Is There a Trans-Atlantic Cyber Divide? The 5 Things That Differentiate Us Can Make Us Stronger
December 06, 2018
Having just returned from the U.S. to Europe, we recently met for breakfast around the corner from the new London HQ of Optiv Security, a market-leading provider of end-to-end cyber security solutions, in which KKR invested in early 2017. While the intended purpose of our meeting was to discuss Optiv's European expansion, quite quickly the conversation turned to the rapidly evolving nature of the cyber security market and its profound impact on people's digital lives and corporate security strategies on both sides of the Atlantic.
In fact, as we discussed this further, it became clear that while there are some strong similarities between the European and North American cyber security markets, there are also interesting and significant differences. We believe that these differences, when bridged and learned from, can strengthen our common cyber security posture.
So what are the top 5 main observations?
1. The rise of the board-level and business-minded CISO
Cyber has been a board level concern for U.S. organisations for many years - almost 50% of Fortune 500 CISOs have MBAs, evidencing the need to focus on the business outcomes of security alongside the technical aspects. Security programs and potential risks are being discussed by a large majority of U.S. public boards on a regular basis. By contrast, it is estimated that less than one third of UK boards are involved in making security decisions today.
According to a recent study from Vodafone - U.S. organisations exhibit a higher level of cyber readiness than their European counterparts, whose cyber readiness is only described as 'reactive'. It is estimated that European organisations will have spent $25bn on security in 2018 compared to U.S. organisations investing more than twice that at $50bn, with comparable GDP, and the EU having a far greater population.
At KKR, we conduct an annual cyber security evaluation, assessing our portfolio companies on the state of their cyber security operations. The results and recommended actions are discussed at the portfolio company boards as well as at KKR. Companies can also share learnings and best practices among each other, benefiting from a trusted network of fellow CISOs, across both sides of the "pond". Similar industry-wide forums like this could increase mutual learning and sharing of best practices.
European organisations need to raise the level of cyber discussion and awareness to board level, using business and risk-based decision making.
2. Litigation vs. legislation
Litigation and a related focus on the financial damage incurred through cyber breaches have driven the U.S. organisations to increase their maturity and insurance coverage. The U.S. has the world's largest cyber security insurance market worth $2bn today, and growing at almost 40%, while in Europe it lags at only ~10-15% of that total. Allianz projects that the global cyber insurance market could reach $20bn by 2025. At KKR, as part of the annual cyber security assessment, we have developed a global cyber insurance program that our portfolio companies can take advantage of to improve their posture and mitigate risks further.
In Europe, a growing security awareness has been supercharged by growing regulatory powers and the introduction of GDPR in May of this year. GDPR puts individual digital rights and privacy at the heart of the most significant pieces of cyber legislation so far. We are starting to see signs of these powers being used more aggressively as the threat of direct fines has become more significant. By comparison, in the U.S., the voluntary NIST Cybersecurity Framework aims much more at the deployment of cyber capability and maturity, rather than mandatory compliance requirements. While the NIST Framework is garnering worldwide appreciation for its standards and best practice, its implementation is hampered by a matrix of federal and state laws, and disparate regulations and policies. One of the key aspects of Optiv's European growth is to advise its clients on how best to approach this changing regulatory landscape.
A common and strong cyber approach can galvanise digital security efforts and help organisations understand their obligations. In the meanwhile, organisations need to understand their obligations on both sides of the Atlantic.
3. Innovation ecosystem
While Europe has a rich history of invention and engineering, it has only recently started to wake up to the power of a vibrant and well-funded tech sector. Even a quick glance at the relative size and volume of new cyber businesses and their funding tells a stark picture. In 2017, ~700 cyber companies in the North America received a total of $6.5bn in investment and growth capital, vs less than $1bn across 400 fundraising rounds in Europe and Israel combined.
What these financial statistics do not convey is the vibrancy of ideas, exchange of personnel and growth opportunities that the more mature U.S. venture capital and private equity-backed players have fuelled. There are highly innovative companies in Europe, notably in London, Berlin, Paris, and the Nordics, and across the sea in Israel, but most of these remain subscale, or have been swallowed by the U.S. players early on.
We have been fortunate to be in a front seat at this innovation race, and have tried to do our (small) part to contribute. KKR has backed some of the leading security innovators on both sides of the Atlantic, with Cylance, Ping Identity and Forgerock in the U.S., and Darktrace in Europe. Optiv screens ~100 new cyber vendors annually to bring the most innovative companies to the market and to its clients.
