his services, he needed to up the ante and get a security partner who was able to provide high-quality security services but at a rate, his fledgling business could afford.
Both Mathew and Vivekanand knew that their ability to afford or absorb the complex solutions the biggies in the space have to offer would not work for them. That’s when both separately honed in on Sequretek, a company founded almost ten years ago by two IT sector professionals Pankit Desai and Anand Naik, to act as a lifeline in a vast and increasingly dangerous ocean.
The Upsides Of Risk
After finishing his engineering and earning an MBA, Pankit Desai joined CMC, a public sector company, based out of Ahmedabad and an early bird in the tech revolution that was yet to grip the country.
Contrary to what one has come to expect with PSEs, Desai found his experience with the company seminal to what would follow. It was at CMC he learned the art of negotiating when he was asked to take on assignments far beyond what his experience or expertise would qualify him for including submitting, winning and executing a project on voter identity conceived back then by the late TN Seshan. Pankit feels that while in any private company, he’d have been “another cog in the wheel”, CMC offered him a learning environment that was unparalleled and shaped him into what he is today.
In 2000, however, seeing all his peers head out to the US, Pankit joined the bandwagon and landed up in WIPRO’s Phoenix office where outsourcing was still an alien concept. After he managed to settle and establish himself in his first global exposure, he joined his WIPRO boss at a private equity company in the US as global sales and operations head.
This was where he got his first taste of the interplay between risk and disproportionate wealth creation. When the private equity firm sold the business they acquired at a sevenfold valuation, the lesson that stayed with him was that “risk-taking can create a big upside”, something a steady, salaried existence cannot equal.
Meanwhile, his co-founder Anand Naik was following his own career trajectory with companies like Sun Microsystems, and IBM and then eventually in the cyber security industry as the head of India and SAARC managing director for Symantec. He had noticed three major trends, all of which contributed to his eventually being bitten by the entrepreneurial bug but more on this later.
The Indian Landscape in 2012-13
In 2012-13, when Pankit returned to India for a variety of reasons including personal, he landed smack in the middle of the start-up euphoria that had gripped India and could see the struggles of the founders of the new enterprises.
Prior to that through his career in the US, he’d also been watching companies and CXOs across sectors, industries and geographies grapple with the increasing complexity of operating any business that thrives on technology. No new age business could run, grow or thrive without the aggressive use of technology and yet this was a double-edged sword: the biggest danger these newbies faced was from their forever increasing dependence on it. He could sense an opportunity here but had no direct experience himself in the security industry.
Call it luck or providence but this was the same time that his co-founder and brother-in-law Anand Naik, who had cut his teeth in the cyber security business and had gained experience with one of the larger global security companies had also reached a few conclusions of his own. One, digital was here and here to stay. Every aspect of life was taking on a digital form, something that had already happened globally but was sweeping through India a bit later. He could also see that India at the time lacked the kind of world-class security products needed to protect the country’s digital assets or identities.
Not only would Indian businesses remain susceptible, but in an increasingly polarised world, the country’s digital assets as a whole would remain at risk, unless it developed some expertise in-house whereas, in 2012, the security industry in India was at best in its infancy. Also, he could clearly see that the global biggies in the space had stagnated in terms of innovation and were increasingly relying on acquisitions to generate growth, rather than coming up with path-breaking technological advancements. Above all, their products were tailored to developed economy requirements and could not always be customised to fit Indian needs.
His varied experience had also shown him one thing: CEOs and CXOs across sectors were never at peace, spending many sleepless nights since security was often sold in silos (as opposed to end to end), always living in fear of cyber and data attacks, which could end up destroying carefully built up value in their businesses. Even the biggest in the business - like an HDFC in banking or an Amazon in retail - remained wary and fearful of cyber attacks.
Both the men, in their early 40s, were at stages in their careers where they felt they had a few years of solid, nose-to-the-ground hard work left to build something of value, go entrepreneurial, be their own bosses (which has many advantages), take a risk and hopefully reap the rewards, if all went as planned.
