startups - RiskInsight

The 2020 French Cyber-Security Startups Radar: our analysis (2/2)

Gérôme Billois — Mon, 23 Nov 2020 08:00:52 +0000

In a previous article, we shared an initial analysis of the dynamics of the cyber security startup ecosystem in France. The panorama of startups remains constant, with newly created startups already showing great promise. Others, with already several years of activity to their credit, have continued to grow, to the point that we had to create a new category: scale-ups. However, this ecosystem is facing two major adversities, such as the current health crisis and the resulting slowdown in international trade. We have therefore tried to envisage the necessary evolutions for this startup ecosystem.

The health crisis: an activity slowdown but not a halt

Despite a major health crisis having a major impact, the vast majority of startups remain confident about their future (more than 80% of the startups surveyed). Some client companies have even prioritized their cyber security activities to strengthen their position in this unprecedented context.

Thus, 34% of the startups surveyed stated that they were balanced in terms of business opportunities, with those lost since mid-March having been able to make up for those lost. 21% of them have even seen an increase!

A reassuring figure, to be put into perspective, as more than a third (37%) of them have suffered losses in market share, notably due to investment halt for certain clients. Some still have trouble giving their opinion due to a lack of commercial visibility (8%).

On this last point, the relevance of the sector of activity of these startups to the new challenges brought about by the health crisis is probably related. The majority of those who resist are in fact addressing issues raised by the forced generalization of remote access to information systems: data protection and secure exchanges, monitoring and protection of assets, and access management. The reorientation of their commercial efforts towards resilient sectors, such as healthcare, is probably another factor in these results.

75% of the startups surveyed also took advantage of the period to refocus on R&D or their products marketing.

These figures demonstrate the ability of startups to cope with the crisis, despite the adversity and uncertainty it brings, through their great flexibility and responsiveness capabilities. It also highlights the cybersecurity sector resilience, as it remains a key challenge for companies. Even in this period of economic crisis, they continue to seek ever more relevant and effective solutions to guarantee their security.

A particularly visible slowdown in fund raising

We compare here two fundraising periods on the whole ecosystem (cybersecurity startups and scale-ups): period 2019-2020 (from July 2019 to June 2020) and period 2018-2019 (from July 2018 to June 2019).

The qualitative resilience of the ecosystem noted above masks a more negative situation on fundraising. The 100 million euros raised in cyber security over the period 2019-2020 is far less compared to the more than 260 million euros raised in the previous one, 2018-2019.

However, the 2018-2019 period had been exceptional: 7 radar startups had raised around 10 million euros, 2 were close to 200 million euros alone. Fundraising in previous years had never reached such levels.

2019-2020 has been exceptional as well, but in a very different way. Great fundraisings took place until February: the top 4 was achieved over this period. Unfortunately, the activity was quickly impacted by the health crisis. Several surveys planned between February and April were postponed.

However, a restart was observed in April (Stamus Networks) and interesting fundraisings followed in June (e.g. Didomi, Quarkslab). These results point to a more successful end of the year.

As also foreseen by ACE-Management (please find here the interview), a lag effect of a few months in investments seems to be emerging, rather than a decrease, once again highlighting the dynamism of the cybersecurity market.

Another interesting aspect of the 2019-2020 period is that weaker fundraising is on the rise. 7 startups have raised between 2.5 and 5 million euros compared to only 3 in the previous period. Is this a potential indicator of the growing willingness of startups to raise funds early in order to accelerate their development? Or perhaps we are witnessing the preparation of the next generations of scale-ups? In any case, it is a very positive sign for ecosystem dynamic.

Given the exceptional characteristics of the two periods, it sounds difficult to draw a definitive analysis. We hope to see you next year, as it will be necessary to put those findings in perspective.

Developments needed in all facets of the ecosystem to ensure its success

Clients: take the risk of going beyond POCs

Clients also have a key role to play in the development of French startups.

In this respect, we see that companies increasingly trust French startups and support them while testing them: 70% of them carry out “Proof of Concepts” financed by their clients against 67% last year. An increase that we can only welcome, as these investments allow French gems to develop faster.

However, to continue to support this ecosystem development, it is also necessary to accept the risk of transforming the trial by contracting with the solutions tested. This year, companies are finding it harder to do this quickly: 30% of them may take more than six months to sign a contract after a POC, compared with 25% in 2019. The health crisis may partly explain this situation.

Working with a startup can certainly be risky, but it is also a gamble on the future. They can provide solutions to problems to which the “traditional” market has not provided answers for many years, enable you to remain at the cutting edge, or even provide greater support for business innovation (e.g. by securing new uses), and ultimately provide major differentiators. Some countries are keen to take this type of risk, and this is less the case in France, but nothing is stopping us from transforming ourselves.

Startups: know how to identify the next gems from your clients!

Even if it seems trivial, it is important to remember how crucial for a startup to position itself on issues that have few or no satisfactory answers on the “classic” market.

To do so, it is essential for startups to be attentive to the needs of their future clients and to position themselves on their crucial issues.

The identification should not only be technological but should also take into account criteria such as the difficulty of integrating the technology into the client’s information system, the existence of established competition or the willingness of the main principals to invest in a new technology. It is the combination of these criteria that makes it possible to identify the topics that will be the most successful on the market!

Products that require the installation of elements on many IS equipments (e.g. a new security agent on workstations) are particularly difficult to “sell” to large companies that are already equipped. More passive approaches are more attractive to them. This can be done even more easily for still rapidly evolving themes such as surveillance or analysis of IS logs.

Competition from large, well-established players can be difficult for a start-up to overcome. This is the case in the EDR market, for example, where strong differentiating arguments will be necessary to break through against major players that are already recognized. Conversely, themes such as cyber-resilience and cryptography, for example, remain under-addressed in relation to market expectations, and would therefore be easier to break through from this point of view.

