Neil Costigan Sees the Human Side of Cybersecurity Neil Costigan and Behavioral Biometrics

Neil Costigan sat at his desk, tapping his fingers with nervous excitement. It was the morning of May 3, 2022. In mere moments BehavioSec, the company he had helmed for over a decade as CEO, would officially be acquired by LexisNexis Risk Solutions. As he waited for the press release to drop, he couldn’t help but reflect on the unlikely path he had taken over the past thirty years.

Born and raised in Ireland in the 80’s, Neil Costigan grew up with what was then an uncommon interest: computers. He eventually earned a BSc in Computer Science from Dublin City University then landed his first job as a software developer with a  a ‘skunkworks’ startup, a spinout of Irish national telecommunications that worked on network management systems.  

Costigan spent his days immersed in C, graphics, SQL databases, and TCP/IP. “As a new engineer, it was incredible to be thrown into the mix of what was then a cresting wave of technology during my formative years,” Costigan reflects. “To this day, I still say my trade is software development. If all else fails, I can always go back to being a C++ programmer.” 

Costigan spent two years with the company before pursuing another startup opportunity, this time in Sweden, where he spun out his own company Celo Communications (CeloCom). As CTO, Costigan continued writing code, overseeing work on a secure internet banking facility and secure web services. CeloCom soon moved its operations to Mountain View, California where the company would sign a pivotal contract with Visa, followed by a successful exit to smart card manufacturer Gemplus (now Thales DIS) in 2000.  

After the acquisition, Costigan stayed on with Gemplus for two years, moving to southern France to run R&D for the company’s banking and security divisions. Gemplus’ 8,000 employees gave Costigan his first taste of enterprise scale.

By 2002, just 10 years after graduating with his BSc, Costigan had started a company, managed an acquisition, and worked as a VP for a large global brand. Ready for a change, he decided to step back from the business world and head back to Dublin City University.

“’Dr.’ Neil was by accident- I initially intended to pursue an MBA, which turned into a master’s in security,” he says. “I hung around long enough that I ended up doing more advanced research and before long, the master’s led to a PhD track in Computer Science.” Costigan tested out ideas in identity-based encryption and elliptic curve cryptography, laying a deep foundation of technical expertise.  

In 2008, Costigan landed a guest researcher position at Luleå University of Technology in Sweden where he was introduced to Olov Rendberg, Peder Nordström, and Tony Libell, local entrepreneurs and recent Luleå graduates. They had just launched a startup called BehavioSec through the school’s Arctic Business Incubator. The company was commercializing behavioral research for business technologies. Intrigued, Costigan jumped in to help as an angel investor and advisor.  

Starting out with just the skeleton of a business plan and an application for a patent, Costigan and team began shaping BehavioSec into a full-fledged business. They built up their human capital first, with Costigan quickly stepping into a part-time CTO role. 

In the early years, BehavioSec’s team consisted of recent university graduates along with contacts from Costigan’s previous startup experiences including Ingo Deutschmann, a former CeloCom and Gemplus colleague. The environment was electric. “The enthusiasm, energy, and new skill sets the team brought were amazing,” Costigan reflects. “You don’t need a bunch of prima donnas in the early days of a startup- you need people you like working with who are prepared to wear multiple hats, do the time, and work together. That’s exactly what we had.”   

BehavioSec’s team was soon in the throes of developing a suite of unprecedented behaviometric tools for risk-based authentication. They wanted to help organizations detect unauthorized or compromised end users based upon behaviors (how they swiped, clicked, and typed on their devices). Unsurprisingly, they met their share of skepticism.  

As Costigan sees it, that initial resistance gave the team an opportunity to develop a collective culture of resilience. “I’m really proud of how we made the space our own. We didn’t use an existing standard or clone an existing product- there wasn’t one,” he says. “We were this small, stubborn Swedish startup that stuck with our vision.”  

Undeterred, BehavioSec developed a pragmatic approach that would worked in their favor. “We didn’t need to revolutionize everything all at once and tell clients to throw out their infrastructure- we just had to find a way to enhance what was already there,” Costigan Says.  

Skepticism turned to belief as BehavioSec received seed funding rounds in 2008 and 2011 (€400,000 and €1,000,000, respectively). Costigan stepped up to a CEO role as he, Rendberg, Libell, and Nordström led the company forward.  

A willingness to experiment fueled BehavioSec’s early expansion. “I remember when a bank who had taken a chance on us, without references or proof of value, rolled our product out to one million users,” Costigan says. The momentum continued as customers began recommending the company’s technology to others. BehavioSec soon became a well-respected name in the European banking scene, building out a committed customer base across The Nordics, Belgium, Switzerland, the Netherlands, and Germany.  

In spring of 2012, BehavioSec reached a new level during the Finnovate Conference in San Francisco when the team won  Best in Show over much more established companies.  

Around the same time, the company began working with DARPA, the Defense Advanced Research Projects Agency, the main research and development agency for the United States Department of Defense. This was in response to DARPA’s call for proposals based on the premise that behavioral approaches could move security beyond password-centric approaches.

DARPA’s endorsement bolstered Costigan’s team with technical credibility, a valuable network, funding for R&D and prototyping, and an opportunity to create product-market fit. “With something as innovative as behavioral biometrics, the quality and consistency of implementation and risk scoring is incredibly important to overcome the skepticism,” Costigan says. “DARPA helped us get to a point where our disruptive idea was practical and valuable at scale.”  

