A related competitive analysis of the PACs market by Pierre Audoin Consultants identifies four distinct key buying groups in the security (and privacy) domain, each with significantly different security requirements, buying/pricing points and purchasing behaviours [PAC13]. The four categories are:

1. Defence and Intelligence – specialist defence and intelligence agencies, which are a specialised sub-segment of the wider public sector cyber security segment.
2. Government (other than Defence and Intelligence) – this includes central and local government, publicly funded agencies and so on.
3. Large Enterprises – i.e. private firms with more than 250 employees.
4. SMEs and Consumers – which account for the remaining private sector buyers, and buyers in the general public.

Players across several of these sub-segments operate in relatively distinct silos. For example, target stakeholders in the Defence and Intelligence segment would typically operate in a completely different community to those serving the Large Enterprise segment, with significantly different product requirements and selling protocols in each. Also, many bespoke solutions developed for Defence and Intelligence purposes will be too advanced for many target buyers in enterprise segments, while in turn, solutions for the mass market segment are unlikely to be powerful or configurable enough for Defence industry purposes. Sales cycles in the Defence industry may take many years to develop, resulting in an organisational culture that operates very differently to those serving the more fast-moving enterprise and consumer markets. Also, selling to SMEs and consumers requires a low-touch multi-channel approach (typically combining online and offline elements), which can be quite different to selling to large enterprises, where more consultative and integrated ways of working with clients are essential. There will also be strong channel alliances between vendors, partners and customers within each segment, creating strong entry barriers to those crossing over from one sub-market to another. Further characteristics of these four buyer groups are highlighted in Table 2.1.

Table 2.1 - Key PACs buyer sub-segments (adapted from Pierre Audoin Consultants analysis, 2014)

Buyer Sub-Category Overview of Sub-Segment
Defence and Intelligence
  • Most mature security market segment, tend to buy the most expensive and complex products.
  • Invest in solving the most complex PACs R&D challenges.
  • Highly trusted relationships with PACs vendors and service providers, who are typically small in number and are required to have top security clearance levels.
  • Long sales cycles typical (years rather than months).
  • SME suppliers do not typically access this market easily; when they do, it is usually via larger product and service providers.
Government (other than Defence and Intelligence)
  • Broadly can be referred to as the “rest of the public sector”.
  • Key sub-segments within this group include (1) larger “central” government agencies covering key ministries (e.g. finance, social protection, pensions, justice, etc.), (2) law enforcement groups focused on the cybercrime dimension of PACs, and (3) agencies operating at regional or local government level (e.g. local government agencies, universities, health trusts, etc.).
  • A broad spectrum of PACs requirements can exist within the government category. (1) Central agencies will often have the most sophisticated PACs requirements, often as part of larger organisational or ICT transformation programmes. (2) Law enforcement will have specific requirements to help them identify and prosecute perpetrators of cyber-attacks, fraud, and other serious cyber-crime offences; defence contractors participate alongside enterprise PACs players here. (3) Smaller regional government entities will have varying PACs requirements that will overlap heavily with a broad portion of the enterprise segment.
  • The key differentiator between government and enterprise buyers is the need for government agencies to follow specific procurement procedures and tendering processes, often supported by specialist online portals.
Large Enterprises
  • Tend to have broadly similar PACs requirements to the central government agencies above, but are often supported by more developed in-house IT skills and resourcing.
  • Will also have different procurement procedures to government agencies.
  • Certain enterprise segments are more vulnerable than others to attack due to several motivations, for example financial players (e.g. financial reward), pharmaceutical players (e.g. IP theft), and IT service providers (e.g. reputational damage). Pivotal IT players with a broad global infrastructure footprint (e.g. Google, Amazon, Rackspace, etc.) would also have highly advanced PACs requirements.
  • Other industries would typically have a lower risk profile rating (e.g. manufacturing and retail), and would typically spend much less on security. For example, online retailers are particularly careful in ensuring that security measures do not negatively impact customer experiences and online conversion rates.
  • Understanding the industry-specific nuances of individual verticals, and their implications for implementing appropriate levels of PACs, is crucial in serving each segment, particularly around industry-specific legislation and compliance mandates that may complement broader government-mandated legislation.
SMEs and Consumers
  • Viewed as the least mature segment with the strongest growth potential in the long term.
  • Have much smaller budget availability but collectively expected to form a larger addressable market opportunity in the future, especially as SMEs are now being breached more frequently than in previous years.
  • Consumers and (most) SMEs have a very different PACs buying behaviour to larger enterprises, do not have dedicated cyber/IT security skills, and tend to buy their IT from low-touch channels, i.e. resellers, high street retailers, or via the web, and increasingly via cloud services.
  • Like to “outsource” security, and have it pre-packaged in the services they buy. Hence it is often bundled by default in widely used hardware and software. A lot of freeware products serve this segment, making revenue potential and viable business models more challenging.
  • From a supply-side analysis perspective at least, many SMEs (micro-SMEs in particular) would broadly have similar purchasing requirements to consumers. This is not to ignore the great variation that will exist across SMEs and the exceptions to this rule that will exist, particularly for companies at the larger end of the SME definition (~250 employees).


[PAC13] Pierre Audoin Consultants, Competitive Analysis of the UK Cyber Security Sector, July 29th 2013.