Finally, the investment willingness of the principals should also be considered. Regarding cryptography, for instance, the arrival of quantum computers is still too far away for it to be part of their imminent concerns, as the horizon in the private sector is certainly around 2023/2024. Data anonymization, while keeping anonymized databases consistency (synthetic data), Data Leakage Prevention or Passwordless are also major concerns for companies, which still do not have satisfactory answers on the market. The rationalization of CISO tools, which are currently more in search of optimization than investment in nth security solutions, is a topic that will be much more considered in the short term.

Startups: don’t forget to take advantage of financing and support opportunities!

This year, another 32% of the startups surveyed do not plan to raise funds, and more than half of them have never been supported in their development.

Financing and support are nevertheless interesting accelerators, even more in the extremely fast cybersecurity market, where speed of market conquest is a crucial asset.

This lack of willingness to accelerators, which has been observed for several years, can partly be explained by a historical lack of specialized cybersecurity structures in France, making it more complex for startups to exchange information and to make the most of them.

However, the situation has improved and the consideration of cybersecurity at the national level is particularly accelerating this year:

The State is mobilizing funds for innovation, particularly in the cybersecurity sector, for which the economic recovery plan provides at least 136 million euros;
A major challenge dedicated to cybersecurity has been launched, the publication of its roadmap in July this year was followed by a call for projects from BPI France with investments of several tens of millions of euros;
The French fund Brienne III, officially launched in June 2019 with a first round of financing at 80 million euros and managed by ACE-Management, specializes in cybersecurity. Other investors do not hesitate today to finance initiatives in this field.

So many opportunities to be used for the startups in the ecosystem, and it would be a shame to do without it today. Current events highlight even more the fact that now is the right time to turn to these accelerators, as cybersecurity appears to be an essential part of the “new world”, where teleworking will remain a long-term phenomenon.

Ecosystem: let’s catalyze and amplify these promising initiatives!

As we have seen, initiatives for the development of cybersecurity are springing up: the State is mobilizing (cyberdefense factory, grand défi, sector contract, cyber campus…), investors and incubators are also launching private initiatives.

The state is opening up widely thanks to these initiatives and is adopting an increasingly innovative stance. We hope that this will encourage employees of concerned entities to embark on the entrepreneurial adventure. Indeed, our cyber state actors have unparalleled visibility of the threat and use tools or approaches that would be beneficial to offer to the private sector in the short or medium term. The creation of spin-offs is still too small in France compared to other countries, such as Israel and the United States, where state entities are among the first providers of startuppers.

The challenge now will be to make the most of this diversity of potential energizers of the French cyber ecosystem. The risk would be that these means of supporting the market would compete and disperse, operating in silos, to the point of causing confusion and “blurring” the messages to the players in the ecosystem.

And that would be really damaging. We are at the dawn of a pivotal year for our ecosystem: all the components seem to come together to achieve its transformation and allow it to scale up. The question now seems to be: will we collectively succeed in making this movement a reality? Because in order to do this, it seems essential to us to join forces in presence, to catalyze them towards this common goal. A role that the cyber campus could play?

And that would be really damaging. We are at the dawn of a pivotal year for our ecosystem: all the components seem to be coming together to achieve its transformation and allow it to scale up. The question now seems to be: will we collectively succeed in making this movement a reality? In order to do so, it seems essential to join forces and to catalyze them towards this common goal. Is it a role that the Cyber Campus could play?

2021: the year of fulfillment?

Despite the impacts of the global health crisis, cybersecurity remains a resilient sector, as the ecosystem of French startups in this field has also demonstrated. Their development projects are sometimes delayed, but they remain confident about their future despite the challenges they have faced and will continue to face.

In this context, it remains essential to continue to support the ecosystem development. Many specialized support services are being created, and 2021 will be a pivotal year for the transformation of our ecosystem and for raising it to an international level.

Cet article The 2020 French Cyber-Security Startups Radar: our analysis (2/2) est apparu en premier sur RiskInsight.

The 2020 French Cyber-Security Startups Radar: our analysis (1/2)

Gérôme Billois — Mon, 23 Nov 2020 07:00:59 +0000

Towards realization despite adversity?

Last year marked the beginning of the French cybersecurity startups ecosystem transformation. This year, many questions are being asked: has the momentum continued despite the health crisis? How has the ecosystem responded? What actions would support it towards scaling up?

A dynamic ecosystem where some startups are reaching maturity

An ever-changing panorama of startups

Our radar now lists 152 cybersecurity startups, which represents 18 more startups than in June 2019, representing a 13% growth. Regarding their size, there has been a sharp increase (73%) in the number of “medium-sized companies”, while the number of “very small companies” and “small companies” remains stable, which is a sign that the market is becoming stronger. In total, startups represent more than 1,400 employees, 17% more than last year, a figure that has increased for the 4^th year in a row.

In terms of geographical distribution, the findings are is quite similar to 2019: Paris remains the main hub (more than 60% of the radar startups have headquarters there). Rennes region comes in second position and continues to grow in volume to reach 10% of representativeness. Bordeaux region comes third, with 4% of startups.

Still promising startup creations

The radar shows 16 young startups created between early 2019 and August 2020. Among these startups, we can see that:

More than a quarter focus on data protection topics: Olvid, Protected, Pineapple Technology, BusterAI
Nearly another quarter on vulnerability management and operational security activities: Patrowl, V6Protect, Purplemet.
Endpoint protection (Nucleon Security, Glimps) completes the podium of the main themes addressed by these new startups.

We want to raise your attention to Malizen, a startup which is positioned on threat hunting and assistance to investigations by incident response teams, a topic that is still little represented in today’s ecosystem. Moabi’s position on firmware security auditing (embedded software) is also interesting in terms of connected objects security.

These new startups most often originate from the identification of a gap in the market by one of the founders during a previous professional experience. This year, however, two companies, Malizen and CryptoNext, have emerged from research projects. This is a small but interesting figure compared to previous years, especially in a French context where the world of research and that of cybersecurity are still too separate.

