Ovum Decision Matrix: Selecting a Managed Security Services Provider,

Transcription

1 Ovum Decision Matrix: Selecting a Managed Security Services Provider, Publication Date: 08 Jan 2016 Ian Brown Product code: IT

2 Summary Catalyst IT security must be top of mind at every midmarket and large enterprise on the planet. As the tools of the digital economy become pervasive, impacting everything from airlines to zoos, every business and public sector organization has spiraling amounts of data that it needs to protect. Customer data, financial data, intellectual property, and citizen and patient records they're all at risk from individuals, organized crime, "hacktivists," and nation states that wish to profit from stealing data or disrupting processes. High-profile attacks on well-known brands such as Sony, e-bay, Target, Home Depot, and UK network provider TalkTalk have highlighted the cost and brand damage that can be inflicted by a security breach. Government and public sector organizations of all sizes have been subject to similar attacks. If these high-profile names don't have the resources and processes in place to respond quickly and limit the damage, what hope is there for lesser-known brands and organizations? Systems integrators and IT outsourcers think they have the answers. They certainly have years of experience running IT for some of the largest businesses and government organizations in the world. As organizations face growing security challenges with limited expertise and resources, SIs and IT outsourcers have added managed security as a standalone service line. Ovum view This report evaluates six leading SIs and one managed security services (MSS) specialist that are active in the North American, European, and Asia-Pacific (APAC) markets. Unlike previous generations of managed security services providers (MSSPs), these vendors are not primarily interested in selling enterprises one-off network appliance-related services, such as a standalone managed firewall service. They want to sell customers a broader set of integrated services that augment and optimize the customer's existing security resources, deliver the additional benefits of their IP and global threat intelligence capabilities, and outsource some or all of the functions of the customer's security operations center (SOC). The SIs are pitching themselves as "security integrators" offering a complete managed service for the security services "tower." How they go about delivering such services varies considerably and there's a continuum of approaches to helping a customer keep its IT, end users, and data assets secure. At one end, there's the discrete managed services approach: customers need help to manage their security appliances, optimize and manage their security information and event management (SIEM) software, or monitor endpoint devices and attack surfaces. At the other end of the continuum, there's the traditional IT services "lifecycle" approach to outsourcing the security function: consulting, planning, architecting, engineering, testing, monitoring, and management. We detect that the MSS market is tending towards convergence in the middle. Many customers have invested in expensive software and tools, but IT security is not a core skill. IT service providers have the skills, scale, and resources that nonspecialists find difficult to maintain. IT budgets are under constant pressure, so customers are looking for service providers who can help them make sense of what they have, optimize their IT security operations, and transform these assets into efficient, effective, and consumable services that deliver meaningful and actionable outputs. Page 2

3 The seven MSSPs under consideration here deliver everything from services that augment the customer's existing security operations to fully outsourced security operations. All but one, Dell SecureWorks, owe their heritage to SI parentage. SecureWorks was a fully formed MSSP that Dell acquired in IBM has recently taken its Security Services business out of Global Technology Services (GTS) and combined it with Security Systems to form a single unified Security business. However they've positioned security services within their businesses, all seven of the IT MSSPs here deliver a portfolio of services designed to help customers secure and manage the threats to the systems and processes on which their businesses depend. This report complements a previous study focusing on telecoms MSSPs (see Appendix). Key findings Two vendors are rated as overall market leaders in this Ovum Decision Matrix: IBM and Hewlett-Packard Enterprise (HPE). Both earned consistently high scores on all three dimensions of the Ovum Decision Matrix assessment: offering, execution, and market impact. They benefit from being able to offer a broad portfolio of MSS offerings, a wide range of service delivery options, a truly global footprint of shared SOCs, deep vertical industry knowledge, and close cooperation with the vendor's security technology divisions. While not rated as overall market leaders, because they didn't achieve consistently high scores on all three Ovum Decision Matrix dimensions, two of the market challengers achieved market leader status on one of the dimensions: Dell SecureWorks on the offering assessment and TCS on the execution dimension. If you're looking for an MSSP that's at the top of its game in terms of its technical capabilities, its proactive discovery and understanding of the threat landscape, and its ability to keep your protection up-to-date across the IT stack, then Dell SecureWorks is highly rated. TCS has considerable merits for those customers looking for an outsourced approach to security. It scores highly on its reputation for service quality, its processes, and its ability to optimize and transform its customers' SOCs through an outsourced approach that leverages offshore skills and resources. As one of the participants in this Ovum Decision Matrix put it to us, managed security services providers are on a continuum that runs from providers of discrete single-function services (managed firewall, managed vulnerability scanning, log monitoring, etc.) to systems integrators capable of building and running fully outsourced security operations centers for their customers. The IT services providers in this Ovum Decision Matrix are mostly systems integrators or come from the systems integration side of the business, but they're increasingly converging on the middle of the continuum. Customers of all sizes and from all sectors want more modular, easily integrated, and cost-effective managed services. But most of all, customers struggle to derive value from existing security investments, because they lack the skills and resources to use the tools effectively, can't keep abreast of the ever-growing threat landscape, and don't have the benefits of scale that come from monitoring and managing tens of thousands of systems, networks, and devices around the world. Page 3

