TREND: Tech/security bubble - Investment community placing larger bets in security innovation

Overview: Several recent high-value deals involving players the PACS space have made commentators question if there is a security bubble happening at present. While there is evidence of a wider tech bubble, it is still believed fundamentals of many high profile security players still remain strong [STI14], [ACK14].

Also there is increased emphasis on privately-backed PACs-specific funding schemes being developed in Europe and beyond - for example in June 2014 C5 Capital announced the launch of the first PACs-specific investment fund in Europe, raising $125m to support such aims [BUS14].

While some commentators in the investment community will have a vested interest in talking up the market, other less biased commentators agree that security fundamentals are strong among several key vendors, such as Fortinet, Palo Alto, and Barracuda among others. That said, the wider perceived tech bubble may inflate certain valuations, as perceived with the FireEye-Mandiant deal in January 2014 [FIR14].

Impact: driving investor sentiment and increased financing of privately-funded PACs innovations, supporting faster development of necessary PACs technologies. 

TREND: Economic incentives and disincentives having a strong influence on PACs innovation and technology uptake

Overview: PACs policymakers increasingly recognise the need for development of both mandatory and voluntary incentives to support improved privacy and security in the value chain.

EU’s new cyber security strategy

1. Improvements in data breach notification procedures.
2. Clarifying property rights around personal data.
3. Development of trust marks.
4. Promotion of cyber insurance.
5. Increased tax incentives/credits around security/privacy related investments and research.

Impact: Improved implementation of economic incentives would increase uptake of PACS technologies, and development of more robust solutions, and facilitate PACs innovators in bringing PACS products and services to the marketplace.

TREND: Market dynamics driving “security roll-up” occurring within PACs space and with wider ICT product/service marketplace

Overview: Several factors are driving increased consolidation of security products in the marketplace – these include economic conditions and a maturing PACS/ICT marketplace, in tandem with new technology enablers driven by new categories of emerging ICT infrastructure.

Specific PACs examples include:

1. Convergence of physical and logical access control technology towards unified identity management.
2. Convergence of security log management and threat intelligence in next stage SIEM solutions.
3. Convergence of SOC and NOC platforms for increased correlation
   
4. Convergence of security-focussed GRC with IT-specific and enterprise-level GRC solutions.

However, this is contradicted by difficulty in converging different PACs technologies in portfolios acquired by organisations - the siloed nature of some of the larger PACs players (such as Symantec’s acquisition portfolio) being case in point.

On a broader dimension, security services are increasingly being merged into a wider ICT solutions sale. As PACs tech is increasingly sold as part of wider ICT offering, technical details are distanced from end-user, in line with shifts towards Security-as-a-Service (SECaaS).

Impact: More important for PACs innovators than ever that their proposed innovation offerings can either compete or integrate effectively with the wider incumbent PACs ecosystem, particularly the strategic aims of large enterprises, both those actively competing in the PACs domain, and as end-user clients across all industry verticals.

TREND: Need for developers of technology products to be more accountable for the economic externalities around security/privacy risk that they create at present

Overview: At present, it is believed that there is an unacceptable transfer of risk from ICT vendors (both h/w and s/w) to their clients/end-users in relation to security and privacy risks around their products.

There is an economic need to balance this risk equation by making vendors more accountable for the level of security they implement in their products. Today’s principle in ICT solutions is one where the buyer is expected to beware, and users are expected to accept  continued flaws and failures in systems and services. While this debate is only beginning, over the last couple of years there is a changing trend towards all suppliers in the value chain to change this principle, resulting in principles such as software and privacy by design, but also for all component providers to mitigate liabilities up and down the value chain. Achieving this accountability in practice is therefore still an open debate - while regulation is one avenue, it is also believed that government leadership in procuring ICT services can place increasing demands on ICT vendors to integrate a measurable standard of security and privacy-by-design into their products.

Impact: Increasing product assurance requirements would improve the accurate economic allocation of security costs across the PACs and wider ICT value chain, as well as incentivising vendors to integrate PACs concerns to an ever-increasing standard, thereby increasing PACs assurance and innovation. 

TREND: Potential economic impacts of emerging EU privacy legislation are complex and still in consideration

Overview: Assessing the potential economic impact of increased regulation on PACs innovation and wider ICT innovation is still a complex challenge and open discussion.

Official impact assessments (IAs) around implementation of the EU Data Protection Directive only considered innovation impacts from a limited perspective [DPR12] - for example, (1) assessment of costs to firms of implementing the directive is only focussed on compliance costs, but not on other forms such as costs of acquiring and using relevant data, and costs of providing privacy-enhancing services to end-users (2) analysis did not compare variation of impacts on different organisation types, for example commercial vs non-commercial firms, large vs small firms, European firms vs non-European etc. Analysis also focussed on impacts in European markets, but not on a wider global scale, particularly the ability of European vendors to compete in a wider global context.

Impact: Perceived benefits to firms that comply with emerging EU legislation include lawful access to markets and to business transaction and interoperation possibilities to improved reputation and trust on the part of customers. Perceived benefits to customers include benefits to customers of privacy protection range from freedom from harms associated with invasion of privacy to new opportunities to obtain better services (from more efficient searches to personalised products) and to control the use of information in order e.g. to exchange it for other things of value.