Cyber-security start-ups in France, a booming ecosystem (2/2)

Posted on

 

After a first article on the cyber-security start-ups radar, this second article is about which means these start-ups can use to properly develop. How to acquire customers among large corporations? How to develop abroad? These are one of the many challenges to face. 

Corporate accounts: essential but complex targets

The economic fabric of France relies heavily on big groups that have substantial investment capacity. For start-ups seeking to market their cyber-security offers, these are the prime customers. However, the rigid and complex processes of these large companies constitute a major obstacle for start-ups.

After all the pitfalls involved in identifying the multiple budget holders in the structure (ISSM, architect, expert, IT Manager, purchasing, etc.), it remains very difficult to sign the first contract. The purchasing process can take from three to six months, and is too complex for the way that start-ups operate, with them being asked for proof of profitability, years and years of experience, and references from other customers – impossible for the first contracts.

This situation is exacerbated for cyber-security as start-ups often cannot count on the innovation hubs created by the corporate accounts to facilitate their exchanges with the innovation ecosystem. On the one hand, because start-ups struggle to convince businesses of the benefits provided by their proposed solutions, and on the other because the innovation teams have difficulty understanding the practical benefits given the specific nature of the issues. Feedback on successes shows that cyber-security departments in the corporate accounts often have to be the driving force, or even develop the relationships with the cyber start-ups themselves.

Attitudes that must change within the large companies

Once contact has been established, there remains the step of carrying out tests in live conditions (Proof of Concept). It’s an example of the difficulty that start-ups have in competing with the established cyber-security developers in the corporate world. These tests are needed to evaluate the effectiveness of the new solution. The big developers, with substantial financial resources, offer ‘PoCs’ free of charge to their customers, who in turn have become used to these ‘free’ tests carried out for their benefit.

For start-ups, however, the situation is different as their working capital requirements are acute and carrying out such tests free-of-charge can endanger their very existence!

It is therefore necessary for the big groups to have suitable budgets, often in the order of only a few thousand euros, to test the innovative solutions proposed by the start-ups.

Positive feedback from interactions between start-ups and corporate accounts in France

However, successful collaboration between start-ups and corporate accounts shows that these two worlds can work together. And the effort made pays back in a big way. Start-ups like Alsid and Idecsi thus benefit from the testimony of large customers that are in a position to reassure other companies and the investors.

A French cyber-security ecosystem that values innovation

In France, the presence of an ecosystem that regularly promotes innovation by including corporate accounts and start-ups is highly visible: the “Assises de la Sécurité” with the Prize for Innovation, the International Cyber-security Forum (FIC) with the Innovative SME prize, and the competition devoted to cyber-security in the banking industry, jointly organized by Société Générale and Wavestone. These initiatives help to highlight cyber-security innovations, as well as promoting direct contact between the different players. They contribute to creating the relationship of trust needed for the corporate accounts to invest in the solutions proposed by start-ups.

The importance of having a French offer for digital sovereignity

Cyber-security is a global issue but also affects national security. The benefits of having reliable products in this area is obvious.

Even if much remains to be done to guarantee digital sovereignty, the initiatives of certain French start-ups have made it possible to import concepts that initially existed only in other countries. This is the case, for example, with Bug Bounty’s platforms. In France, three start-ups, Bug Bounty Factory, Bug Bounty Zone and Yogosha offer services in this field. Over time, this could make it possible to retain knowledge of sensitive vulnerabilities within Europe or indeed in France.

It is important to note that the French domestic market for cyber-security is largely driven by players in the defense sector, both public and private, who invest and help start-ups to grow. But these growth opportunities are, at the same time, an obstacle to exports and make it more difficult to communicate references.

Tomorrow, successfully growing beyond national borders

The research sector is becoming structured

Research in cyber-security is also very active in France with many  laboratories being involved and some leading-edge initiatives. The Allistene grouping, which includes INRIA, CEA, CNRS and a number of higher education institutions is just one example. Prominent chairs have been devoted to cyber-security issues and its practical applications, for example for autonomous vehicles. Together with the initiatives launched the big companies, this all adds up to the creation of fertile ground for numerous start-ups to bloom and grow.

Overcoming purely French considerations to grow internationally

France has much talent in terms of cyber-security, fertile ground to facilitate the emergence of start-ups, and a market that can support these structures. But this very positive situation must not be allowed to mask the principal difficulty currently faced by our start-ups: achieving international success and growth.

Apart from a few success stories, such as Qualys in the past, and more recently Linkurious in the United States, French start-ups struggle to go beyond their own borders. They face barriers in terms of their ability to communicate effectively in English, the weakness of French customer references, legal issues, and also psychological barriers to expatriation. Whereas the quality of French cyber-security specialists is widely acknowledged, the quality of the start-ups remains unknown.

Breaking through this glass ceiling requires joint initiatives with the government, large companies, and the strong entrepreneurial spirit of start-up founders.

Let’s start working together, pooling all our strengths, so that this becomes a reality in years to come.