Market Analysis

BUSINESS CYBER SECURITY IN THE UNITED KINGDOM (UK)

Number of cyber security firms in the United Kingdom, by size of company 2021
[Bar chart. Y-axis: number of companies. X-axis: size of company*: Large (250+ employees); Medium (50-249); Small (10-49); Micro (1-9). Bar values shown: 1,051; 447; 184; 156 (pairing with categories not preserved).]
Note(s): United Kingdom; February 2021; Businesses with at least one member of staff
Source(s): Ipsos MORI; Perspective Economics; Department for Digital, Culture, Media and Sport (UK); ID 1227895

Estimated revenue of the cyber security sector in the United Kingdom from 2017 to 2021 (in billion GBP)
[Bar chart. Y-axis: revenue in billion GBP. X-axis: 2017; 2019; 2020; 2021. Bar values shown: 10.15; 8.9; 8.3; 5.7 (pairing with years not preserved).]
Note(s): United Kingdom; February 2021; Estimate based on 1,838 cyber security businesses in the UK* Further information regarding this statistic can be found on page 34.
Source(s): Ipsos MORI; Perspective Economics; Department for Digital, Culture, Media and Sport (UK); ID 1227894

Share of registered cyber security firms in the UK in 2021, by type of service
• Cyber professional services: 75%
• Network Security: 65%
• Endpoint Security: 57%
• Threat Intelligence, Monitoring, Detection and Analysis: 54%
• Information Risk Assessment and Management: 52%
• Incident Response and Management: 33%
• Training, Awareness and Education: 17%
• Identification, Authentication and Access Control: 15%
• IoT: 4%
• SCADA and ICS: 2%
Note(s): United Kingdom; February 2021; 1,838 respondents; Companies
Source(s): Ipsos MORI; Perspective Economics; Department for Digital, Culture, Media and Sport (UK); ID 1227892

United Kingdom (UK): How much money did your organization lose as a result of a breach?
(in British Pounds)
United Kingdom: Money lost in organizations due to cyber breach 2021 (in GBP)
[Bar chart. Y-axis: share of respondents. Categories: Less than 5,000 GBP; 5,000-9,999 GBP; 10,000-49,000 GBP; 50,000-99,000 GBP; 100,000-499,999 GBP; 500,000-999,999 GBP; More than 1 million GBP; Don't know. Bar values shown: 23%; 21%; 18%; 14%; 11%; 8%; 4%; 1% (pairing with categories not preserved).]
Note(s): United Kingdom; April and May 2021; 1,000 respondents; senior IT decision makers*
Source(s): Sapio Research; Keeper Security; ID 1255353

A diversified cyber security ecosystem

Market Overview – Demand Side
• Related PACs market competitive analysis by Pierre Audoin Consultants identifies four key distinct buying groups in the security (and privacy) domain, each with significantly different security requirements, buying/pricing points and purchasing behaviours [PAC13].
• These four identified categories are:
1. Defence and Intelligence – specialist defence and intelligence agencies, which are a specialised subsegment of the wider public sector cyber security segment.
2. Government (other than Defence and Intelligence) – this includes central and local government, publicly funded agencies and so on.
3. Large Enterprises – i.e. private firms with more than 250 employees.
4. SMEs and Consumers – which account for the remaining private sector buyers, and buyers in the general public.

Segmenting the buyer needs
Buyer Sub-Category: Overview of Sub-Segment

Defence and Intelligence
• Most mature security market segment, tend to buy the most expensive and complex products.
• Invest in solving the most complex PACs R&D challenges.
• Highly trusted relationships with PACs vendors and service providers, who are typically small in number and are required to have top security clearance levels.
• Long sales cycles typical (years rather than months).
• SME suppliers do not typically access this market easily; when they do it is usually via larger product and service providers.

Government
• Broadly can be referred to as the “rest of the public sector”.
• Key sub-segments within this group include (1) larger “central” government agencies covering key ministries (e.g. finance, social protection, pensions, justice etc.), (2) law enforcement groups focused on the cybercrime dimension of PACs, and (3) agencies operating at regional or local government level (e.g. local government agencies, universities, health trusts etc.).
• Broad spectrum of PACs requirements can exist within the government category. (1) Central agencies will often have the most sophisticated PACs requirements, often as part of larger organisational or ICT transformation programmes. (2) Law enforcement will have specific requirements to help them identify and prosecute perpetrators of cyber-attacks, fraud, and other serious cyber-crime offences - defence contractors participate alongside enterprise PACs players here. (3) Smaller regional government entities will have varying PACs requirements that will overlap heavily with a broad portion of the enterprise segment.
• Key differentiator between government and enterprise buyers is the need for government agencies to follow specific procurement procedures and tendering processes, often supported by specialist online portals.