Only 38% of French startups position themselves on emerging themes

The startups relationship to innovation remains stable compared to previous years. 30% of startups are disruptive and create new security solutions and 8% secure new uses (IoT, Cloud, etc.). However, the majority (62%) of startups reinvent existing solutions by proposing improvements. Despite the lack of direct innovation, these startups can be very successful if they demonstrate business agility. A perfect example is Egerie Software, which quickly tackled the issue of digitizing the Ebios Risk Manager risk analysis method developed by ANSSI.

In terms of innovation, we can emphasize cryptography, as current encryption methods are threatened by quantum computing. This is precisely the aim of Cryptonext, a startup committed to providing robust encryption solutions in the face of these new threats, as it is focusing on post-quantum cryptography. Another startup, Cosmian, is focusing on the “confidential computing” trend, which makes it possible to encrypt data stored in the cloud using a homomorphic encryption algorithm, and then use encrypted data in the cloud without having to entrust the key to the service provider. Scille is another one to follow, as it introduced the CYOK concept (Create and Control Your Own Key) through its Parsec solution, that makes the user workstation the only trusted entity that automatically generates encryption keys.

Still at the center of the CISO’s concerns, the user is offered new innovative means of being made aware of security, with Cyberzen’s augmented reality, or HIA Secure’s new authentication methods using “human intelligence”, where the user himself generates single-use codes after solving challenges consisting of a sequence of symbols and characters.

With the generalization of teleworking for all employees, the health crisis of Covid-19 has also reinforced the need to secure the terminals. New French Endpoint Detection and Response (EDR) solutions continue to emerge, such as the Nucléon startup. Some are even going further regarding innovation, such as Glimps (created by four former DGA – the French Defence Procurement Agency – employees), which is trying to revolutionize malware detection and analysis by conceptualizing the compiled code, which allows them to free themselves from the modifications induced by the compilation, the target architecture and thus detect unknown threats on non-standard systems.

Many companies want to democratize the use of agile methodologies, while integrating security into these processes remains a real challenge in most cases. Intuitem tries to remedy this by providing the necessary tools to monitor their Agile Security Framework.

Finally, with the emergence of connected objects, the need for a secure IoT platform is more important than ever, this is what Tarides proposes through its OSMOSE solution.

As some startups are becoming more mature, the first « scale-ups » are being identified

20 startups are leaving the radar this year, 6 less than last year. Of these exits, 5 are very fast growing (exceeding 35 employees in less than 7 years of existence) and 1 is due to a buyout. This continuity compared to last year demonstrates a growing capability of the French startup ecosystem, as some “scale-ups” are emerging in the cybersecurity field and can expect to attract the largest buyers or larger funds. As such, we are launching, together with BPI France, a first non-exhaustive monitoring of this category. The aim will be to complete the scale-ups list with the startups that will leave the radar in the coming years, due to very rapid growth.

A smaller proportion of startups are removed from the radar solely because of their seniority (20% this year compared to 37% in 2019). This year, we are seeing the first projects put “on hold” (20%, unrelated to the health crisis) and those shifting from cybersecurity to other fields (20%).

An ecosystem in full renewal

International: a growing reality for startups

The health crisis does not seem to have shaken the willingness of startups to internationalize: this year, nearly 63% of the startups say they have customers abroad compared to 50% one year ago and 13% of the startups are thinking about going abroad. Cybersecurity is indeed a global issue and going international may prove to be an opportunity for startups, with countries where cybersecurity market is more mature or important than in France.

Regarding startup expansion targets, 55% want to expand beyond European markets. The US market is the preferred target for a third of startups wishing to expand on an international scale, and some French gems like Sqreen or Alsid have already taken this direction.

However, the Asian market should not be forgotten, which, even if it is less successful (only 18% of startups interested), can prove to be promising. It is a large market, where a targeted approach is necessary. Indeed, it may be interesting to start by targeting the economic centers of Hong Kong and Singapore, known to be good bridges between Europe and Asia. Singapore is particularly dynamic in cybersecurity with a historic investor (SingTel) and incubation structures widely mobilized, such as ICE71 or the branch of the English incubator CylonLab. However, Hong Kong remains strong, with a significant number of acceleration programs such as Cyberport and the DIP (Design Incubation Program).

2019-2020: The Year of National Initiatives

The French cybersecurity ecosystem is in full renewal. Numerous initiatives were launched between 2019 and 2020.

In October 2019, the Ministry of the Armed Forces inaugurated the “Cyber Defense Factory“. It is a place for cross innovation between the civilian and military worlds. Based in Rennes, this facility enables startups, SMEs and academics to work together with DGA experts and military operational staff on cybersecurity issues. It will also provide access for selected companies to certain data from the government.

In addition, the Strategic Committee for the “Security Industries” sector has seen its strategic contract signed with the State. The latter includes a dedicated section for cybersecurity aimed at bringing out France’s potential in terms of cybersecurity by aligning and mobilizing the various players on policies for education, innovation and technological development. Concretely, it will promote the private/public relationships, as well as initiatives on the innovation front. The first major results are expected in 2021.

The Grands Défis initiative, which stems from Cédric Villani’s work on artificial intelligence, saw the publication of its cybersecurity roadmap in July 2020. With a 30-million-euros budget, it highlights key themes such as cybersecurity automation, SMEs security and IoT security. A call for applications has been opened by BPI France and will close in 2021. The roadmap also highlights the importance of cybersecurity, pushing for the creation of a dedicated structure to help entrepreneurs get started and support them as early as possible.

Finally, the Cyber Campus project has been validated at the highest level of the State. The creation of this emblematic site aims at bringing together the driving forces of French cybersecurity, obviously to better protect our country and its strategic assets, but also to develop its economy and promote France abroad on this theme. Innovation should be widely represented, with the presence of start-ups, demonstration areas and even initiatives to accelerate or incubate cybersecurity startups. It is scheduled to open in 2021.

This concludes the first part of our analysis of the dynamics of the cyber security startup ecosystem in France. The panorama of startups remains constant, with newly created startups already showing great promise. Others, with already several years of activity to their credit, have continued to grow, to the point that we have had to create a new category: scale-ups. However, this ecosystem is facing two major adversities, such as the current health crisis and the resulting slowdown in international trade. We will therefore see in a second part, what are the necessary evolutions for this startup ecosystem.

