The growth of the sector has been driven by a rapid increase in cyber-crime, with cyber-attacks growing in both frequency (due to significant increases in available network attack surfaces and connected devices) and sophistication, as attacks are increasingly carried out by state-sponsored actors and highly advanced organised criminals focused on high-value targets.
The increase in the number and sophistication of cyber-attacks has generated greater attention from regulators, who are now driving the cyber security agenda and adopting a tough stance towards both cyber breaches and failure to protect client data. The focus of new regulation is bridging information gaps and ensuring higher minimum standards for compliance. This is being achieved through specialist programmes, such as those run by CREST and the Bank of England CBEST programme for systemically important financial institutions, which is now being rolled out across other critical infrastructure sectors via TBEST (Telecoms), GBEST (Government) and NBEST (Nuclear) and in the EU as TIBER-EU.
This new regulatory landscape means that cyber security is widely accepted as a ‘board-level’ issue. There is significant reputational risk attached to cyber security failings – as well as huge potential monetary costs. As a result, businesses are investing heavily to protect themselves.
Cyber security spend is typically split between services (e.g. penetration testing, information security consulting, compliance, incident response, managed services, etc.) and software (e.g. endpoint protection, access control, firewalls, anti-malware, intrusion protection / detection, ransomware protection, etc.). Both of these markets are becoming increasingly sophisticated on the back of a number of interesting developments.
Two key trends are emerging in the cyber security services space – a move to intelligence-led testing and the growth of managed security service provision (‘MSSP’). Intelligence-led testing has revolutionised cyber security by providing more effective, tailored protection. The premise is to leverage research (including ‘honeypots’ and open source intelligence) to identify vulnerabilities and attack formats specific to clients and industries and focus energies on protecting against the most likely attack types for the client rather than simply standard or undefined methods. Meanwhile, managed services are growing as businesses realise they require persistent, live cyber security solutions and cannot just ‘bolt-on’ software products or conduct point-in-time testing.
On the software side, recent developments have been characterised by advances in artificial intelligence and machine learning. While the success of these platforms is currently varied, the better technologies are being used to enable the quick and accurate identification of potential cyber-attacks.
Unprecedented levels of cyber security spending and increasingly sophisticated solutions make for an exciting – and expensive – M&A market.
In 2017 alone there were over 200 transactions[3] around the world as businesses sought to acquire cyber security capabilities. Highlights include Barracuda Networks being taken private by PE firm Thoma Bravo for $1.6bn, DigiCert’s $950m acquisition of Symantec’s website security and PKI solutions business, Synopsys’ acquisition of Black Duck for $565m and CyberArk’s $42m takeover of DevOps. Livingstone has been one of the most active advisers to this market, managing the strategic sale of leading service providers ContextIS (to Babcock), Info-Assure (to BSI) and, most recently, Nettitude (to Lloyd’s Register).