PACS stakeholders can also be categorised with regard to their role in the overall innovation process, and can be distinguished across four key categories:
- “Innovators”: individuals or companies that are looking to bring ideas in the PACs domain to market. Sub-categories include researchers, vendors, service providers, integrators and infrastructure providers;
- “Enablers”: individuals or entities who are responsible for supporting individuals or companies in being more innovative and in commercialising technology;
- “Influencers”: individuals whose professional mandates influence or impact on the ability of PACs Innovators or Enablers to bring technologies to market;
- “End-Users”: individuals or organisations leveraging PACs technologies and services to improve resilience of their own infrastructures, or technologies they provide to others.
Different organisations and individuals may fall into multiple stakeholder categories under this scheme, depending on a number of factors, particularly their relationship with the product lifecycle, as illustrated in the different innovation stakeholders.
Key and Emerging Players
For an overview of PACS key and emerging players, see the market theme.
Key PACs Buyer Categories
PACs market competitive analysis by Pierre Audoin Consultants identifies four key distinct buying groups in the security (and privacy) domain, each with significantly different security requirements, buying/pricing points and purchasing behaviours [PAC13]. These four identified categories are:
- Defence and Intelligence – specialist defence and intelligence agencies, which are a specialised sub-segment of the wider public sector cyber security segment
- Government (other than Defence and Intelligence) – this includes central and local government, publicly funded agencies and so on
- Large Enterprises – i.e. private firms with more than 250 employees
- SMEs and Consumers – which account for the remaining private sector buyers, and buyers in the general public.
Players across several of these sub-segments operate in relatively distinct silos. For example, target stakeholders in the Defence and Intelligence segment would typically operate in a completely different community to those serving the Large Enterprise segment, with significantly different product requirements and selling protocols in each. Also, many bespoke solutions developed for Defence and Intelligence purposes will be too advanced for many target buyers in enterprise segments, while in turn, solutions for the mass market segment are unlikely to be powerful or configurable enough for Defence industry purposes. Sales cycles in the Defence industry may take many years to develop, resulting in an organisational culture that would operate very differently to those serving more fast-moving enterprise and consumer markets. Also, selling to SMEs and consumers requires a low-touch multi-channel approach (typically combining online and offline elements), which can be quite different to selling to large enterprises, where more consultative and integrated ways of working with clients are essential. There will also be strong channel alliances between vendors, partners and customers within each segment, creating strong entry barriers to those crossing over from one sub-market to another. Further characteristics of these four buyer groups are highlighted in Table 1.
Overview of Sub-Segment
Defence and Intelligence
- Most mature security market segment, tend to buy the most expensive and complex products
- Invest in solving the most complex PACs R&D challenges
- Highly trusted relationships with PACs vendors and service providers, who are typically small in number and are required to have top security clearance levels.
- Long sales cycles typical (years rather than months)
- SME suppliers do not typically access this market easily; when they do, it is usually via larger product and service providers
Government (other than Defence and Intelligence)
- Broadly can be referred to as the “rest of the public sector”
- Key sub-segments within this group include (1) larger “central” government agencies covering key ministries (e.g. finance, social protection, pensions, justice etc.), (2) law enforcement groups focused on the cybercrime dimension of PACs, and (3) agencies operating at regional or local government level (e.g. local government agencies, universities, health trusts etc.).
- A broad spectrum of PACs requirements can exist within the Government category. (1) Central agencies will often have the most sophisticated PACs requirements, often as part of larger organisational or ICT transformation programmes. (2) Law enforcement will have specific requirements to help them identify and prosecute perpetrators of cyber-attacks, fraud, and other serious cyber-crime offences; defence contractors participate alongside enterprise PACs players here. (3) Smaller regional government entities will have varying PACs requirements that will overlap heavily with a broad portion of the enterprise segment.
- Key differentiator between government and enterprise buyers is the need for Government agencies to follow specific procurement procedures and tendering processes, often supported by specialist online portals.
Large Enterprises
- Tend to have broadly similar PACs requirements as the central government agencies above, but often are supported by more developed in-house IT skills and resourcing.
- Will also have different procurement procedures to government agencies
- Certain enterprise segments are more vulnerable than others to attack due to several motivations, for example financial players (e.g. financial reward), pharmaceutical players (e.g. IP theft), and IT service providers (e.g. reputational damage). Pivotal IT players with broad global infrastructure footprint (e.g. Google, Amazon, Rackspace, etc) would also have highly advanced PACs requirements.
- Other industries would typically have a lower risk profile rating (e.g. manufacturing and retail), and would typically spend much less on security. For example online retailers are particularly careful in ensuring that security measures do not negatively impact customer experiences and online conversion rates.
- Understanding the industry-specific nuances of individual verticals, and the implications for implementing appropriate levels of PACs, is crucial in serving each segment, particularly around industry-specific legislation and compliance mandates that may complement broader government-mandated legislation.
SMEs and Consumers
- Viewed as the least mature segment with the strongest growth potential in the long term.
- Have much smaller budget availability but are collectively expected to form a larger addressable market opportunity in the future, especially as SMEs are now being breached more frequently than in previous years.
- Consumers and (most) SMEs have a very different PACs buying behaviour to larger enterprises, do not have dedicated cyber/IT security skills, and tend to buy their IT from low-touch channels, i.e. resellers, high street retailers, or via the web, and increasingly via cloud services.
- Like to “outsource” security, and have it pre-packaged in the services they buy. Hence it is often bundled by default in widely used hardware and software. A lot of freeware products serve this segment, making revenue potential and viable business models more challenging.