The fact that India at the time was practically a virgin market waiting to be tapped was staring them both in the face. India is home to 3.36 lakh small and medium businesses (SMBs), which account for around 38 per cent of the gross domestic product (GDP). Most of these businesses digitised during the pandemic to ensure continuity of operations and to keep in touch with customers. However, the security and safeguards of their IT infrastructure lagged, resulting in increased cyberattacks.
According to a survey by one of the giants in the space, Cisco, 74 per cent of the SMB respondents from India experienced a cyberattack in 2020-21, of which two-thirds suffered a loss of over Rs 3.5 crore. The average cost of recovering from a data breach in India in 2022 was in excess of Rs 17 crore, while that of a post-breach response was Rs 7 crore. For SMBs, whose annual turnover is between Rs 10 crore and Rs 250 crore, this damage can even be an existential threat.
Unsurprisingly, there was and is rising awareness among SMBs about the risks of cyberattacks, and a greater willingness to spend on cybersecurity tools and products. But a majority still suffer from several gaps, such as a lack of skilled manpower in cybersecurity teams, a lack of solutions directed towards them specifically, slow response time to a cyber incident and ever-increasing compliance requirements.
A One Stop Shop Or On Demand Helpline
Now that Pankit and Anand had identified a niche, they had to find a differentiator between them and the rest of the folks out there, many of whom were already very established and with powerful backers. That’s when they decided to structure their offering differently.
What they realised is that even though there is slow but rising awareness about the importance of being safe online, the SMBs and start-ups often suffer from attacks and losses due to a multiplicity of factors.
One, they buy security products - and at times the wrong one - but don’t have enough talent in-house to patch them properly and respond to incidents when needed. Moreover, as and when they do splurge on an expensive security product from an established player, they face a lack of attention and poor support from global or large cybersecurity providers as they are not their primary customer. Smaller local players offer lower or sub-par services or when the managed services are up to standard, they remain unaffordable. As a result, quite often a cyber attack in the early days meant virtually the end for the enterprise in question.
Also, since many start-ups were already up and running, they saw that they had to offer a range of products that could be incorporated by these SMBs without discarding their previous investment in technology as all start-ups would have made some initial investments, even if not always the right ones.
Pankit cites one instance where an Indian pharma company was merging with a UK firm and in the state of flux and transition that ensued, the former was subject to a cyber attack. The attack led to a loss of $1.5 million over three transactions and happened over a period of three months. “Often such attacks can imply the end of the business as recovery is too expensive and quite tedious,” he explains.
What the partners also realised is that these challenges often demotivate SMBs from adopting cybersecurity solutions altogether. So if they had to break into this segment, they had to do something like what Hindustan Levers did back in the day with its shampoo sachet revolution: offer a high quality product at a pricing that would be affordable.
This is what the Sequretek team developed in its early days, focussing on mid to small traditional businesses that are digitising and need security solutions for compliance and minimisation of business risk. Such enterprises, with small teams and budget constraints, require a one-stop, efficient, comprehensive automated product which can solve each of these challenges without taking too much time, energy and bandwidth of the senior management. Most of their clients do not have the time to negotiate or renegotiate contracts based on complicated security jargon and pricing structures.
Finally, to compensate for the lack of internal skills and capacity of the clients, Sequretek offers 24x7 support for its products, so SMBs can reach out to them with ease. “Our main message to those we work with is: you focus on your business, let us focus on your IT and tech needs”, explains Pankit, arguing that their services are more in the nature of a partnership than a one time sale.
Founded in 2013, the company has been growing at a compounded annual rate of 50 percent and ended the last fiscal at Rs 38 crore, with a total of 170 customers and a team of over 450 employees and has raised around Rs 100 crore in funding since its inception.
