Relentless increase in regulation and consequent costs of compliance failure
Most mature governments deem the free market to have failed at delivering the level of cyber resilience required. As such, they are enacting national strategies, which typically involve two key priorities.
The first is the establishment of a central function or organisation for cyber defence within the national governance structure, with protecting legislation in place. In the past year, we have seen the United States, Australia, Canada, and the European Union all do this. The roles of these organisations include building capability and capacity, raising awareness, issuing guidance on how to be cyber resilient, managing incidents of national significance and acting as the authority on what good looks like in cyber.
The second is to embark on regulation, be it the Network and Information Systems (NIS) Directive, the General Data Protection Regulation (GDPR), or sector-specific regulation such as the 2017 New York State Department of Financial Services (NYDFS) cyber security regulations. Regulators are employing a variety of strategies, including looking for evidence of the real-world resilience of an organisation as opposed to self-assessment and paper-based audits. To collect this evidence, regulators are increasingly stipulating advanced, intelligence-led red-team engagements (the Bank of England's CBEST framework and the ECB's TIBER-EU are examples of this approach), which we offer.
It is also becoming increasingly clear that regulators are willing to issue material fines for failures, with high-profile cases coming to light. Our work in pre-close technical due diligence is showing heightened awareness of the risk of 'buying a breach' through an acquisition, and customers wanting to do more than light-touch due diligence because of these regulations.
Owing to these four market drivers, aggregate demand for cyber services and products continues to grow. However, as a consequence, this attractive market is crowded, having attracted significant investment from participants including system integrators, management consulting firms, defence contractors and private-equity or venture-capital-backed technology companies.
We have observed many clients – rightly – becoming frustrated with vendors offering 'magic bullet' solutions. As an antidote, we promote the development of 'cyber science', which aims to take the mystery out of cyber and replace it with evidence-based risk mitigations and performance quantification. We believe this professionalisation of cyber will enable organisations to engage much more easily and will clear the path for further market growth.
Finally, as a professional services firm in a technology-dominated market, we observe two positive dynamics. First, what we offer is distinctive in that we are able to develop and maintain leading technical capability without massive capital expenditure. Instead, targeted research undertaken by skilled individuals continues to yield world-leading discoveries that we use to educate ourselves and engage with our clients. Second, it is clear that competitors continue to struggle to build and retain a talent pool even a fraction of the size of ours, let alone one with the same market diversity. Therefore, while we will continue to compete with an ever-increasing number of firms, we continue to provide a differentiated service that attracts clients and colleagues alike.