PACS stakeholders can also be categorised with regard to their role in the overall innovation process, and can be distinguished across four key categories:
- “Innovators”: individuals or companies that are looking to bring ideas in the PACs domain to market. Sub-categories include researchers, vendors, service providers, integrators and infrastructure providers;
- “Enablers”: individuals or entities who are responsible for supporting individuals or companies in being more innovative and in commercialising technology;
- “Influencers”: individuals whose professional mandates influence or impact on the ability of PACs Innovators or Enablers to bring technologies to market;
- “End-Users”: individuals or organisations leveraging PACs technologies and services to improve resilience of their own infrastructures, or technologies they provide to others.
Different organisations and individuals may fall into multiple stakeholder categories under this scheme, depending on factors, particularly their relationship with the product lifecycle, as illustrated in the different innovation stakeholders.
Key and Emerging Players
For an overview of PACS key and emerging players, see the market theme.
Key PACs Buyer Categories
PACs market competitive analysis by Pierre Audoin Consultants identifies four key distinct buying groups in the security (and privacy) domain, each with significantly different security requirements, buying/pricing points and purchasing behaviours [PAC13]. These four identified categories are:
- Defence and Intelligence, specialist defence and intelligence agencies which are a specialised sub-segment of the wider public sector cyber security segment
- Government (other than Defence and Intelligence) – this includes central and local government, publicly funded agencies and so on
- Large Enterprises – i.e. private firms with more than 250 employees
- SMEs and Consumers – which account for the remaining private sector buyers, and buyers in the general public.
Players across several of these sub-segments operate in relatively distinct silos. For example, target stakeholders in the Defence and Intelligence segment would typically operate in a completely different community to those serving the Large Enterprise segment, with significantly different product requirements and selling protocols in each. Also, many bespoke solutions developed for Defence and Intelligence purposes will be too advanced for many target buyers in enterprise segments, while in turn, solutions for the mass market segment are unlikely to be powerful or configurable enough for Defence industry purposes. Sales cycles in the Defence industry may take many years to develop, resulting in an organisational culture that would operate very differently to those serving more fast-moving enterprise and consumer markets. Also, selling to SMEs and consumers requires a low-touch multi-channel approach (typically combining online and offline elements), which can be quite different to selling to large enterprises, where more consultative and integrated ways of working with clients are essential. There will also be strong channel alliances between vendors, partners and customers within each segment, creating strong entry barriers to those crossing over from one sub-market to another. Further characteristics of these four buyer groups are highlighted in Table 1.
Overview of Sub-Segment
Defence and Intelligence
- Most mature security market segment, tend to buy the most expensive and complex products
- Invest in solving the most complex PACs R&D challenges
- Highly trusted relationships with PACs vendors and service providers, who are typically small in number and are required to have top security clearance levels.
- Long sales cycles typical (years rather than months)
- SME suppliers do not typically access this market easily; when they do, it is usually via larger product and service providers
Government (other than Defence and Intelligence)
- Broadly can be referred to as the “rest of the public sector”
- Key sub-segments within this group include (1) larger “central” government agencies covering key ministries (e.g. finance, social protection, pensions, justice etc), (2) law enforcement groups focused on the cybercrime dimension of PACs, (3) agencies operating at regional or local government level – e.g. local government agencies, universities, health trusts etc.
- A broad spectrum of PACs requirements can exist within the Government category. (1) Central agencies will often have the most sophisticated PACs requirements, often as part of larger organisational or ICT transformation programmes. (2) Law enforcement will have specific requirements to help them identify and prosecute perpetrators of cyber-attacks, fraud, and other serious cyber-crime offences - defence contractors participate alongside enterprise PACs players here. (3) Smaller regional government entities will have varying PACs requirements that will overlap heavily with a broad portion of the enterprise segment.
- Key differentiator between government and enterprise buyers is the need for Government agencies to follow specific procurement procedures and tendering processes, often supported by specialist online portals.
Large Enterprises
- Tend to have broadly similar PACs requirements as the central government agencies above, but often are supported by more developed in-house IT skills and resourcing.
- Will also have different procurement procedures to government agencies
- Certain enterprise segments are more vulnerable than others to attack due to several motivations, for example financial players (e.g. financial reward), pharmaceutical players (e.g. IP theft), and IT service providers (e.g. reputational damage). Pivotal IT players with broad global infrastructure footprint (e.g. Google, Amazon, Rackspace, etc) would also have highly advanced PACs requirements.