4 Service providers have a view of the threat landscape across industries and geographies that customers will never achieve. The best can deliver intelligence and help customers act on it before threats cause any damage. Service provider selection Inclusion criteria This IT Managed Security Services Decision Matrix considers the managed security services offerings available from seven leading IT service providers. These service providers deliver a wide range of services covering the IT security lifecycle, from consulting to business continuity. However, managed services account for the bulk of the providers' security services revenues and it is here that there is most demand from customers for assistance. In this Ovum Decision Matrix, we wanted to evaluate service providers that could deliver all of the functions of a typical customer's SOC requirements, either by augmenting or taking over the management of some or all of the functions of the customer's existing on-site SOC(s), or by delivering hosted services from shared multi-tenant SOCs. We have restricted our study to global players, or more specifically vendors that market and deliver their services in North America, Europe, and APAC. For inclusion in the Ovum Decision Matrix, we stipulated the following: Vendors were required to complete a comprehensive request for information (RFI) and provide a briefing call and follow-up. Only vendors actively marketing and delivering a comprehensive portfolio of managed security services as a distinct service line separate from their other IT outsourcing activities were included. Only vendors that could provide evidence of a significant and growing customer base on two or more continents were included. The following vendors are included in this report: CGI CSC Dell SecureWorks Hewlett-Packard Enterprise (HPE) IBM TCS Unisys Exclusion criteria We did not include network or telecommunications (telco) MSSPs in this study as these have been covered in a separate telco MSSP report (see Appendix). Nor did we include independent software vendors (ISVs) that upsell services associated with correlation and analysis of the threat landscape. These were not considered "go to" service providers for customers that want to source multiple security operations functions from a single vendor. Other exclusion criteria included: Page 4

5 The vendor's failure to complete the Ovum RFI or provide follow-up briefings. The vendor's decision to opt out of inclusion in the Ovum Decision Matrix on this occasion. The vendor's failure to demonstrate that it has a significant customer base on two or more continents. Methodology Ovum Decision Matrices evaluate products and services across three dimensions. For the Managed Security Services Decision Matrix, we have assessed the MSSPs' services on the following dimensions: The service offering assessment, aka offering dimension, which assesses the alignment of the vendor's MSS portfolio to current and future demand. The execution dimension, which assesses the vendor's ability to deliver effective services in ways that suit a variety of different customer needs and sourcing models. The market impact dimension, which measures the vendor's success in reaching its target market and in responding to the needs of that market. Ovum has split each dimension into multiple assessment criteria. Each of these criteria is explained below. Each assessment criterion was further subdivided into questions designed to generate a compound score that reflected how closely, or otherwise, the vendor's offering or positioning met the assessment criterion. For certain quantifiable assessment criteria, such as revenues, size of customer base, or number and location of security resources, scores were calculated as a percentage of the leading vendor's score. However, in most cases, revenues have been estimated as few vendors publish revenue details for MSS sales or have asked that revenue information is not shared. The scores for each assessment criterion have been weighted according to the importance Ovum attributes to each criterion on its particular dimension. Finally, the three dimensions (offering, execution, and market impact) were weighted according to our understanding of the importance they might have in vendor selection decisions. The weightings are indicated in the charts below. Figure 1: Overall weightings for Ovum Decision Matrix dimensions Source: Ovum Page 5

