Making sense of the UK Cybersecurity Sector

Over the past couple of weeks I have been trying to make sense of the changing UK Cybersecurity Scene, from reports on the threats we face (like the RUSI report on the impact of fraud on National Security), through analyses of our £8.9 bn spend with private sector security providers (like that recently published by DCMS), to announcements of joined-up law enforcement programmes (like Cyber Scotland), in order to help those planning what is likely to be the largest Cybersecurity Skills event of the year, taking place shortly after the forthcoming launch of the Cyber Security Skills Council.

The landscape looks very different according to your standpoint as academic, businessman, consultant, director, insurer, parent, policeman, prosecutor, regulator, vendor, victim or warrior. And that is before considering the multiple confusopolies of acronyms, definitions, jargons, organisations, professions and trades. It feels as though only the organised crime networks have unified visions, for targeting and exploiting the victims of their choice without suffering adverse consequences. Everyone else appears to be playing different games, with different “rules”, on different pitches.

What is apparent is that the “issues” are finally being taken seriously, even if few players agree on what they are, or on the priorities between them. Perhaps the best indicator of how seriously they are being taken is the quality of the UK Cybersecurity Sectoral Analysis 2021 compared to previous collections of “evidence”. It is hard going, but it makes a very good starting point for a cold-blooded analysis of who is really doing what to help their customers respond to the changing threat landscape, including the priorities that they are addressing.

For those who find it too hard going, I have summarised the published analysis below. I also draw three conclusions. These are:

  1. Only 150 suppliers, employing two-thirds of the work force, are large enough to provide realistic in-house work experience for trainees and/or apprentices. All the rest are too small to do so without outside support. And there are only 66 specialist UK providers of cybersecurity training and awareness (other than Universities and Colleges) to provide this.
  2. If number of suppliers is a proxy for effort, then “Threat Intelligence” (632 suppliers) is getting far more than “Identification, authentication, and access control” (159 suppliers). Hence the vulnerability of those now dependent on home-based workers, outside the secure networks (355 suppliers) and end-point controls (482 suppliers) into which so much effort has gone.
  3. Almost all new investment over the past year has gone into growing existing product suppliers. Almost none went into services or start-ups. We can therefore expect things to get worse, perhaps much worse, before they begin to get better.

Next I intend to blog on the new UK policing partnership structures (as they move towards joined-up, intelligence-led incident response) and how these map onto the emerging structures for skills partnerships.

UK Cybersecurity Sectoral Analysis 2021

Key Points

  • 1,483 firms, up 21% since last year.
  • 46,700 employees, up 9% since last year, 65% in large firms (250+ employees).
  • Revenue £8.9 bn, up 9%; per employee £190,000, down 2%. Gross Value Added £4 bn; per employee £85,700, down 3%.
  • Cyber Professional Services provided by 72% of firms.
  • Threat Intelligence, Monitoring, Detection and Analysis by 43%.
  • Endpoint Security (including Mobile Security) by 33%.
  • SCADA and ICS by 7%, up from 3% last year.
  • IoT Security by 3%, up from 2% last year.
  • Main provision: a service (54%), a product (29%), managed services (16%), reseller activities (1%).
  • £821m raised by dedicated cyber security firms across 73 firms, double the previous year, but mainly large-scale investments in mature firms; very few deals were led by early-stage start-ups over the last 12 months.

The analysis covers: UK registered businesses with identifiable revenue or employment within the UK, which are not charities, universities, networks or individual contractors (non-registered), and which provide one or more of the following products or services:

  • Cyber professional services, i.e. providing trusted contractors or consultants to advise on, or implement, products, solutions, or services for others (1,065 suppliers, 72%)
  • Endpoint and mobile security, i.e. hardware or software that protects devices when accessing networks (482 suppliers, 32%)
  • Identification, authentication, and access controls, i.e. products or services that control user access, for example with passwords, biometrics, or multi-factor authentication (159 suppliers, 11%)
  • Incident response and management, i.e. helping other organisations react, respond or recover from cyber attacks (322 suppliers, 22%)
  • Information risk assessment and management, i.e. products or services that support other organisations to manage cyber risks, for example around security compliance or data leakage (339 suppliers, 23%)
  • Internet of Things (IoT Security), i.e. products or services to embed or retrofit security for Internet of Things devices or networks (38 suppliers, 3%)
  • Network security, i.e. hardware or software designed to protect the usability and integrity of a network (355 suppliers, 24%)
  • SCADA and Information Control Systems, i.e. cyber security specifically for industrial control systems, critical national infrastructure, and operational technologies (109 suppliers, 7%)
  • Threat intelligence, monitoring, detection, and analysis, i.e. monitoring or detection of varying forms of threats to networks and systems (632 suppliers, 43%)
  • Awareness, training, and education, i.e. products or services in relation to cyber awareness, training, or education (66 suppliers, 4%)

Collated Analyses indicate that:

  • 54% of businesses are mainly involved with cyber security service(s), i.e. the business sells a service to the market, e.g. cyber security advisory services, penetration testing etc., generating £3.7 bn of revenue and employing 23,414.
  • 29% are mainly involved with cyber security product(s), i.e. the business has developed and sells a bespoke product (hardware or software solution) to the market, generating £3.3 bn of revenue and employing 15,278.
  • 16% are mainly involved with the provision of Managed (Security) Services, i.e. the business offers other organisations some degree of cyber security support, e.g. establishes security protocols, monitoring, management, threat detection etc., typically for a monthly or annual fee, generating £1.5 bn of revenue and employing 7,552.
  • 1% are resellers.

The sector is much more heavily skewed towards large firms than the rest of the UK private sector.