- Other industries would typically have a lower risk profile rating (e.g. manufacturing and retail), and would typically spend much less on security. For example online retailers are particularly careful in ensuring that security measures do not negatively impact customer experiences and online conversion rates.
- Understanding the industry-specific nuances of individual verticals and the implications for implementing appropriate levels of PACs is crucial in serving each segment, particularly around industry-specific legislation and compliance mandates that may complement broader government-mandated legislation.
SMEs and Consumers
- Viewed as the least mature segment with the strongest growth potential in the long term.
- Have much smaller budget availability but are collectively expected to form a larger addressable market opportunity in the future, especially as SMEs are now being breached more frequently than in previous years.
- Consumers and (most) SMEs have a very different PACs buying behaviour to larger enterprises, do not have dedicated cyber/IT security skills, and tend to buy their IT from low-touch channels, i.e. resellers, high street retailers, or via the web, and increasingly via cloud services.
- Like to “outsource” security, and have it pre-packaged in the services they buy. Hence it is often bundled by default in widely used hardware and software. A lot of freeware products serve this segment, making revenue potential and viable business models more challenging.
- From a supply-side analysis perspective at least, many SMEs (micro-SMEs in particular) would broadly have similar purchasing requirements as consumers. This is not to ignore the great variation that will exist across SMEs and the exceptions to this rule that will exist, particularly for companies at the larger side of the SME definition (~250 employees).
For an overview of PACS Clusters please refer to the dedicated subtheme in the ‘market’ section of the framework.
Policy Framework, Standards and Legislation Actors and Initiatives
The Policy Framework and Legislation subtheme highlights key activities and initiatives around policy, legislation and standards within the PACs domain. Key PACs institutions and their interrelationships influencing overall cyber security at regional and global levels are highlighted and described – EU and US initiatives are given particular attention. Key PACs standards and legislation are broadly itemised and highlighted. A summary of various incentives available to policymakers to influence PACs outcomes is also provided.
European PACs Investment Context
A higher volume of digital attacks and increasing awareness among clients of the need to increase defences mean that innovative PACS organisations are in a good position to be acquired. In the US alone, estimates of the cost of organisational failures range from $70 billion to $400 billion in IP theft per annum [MCA14]. An estimated 1110+ startup companies exist globally in various segments of the security market, defending and protecting against advanced persistent threats. Many of these organisations present ideal targets for acquisition by larger PACs and ICT enterprises, if their niche offerings strengthen the acquirer's overall portfolio and meet its clients' broadening range of security and privacy issues. This view is being driven by the desire of corporate customers for a single-source, end-to-end solution that takes charge and responsibility of all their security needs - which in turn is driving consolidation among providers of different types of security solutions [E&Y13]. A case in point was the acquisition of Mandiant by FireEye at the beginning of 2014 for just over $1 billion, fusing FireEye's advanced persistent threat technology with Mandiant's endpoint protection, offering corporate clients of either organisation a complete end-to-end security solution.
According to investment firm Allegis Capital, a number of key PACs solution requirement categories are in significant demand and are driving this investment growth trend [PEH13]. Key desired solution aspects achieving investment include:
• Active defense solutions to protect websites from Botnet attacks
• Security/authentication/identity access and management for mobile devices as enterprises increasingly let employees bring their own devices to work (BYOD)
• Securing the communications piece of infrastructures more effectively
• Identifying and mitigating malware once it’s gotten inside the network
• Innovative “big data” solutions applied to cyber security threats
• Secure cloud computing solutions, a key requirement for enterprises to more broadly adopt cloud computing
• Integrated, enterprise-wide security solutions to replace collections of “point” products that solve a single problem
Rather than spending billions devising new technologies, larger organisations are starting to look at acquiring smaller, more agile organisations that have developed innovative technologies that can deal with these new threats. For the large organisation this can give them a cheaper and quicker alternative to developing in-house skills. For the smaller organisation, being acquired allows them to get their product to a wider corporate market.
It is traditionally accepted that the US has a more mature and established venture capital industry than its European counterparts at present. This is particularly reflected in more successful performance returns over time – while the US VC industry has achieved 13% returns since 1990, its counterparts in Europe have managed just 2.1% over that period [ECON14], with much of the returns in the latter sapped during the dot-com bust, followed by post-2008 stagnancy across Europe in recent years.