Cet article The 2020 French Cyber-Security Startups Radar: our analysis (1/2) est apparu en premier sur RiskInsight.

Interview with ACE Management – 2020 French Cybersecurity Startups Radar

Jules Haddad — Fri, 06 Nov 2020 09:00:03 +0000

Every year, Wavestone conducts an in-depth analysis of the ecosystem of French cybersecurity startups. In this context, our team has organized an interview with the private equity firm ACE Management and represented by Quentin BESNARD and François LAVASTE. Find the complete analysis here.

Cybersecurity fundraising are slowing down in the 2019-2020 fiscal year (from June 2019 to June 2020), how can this be explained?

There was indeed a sharp drop in the amounts raised by tech start-ups in France in March/April 2020. This is even more flagrant in comparison with the previous fiscal year, 2018-2019, which was particularly exceptional for the cybersecurity ecosystem (around €300 million raised, with great fundraisings, such as Vade Secure and Dashlane).

2019-2020 is, in our opinion, an extraordinary year in many ways:

Significant fundraising was carried out at the end of 2019 and early 2020: 33 million euros for CybelAngel, great fundraising also for Trust-in-Soft, Egerie, Dust Mobile and Quarkslab that we were able to support;
Those planned for the first half of 2020 were quickly impacted by the health crisis: several planned between February and April were postponed.

Nevertheless, a restart of fundraisings was initiated in mid-April at a steady pace, and we decided at the beginning of the year to invest in four new companies (three in France, one in Europe). Thus, even if the health crisis has led to a short-term slowdown, the end of 2020 should bring new fundraisings, and potentially reverse the trend, particularly in the field of cybersecurity, which is still growing despite the Covid-19 crisis.

Some start-ups decide not to raise any funds. What do you think about this?

It is possible to create an “organic” self-financing business, especially in the service industry, but its development will be much slower.

However, in the cybersecurity market, velocity seems to be essential for a startup: an innovative idea at a given moment can very quickly become obsolete and miss its chance on the market. We believe that fundraising is an essential step for a company with a software/SaaS offer in cybersecurity that wants to reach the critical size to be a leader in a market that is by nature very international.

From our point of view, the particularly technical topic that is cybersecurity requires a specialized fund with cybersecurity knowledge and therefore able to understand the issues, the technology, the market, to make the right investment choices and to be relevant in supporting companies. This makes ACE Management positioning even more relevant (for entrepreneurs) and differentiating on the market (for investors in our funds).

On that topic, it is also important to note that if Brienne III is today the only fund specialized in cybersecurity in France, there are similar funds in other European countries, such as Germany, and the Netherlands, which are natural partners for us.

All investors have their own magic recipe for identifying gems to invest in, would you share some of yours with us?

Concerning the Brienne III fund, we are targeting startups that have already reached a certain maturity level and are looking to raise significant amounts of capital (at least €5 million, rather Series A or B).

Without revealing the whole recipe, here are some of the key elements we are looking for:

Ambitious management, knowing how to surround themselves with the right skills for the development of their structure;
A technically solid value proposition, potentially resulting from R&D funding from large groups or research laboratories;
In adequacy with the needs of the market, answering a recurring unaddressed problem or protection issues highlighted by recent attacks.

Speaking of market needs, what do you see as the next trends in cybersecurity?

Our discussions with several CISO during the health crisis and our analyses of the market and current events lead us to identify the following:

Workstations security is back in the spotlight, especially with the generalization of remote access;
Third party management in a more fluid way while remaining secure and limiting their access;
Sovereignty questions are more important, but, barring regulatory constraints, should not remain the main selection criterion;
It also seems to us that the trend towards using the SaaS (Software As A Service) model for security solutions has been passed for a certain number of structures, which are more mature on Cloud models, and have a much lower grasp of them. An element to keep in mind for our start-ups!

About Brienne III and ACE Management:

In June 2019, with an initial closing of 80 million euros, ACE Management launched the Brienne III fund, the first French investment fund dedicated to the financing of innovative cybersecurity companies and the largest in continental Europe. The initial subscribers to this fund are Tikehau Capital (a shareholder of ACE Management), Bpifrance, EDF, Naval Group, Sopra Steria and the Nouvelle Aquitaine region. Other strategic investors and institutions wishing to support the emergence of cyber defense solutions are in advanced discussions with ACE Management to participate in the second closing.

ACE Management, a Tikehau Capital Company, is a private equity firm specializing in the industrial and technology sectors, with €1 billion in assets under management. Founded in 2000, ACE Management invests through sector strategies, such as strategic industries, cybersecurity and trusted technologies. ACE Management has built its model on partnerships with major groups investing in its funds (notably Airbus, Safran, EDF).

Cet article Interview with ACE Management – 2020 French Cybersecurity Startups Radar est apparu en premier sur RiskInsight.

Citalid | Shake Up – Cyber Threat Intelligence for optimizing cyber budgets

Maxime Cartan — Tue, 03 Nov 2020 17:48:01 +0000

Citalid is a French tech startup founded in 2017 that provides CISOs and Risk Managers with a software for quantifying and managing cyber risk. Citalid‘s highly innovative technology enables its clients to benefit from simulations, metrics and recommendations that are directly operational to optimize their ROSI (Return On Security Investments) thanks to its unique ability to cross-reference technical, contextual and financial data. Citalid is part of Wavestone’s startup acceleration programme, Shake’Up.

For the time being less well known and less widespread in Europe than its sisters EBIOS RM & Mehari (among others), the FAIR risk analysis method nevertheless fills the gaps left by other approaches. Already highlighted by Wavestone in a previous article, its main assets lie in the perspective of data usually ignored by traditional risk analysis on the one hand, and on the other hand in its ability to generate metrics dedicated to strategic decision support and adapted to the language of decision-makers, such as Value at Risk.

Nevertheless, as this same article points out, this approach is a priori undermined by time, human resources and the multiplicity of knowledge required to carry it out. Therefore, although the concept is attractive, is it realistic to deploy the FAIR method? How can its nomenclature be translated operationally? What about its automation? More generally, does it provide enough added value to justify its use?