The cybersecurity operations of about 20 very large telecoms, aerospace and defence providers, and equally large consultancies, account for most of the sector’s revenues and employment. Their revenues per employee are over double those of small and micro firms, although their GVA is only 40% higher.

  • 144 (10%) have over 250 employees, with combined cybersecurity revenues of £6.575 bn, employing 30,334 (an average of 211). Only 11% derive 75% or more of their revenues (totalling £1.9 bn) from cybersecurity products and services; the rest are divisions of telcos, consultancies, defence/aerospace suppliers etc.
  • 172 (12%) have 50–249 employees, combined revenues of £1.56 bn, and employ 8,981 (an average of 52). 51% derive 75% or more of their revenues (totalling £1.33 bn) from cyber.
  • 327 (22%) have 10–49 employees, combined revenues of £527 mn, and employ 4,979 (an average of 15). 65% derive 75% or more of their revenues (totalling £465 mn) from cyber.
  • 840 (57%) have under 10 employees, combined revenue of £200 mn, and employ 2,389 (an average of 3), almost all cyber.

(For comparison, only 1% of UK businesses employ more than 250 people, and they account for under 50% of employees.)

Geographic analysis

Like the rest of the IT industry, cyber is London-centric. 53% of firms and 46% of offices are in London and the South East (down from 50% last year). The number of offices, estimated proportion of national employment, main centres, mentioned firms and cybersecurity clusters for each region are:

  • London: 875 offices, 27% of national employment. Cluster: LORCA.
  • South East: 577 offices, 18%. Centres: Oxford, Milton Keynes, Southampton, Reading, Portsmouth and Brighton. Firms: Sophos, Carbon Black, Fortinet and FireEye. Clusters: South East, Oxford, Solent (Southampton) and Thames Valley.
  • North West: 276 offices, 9%. Centres: Manchester, Liverpool and Warrington. Firms: NCC Group, KPMG, BeyondTrust and Secarma. Clusters: North West Cyber Security Cluster, GCHQ (Manchester), the Greater Manchester Cyber Foundry.
  • Scotland: 283 offices, 8%. Centres: Edinburgh and Glasgow, followed by Aberdeen. Firms: Sopra Steria, Adarma, Fortinet and Quorum Cyber. Cluster: ScotlandIS.
  • South West: 252 offices, 8%. Centres: Gloucester, Bristol, Bath, Swindon, Bournemouth, Exeter and Plymouth. Firms: BAE Systems, Immersive Labs. Clusters: CyNam (Gloucester and Cheltenham), Bristol and Bath, Malvern, North Somerset, South West and West of England.
  • East of England: 203 offices, 6%. Centres: Cambridge, Norwich, Peterborough and St Albans. Firms: Privitar, Trustonic, Mimecast, Cloudflare, Palo Alto Networks, Egress and Nettitude. Clusters: Cambridge, and Norfolk and Suffolk.
  • West Midlands: 164 offices, 6%. Centres: Birmingham, Coventry and Worcester. Firms: Titania, IBM, CyberOwl and Risk Evolves. Cluster: Midlands Cyber Security Cluster.
  • Yorkshire & Humber: 142 offices, 5%. Centres: Leeds, Sheffield and York. Firms: Bob's Business, KnowBe4 and Smoothwall. Cluster: Yorkshire Cyber Security Cluster.
  • East Midlands: 120 offices, 4%. Centres: Nottingham, Derby, Lincoln and Leicester. Firms: Intercede, Nexor, Secure Key Warrior, 4Secure and Redscan Cyber Security. Cluster: East Midlands Cyber Security Cluster.
  • Wales: 105 offices, 4%. Centres: Newport, Rhyl and Wrexham. Firms: Airbus, Thales. Clusters: Cyber Wales, South Wales and North Wales Cyber Security Clusters.
  • Northern Ireland: 90 offices, 4%. Centres: Belfast, Derry. Firms: Allstate, Anomali, Cygilant, Synopsys, Microsoft, Rapid7 and Imperva. Cluster: NI Cyber Cluster.
  • North East: 74 offices, 2%. Centres: Newcastle, followed by Sunderland and Middlesbrough. Firms: Accenture, Security Risk Management and Waterstons. Clusters: Dynamo North East, and Tees Valley and County Durham Cyber Security Clusters.

308 UK-registered firms have overseas offices, including 154 in the EU and 109 in the US. 259 overseas firms have offices in the UK, 167 from the US and 46 from the EU.

New investment is narrowly focussed on growing product suppliers which have survived start-up.

New investment is skewed towards a handful of large investments (e.g. OneTrust, Snyk and Privitar, which collectively raised £727m, 89% of the total identified). Others include Ripjar (£28m), CyberSmart (£5.5m), Quorum Cyber (£2.7m), PQShield (£5.5m), Nu Quantum (£2.1m) and CyberOwl (£1.8m). Seed businesses (early-stage start-ups) were, however, only able to raise a total of £12.8 million across 29 deals. 75% of deals and 99% of funds raised were for product, as opposed to service, providers.

Major investors include 24Haymarket, Accel, Amadeus Capital Partners, IQ Capital, KKR Private Equity, Mercia Asset Management, Octopus Ventures, the Scottish Co-Investment Fund managed by Scottish Enterprise, and TenEleven Ventures.

The Government support programmes are quite small by comparison.

Government and other support programmes:

  • HutZero
  • Cyber 101
  • Cyber Security Academic Start-Up Accelerator Programme (CyberASAP)
  • National Cyber Security Centre (NCSC) Cyber Accelerator
  • The London Office for Rapid Cybersecurity Advancement (LORCA), a collaboration between Plexal, the Centre for Secure Information Technologies (CSIT) and Deloitte
  • Tech Nation Cyber