Compared to the US, the European VC ecosystem is funded much more heavily by government participants, with 40% of available funding coming from them, up from 14% in 2007, with much of this coming from the EU-backed European Investment Fund (EIF), which contributed €600m to European startups across all domains in 2013. Mixed views exist on the impact of public funding on startup investment, particularly when it is used to match funding from a public source, particularly VCs. Some private investors fear that any strings attached to government money (e.g. to create jobs in certain countries, or focus on certain sectors) may limit outcomes from their investments. There is also a perceived lack of transparency in how EIF-backed investments have fared, with no data available on investment performance. There is also the perception that European funds backed by government money can cash in on successful investments too early, selling companies to boost short-term returns that make it easier to get follow-up government funding, thereby losing out on huge gains that can arise by staying with longer-term bets. Pan-European rules placing limits on allowed investment (to ensure a perceived level playing field across individual European nations) are also viewed as being restrictive versus the US model, where no such limits exist [WSJ13]. Getting later-stage financing is also seen as a challenge in Europe, where as few as 20-30% of European companies funded at seed stage are able to secure follow-up investment. Labour laws in many European countries are viewed as prohibitive to encouraging start-up activity, for example making it harder for companies to pay staff with stock options, often a key carrot to encouraging employees to take risks on working with start-ups.
However, in the PACs context more explicit funding supporting PACs-based start-ups in Europe is now emerging. For example, in June 2014 London-based C5 Capital became the first focused cyber security investment fund in Europe, providing a $125m fund for PACs start-ups. So far two investments have been made: an $8m investment in monitoring provider Balabit, as well as an investment in Qinetiq spinout Metrasens. Managers of the fund believe that European ICT and PACS companies are now at an increased competitive advantage in Europe as a result of recent NSA surveillance scandals in the US, as such firms are not subjected to the same levels of data collection as their US counterparts. Traditionally, EU PACs companies have sought expansion funding to expand into US markets by default, but other markets such as the Middle East and Asia are now also seen as attractive alternatives [SCM14]. Local European vendors will also always benefit from understanding the local needs of the region, often giving them a competitive advantage over US and other non-European vendors, but there is now increased demand for Europeans to provide alternative services to protect citizens and their embodied data in their own markets.
Innovation in an organization does not happen by coincidence or “magic”. Instead, there needs to be a systematic process in place that creates the right environment for innovation in an organization to arise (John Jeston, 2008). The view that large gains in efficiency and effectiveness can be gotten from adopting a process oriented approach has gained considerable influence in the past two decades. As described in (Hammer, 2007):
In virtually every industry, companies of all sizes have achieved extraordinary improvements in cost, quality, speed, profitability, and other key areas by focusing on, measuring, and redesigning their customer-facing and internal processes.
The Process theme consists of two parts. First, we provide an overview of various innovation processes that exist outside of the PaCS Core Innovation Process. In this section we also introduce the notion of “lean” innovation as an alternative approach. In addition, we introduce those governance tools and activities that an organization can use to assure itself of the approach it has taken regarding the innovation process itself. Using this theme, an organization can assess its innovation process maturity level and indicate gaps between its current state and desired state.
INNOVATION MODEL PROCESS FLOWS
Given the proliferation in research and scholarly attention afforded to innovation over the last three decades, a diverse range of innovation modelling processes exist in the literature. The existing catalogue of process models of innovation can be generally subdivided into three umbrella categories: (1) linear models, (2) phased models, and (3) non-linear, coupling, cyclical models.
LINEAR PROCESS FLOWS
Early models of innovation presented innovation as a linear phenomenon where each aspect was considered modular and unconnected to other parts of the innovation process. The linear model hypothesises that innovation starts with basic research, followed by applied research and development, and culminating with production and diffusion. The theory identifies two traditional linear underpinning approaches to innovation (Rothwell, 1994): “technology push” and “demand pull”. Under technology push, innovation is considered to be driven solely by scientific advances, whereas the demand pull approach views innovation as a response to demands for new products and processes. However, it was found early on that these models did not survive empirical scrutiny, as this representation oversimplified the innovation process. Indeed, (Kline & Rosenberg, 1986) note that models that depict innovation as “…a smooth, well-behaved linear process badly misspecify the nature and direction of the causal factors at work. Innovation is complex, uncertain, somewhat disorderly, and subject to changes of many sorts”.