Despite its undeniable effectiveness in quantifying risks, such an approach requires both an appropriate technical system and functional support, which is essential in the collection of data. Quantifying its potential financial losses in the event of a cyber incident is not enough: it is also necessary to have the capacity to put them into perspective in an ecosystem of polymorphous and evolving threats. This is Citalid‘s innovation: to be able to carry out a dynamic quantification of cyber risk for decision-makers, by automatically crossing the reality of the threat that weighs on a company, its business context and its defensive maturity. And, above all, not to stop at analysis alone: to generate an action plan that reflects the optimal balance between efficiency and profitability.

Empiricism as FAIR’s automation framework

Contextualizing the external environment

As in any analysis, the objectivity of the observation increases with the number of parameters considered. If it is frequent, even usual, that the internal context of an information system is studied, it is rarer for the analyst to be interested in all the external dynamics that can influence the analysis. These dynamics, which can take on a variety of realities as we shall see, can however strongly influence the frequency and intensity of cyber threats. However, it is difficult to draw up an exhaustive typology of these data, and taking them into account is almost systematically a mixture of two ingredients:

Curiosity and the logical mind of the analyst (in fine, his capacity to project himself into / adapt to a context);
The good visibility of the person(s) responsible for the system and the activities within their perimeters;

Among the exogenous criteria that can influence the risk analysis are: the competitive environment, the company’s position on its market, its geographical locations, geopolitical dynamics, internal policies, the normative framework, the socio-economic climate, the diversity of its activities, etc.

However, it would be easy to get lost in this labyrinth of criteria. It is therefore necessary to support the decision-maker in the creation of a cartography of its environment in the most comprehensive sense of the term. It is therefore through exchange and collective intelligence that a first level of filter is created, by drawing up a perimeter of analysis that is both structured and flexible.

While defining the perimeter of the analysis makes it possible to establish a coherent framework, a multitude of risks can nevertheless be inserted into it. It should also be noted that the defined perimeter can itself be a component of a broader scope of analysis. In this sense, the various perimeters determined can be articulated in the form of a hierarchical tree, often tracing the internal organisation of the company (see diagram below).

Thus, in the example opposite, the group level is represented by the “Energy Company” perimeter, which aggregates the risk of all its “children” perimeters (here its “business units“). However, each perimeter has its own context and risks. This tree structure plays a predominant role in the construction of a relevant library of related risk scenarios. One could easily be tempted to go back up to the group level to globalize its scenarios, but this often de facto deteriorates the granularity, and therefore the quality, of the analysis due to the particularities of each perimeter.

Build a relevant library of scenarios

This framing work therefore conditions the choice and parameterisation of risk scenarios. This parameterisation and the resulting calculation is made complex by the number of criteria to be taken into account and the uncertainty inherent in cyber risk. Without going back over the FAIR methodology already discussed on this blog, it can therefore be long and tedious to build a large number of scenarios of risk while considering the specificities of each perimeter. A solution to this problem therefore lies in the construction of a library of scenarios that can be adapted to each business context and encompass several types of threats. Based on operators’ experience and accumulated data, Citalid now has several libraries of scenarios and losses, listed in ‘Business’ directories. These are easily exportable on the platform, while retaining a degree of flexibility that allows the scenarios indicated to adapt very precisely to the business context. Following on from the use-case used above, the image below illustrates a ‘fictitious’ library of scenarios related to the Energy sector. As this is a ‘Demo’ version, this panel is however not exhaustive.

Citalid‘s library of scenarios is thus part of a double dynamic that at first sight seems contradictory: capable of meeting the requirements of efficiency and automation of the analysis, it remains flexible enough to be implemented with precision and relevance in any context. Each typology of threat, combined with the characteristics of the perimeter analyzed, determines the frequency of occurrence and the financial losses, whether primary or secondary, inherent in the chosen scenario. In the case of an economic espionage scenario, for example, it is safe to say that there will systematically be a loss related to the remediation of the incident, a loss related to the exfiltration of data and a loss resulting from damage to the entity’s reputation if the attack were to become public.

In addition, for the quantitative parameters (frequency of the threat, IS resistance to the attack, frequency and magnitude of losses, targeted assets, etc.) of the scenario to remain relevant, they must be profiled on the characteristics of the target perimeter. Therefore, Citalid’s expertise lies in part in defining and keeping up to date – cyber threats and available abacus evolving rapidly – a library of templates from which the analyst must be able to draw to easily and automatically initiate his risk assessment.

Accumulating data on cyber threats and their impacts therefore makes it possible to calibrate scenario “templates” and thus gradually automate the FAIR analysis. By combining threat intelligence, technical models and abacuses from open source analysis and customer feedback to assist analysts, Citalid‘s award-winning innovation platform leverages collective intelligence to ensure scientific rigor and unparalleled accuracy in quantifying financial losses.

Putting risks in perspective with the defense ecosystem

The CISO as pilot of his IS

In terms of cybersecurity management, the CISO is, unsurprisingly, the focal point of the system. To do this, he must be able to quickly visualize the entire panorama of cyber risks weighing on his IS – a “cockpit” view, in order to then inflect orientations on a larger scale. He therefore needs a GPS to guide him in his decisions: how to take his IS from point A (current risk situation) to point B (desired risk exposure), taking care to optimize his trajectory (cyber investments) while avoiding obstacles (threats) that appear dynamically along the way.

Example of a risk dashboard, illustrating the ISSM’s cockpit vision.

Once the various scenarios have been established and the quantification carried out, the difficulty lies in the possibility of translating these “raw” risks into a strategic roadmap. The first step is to put these risks into perspective by comparing them with the current defensive infrastructure of the IS. Knowledge of its environment is a prerequisite for the CISO’s analysis. All the more so as, in terms of defensive infrastructure, two major options exist and sometimes complement each other: opting for a logic of defensive maturity based on compliance with one or more reference systems (ISO 27k, NIST, CIS, etc.) or carrying out – and then comparing with peers – an inventory and evaluation of all the security solutions deployed on the perimeter.

