How has the company evolved since it was founded?
AGUSTÍN MUÑOZ-GRANDES S21Sec was one of the pioneers of the cybersecurity industry. At the time, cybersecurity was not even an industry, but fell under IT security. We were one of the first companies to develop our own technology, with over 60 engineers working on technological developments. It had an 80-90% market share in Spanish banking. We have always invested around 10% of our annual revenues on R&D to complement what we cannot find in the industry from third-party suppliers or manufacturers. We still keep a group of developers for high-quality cybersecurity services. That is part of our DNA: investing in innovation and building our own solutions when we do not find them in the market. Over the years, following Sonae Group's investment, we have also been involved in acquiring other companies to build up operations. For example, we acquired Nextel, a large system integrator of cybersecurity and IT security in Spain, which gave us a great deal of strength in the area of system integration.
JOSÉ ROSELL Both my partner and I are industrial engineers, outliers in the IT world. We are dedicated to making cybersecurity solutions both for the IT world and the operational technology (OT) world. When we started, Spain had a hard data protection law. That is the regulatory environment in which our company began. It was hard in the beginning, because there was no sector or real market for cybersecurity services. But we committed to investing in the development of our technology. We got a small project to develop surveillance technology. From then, we started R&D projects both in the Valencia area and nationally. We started working on R&D projects in Europe in 2010. Since then, we have had many programs to support R&D at the regional, national, and European level. This has allowed us to design our technology and develop our own tool kit, something that differentiated us from the beginning. We are not only a company in the computer and technology sector, but we are also a company in the industrial sector.
What needs to be done in terms of regulation?
AM-G This is one of the common ideas everyone mentions. There is a need for public-private collaboration. We are completely committed to our duty for national security and collaborate with all public institutions one way or another. However, thus far, public administrations have failed to make cybersecurity regulation coherent. There are a number of different public institutions dealing with cybersecurity in Spain, such as the National Center for Infrastructure Protection and Cybersecurity (CNPIC), the National Cybersecurity Institute (INCIBE) and the National Cryptologic Center (CCN), which is part of the international Coalition for Network Information (CNI). Furthermore, all the local administrations are building up the same types of cybersecurity bodies at regional levels. For example, the Basque region has the Basque Cyber Security Center. We work with many of them, though some level of coordination is needed to make their regulations effective.
JR There must be transnational regulation. A market that historically looks very much like the cybersecurity market is maritime safety. Why? The maritime business has been an international business since the beginning of time. The sector has developed the International Convention for the Safety of Life at Sea, also known as the Solas Convention. Practically all countries have signed and accepted this legislation. But there is nothing similar in the case of the internet. When you take a Spanish criminal code, you can apply the criminal code to those crimes that are committed in Spanish territory; however, if someone from any country is committing a criminal offense in Spain, there are no tools to fight against that. There are some agreements like the Council of Europe's Budapest Convention on Cybercrime, but they are insufficient.