6 Offering (40% of final weighting) For this assessment dimension, Ovum assesses the capabilities that differentiate the leading providers in the marketplace. Each criterion is given a weighting as indicated in Figure 2. Figure 2: Weightings for the offering dimension criteria Source: Ovum In addition, there are multiple weighted components to each criterion on each of the Ovum Decision Matrix dimensions. Essentially, these are the questions we asked of the vendors and the assessments we made of their achievements on each criterion: Vision (15% of offering dimension) Does the vendor show evidence of developing IP and services around cutting-edge tools and technology and bringing them to market in its MSS offerings ahead of the competition? To what extent has the vendor introduced new services to the MSS portfolio or enhanced existing services that support clients' journeys to the cloud, hybrid IT, and mobility? What major strategic investments will the vendor make in the next months to grow and enhance its MSS business and how do they accord with Ovum's understanding of developing IT and business needs and their impact on security? How strategic are security services to the provider's overall business? Completeness of offering (20%) Does the vendor have a comprehensive portfolio of easily integrated intelligence-driven MSS offerings and capabilities that cover the gamut of end-to-end security operations across the IT landscape, from legacy to cloud and mobile? How well does the vendor's offering match operational security requirements across the pillars of infrastructure and endpoint monitoring, threat monitoring and intelligence, identity and access management, incident response and remediation, and cloud security? To what extent is the MSS portfolio part of a wider security services play that helps customers at the different stages of the security operations lifecycle and with different elements of their security operations? Page 6

7 To what extent are the vendor's services focused on helping customers optimize, transform, and manage their existing security operations? Technical capability (20%) Does the vendor have differentiating IP or processes that distinguish its services from its peers' managed security services? Does the vendor have access to a wide range of intelligence sources (external, internal, global, open, and closed) or conduct its own hunting or forensics, and does it use these sources, deep vertical-sector knowledge, and expertise to feed back into its MSS and proactively protect against threats? Is the vendor able to deploy and optimize next-generation threat detection technologies and analytics, for example, to reduce incident response times and deliver remediation strategies or services in the shortest possible time? To what extent are the vendor's services well integrated or how easily can they be integrated with the customer's existing security operations? Portfolio roadmap (10%) What new services does the vendor intend to introduce in the next months and how do its plans compare with competitors' roadmaps? How is the vendor enhancing and innovating in the delivery of its services? Has the vendor made any recent mergers and acquisitions that have implications for its roadmap and strategic direction? Delivery platform (15%) Does the vendor have a modern intelligence-driven SOC platform into which additional functions such as incident response (IR), remediation, and advanced threat intelligence can easily be added and integrated? Does it have a standard SOC delivery platform and frameworks for customer integration? Can the vendor support a variety of different delivery models for its SOC, including on-site, dedicated hosted, shared, and as-a-service? Tools and partner relationships (10%) Is the vendor "neutral" with regard to the customer technology it monitors and manages, and the providers it partners with to deliver its MSS? Does the vendor partner with more than one SIEM provider or is it allied to a proprietary SIEM or "SIEM-less" strategy? Can it adapt its processes to manage and optimize the customer's existing SIEM and toolset if they differ from the vendor's own SOC platforms and architecture? What status does the service provider have with key technology partners and especially the many small innovative start-ups in the security technology marketplace? Does it run joint development and go-to-market programs with key partners? Does it have dedicated security centers of excellence (CoEs), where it can demonstrate solutions developed with partners? Page 7

