After nearly 50 years of membership, on 31 January 2020, the United Kingdom formally left the European Union (EU), some four years after the Brexit referendum. This extended period of regulatory harmony leaves the UK (for now) as the EU’s most closely aligned “third country”, including from a cyber security perspective.
This common history leaves plenty of room for a collaborative future for the UK and the EU. For example, the UK has always been viewed as a global leader in tackling cyber crime and had an enviable track record of providing staff and expertise to Europol and the EU’s cyber security agency ENISA. The EU, meanwhile, has a track record of acting as a pivotal regional hub for cyber security partnerships.
Following protracted negotiations around future relations, two key agreements came into operation in May 2021 to provide a framework for the ongoing cyber security relationship between the two parties. These encompassed trade and co-operation, and security of information (including cyber security). Although these agreements have been seen as positive steps towards a renewed age of collaboration, there remains considerable uncertainty surrounding the nature of the UK’s relationship with the EU from a cyber security perspective.
The UK faces a choice in terms of its ongoing cyber security relationship with the EU: to preserve its collaboration (and cyber-related trade) with the EU by adopting an aligned approach; or to adopt a divergent approach that opens the door to opportunities in the global marketplace, at the risk of sacrificing its existing relationships (and trade) with the EU.
UK market maturity
It is, of course, important that the UK weighs its future cyber security relationship with the EU carefully, asking whether it is a case of “better the devil you know” and preserving its existing ties; or whether to risk short-term pain in search of (potential) future gain with a divergent approach. However, it must be acknowledged that the UK’s cyber security market has always sat on a different trajectory to that of other EU nations, which in turn have differences amongst themselves.
A key component of this pre-existing divergence is that the UK is a more mature market when it comes to IT in general, and particularly for cyber security. It has always been more open to US-based third-party technology vendors, from where many of the industry’s innovations originate, as well as to the concept of bringing in third-party specialists to deliver security capability.
So, for example, where the UK was a rapid adopter of managed security services (MSS), other EU geographies were slower to do so given their stronger concerns over retaining internal visibility and control. However, given the stereotypically “pragmatic” British approach, these concerns were overcome given the benefits of scale, expertise, flexibility, automation and resources that MSS providers (MSSPs) deliver in support of improved security outcomes for customers.
The latest iteration of this trend sees the UK at a transition point – UK MSS growth (and share of total security spend) is flattening, the focus shifting instead to consuming security from the cloud, according to April 2022 security forecasts made by IDC and Gartner. This takes the form of both cloud-based managed security services and software as a service (SaaS). The UK is ahead of its European peers in both these areas, not least due to the more pragmatic mind-set around data sovereignty in the UK compared to the EU.
Recent geo-political and economic headwinds such as the energy crisis, continuing inflation, the threat of economic recession and ongoing supply chain shortages are pushing organisations to cut budgets and re-prioritise projects. The Gartner and IDC data show we are seeing the UK starting to outpace the rest of Western Europe in a switch-back in emphasis and demand for security software. But, significantly, this growth in software demand comes particularly in the form of SaaS, i.e. cloud-based software.
Openness and ‘frictionless security’
A key ramification of Brexit is that, with new trade barriers erected where once there were none, many organisations are seeking to both re-build supply chains and address customer markets outside the EU in pursuit of free trade with the world. Combined with accelerating cloud adoption, mobility, and remote working, this places an added pressure on the UK’s security market to act as a secure enabler for the flexibility and scalability that UK businesses will need to capture opportunities as they emerge on the active, but competitive, global marketplace.
This has resulted in new opportunities for the UK security industry, which is being called on to support the goals of international openness and interconnectivity. The resulting economic opportunity is expected to result in the UK cyber security market performing better and growing faster than most of Western Europe, according to IDC and Gartner. This will be driven by opportunities in growth areas such as the secure access service edge (SASE) framework, zero-trust architectural initiatives, application security and securing cloud migrations.
In contrast, the EU is adopting a more inward-looking approach, focusing on shoring up in-region consistency around data sovereignty and associated data sharing initiatives within EU member states. This is exemplified by developments such as the European Strategy for Data, the European Data Governance Act and the Gaia-X initiative.
While these three examples cover a lot of ground, in general they are demonstrating the EU’s focus on initiatives such as building a common data environment, as well as facilitating standards for and ease of data flow within its boundaries. It is important to note that the EU does acknowledge the importance of building mechanisms for data exchange outside the EU as well, although these are subject to adherence to regulatory equivalence.
To conclude
In summary, while the UK is yet to fully commit to either of the cyber security “paradigms” outlined earlier in this article (EU alignment vs. going it alone), it is already evident that the two sovereigns are on divergent trajectories. It appears that, as the result of the open and outward-looking approach being adopted in the UK, there could be a real opportunity for security innovation. What UK firms and cyber security providers need to be mindful of, however, is ensuring that this new flexibility, openness and interconnectivity does not exacerbate exposure to risk.
The UK government’s response to this potential risk gap is that it has introduced the concept of “cyber resilience” as the second of five ‘pillars’ within its National Cyber Strategy for 2022-2030. This is aimed at achieving the right balance of driving economic growth through innovation and inter-connectivity, while also taking steps to mitigate the risk that this openness represents.
Just as important, though, has been the emergence in the UK of industry-specific guidance on the topic of cyber-resilience. A key example is provided by the Bank of England’s April 2022 proposals around operational resilience for the UK’s financial market infrastructure (FMI) firms.
As we head into 2023, it is worth considering how security leaders can better position themselves as intrinsic to the realisation of broader business goals. If pursued correctly, this focus on more frictionless security could serve as a blueprint for a more symbiotic relationship between the two disciplines. In fact, frictionless security could represent the “connective tissue” that joins business and security leaders together in a unified approach.
Quentin Toussaint is executive vice-president and Dominic Trott is head of strategy for the UK at Orange Cyberdefense.