Date: 02 Jul 2019
Interview with Geoff Leeming, Co-founder of Pragma
Building ‘Fintech in a Box’ — Pragma Co-founder Geoff Leeming shares his journey from financial industry CISO to helming his own multinational cybersecurity services company.
Pragma is a specialist cybersecurity consultancy founded in Singapore in 2016, focusing on risk assessment and strategy for companies. With a broad customer base of financial institutions, insurers, banks and fintech clients across ASEAN, Hong Kong, Australia, the UK and Europe, Pragma has carved out a niche in cybersecurity services and is growing fast.
“Essentially, we help companies work out where their security is now, where their security needs to be, and how to get from one to the other. In particular, we work with fintech firms who are hitting that maturity challenge — They’ve built out their product offering, and now they suddenly hit the step of trying to work out how to put bank level security onto their product and meet the requirements of regulators and their banking customers.”
Q: What’s your personal background and journey to founding Pragma?
Geoff: I’ve been doing cybersecurity for over 25 years. I started in the early ’90s in the British Ministry of Defence, then moved into running security teams for global investment banks. This is the third services company I’ve set up. The second one, I merged with my co-founder Manish Chawda to create Pragma. That depth of experience has really helped with this journey. Manish has a similarly deep knowledge and experience in cybersecurity, and we take our entire team from people who have that depth of expertise in security. This really helps set us apart from some of the competition. Even as a tiny company, we can compete really effectively with some of the biggest consultancies in the world , simply because we can put in more senior people with more expertise, at a lower price.
“The biggest lesson I’ve learnt — and I see a lot of people coming out of large corporations and not learning this — is don’t do it alone. Trying to set up a services firm as a one-man band is a uniquely hard thing to do. You need that team around you, you need that set of people with different and complementary skills, to really create an effective company that will fit your clients’ needs.”
Q: Why a cybersecurity services firm specifically?
Geoff: We saw a gap in the market. Most cybersecurity start-ups focus on product and scale, and there are a lot of companies that will sell you technology. But back then as a banking CISO, what I struggled to find was anybody who knew how to use that technology. There’s an enormous skills gap in cyber, it’s very hard for many companies to find the right people to come in, to implement and run their security over time. What we do is fill that gap by giving companies access to those specialist skills, at a price point where they don’t have to build out their own dedicated team of highly expensive security professionals. So we help fill that gap in the professional services market.
“For years, I was inundated with firms who were trying to sell me software. That’s not what we need. Software is never going to be the only solution in security. It’s the ability to deploy, to manage, to manage risk over time… that’s what large companies really need to solve their security problems.”
Q: How has the cybersecurity landscape evolved in Singapore, and where do you see it going?
Geoff: I’ve been here for 15 years now. When I came to Singapore, there wasn’t a start-up cybersecurity culture, and the country and the finance industry in particular was struggling to expand and to find those skills. It’s evolved very quickly, there’s a lot more focus on cyber in Singapore now; It’s front page news and most companies know that this is a problem they need to address and resolve, plus there’s a lot more access to skills in the marketplace. But we’re still very very short. Across the industry, everyone is facing a skills gap in cybersecurity. Luckily, we’re seeing a lot of fresh grads and undergrads coming out of places like NUS, who are learning a great deal about security and starting to specialize early in their careers, and that’s gonna help fill that gap in years to come. But right now, we’re struggling to find enough good people in Singapore.
Q: You’ve mentioned the importance of hiring the right people. What do you look out for when identifying the right talent?
Geoff: We’re not looking for people who can follow a checklist or process, and who have specific technical skills. Those specific skills we can teach.
“For us, the ability to think creatively and independently is the number one thing we look for.”
Our clients bring us difficult problems. If the problems were easy, they would either solve them themselves, or they would outsource it to somewhere a lot cheaper than Singapore. We need people who can find reliable, creative, technically rigorous solutions to those problems. When you come and work for us, you see different things almost every week. We’re looking for the adaptability to learn, to find those creative solutions to new problems.
Q: You were previously a CISO at a large financial organsation. Any advice for current CISOs or cybersecurity professionals in the financial sector?
“I think the biggest change that cybersecurity professionals in finance need to make is to learn to embrace the cloud. A lot of my industry sees cloud computing as a threat, a new technology that needs to be managed and controlled and restricted. We see it completely the other way around.”
Geoff: Cloud service providers, and AWS in particular, provide so much security functionality so cheaply, that I can design better security for a fintech on AWS, than I could ever provide for a tier one investment bank with an on-premise data centre. Security professionals need to stop seeing cloud as a threat, and see it as a marvelous opportunity. We can now build security that’s much more effective, reliable and cheaper than we could ever do on-premise.
Q: For you, what has been the biggest change from CISO to Co-founder?
“The biggest challenge for me in co-founding a cybersecurity firm has been realising that cybersecurity is only a small part of setting up a cybersecurity firm.”
Geoff: There are a lot of challenges in setting up a small business, from doing everything from legal to payroll to team management to finding the right facilities to physically moving offices… and it’s been a wonderful learning experience for me. We’re currently in the middle of international expansion, and the learning that goes into setting up a multinational organization is fascinating. It’s not easy, and nothing in my cybersecurity career in large corporations has prepared me for that, but it’s a journey I’m learning very fast and enjoying the whole way.
Q: It’s wonderful to have Pragma as part of our ICE71 Scale community of start-ups. What attracted you to it?
Geoff: The main thing that attracted me to the ICE71 Scale programme is being part of this cybersecurity ecosystem. We’re always looking for good people and good partner firms, and ICE71’s given us access to some of those firms. We’re already working with a couple of ICE71 Accelerate companies, in particular Blue Phish for web security awareness training, and GuardRails for continuous source code analysis. We like having that access to that ecosystem of new skills and talents.
Q: Any exciting plans to announce?
Geoff: Now is a very exciting time for Pragma. We’re opening overseas offices, and expanding our operations to Australia and the UK. We’ve already been servicing those markets remotely very successfully, but now we’ll have people on the ground in those countries. That’s given us a great opportunity to expand our company further and grow our client base.
“We’re also just putting our final touches to a new product launch, which is what we call ‘Fintech in a Box’. It’s an entire managed secure ecosystem on AWS that meets banking and regulatory standards.”
The idea is that when you hit those due diligence issues, when you hit that sudden need for maturity, you have a choice of either spending 6-12 months trying to hire those scarce resources and do it yourself, or you can come work with us. We will manage your environment for you entirely on AWS, make sure you are secure, and let you concentrate on your core business which is developing your product and keeping your clients happy.
Pragma’s always looking to talk to people who are interested in cybersecurity, whether that’s to work with us so we can help meet your needs, or whether that’s people who are looking to develop their careers in cybersecurity. Do reach out to me either through ICE71 or on LinkedIn!
Find out more about the ICE71 Scale programme and how it is helping later-stage cybersecurity companies grow.