Large Enterprises
• Tend to have broadly similar PACs requirements to the central government agencies above, but often are supported by more developed in-house IT skills and resourcing.
• Will also have different procurement procedures to government agencies.
• Certain enterprise segments are more vulnerable than others to attack due to several motivations, for example financial players (e.g. financial reward), pharmaceutical players (e.g. IP theft), and IT service providers (e.g. reputational damage). Pivotal IT players with broad global infrastructure footprint (e.g. Google, Amazon, Rackspace, etc.) would also have highly advanced PACs requirements.
• Other industries would typically have a lower risk profile rating (e.g. manufacturing and retail), and would typically spend much less on security. For example, online retailers are particularly careful in ensuring that security measures do not negatively impact customer experiences and online conversion rates.
• Understanding the industry-specific nuances of individual verticals and the implications for implementing appropriate levels of PACs is crucial in serving each segment, particularly around industry-specific legislation and compliance mandates that may complement broader government-mandated legislation.

SMEs and Consumers
• Viewed as the least mature segment with the strongest growth potential in the long term.
• Have much smaller budget availability but are collectively expected to form a larger addressable market opportunity in the future, especially as SMEs are now being breached more frequently than in previous years.
• Consumers and (most) SMEs have a very different PACs buying behaviour to larger enterprises, do not have dedicated cyber/IT security skills, and tend to buy their IT from low-touch channels, i.e. resellers, high street retailers, or via the web, and increasingly via cloud services.
• Like to “outsource” security, and have it pre-packaged in the services they buy. Hence it is often bundled by default in widely used hardware and software. A lot of freeware products serve this segment, making revenue potential and viable business models more challenging.
• From a supply-side analysis perspective at least, many SMEs (micro-SMEs in particular) would broadly have similar purchasing requirements to consumers. This is not to ignore the great variation that will exist across SMEs and the exceptions to this rule that will exist, particularly for companies at the larger side of the SME definition (~250 employees).

UK's Position
• The analysis conducted for this report leads PAC to conclude that the UK’s cyber security sector is of above-average strength on the world stage.
To use a cycling analogy, the UK is in the leading peloton, but there is no overall leader.

SWOT Analysis

Strengths
• The UK has world-class knowledge and companies
• Large domestic market – with financial leverage
• UK university R&D is world class
• UK Aerospace, Automotive & Defence industry is an asset
• Good public/private cooperation

Weaknesses
• Talent pool and supplier community is limited in size/number
• Limited links between business and academia
• Many suppliers lack scale, know-how and funding
• SMEs feel excluded from the defense and general public sector segments
• Many SMEs are services businesses and find it hard to scale

Opportunities
• The UK is one of the largest and most sophisticated IT markets
• Government and commercial sector will increase investment
• Foreign direct investment could boost the sector
• SME sector potential
• Potential to exploit UK security expertise in international markets
• Potential opportunity to exploit cyber liability insurance

Threats
• The biggest cyber security firms are from overseas
• Overseas investors are better funded
• Proliferation of overlapping accreditation/standards
• International competition
• Enterprise opportunity driven by overseas decision-makers
• Cloud-delivered services are expected to displace on-premise security solutions

MARKET SIZING
• The market for Cybersecurity includes revenues generated in the three security-related segments IT Services, Software, and Hardware. The general aim of these products is the protection of computer systems and networks against threats and vulnerabilities. Cybersecurity provides and maintains confidentiality, integrity, availability, and privacy. This includes measures to prevent and to respond to incidents, such as attacks and disruptions, as well as tools to investigate and manage risks.
• Market values represent revenues paid to primary vendors at manufacturer price level either directly or through distribution channels (excluding VAT).
Reported market revenues include spending by consumers (B2C), enterprises (B2B) as well as governments (B2G). Revenues are allocated to the country where the money is spent.
• Company examples: Cisco, Palo Alto Networks, Secureworks.

MARKET FORECAST
• Revenue in the Cybersecurity market is projected to reach US$9.52bn in 2022.
• The market's largest segment is IT Services with a projected market volume of US$5.67bn in 2022.
• Revenue is expected to show an annual growth rate (CAGR 2022-2026) of 9.29%, resulting in a market volume of US$13.58bn by 2026.
• The average Spend per Employee in the Cybersecurity market is projected to reach US$269.40 in 2022.
• In global comparison, most revenue will be generated in the United States (US$58,650.00m in 2022).

Competitor Analysis
• Our competitors are small to medium-size MSSPs; most of them provide both managed security services and security consultancy. A few medium-size competitors:
• https://www.cyberproof.com/security-services/managed-security-services/
• https://cipher.com/
• https://kudelskisecurity.com/

Companies compared: CyberProof; Cipher; Kudelski Security
Comparison criteria: Revenues; Nb. employees; Customer Base (Size); Costing Model; Quality of service; Sectors; Services offered
Sectors and services listed in the comparison:
• Managed Security Services; Security Event Monitoring; Managed Detection & Response; Use Case Engineering; Advanced SOC Services; Enhanced Services; Advisory Services; Azure Security Services
• Financial; Mfg; Health care; Logistics; Gaming, Energy & Utilities
• Managed Detection and Response (MDR); Managed Security Services (MSS); Cyber Intelligence Services (CIS); Red Team Services (RTS); Governance, Risk and Compliance (GRC); Cyber Technology Integration (CTI)
• Cybersecurity for Internet of Things (IoT); Advisory; Block Chain; Managed Detection & Response; Technology Optimization; Managed Security; Incident Response

Cyber Himal