In 2019, even as things were proceeding smoothly, the two co-founders could see that to expand internationally and offer its products in a market that was already quite familiar with cyberattacks, one of the two would have to relocate. Anand moved to the US in 2019, moved back during COVID and relocated for good in June 2022. He now has a team of 18 in the US to focus on the American market, which is 46 percent of the overall security market. It is now looking to grow at a compounded rate of 50 percent annually and is hoping to be in the Middle East and European markets, besides India and North America.
In the last few years, the company has diversified its marketing efforts and has recently signed up with Ingram Micro, the world’s largest technology product distributor to distribute its solutions more widely, including for the North America region. As of now, 70 percent of its customer base falls in the mid-sized segment - companies with 500 to 15,000 employees - although it has clients on both ends of the spectrum, including very large companies like Axis Bank, Sun Pharma, DMart and Reliance Capital among others.
In India alone, according to Nasscomm, the BFSI sector spending on cybersecurity rose by 35 percent in 2023 over 2019 (from $518 million to $1738 million). In some countries, financial services companies are being encouraged or even mandated to spend almost 25 percent of their IT budgets on security. It is not out of the realm of possibility that such mandates could begin to apply in India too, a country where phishing is turning into a national cottage industry.
Cat, Mice And Not Everything Nice
While there are a host of challenges for any start-up in the tech arena today, perhaps the biggest one in security remains the lack of awareness. How does one save someone who doesn’t sense they are in danger?
This, says Shilpa Kumar, ex IIM Kolkata alumni and partner, Omidyar Network India (one of the investors in the business) is the crux of the challenge facing startups like Sequretek. A lot of smaller businesses and startups remain unaware of the possibility, nature, and risks associated with cyber attacks, let alone how to fend them off. “Growing the market while trying to capture is the biggest hurdle before the team. A lot of MSMEs are not even aware of the possibility or possible damage due to cyber attacks so explaining how essential such security products might be to their existence is not easy”, she argues.
While large companies might have many vendors advising and helping them protect their technology warchest right from start to the end point, smaller players often lack both the knowledge and the wherewithal to protect their business.
What makes the space trickier is that the attackers are almost always a step ahead of their prey. “It’s like a cat and mouse game and for a small startup, a cyber security attack can have serious financial, business and reputational repercussions”, argues Shilpa, who also heads the impact company’s privacy portfolio.
At some stage, Omidyar Network India saw that unless SMBs had almost like an “on demand helpline”, many of them would fail to fend off or survive such attacks. Like many other sectors, the cyber security industry at some level ends up getting divided into the world of “haves” and the “have nots” where the top 10 % of the customers have access to know-how, resources and attention whilst the balance 90% neither have the resources or financial wherewithal to understand what they need, why they need it, what works best for them, how to make the right decisions and then be able to live with it.
For companies like Sequretek - which is trying to make its mark as a cybersecurity partner - experts in the tech industry say that there is zero room for error, a bit like one crash can mark the end of an airline.
In this business, attackers are always on the prowl so at any point those vested cannot afford to take their eye off the ball. Pankit says that since security is an ever changing landscape, the company needs to constantly invest in updating the threat content, algorithms as well as incorporating the changes in the customers technology landscape. At any point, about one-third of the team of the firm works on this.
This is something the founders are well aware of : cybersecurity is a dynamic, 24X7 business, where one always needs to be two steps ahead of one’s enemy and to chase the threat actors in an ever changing landscape with no room for error, complacency or indifference. To make sure the Mathews and Vivekanands of the world can go about their business unharmed, fearless and with no sleepless nights, the Sequretek army has to always be on high alert to keep them protected and on a constant vigil to seek out more Mathews and Vivekanands. In today’s world of shifting sands and instant gratification, everyone has the will to win but very few have the will to prepare to win.
(Note to Readers: This content was commissioned by Omidyar Network India. We are bringing readers an abridged version of the original.)
(Anjuli Bhargava is a senior writer and columnist based in Goa.)
(At The Quint, we question everything. Play an active role in shaping our journalism by becoming a member today.)