“A permanent confrontation between theory and experience is a necessary condition for the expression of creativity” [1]. 1] The aphorism could not be more revealing of the method described here: that of the confrontation between theory (raw risks) and experience (evaluation of defensive maturity based on a multitude of feedback and incidents) as a necessary condition for the creation of a roadmap. The confrontation makes it possible to obtain the “net” risk with which the company is really confronted, lower than the gross risk since it considers the defenses of the IS.

Fueled by “actionable” metrics, the decision-maker will now be able to have visibility on his real risk in his own language, and consequently be able to arbitrate and determine its destination – his B point – according to his appetite for risk and the company’s policy. Which scenarios should be dealt with by investing to reduce the associated risk? Which ones should be maintained, given their low economic impact? Which ones to share with a cyber insurer? However, as we will see, the modelling of net risk described in the previous paragraph requires a consequent knowledge of the threat ecosystem in which it is embedded.

Cyber Threat Intelligence, a catalyst for optimal risk management

One of the main shortcomings of risk management in cybersecurity is the difficulty in deploying an approach that reflects the reality of the risk “on the ground”. The CISO or Risk Manager must therefore also have a radar to dynamically detect obstacles in his path (threats) and, as far as possible, anticipate and prevent impediments.

Thus, just as a rock slide on a road is the result of a conjunction of multiple factors (weather conditions, geological characteristics, human activity, etc.), an attacker’s action depends on many elements. These elements should, as far as possible, be observed and included in the risk analysis. Consequently, Cyber Threat Intelligence (CTI), a discipline dedicated to the study and contextualization of attackers’ operating modes, enriches and energizes traditional risk analyses. The mastery and inclusion of this discipline in cyber risk management is one of Citalid’s major differentiators and permeates its entire corporate culture.

How can CTI data be operationally and sustainably combined with the risk calculations announced in the previous paragraph? We can get an intuition of this by noting the following three facts:

The company’s market segment helps to determine the operating methods most likely to be of interest to the company;
The attack techniques used by these operating methods and their centers of interest within the targeted information systems make it possible to identify the most critical assets and to know how to improve their protection;
By comparing again the CTI data defined in the two previous points with its defensive infrastructure, the entity can identify which scope (in the sense of a security repository) or which defense solution is not cost-effective enough (reduction of the risk in relation to the cost).

The diagram above represents a concrete example of the application of CTI to risk analysis, acting as a real catalyst for drawing up guidelines. A modus operandi is technically expressed through its “Kill Chain”, i.e. the sequence of attack techniques it uses to achieve its objective. Citalid has mapped the links between these TTPs (Tactics-Techniques-Procedures) and specific points of different security reference systems (here the CIS20), the latter being the defensive measures best adapted to the TTPs defined in the diagram. On the first line, for example, the CIS 16.3 measure (among others) is sufficiently deployed at the target entity to limit the impact of the TTPs indicated at this stage of the Kill Chain. On the second line, on the other hand, the opposite occurs: the CIS 11.1 measure is not mature enough to provide effective protection against the sophistication of the attacker. It is therefore on this line that the defender potentially needs to concentrate.

The last line crystallizes the interests of the enrichment of the analysis by the CTI. The yellow square determines the maturity progression due to the implementation of security solutions relevant to the CIS 11.1 measure (e.g. a network device management system), which are automatically determined and recommended to the user in the case of the Citalid calculation engine. In other words, this differential indirectly expresses a path towards optimal maturity and resilience for this specific scenario, the starting point for the definition of a tailor-made cyber investment strategy.

Turning analysis into strategy

Formulate a cyber strategy aligned with group objectives

A successful and relevant risk analysis is characterized by the ease with which the observer can immediately visualize how to translate data into action. It must therefore be intelligible and coherent for the recipient, whatever his or her technical level and position in the organization chart. In other words, risk analysis alone is insufficient: it can only be truly useful if it gives rise to a long-term strategy.

This vision, strongly oriented towards the most strategic levels, marks the very DNA of Citalid. Behind the calculation of the risks (raw and real) and the most effective recommendations (referential as solutions) thanks to CTI, the objective is to be able to propose an indicator of the return on investment (ROI) of the security solutions. By visualizing his initial position (A), his desired position (B) and the different possible paths (defense investments), the final decision-maker must be able to compare the ROI of the different options and draw up a cyber investment strategy in line with his budget and real objectives.

Moreover, the objective behind this singular approach is twofold. Firstly, it is a question of accompanying our clients in the definition of their cyber security strategies and in the application of a co-constructed action plan, aimed at compensating for the flaws made visible by the analysis. However, in order to keep this strategy realistic, it is essential to ensure that it can be part of a global dynamic and therefore quickly assimilated by a higher hierarchical body (COMEX). To meet this need, Citalid has refined its service so that it is in line with the realities of the CISO:

By adapting the platform in terms of ergonomics, level of technicality and language, so that the dashboards are transparent and easy to interpret;
By assisting our clients in defining budgets and in their legitimization and justification (advocacy) in view of the reality of the threat.

By aligning cybersecurity strategies with broader investment strategies, in line with the objectives set by the group, Citalid intends to guarantee and reinforce the predominant role of the CISO in steering cyber resilience.

Capitalizing on the approach through the deployment of a risk index

The major advantage in choosing to take a global approach to security lies in its potential for aggregating risk at any level (group, business unit, application, project, etc.) and for standardization (comparison between perimeters and peers). Like rating agencies, this “scoring” of the entity, which takes into account not only its level of maturity on its exposed assets but also its risk management strategy, internal organization, the reality of the threat, its own business context, etc., can be transformed into a global risk index, symbol of the entity’s resilience and monitored by its management. This is truer since a scientific approach based on many heterogeneous parameters presents a desirable objectivity, for the entity as well as for its partners and collaborators.

