The market landscape in cyber resilience continues to be driven by four dominant factors:


The increasing number of connected devices and services

Owing to changes in underlying business models, and value now attributed to data, we see a drive towards pervasive connectivity and digitisation.

The dawn of 5G mobile networks, fibre-to-the-premises and waves of new communication satellites, launched by incumbent operators and start-ups alike, heralds the arrival of infrastructure required for the next wave of ubiquitous connectivity.

This connectivity is enabling paradigms in computing, processing and service delivery that were not previously possible, which further accelerates the rate of innovation. Innovation brings huge opportunity but also cyber risk, which needs to be discovered, assessed, managed and then kept under review as systems change.


Individuals, businesses and the growing dependence of society on this connected environment

Built on top of this foundation of communication infrastructure is a range of innovations, solutions, services and new technologies. All industries are being digitised and connected to deliver efficiencies and new ways of working that derive value from data: from education to smart cities, from government service delivery to customer service, from transport to healthcare, from agriculture to Enterprise Internet of Things (IoT), from the military to the broader industrial base.

As a result, society is becoming increasingly dependent on a connected world, often in ways that are not obvious. The complexity of this connectivity and interdependence means the risk of contagion, where a breach in one part of a system causes disruption in another, has never been higher.


The proliferation of threats and threat actors

Ransomware in its modern, mass-market form appeared only around seven years ago, and today it forms the backbone of a criminal enterprise worth tens of billions of dollars that targets individuals, businesses from small firms through to listed multinationals, and governments.

Alongside these organised criminal groups, new state and state-proxy actors look to use cyber capabilities to augment traditional military and intelligence activity. Together they represent a growing number of bad actors looking for an edge and an opportunity to exploit weaknesses, against an ever-increasing set of targets.

The barrier to entry for becoming a cyber aggressor continues to fall, while the level of cyber resilience and robustness of most targets has not correspondingly increased. While governments have tried, through international accords such as the Wassenaar Arrangement, to stem the proliferation of advanced offensive capabilities, the reality is that advanced hacking today is simply too easy.


Relentless increase in regulation and consequent costs of compliance failure

Most mature governments deem the free market to have failed at delivering the level of cyber resilience required. As such, they are enacting national strategies, which typically involve two key priorities.

The first is the establishment of a central function or organisation for cyber defence within the national governance structure, backed by supporting legislation. In the past year, we have seen the United States, Australia, Canada and the European Union all do this. The roles of these organisations include capability and capacity building, awareness raising and guidance on how to be cyber resilient, managing incidents of national significance, and acting as the authority on what good looks like in cyber.

The second is to embark on regulation, be it the Network and Information Systems (NIS) Directive, the General Data Protection Regulation (GDPR), or sector-specific regulation such as the 2017 New York State Department of Financial Services (NYDFS) cyber security regulation. Regulators are employing a variety of strategies, including looking for evidence of an organisation's real-world resilience rather than relying on self-certification and paper-based audits. To collect this evidence, regulators are increasingly stipulating advanced red-team engagements, a service we offer.

It is also becoming increasingly clear that regulators are willing to issue material fines for failures, with high-profile cases coming to light. Our work in pre-close technical due diligence shows heightened awareness of the risk of buying a breach, with customers wanting to go beyond light-touch due diligence because of these regulations.

Owing to these four market drivers, aggregate demand for cyber services and products continues to grow. As a consequence, however, this attractive market is crowded, having attracted significant investment from participants including system integrators, management consulting firms, defence contractors and private-equity or venture-capital-backed technology companies.

We have observed many clients – rightly – becoming frustrated with vendors offering 'magic bullet' solutions. As an antidote, we promote the development of 'cyber science', which aims to take the mystery out of cyber and replace it with evidence-based risk mitigations and performance quantification. We believe this professionalisation of cyber will enable organisations to engage much more easily and will clear the path for further market growth.

Finally, as a professional services firm in a technology-dominated market, we observe two positive dynamics. First, what we offer is distinctive in that we are able to develop and maintain leading technical capability without massive capital expenditure. Instead, targeted research undertaken by skilled individuals continues to yield world-leading discoveries that we use to educate ourselves and to engage with our clients. Secondly, it is clear that competitors continue to struggle to build and retain a critical mass of individuals even a fraction of the size of our talent pool, let alone with comparable breadth across markets. Therefore, while we will continue to compete with an ever-increasing number of firms, we continue to provide a differentiated service that attracts clients and colleagues alike.