Under the combined impact of digital transformation and the advent of new technologies, challenges related to identity and data protection, the emergence of new cyber threats, and a surge in cyber crime, cyber security has become a priority for both France’s government and her businesses. It now presents great opportunities for competition and growth. At the same time, several cases of espionage and state sponsored cyber attacks have made of cyber space a new strategic area likely to bring about new opportunities for French industry. In this context, it is worth analysing how the French market compares to world and European markets in terms of size and development, but also its advantages and vulnerabilities and how these could have an impact on future developments. Initiatives and efforts taken to mitigate potential adverse effects are also interesting, particularly those aimed at strengthening the cyber security industry and at better structuring the national cyber security sector.
A dynamic and fast growing market
When compared to world and European markets, France appears quite well positioned, and to feature similar trends in terms of growth and progress.
According to a study by Gartner (Forecast Analysis: Information Security, Worldwide, 2Q15 Update, Gartner, 2015), the world ICT market reached €3.2 billion in 2015 and is expected to reach €3.4 billion in 2020. 70% of this total revenue should flow from services, 20% from hardware and 10% from software. The same Gartner report shows that the world market for cyber security grew from €3.1 billion in 2004 to €67 billion in 2015, and should reach €152 billion by 2020.
In 2014, the value of the ICT market in France approached €105 billion after a 10% increase in size, and the cybersecurity market reached €1.8 billion in 2015, versus €1.6 billion in 2014, which is a 12.5% increase (Le marché français de la cybersécurité en France et dans le monde, Xerfi, 2015). While these figures show that France follows the global trend of further and faster digitalisation and cybersecurity, a closer look at the ICT/cybersecurity ratio tends to suggest that it is a little behind European and world cybersecurity markets. In 2014, cybersecurity only represented 1.7% of the French ICT sector when the world ratio was at 2.4% (Le marché français de la cybersécurité en France et dans le monde, Xerfi, 2015). But in the context of the continuous and ever faster growth of cyber security in both French and world markets, it is fairly reasonable to expect this gap to be filled very quickly, with France quickly catching up on world markets.
In fact, cyber security remains a very dynamic sector in France, as exemplified by its frequent and rapid developments (acquisitions, investments, significant increases in turnover, diversification, and so on). Driven by growing public procurement and new national and European regulations, cyber security has become a priority for many companies across all industrial sectors. For instance, the new Military Planning Law includes a cyber security section that requires critical national infrastructure operators to implement a series of protection and detection measures and processes. This is expected to bring about a significant increase in security spending and budgets in the coming years. The European Network and Information Security Directive – which aims at aligning member states’ obligations in terms of information systems protection – should also boost the French cyber security market.
But while the French market is undeniably following the same path as European and world markets in terms of growth and progression, it also features specific structural attributes that could impact future developments and that are likely bring about internal changes.
A diverse but fragmented sector
The French cyber security market is unquestionably diverse, encompassing a vast majority of cyber security products, solutions and activities across industry segments and business lines. Software and hardware products include surveillance and perimeter protection solutions, advanced threat and vulnerability detection and analysis tools, encryption tools, secure identification and authentication tools, and specialist tools (forensic, integrity checks, surveillance, etc). As for services, they range from audit, consultancy and governance, to integration and externalisation. Web hosting and Cloud services are other prominent areas, featuring a mix of hardware, software and services.
These industry segments and business lines are of course not evenly represented among the sector players. This is mostly due to the structure of the French market, which is extremely fragmented. It is generally agreed that about 450 organisations operate in this sector, either companies exclusively offering cyber security products/services, or companies that include cyber security among a wider range of products, solutions or services. After a more detailed analysis of these 450 companies we chose to consider 250 only, excluding local branches of foreign companies, recent acquisitions and buy-outs. These 250 companies generated a total turnover of about €2 billion in 2015 (Facts and Figures compiled by CEIS through internal market research and industry interviews).
A key element in understanding the structure of the market is the fact that, of these companies, only 26% (i.e. 25 companies) generate 75% of the total market turnover (€1.5 billion annually). Even more telling is the fact that only 30 of the remaining 225 SMEs exceeded €5 million annual turnover of a total €416 million in 2015 – that is 71% of the total annual turnover for the sector (Pipame, : Analyse du marché et des acteurs de la filière industrielle française de sécurité – Synthèse, November 2015). This is a significant demonstration of the polarisation of the French market, relying as it does on a very few big players on the one hand and a galaxy of small, to very small, companies on the other hand, with only a few medium sized companies.
Interestingly enough, none of the key players of the French cyber security sector are exclusively cyber security companies. Large players like Atos, Orange, Thales or Airbus come from a variety of sectors such as defence, specialised consultancy, telecommunications, digital security and so on. All have developed and included cyber security offers among an existing range of products but only a small proportion of their turnover is generated by these cyber security activities. In other words, the French cyber security market is dominated by non-cyber security players, subsidiaries or branches of large groups operating in very different – yet not unrelated – sectors and business lines.