This time, it is no longer just a question of positioning oneself in one’s environment, but of positioning oneself in relation to possible peers (comparison) and partners (guarantees). A risk index reflecting high resilience and sound risk management will ensure that its suppliers or end customers have optimal security and respect for their data, while reassuring investors that their funds are being used correctly.

Examples of risk indices produced by Citalid: in this case, a ‘Cyber Weather’ that identifies variations in a client’s media exposure.

Other players could also benefit from such an index: the insurance industry, and cyber-insurers. The quantification of cyber risk remains an obstacle for them, as traditional actuarial approaches are limited by the lack of historical cyber security data. Citalid’s model, presented here, combines threat expertise, advanced probabilistic models and innovative attack-defense simulations to overcome this lack of data. Our scoring and metrics, based on risks rather than on a simple level of defense, allow us to refine the insurance model to be as close as possible to the real needs of our clients.

Thus, quantifying cyber risk and the return on investment of security solutions is one of the biggest challenges facing today’s CISOs, Risk Managers and insurers. Through its innovative approach, Citalid responds to this need to reposition cyber security at the heart of corporate strategies and to optimize its action plans and investments.

^[1] Attributed to Pierre Joliot-Curie

Cet article Citalid | Shake Up – Cyber Threat Intelligence for optimizing cyber budgets est apparu en premier sur RiskInsight.

Banking Innovation Awards: together they are building the bank of tomorrow!

Alfred Briand — Mon, 12 Oct 2020 07:00:39 +0000

More than 60 startups and SMEs participated in the fourth edition of the Banking Innovation Awards (BIA), formerly the Banking CyberSecurity Innovation Awards (BCSIA). Cybersecurity, artificial intelligence and data are the key words of this startup contest organized each year in a collaborative way by Wavestone and Société Générale. On October 6, 2020, the award ceremony allowed a high-profile jury to reward 4 startups among the 8 finalists of the competition. The 4 winning startups will now have the opportunity to integrate Shake’Up, Wavestone’s startup accelerator program, and to test their solution within Société Générale.

For more information, watch the video presentation of the contest.

For the fourth edition of the contest, data and AI come along with Cybersecurity!

While previous editions of the competition rewarded only startups specializing in the field of cyber security, the 2020 edition has broadened its scope to include new topics, such as artificial intelligence and data, which remain key components of the cyber ecosystem.

All the participating startups, of French or European origin, were able to share all the richness of their diverse technological expertise. Below are the top 5 topics covered by the participants this year:

Fight against fraud
Digital identity protection
Development of artificial intelligence for business
Data integrity protection
Detection of incidents and vulnerabilities

A high-profile jury, with analyses and strong messages!

This ceremony was obviously intended to reward the big winners of the 2020 edition, but not only. It was also an opportunity for all the jury members to share their analyses of the current startup ecosystem.

This year, the jury was composed of Claire Calmejane (Group Innovation Director – Société Générale), Christophe Leblanc (Group Digital Resources and Transformation Director – Société Générale), Pascal Imbert (Chairman and CEO – Wavestone), Reza Maghsoudnia (Strategic Development Director – Wavestone), Guillaume Poupard (Managing Director – ANSSI), Jamal Attif (Professor at Dauphine-PSL, head of the MILES team) and a college of experts (Thierry Olivier, Christina Poirson, Julien Molez, Gérôme Billois, Ghislain de Pierrefeu and Severine Hassler).

Lessons and perspectives of the crisis

Although this health crisis is not yet over, it seems in any case a little bit better controlled than in March, when this disease was still unknown to all of us. On that topic, Pascal Imbert and Christophe Leblanc brought their analysis of this crisis and its impacts.

According to them, this crisis has revealed the fragility of both the companies and of our current economic models, but it has also accelerated the trend, with digital technology recently taking an even more important place. This makes the transformations deeper and faster. However, it is not without consequences for companies, which are seeing an acceleration of their transformations, with the need to integrate new factors, such as a better balance between efficiency and resilience, together with a major focus on technology, which represents an economic, technological and sovereignty challenge. According to Pascal Imbert, the startup environment, which is being honored with this competition, is one of the key elements that should enable us to regain control over technology and how it is used.

This crisis is both a factor of digital and strategic transformation, of which data and cybersecurity are an integral part, a factor of agility, with the acceleration of teleworking and the necessary adaptation of IT security rules, and a factor of “stress-testing”, for our economic and technological models.

Artificial intelligence and data at the service of the crisis

Jamal Attif reminded us all from the start: “the value is in the data”. However, according to him, AI as we know it today is unable to solve this crisis. It can help fight it, for example by using bibliographic data mining algorithms to understand the effects of certain drugs. It can also speed up and improve medical diagnostics, through image recognition, but it cannot predict what has never been seen before, such as this epidemic, which has grown very rapidly.

The startup ecosystem today has a real impact on our business models, but he deeply thinks that it is important to combine all the forces, whether from the world of research, large companies or startups, in order to achieve breakthrough innovation that will enable us to respond to such issues.

Cybersecurity: evolution of the threat and innovations

Guillaume Poupard notes two major points concerning digital and cybersecurity today.

First of all, he raises the positive side of the digital transformation, which helped overcome the lack of activity during this period. However, according to him, we must remain cautious, especially in the face of the particularly worrying growth of cybercrime, which now targets large companies, with very serious cases multiplying (50 ransomwares in 2019, against already 130 in 2020, and it’s not over yet). The issue of combating cybercrime is therefore a topic of major importance. It is then useful to perform new risk analyses and information system audits to detect possible cybersecurity flaws that were created in these few months. Like Jamal Attif, he reiterates the importance of public and private stakeholders of all sizes, with different motivations, working together to strengthen our cybersecurity defenses. According to him, it is necessary to put forward those who innovate, and this is one of the objectives of the cyber campus, which should soon be created, in the Paris region.

The other point is to continue to raise these issues at the European Union level, and even beyond, by setting up networks so that all stakeholders can work together. This is notably the objective of the recent launch, by the member states of the European Union, of the Cyber Crisis Liaison Organisation Network (CyCLONe).