It was a lesson Costigan hasn’t forgotten. “Crossing the chasm required execution, scale, references, proof points, integration points, and a strong V2 of the product,” he says, recalling one of his favorite business books Crossing the Chasm. “Now that we had product-market fit, we had to be disciplined and repeat the hell out of it.”  

Costigan argues startups should double down on what is already working rather than overextending into new verticles or industries. “Execution, not the on idea, will create 95% of your success once you have product-market fit,” he says. 

It was a strategy that propelled BehavioSec to new heights, garnering attention from the US defense industry, enterprises, and venture capital firms. BehavioSec had become one of the hottest new technology companies in the world. 

In 2014, on the tailwinds of a successful 2013, BehavioSec raised a €4 million Series A round. Costigan thinks back to how far the company’s technology had developed. “We had built a successful machine where we innovated and filed new patents nearly every quarter,” he recalls. 

BehavioSec’s consistent innovation created a formidable platform. Their technology was invisible to consumers and allowed banks and retailers to continuously verify user authenticity and detect potential fraud and scams. A sophisticated machine learning algorithm powered the platform, building behavioral profiles and tracking everything from users’ typing speed, the angles at which they swiped touchscreens, and the force they used to hit keys.  

By 2018, BehavioSec protected over 40 million users. They had truly crossed the chasm. 

2018 brought BehavioSec a successful $17.5M Series B round led by Forgepoint Capital, who Costigan had initially met after the DARPA project in 2012. The funding round supported successful expansion into North American markets and BehavioSec began building a Silicon Valley team focused on commercialization and go-to-market execution while the European team continued to focus on R&D. “The team in North America was tasked with making the product more easily consumable for secondary customers that weren’t early adopters,” Costigan says. “We wanted to give them an assembled product rather than the parts.”  

But BehavioSec ran into a new set of challenges: the scale and distributed nature of North American enterprise customers. Most of BehavioSec’s European customers served a few million users and had localized, close-knit teams operating within the same cities. In the North American market, some customers served over 100 million users with  larger teams scattered across the map.  

BehavioSec’s team adapted and delivered. Working with high-profile customers across the Fortune 500, the company continued to follow through on its promises and renew contracts. Their reputation as the only viable option for behavioral biometrics officially spread across North America. 

As the COVID-19 pandemic gripped the world, BehavioSec experienced a 300% year-over-year growth increase in 2021 and launched a series of carrier, systems integrator, and identity partnerships with companies including Deutsche Telekom. 

The company was also in the midst of navigating several acquisition offers. Costigan had always known the option to consolidate would present itself someday. “Somebody once told me that if you’re in a startup, when you say you’re not raising funding you’re lying,” he says. “I would say the same about considering acquisition while dealing with partners, bankers, and brokers- especially in cybersecurity.”  

The pandemic prevented most in-person meetings, adding new challenges to the process. “There were a lot of midnight calls for us in Europe,” Costigan recalls. Fortunately, the BehavioSec leadership team was eventually able to travel to Berlin for an in-person meeting with potential acquirer LexisNexis Risk Solutions. Through a four-hour workshop, Costigan and his team dug into the acquisition offer. It was a pivotal moment. “The overlap in technology, the vision, the complementary architecture designs, the team itself- everything just sparked,” Costigan says. BehavioSec had found its partner.  

Today, two years after the acquisition, Costigan is a Chief Architect at LexisNexis Risk Solutions BehavioSec. Sitting in his office in Luleå, Sweden- the city where it all began- he reflects on how BehavioSec’s initial mission played out globally. “Behavioral biometrics plus device identification and risk scoring is not just 1+1=2. It’s 1+1=5,” he says with a smile. “The performance levels and quality of risk scoring are so much better in our combined offering.” 

Costigan has spent much of the last two years helping his team successfully integrate into a large company. “It’s been great to watch our team fulfill the roadmap we set with BehavioSec,” Costigan says. “Now, instead of serving 10 different customers with 10 different deadlines and 10 different configurations, we’re delivering to one customer- the platform LexisNexis Risk Solutions runs and operates.” BehavioSec now works on a product within a business unit in an organization with over $10+ billion in revenue, a $75 billion plus market cap, and over 36,000 employees globally. 

With the acquisition in the rearview mirror, Costigan has started to get involved with a technology group under the CTO at LexisNexis Risk Solutions. Quantum security and cryptography in particular have been top of mind. “There is going to be a big shift in the near future, so we’re preparing for it now,” he says. It’s rewarding work for Costigan, whose passion for theoretical technologies remains alive and well.  

Costigan also keeps a close eye on AI innovations- familiar territory. “If you remember, BehavioSec was an AI company,” he says. ‘What we built was custom- not exactly like current ‘in vogue’ large language models- but like variants or internal versions of them.” Like many enterprises, LexisNexis Risk Solutions is leveraging AI to improve aspects of product development, security, performance, and delivery. 

Costigan also joined Forgepoint’s Advisory Council and has carved out time to share his perspective with developing entrepreneurs. “I’ve always relied upon other founders and journey people in this ecosystem,” he says. “If I can do the same for others, I will have done my part.” One piece of advice he often shares is the importance of financial governance. “It’s never too early to get a CFO on board as a startup,” Costigan says. ”Budgeting is one thing, but you quickly get into contracting, revenue recognition, and HR as you grow. Having an experienced CFO on your side early on lowers risks later.”

When asked to give one final piece of advice to company builders, Costigan pauses for a moment. “If you don’t enjoy the journey, you shouldn’t be doing this,” he says. “At the end of the day, the roller coaster ride, the war stories, the camaraderie, being David fighting Goliath- that’s what keeps you going.”