PHASED PROCESS FLOWS
Phased models (Figure 1) serve as a management tool to map, systemise, control and review innovation progress across the sequential phases involved in an innovation project (Hughes & Chafin, 1996). As illustrated in Figure 1 below, inputs and outputs for each phase are defined, with management reviews at the end of each phase to determine the continuation of a project (“go-no-go”). The advantage of such an approach is in reducing uncertainty and promoting completion of sub-stages of the innovation process. Equally so, the phased approach deals primarily with the development phase, and fails to accommodate any commercialisation perspectives (Verworn & Herstatt, 2002).
Figure 1 Linear Phase Review Model
Source: (Hughes & Chafin, 1996)
The process model by Pleschak et al. (Figure 2) delves into more detail across each stage of the innovation process and introduces the role for external stakeholders. Of merit for framing the range of issues surrounding innovation modelling, the Pleschak model specifically accommodates “…the possibility of truncation during every stage of the innovation process due to the rejection of an idea, technical or economical failure similar to Cooper’s gates” (Verworn & Herstatt, 2002).
Figure 2 Pleschak Process Model
Source: cited in (Verworn & Herstatt, 2002)
The Stage-Gate process (Cooper, 1990) also represents distinctive and orderly phases (Figure 3). The innovation process, according to the Stage-Gate model, consists of a range of gates to evaluate the various stages in the innovation development journey.
Figure 3 Stage Gate Model
Source: (Cooper, 1990)
At gate 1, the idea is evaluated according to must-meet and should-meet criteria such as strategic alignment, feasibility or fit with company policies. (Verworn & Herstatt, 2002) describe the stage gates as follows:
• Stage 1 represents a preliminary assessment of the project in terms of market, technology, and financials.
• After passing a second gate, a detailed investigation follows during stage 2 definition. Output from this stage is a business plan which is the basis for the decision on business case at gate 3.
• Stage 3 contains the actual development of the product and a marketing concept. Deliverable of this stage is a prototype product.
• Gate 4 ensures that the developed product is consistent with the definition specified at gate 3. In-house product tests, customer field trials, test markets, and trial productions are typical activities during the validation stage 4.
• Gate 5 decides on production start-up and market launch, which follow during stage 5. Objective of a terminating review is to compare actual with expected results and assess the entire project.
The normative process model of (Ulrich & Eppinger, 1995) (Figure 4) resembles Cooper’s stage-gate process by mapping the activities each function carries out during the development of an innovation. The noteworthiness of this model for (Verworn & Herstatt, 2002) is “…the interdisciplinary point of view. Every function is weaved into each phase of the development process”.
Figure 4 Normative Process Model
Source: (Ulrich & Eppinger, 1995)
Reflecting a project management orientation in terms of innovation modelling, the development funnel metaphor has been incorporated by researchers to illustrate the process from idea to innovation execution ((Wheelwright & Clark, 1992); (McGrath, 1996)). The wide element of the funnel reflects the idea generation/concept development stage, and the funnel narrows as ideas progress through corresponding development, test and release phases (as illustrated in Figure 5).
Figure 5 PACE NPD Funnel
Source: (McGrath, 1996)
The Innovation Pentathlon Model (Goffin & Pfeiffer, 1999) also incorporates a funnel approach and highlights five performance areas which must be prioritised and integrated for effective innovation (Goffin & Mitchell, 2005); (Oke, et al., 2007). The five interlocking elements referred to in the pentathlon are:
• Ideas Management & Creativity Management;
• Prioritization, Selection and Portfolio Management;
• Implementation Management (NPD etc.);
• Innovation Strategy;
• Human Resource Management (People and Organisation).
The pentathlon framework accommodates a wider range of soft organisational issues than the traditional linear innovation model. It overcomes the deficiencies of typical phased models by including: HRM, Creativity/Ideas Management, the selection of priorities, and the importance of market conditions (in respect of the products, processes and services). At the top of the model lies the role of an innovation strategy, which will dictate what is needed in terms of the focus and goals, communication, technology and the measurement of success. In the middle of the model, a flow is often conceptualised within a funnel, indicating a move of the ideas through a prioritisation process and through to implementation and new product development interactions with the marketplace. Underneath this middle section, the model depicts the formalisation of the human element in innovation. The pentathlon framework (Goffin & Pfeiffer, 1999) is distinctive from earlier models in featuring the human factor in innovation; specifically, recognising how the people and organizational climate play a role, and consequently, the value of seeking a conducive culture, where people are motivated to innovate.