Like their counterparts in global markets, larger players’ offers mainly consist of end-to-end services and solutions, combining the implementation of networks monitoring and protection strategies, steering and governance solutions, and identity access management related services. The prominence of services is also reflected at SME level, where they clearly prevail over software and hardware solutions with respectively 46%, 39% and 9% of the sector’s 225 SME’s annual turnover (Facts and Figures compiled by CEIS through internal market research and industry interviews). SMEs operate mainly in three sub-sectors: training, consulting and services (30% of the market’s players, 46% of the market’s annual turnover in 2015), encryption, signature and authentification tools (29% of the market players, 11% of the market 2015 turnover), and analysis, detection and mapping tools (23% of the market players, 17% of the market 2015 turnover). These three subsectors generated €453 million in 2015. In excess of this are only sectors such as hardware, CMS tools and infrastructure operators, and OS/ proactive combat tools.
Towards a structured and concentrated French cyber security industry?
A lot of work has been put into better understanding the causes of this situation: to raise awareness among public and private decision makers, and to recommend actions and solutions to initiate a proper structuring and an upscaling of the French cyber security industry.
The government sponsored PIPAME study lists the structural, behavioural and policy weaknesses that hinder the development of a strong and structured cyber security industry. In addition to those listed above, structural factors include a lack of skills, combined with inadequate training programmes, and the absence of shared practices (norms, processes and standards) and certification processes at the European level. Behavioural weaknesses range from a lack of confidence and ambition among SMEs themselves, to a certain unwillingness by major contractors to allocate enough resources to security and innovation, and to insufficient efforts at avoiding national champions from being acquired by outsiders. The lack of private investment represents another serious obstacle: private investors participate in less than 20% of the companies considered in the PIPAME reports, while external investment only amounts to an average of €3.1 million per company (Pipame: Analyse du marché et des acteurs de la filière industrielle française de sécurité – Synthèse, November 2015). Public investment remains equally limited, and the French sector suffers from a glaring lack of schemes and mechanisms aimed at supporting innovation on one hand, and substantial state subsidies on the other.
It can be inferred from the above that these structural and behavioural weaknesses can only be overcome if government agencies and private enterprises join forces to design and implement national strategies and dedicated public policies. What is required is a top-down process, launched jointly by industry and government decision makers, embodied in a strong and proactive industrial policy, aimed at upskilling national cyber security players, and at upscaling the cyber security market. The latter will have to include at least (but not exclusively) R&D, standardisation and certification, and export support.
In this respect, the role of ANSSI (the national authority in the area of cyber defence and network and information security) is instrumental. As part of its three core missions to prevent, defend and inform, ANSSI is ’responsible for creating the conditions for an environment of trust and security favourable to the development of the information society’ (http://www.ssi.gouv.fr/en/mission/audiences-and-activities/). The agency represents a key element in the promotion of national know-how, systems and technologies, and it contributes to the protection and defence of the economic potential of the nation. In fact, ANSSI plays a leading part in the development of a high-grade national product and service offer through different means, ranging from product and services specification to issuing licences and qualifications certifying that cyber security products comply with a set of technical specifications. By providing information and advice, and by playing a consulting and support role for government and critical infrastructure operators, ANSSI also helps local players to better adapt their knowledge of, and capacity to respond to, cyber threats, thereby further upgrading the national services and products offering. It also does so through continued efforts and initiatives aimed at steering French and European research.
Encouraged and facilitated by ANSSI and other relevant government departments and industry players, initiatives aimed at addressing these shortcomings are mushrooming. Concrete projects benefitting from government backing: support – and in some cases even funding – have already been set up while ad-hoc working groups have also started to write roadmaps in a variety of areas. One such was the objective of the cyber security working group set up by Allistene, a public research body, or the ‘Cybersecurity plan’ designed by ANSSI as part of the Ministry of Economy ’Nouvelle France Industrielle’ (New Industrial France) project. Other initiatives include the ’France Cybersecurity’ label or the Cybersecurity Observatory, among many others («Cybersécurité & Confiance numérique », by Systematic Paris-Region and Hexatrust, 2017). Clustering tech start-ups, research centres, and entities working in the field of cyber security is also a first important step towards a more coherent structuring of the industry in France. So far, seven clusters, totalling 263 members, with activities related to cyber security, had been set up by 2014, either with cyber security as their exclusive activity or as part of a wider range of activities (Pipame: Analyse du marché et des acteurs de la filière industrielle française de sécurité – Synthèse, November 2015).
Much still remains to be done but seeds have been sown and foundations laid, and there are many reasons to be optimistic. Boosted by willing decision-makers, proactive local authorities and industry groupings, and driven by a seemingly unstoppable digital transformation, chances are high that the French cyber security market quickly overcomes existing challenges to better exploit its assets and unlock its potential. Challenges ahead include fostering further cooperation, better coordination and more synergies between public and private bodies, defence players and critical infrastructure operators. Establishing a clear and assertive industrial policy aimed at enhancing the visibility of the sector’s start-ups both locally and on international markets, setting up export support schemes and innovation support mechanisms, and boosting R&D will lead to reinforcing collaboration and harmonisation at the European level and the ability to approach international markets from a stronger position.