Focus on the innovation and startups ecosystem

Reza Maghsoudnia shares the very essence of the startup ecosystem, which is to think outside the box, to challenge established players, and to innovate in order to give more value to the various transformations we are experiencing. The crisis is further increasing the need for innovation, and it is of deep importance for Wavestone to continue to identify these sources of innovation, to support and accompany them.

That is for this reason that, in 2015, Wavestone created a startup accelerator program (Shake’Up), enabling it to be in constant interaction with several hundred innovative players on the market and to identify great startups to accompany them. As of now, more than 40 startups have been supported, including real success stories such as Alsid and Citalid, in the field of cybersecurity. Regarding the French Cybersecurity startup ecosystem, we invite you to read the analysis of our experts, following the 2020 startup radar conducted by Wavestone.

61 startups competed, 8 startups retained and 4 startups rewarded

Isahit, Special Prize – Data for good & Ethics

Founded in 2016, the French “Tech for Good” Isahit offers companies a digital impact sourcing platform for processing digital tasks that cannot be handled by artificial intelligence.

Watch the video presentation of the startup Isahit.

CryptoNext, Special Prize – Cybersecurity Made in France

Founded in 2019, CryptoNext has developed an encryption technology to make data resistant to the power of quantum computing. Its software is intended to be implemented in the offerings of major players in the IT security sector.

Watch the video presentation of the startup CryptoNext.

Inqom, Data & AI Grand Prix

Founded in 2015, Inqom has built a SaaS software for automating accounting production, allowing real time generation of the balance sheet. Using artificial intelligence, the solution processes and enriches accounting data to create centralized, standardized and intelligent accounting.

Watch the video presentation of the startup Inqom.

Hackuity, Cybersecurity Grand Prix

Founded in 2018, Hackuity provides a platform that rethinks the way IT vulnerabilities are managed across the enterprise by collecting, standardizing and orchestrating all security assessment practices, whether automated or manual.

Watch the video presentation of the startup Hackuity.

Cet article Banking Innovation Awards: together they are building the bank of tomorrow! est apparu en premier sur RiskInsight.

Wavestone publishes its 2020 Belgian Cybersecurity Startup Radar

Thomas Vo-Dinh — Mon, 20 Jul 2020 09:00:01 +0000

For several years now, Wavestone’s different offices have been periodically identifying startups active in the field of cybersecurity. Wavestone Brussels office has therefore carried out its very first census in this field: the 2020 Belgian Cybersecurity Startup Radar.

A proven and pragmatic methodology

This study starts with a global overview of the Belgian cybersecurity ecosystem based on a first mapping of companies active in this field. To that end, we consulted 3 main sources. The first one are databases specialized in the identification of startups, then co-working spaces & incubators and finally organizations & associations supporting cybersecurity startups.

Only companies marketing a product (application, platform, hardware, etc.) were retained. Consulting companies are out of scope.

The purpose of this first step is to establish a list of actors in order to then apply the selection criteria of the Wavestone radar. Those criteria allow us to establish the perimeter of the radar in accordance with those already carried out previously by our others offices.

The criteria we select to map out the companies are the age, the location and the size:

The result of our 2020 Belgian cybersecurity startup radar

After having drawn up a list of companies active in Belgium and offering a product, we apply our 3 criteria. The first census identified 30 companies, 11 of which met our criteria.

The results of our study allow us to identify certain trends for the Belgian ecosystem. The typical Belgian cybersecurity startup is extra small, working in Brussels in the field of IAM.

More than 1/3 of the identified startups works in the field of IAM

Identity and Access Management (IAM) and Application Security, which groups “Vulnerabilities”, “E-mail security” and “Surveillance” categories, are the two most important areas of activity and represent more than 60% of the cyber ecosystem. The figure reveals also that the IAM seems to be the most mature sector in this ecosystem, echoing the figures from the French, English or Swiss startup radars, which show a similar trend.

More than 80% of the startups surveyed have less than 10 employees

The majority of the startups on our radar have few employees: more than 80% have less than 10 employees and none have more than 35 employees.

In Belgium it is the extra small startup that predominates compared to the other radars of the group that see the medium-sized startups more numerous.

The cyber ecosystem is mainly concentrated in Brussels Region with almost 60% of startups, followed by Leuven and Antwerp by far

The majority of startups are located in Brussels. No wonder, given that Brussels is the capital and one of the most dynamic economic centers in the country.

Focus on the analysis of the degree of innovation of startups

The next step in the analysis is to estimate the level of innovation of the companies on the radar. To do this, it is necessary to estimate a “degree of innovation” whether:

• The company imagines a completely new security solution

• The company reinvents an existing security solution

• The company secures already existing uses (IoT, Cloud, etc.)

Most Belgian startups are reinventing existing solutions or providing a tool to secure new uses.

Quite logically, few startups work on a totally innovative project. This is also a trend observed in other international Wavestone radars, where the degrees of innovation are more or less the same as in Belgium.

The other trend is the low (or even non-existent) presence of startups active in the fields of “data security”, “network security” and “cloud security”. Several actors and employees of the startups met during this study confirmed the firm’s convictions on the subject.

Firstly, the cyber market only rings the bell for experts or insiders, which can repel investors. Then, cybersecurity is a complex field that often requires special IT expertise and specific support. Finally, the current maturity of the market does not facilitate startups to find their customers.

These observations may also explain why few contacted incubators support IT startups, and by extension the cyber field.

Conclusion

The 2020 Belgian Cybersecurity Startup Radar shows that the vast majority of startups are located in Brussels, have less than 10 employees and work in the IAM sector. This study also reveals that the Belgian cybersecurity market is still in its infancy. Most of the startups encountered are either looking for financing, customers or are still in the testing phase.

The objective of Wavestone is to follow the evolution of this ecosystem through new editions: new startups appearing during the year, possible disappearance, etc.

In order to prepare these next versions, and for the purpose of improving and enriching this study, please do not hesitate to contact us if you know any company that might join our radar.

Cet article Wavestone publishes its 2020 Belgian Cybersecurity Startup Radar est apparu en premier sur RiskInsight.