Mindful of the combination of technical activities occurring in the innovation process, the external forces of the market place, as well as the complex interactions and iterations between the various stages of the process, researchers in the field of innovation have developed more complex and inclusive models based upon the limitations of linear and sequential models (Leger & Swaminatham, 2007).
NON-LINEAR PROCESS FLOWS
Kline and Rosenberg’s Chain Linked innovation model (Figure 6) combines both market pull and technology push orientations, and identifies five paths of innovation process (C): starting with the perception of a new market opportunity and/or a new science and technology-based invention; this is necessarily followed by the ‘analytic design’ (D) for a new product or process, and subsequently leads to development, production and marketing (Kline & Rosenberg, 1986).
Figure 6 Chain Linked Innovation Model
Source: (Kline & Rosenberg, 1986)
Earlier versions of Cooper et al.’s Stage Gate process models prescribed that the next phase can only start if the project complied with all the requirements of the prior one. However, the stage gate process has evolved to incorporate feedback and spiral loops to address the limitation of a sequential pattern, as illustrated in Figure 7.
Figure 7 The Next Generation Idea to Launch System
Source: (Cooper, 2012)
Departing from a linear conceptualisation, Berkhout’s Cyclic Innovation Model (CIM), developed in the nineties, views the innovation process as more than just technical invention and describes the innovation arena by a ‘circle of change’ linking changes in science (left) and industry (right), and changes in technology (top) and markets (bottom) (Berkhout, 2000); (Berkhout, et al., 2007). As illustrated in Figure 8, the model architecture is not a chain but a circle, where ideas may start anywhere in the circle and proceed clockwise or anticlockwise. Equally, the model portrays a system of dynamic processes with four ‘nodes of change’: scientific exploration, technological research, product creations and market transitions; between these nodes there are ‘cycles of change’ (Berkhout, et al., 2010).
Figure 8 Cyclical Innovation Model
Source: (Berkhout, et al., 2010)
Berkhout, A., 2000. The Dynamic Role of Knowledge in Innovation. An Integrated Framework of Cyclic Networks for the Assessment of Technological Change and Sustainable Growth. The Netherlands: Delft University Press.
Berkhout, A., Van der Duin, P., Hartmann, D. & Ortt, J., 2007. Connecting Hard Sciences with Soft Values Advances in the Study of Entrepreneurship, Innovation and Economic Growth, Amsterdam: Elsevier.
Berkhout, G., Hartmann, D. & Trott, P., 2010. Connecting Technological Capabilities with Market Needs using a Cyclic Innovation Model. R&D Management, 40(5), pp. 474-490.
Cooper, R., 1990. Stage-Gate Systems: a new tool for managing new products. Business Horizons, Volume 33, pp. 44-56.
Cooper, R., 2012. What Next After Stage-Gate?. Research-Technology Management, pp. 20-31.
Goffin, K. & Mitchell, R., 2005. Innovation management: Strategy and implementation using the pentathlon framework. Basingstoke: Palgrave Macmillan.
Goffin, K. & Pfeiffer, R., 1999. Innovation Management in UK and German Manufacturing Companies. London: Anglo-German Foundation.
Hammer, M., 2007. The Process Audit. Harvard Business Review, 85(4).
Hughes, G. & Chafin, D., 1996. Turning new product development into a continuous. Journal of Product Innovation Management, Volume 13, pp. 89-104.
John Jeston, J. N., 2008. Business Process Management - Practical guidelines to successful implementations. 2nd ed. Oxon: Routledge.
Kline, S. & Rosenberg, N., 1986. An overview of innovation. In: The Positive Sum Strategy: Harnessing Technology for Economic Growth. Washington: National Academy Press, pp. 275-305.
Leger, A. & Swaminatham, S., 2007. Innovation Theories: Relevance and Implications for Developing Country Innovation. s.l.: Discussion Paper No. 743, DIW Berlin.
McGrath, M., 1996. Setting the PACE® in Product Development. Boston, MA: Butterworth-Heinemann.
Oke, A., Burke, G. & Myers, A., 2007. Innovation Types and Performance in Growing UK SMEs. International Journal of Operations and Production Management, 27(7), pp. 735-53.
Rothwell, R., 1994. Towards the Fifth-Generation Innovation Process. International Marketing Review, 11(1), pp. 7-31.
Verworn, B. & Herstatt, C., 2002. The Innovation Process: an Introduction to Process Models. s.l.: Working Paper No. 12, Technical University of Hamburg.
Ulrich, K. & Eppinger, S., 1995. Product design and development. New York: McGraw Hill.