The under-exploited European cyber tech industry needs re-invigorating and can have a profound impact on our ability to combat cyber threats globally. Fostering new cyber tech and getting it to market is critical.
4. Cloud eager adopters
If we are to believe the hype, cloud adoption and SaaS services are becoming all pervasive. In the U.S., eager adopters are rushing to take advantage of the scale and flexibility that cloud, in its many guises, offers. However, we should be reminded that cloud still accounts for only 20% of overall IT spend. European organisations have typically been more cautious in their cloud investments - being restrained by data sovereignty, privacy concerns and a more holistic ROI calculation.
This cautious approach is starting to turn, as the availability of cloud datacentres and infrastructure in Europe is steadily increasing. OVH, backed by KKR, is a leader in hybrid cloud provision in Europe and expanding globally. Hybrid cloud deployments and the inevitable rise of SaaS will mean the underlying fabric of our technology provision will continue to change and adapt.
Security has been slow in responding to these shifts, both in cloud deployment of traditional security controls, as well as in the monitoring and measurement of cloud assets and behaviour. This is set to become the dual challenge for the next few years. On top of that, it is mobile and IoT that pose additional and perhaps more significant obstacles to security, as they bring higher velocity of adoption and radically different challenges.
As companies rush to the cloud, let's not lose sight of the traditional majority - the delivery of fundamental security controls across users and data, wherever they reside. That's what we are calling the cyber transformation challenge.
5. A service culture - how much should you tip?
As anyone who has travelled abroad knows, the tipping etiquette varies from country to country. It is generally accepted that North America is a service-based culture, while Europe is less so. This also rings true for the delivery of IT services.
North America has led the Managed Security Services (MSS) market for many years, evolving into a relatively commoditised and competitive market. European services adoption has developed much more along the consulting and professional services axis. Running security operations is not for the faint-hearted; it is complex, demands a focus on internal processes, and requires an almost clairvoyant ability to predict the next attack or vulnerability.
We are seeing a rapid evolution of the services model to reflect these unique challenges, calling for world-class cyber analysts using advanced tools to detect and respond to a range of threats. Most CISOs today are looking for a hybrid approach that leverages their particular organisational knowledge with external investment, best practice and importantly experience. Particularly in cyber, businesses are looking for enhanced capability, accelerated implementation of new digital processes, and access to scarce security talent.
The monolithic MSS model is being rapidly broken up into smaller chunks of actionable services, which integrate into a hybrid security operations framework. It is the a-la-carte menu, rather than a set meal, and European organisations are increasingly willing to pay the service charge - but only where they see the value.
It is vital that organisations use expert security services to maximise the value of their security operations. This needs to be done in a thought-through and clearly-articulated operational architecture, which can flex and respond to periods of heightened risk or business opportunity.
Paul Nicolas, Senior Director of Global Security Strategy at Microsoft, wrote in a recent article, "Cybercriminals and cyberattacks will inevitably be encouraged and enabled by serious divergence in approaches to cyber security, wherever in the world these occur. As such, it seems essential that steps are taken on both sides of the Atlantic to ensure closer harmonization, both to improve the situation of the U.S. and the EU and to set an example to the rest of the world."
Perhaps it is the similarities that we can build upon, knowing that the infrastructure which supports the growing digital economy is shared across the Atlantic. We rely on the same systems, software, and hardware, much of it supplied from outside the EU, and deployed across multinational organisations and global supply chains. These networks face the same vulnerabilities, the same array of technical exploits and malicious code, the same transnational cybercriminals, and the same nation-state actors. The solutions to these threats require the help of the best and brightest, regardless of which side of Atlantic they are located on.
KKR invested in Optiv in early 2017, and a key part of its investment thesis was to build Optiv into the first, truly global, and board-trusted cyber security solutions integrator. Optiv expanded to Europe in early 2018, rapidly scaling its team in London to 20 security professionals and long-term industry veterans, with the plan to triple the number next year. We believe that the combination of the U.S. presence and the local experience of our strong European team will help the company deliver a unique perspective and solutions to its global clients. The U.S. and EU markets are different, but regardless of where an organisation is located, it must build a sustainable, risk-centric foundation for implementing proactive and measurable security programs.
By learning from each other, we can all win.