- From a supply-side analysis perspective at least, many SMEs (micro-SMEs in particular) would broadly have similar purchasing requirements as consumers. This is not to ignore the great variation that will exist across SMEs and the exceptions to this rule that will exist, particularly for companies at the larger side of the SME definition (~250 employees).
For an overview of PACS Clusters please refer to the dedicated subtheme in the ‘market’ section of the framework.
Policy Framework, Standards and Legislation Actors and Initiatives
The Policy Framework and Legislation subtheme highlights key activities and initiatives around policy, legislation and standards within the PACs domain. Key PACs institutions and their interrelationships influencing overall cyber security at regional and global levels are highlighted and described – EU and US initiatives are given particular attention. Key PACs standards and legislation are broadly itemised and highlighted. A summary of various incentives available to policymakers to influence PACs outcomes is also provided.
European PACs Investment Context
A higher volume of digital attacks and increasing awareness among clients of the need to increase defences mean that innovative PACS organisations are in a good position to be acquired. In the US alone, estimates of the cost of organisational failures range from $70 billion to $400 billion in IP theft per annum [MCA14]. An estimated 1110+ startup companies exist globally in various segments of the security market, defending and protecting against advanced persistent threats. Many of these organisations present ideal targets for acquisition by larger PACs and ICT enterprises, if their niche offerings strengthen the acquirer's overall portfolio and meet their clients’ broadening range of security and privacy issues. This view is being driven by the desire of corporate customers for a single source, end-to-end solution that takes charge and responsibility of all their security needs - which in turn is driving consolidation among providers of different types of security solutions [E&Y13]. A case in point was the acquisition of Mandiant by FireEye at the beginning of 2014 for just over $1 billion, fusing FireEye's advanced persistent threat technology with Mandiant's endpoint protection, offering corporate clients of either organisation a complete end-to-end security solution.
According to investment firm Allegis Capital, a number of key PACs solution requirement categories are in significant demand and are driving this investment growth trend [PEH13]. Key desired solution aspects achieving investment include:
• Active defense solutions to protect websites from Botnet attacks
• Security/authentication/identity access and management for mobile devices as enterprises increasingly let employees bring their own devices to work (BYOD)
• Securing the communications piece of infrastructures more effectively
• Identifying and mitigating malware once it’s gotten inside the network
• Innovative “big data” solutions applied to cyber security threats
• Secure cloud computing solutions, a key requirement for enterprises to more broadly adopt cloud computing
• Integrated, enterprise-wide security solutions to replace collections of “point” products that solve a single problem
Rather than spending billions devising new technologies, larger organisations are starting to look at acquiring smaller, more agile organisations that have developed innovative technologies that can deal with these new threats. For the large organisation this can give them a cheaper and quicker alternative to developing in-house skills. For the smaller organisation, being acquired allows them to get their product to a wider corporate market.
It is traditionally accepted that the US has a more mature and established venture capital industry than its European counterparts at present. This is particularly reflected in more successful performance returns over time – while the US VC industry has achieved 13% returns since 1990, its counterparts in Europe have managed just 2.1% over that period [ECON14], with much of the returns in the latter sapped during the dot-com bust, followed by post-2008 stagnancy across Europe in recent years.
Compared to the US, the European VC ecosystem is funded much more heavily by government participants, with 40% of available funding coming from them, up from 14% in 2007, with much of this coming from the EU-backed European Investment Fund (EIF), which contributed €600m to European startups across all domains in 2013. Mixed views exist on the impact of public funding on startup investment, particularly when it is used to match funding from a public source, particularly VCs. Some private investors fear that any strings attached to government money (e.g. to create jobs in certain countries, or focus on certain sectors) may limit outcomes from their investments. There is also a perceived lack of transparency in how EIF-backed investments have fared, with no data available on investment performance. There is also the perception that European funds backed by government money can cash in on successful investments too early, selling companies to boost short-term returns that make it easier to get follow-up government funding, thereby losing out on huge gains that can arise by staying with longer-term bets. Pan-European rules placing limits on allowed investment (to ensure a perceived level playing field across individual European nations) are also viewed as being restrictive versus the US model, where no such limits exist [WSJ13]. Getting later-stage financing is also seen as a challenge in Europe, where as few as 20-30% of European companies funded at seed stage are able to secure follow-up investment. Labour laws in many European countries are viewed as prohibitive to encouraging start-up activity, for example making it harder for companies to pay staff with stock options, often a key carrot to encouraging employees to take risks on working with start-ups.
However, in the PACs context more explicit funding supporting PACs-based start-ups in Europe is now emerging. For example, in June 2014 London-based C5 Capital became the first focused cyber security investment fund in Europe, providing a $125m fund for PACs start-ups. So far two investments have been made: an $8m investment in monitoring provider Balabit, as well as investment in Qinetiq spinout Metrasens. Managers of the fund believe that European ICT and PACS companies are now at an increased competitive advantage in Europe as a result of recent NSA surveillance scandals in the US, as such firms are not subjected to the same levels of data collection as their US counterparts. Traditionally, EU PACs companies have sought expansion funding to expand into US markets by default, but other markets such as the Middle East and Asia are now also seen as attractive alternatives [SCM14]. Local European vendors will also always benefit from understanding the local needs of the region, often giving them a competitive advantage over US and other non-European vendors, but there is now increased demand for Europeans to provide alternative services to protect citizens and their embodied data in their own markets.