8 Maturity of service line/portfolio (10%) How long has the vendor been actively marketing MSS as an identifiable, discrete service line and how many customers does it have for its discrete MSS offering? Does it have a high percentage of "standalone" MSS contracts or is it delivering MSS mostly as an integral part of larger IT outsourcing and systems integration contracts? What percentage of the vendor's MSS sales are "standalone" versus bundled as part of an IT outsourcing contract? Execution (40% of final weighting) The weightings attributed to the assessment criteria for the execution dimension of this Decision Matrix are illustrated in Figure 3. Figure 3: Execution criteria and weightings Source: Ovum Again, there are multiple weighted components for each criterion and these are summarized as follows: Go-to-market strategy (10%) How successful has the vendor been in evangelizing its MSS offering to its target markets? Does the MSS business have its own dedicated sales team or does it rely on the vendor's general global sales force? Does the vendor have a cohesive security services "story" that appeals to the business as well as to the CIO/CISO? Engagement model (10%) How flexible/customizable are the vendor's MSS contracts? Is it easy to combine services, including consulting and professional services, incident response (IR), business continuity, and MSS under one contract? Does the vendor have flexible pricing models or subscription models that spread the cost of event-driven services (such as IR) or enable credits for unused services to be transferred? Does the vendor offer a variety of engagement models from utility "as-a-service" consumption models to multiyear transformational projects? Page 8

9 Does the vendor also have a fixed-price service catalog or portal-based catalog for modular MSS? Processes and execution (30%) Does the vendor have mature security operations processes that adhere to ITIL, COBIT, or other standard methodologies? Does the vendor have a proven track record of delivering simplification, well-defined processes, SOC optimization, and operational efficiency? Has the vendor developed "security integration" frameworks that provide reference points for the customer's transition from its current-state security operations maturity level to its future desired state? Does the vendor have a global footprint of certified security professionals? Does it have security professionals with deep understanding of highly regulated and security-sensitive industries such as banking and financial services, central/federal government, insurance, and healthcare? Service delivery (20%) Does the vendor have shared SOCs in multiple regions worldwide? Does the vendor have certified onshore and offshore resources capable of delivering on-site or remote MSS support in multiple regions and countries? Does the vendor offer a range of different service delivery models, including on-premise SOC, shared SOC, dedicated hosted SOC, staff augmentation, offshore monitoring and management, and as-a-service/cloud-based MSS? Service governance (20%) What level of dedicated or specialist resources does the vendor offer in its SOCs? Dedicated account management is table stakes; desirable attributes include dedicated account teams and support in the vendor's SOC allied to on-site operations (vendor's or customer's own), dedicated customer account analysts in the vendor's SOCs (onshore or offshore), industry compliance specialists, global risk and compliance (GRC) monitoring services, and the ability to manage all elements as "CISO-as-a-service." Does the vendor have a track record of delivering well-integrated governance, regular meetings, planning, reporting, and assistance in managed services in general? Customer success/retention (10%) How successful has the vendor been in winning new customers from competing MSS suppliers and retaining existing customers? To what extent is the vendor referred to by other MSS suppliers as a competitor? How often does it appear on RFP shortlists for large commercial security services contracts? How successful has the vendor been in winning large, high-status MSS contracts? Market impact (20% of final weighting) This dimension assesses the global market impact of a provider. The weightings attributed to each criterion are illustrated in Figure 4. Page 9

10 Figure 4: Market impact criteria and weightings Source: Ovum The weighted components that have been attributed to each criterion on the market impact dimension are summarized as follows: Market evangelism and market visibility (45%) Is the vendor perceived as a leader in the managed security services market, separate from any IP, technology, and products that it also develops? Is the vendor seen as a thought leader or leading contributor to security intelligence? Can the vendor cite examples of innovation, papers, publications, or threat reports? Revenue/customer base (10%) How big a player is the vendor in the MSS market by revenue? How many MSS customers does the vendor have worldwide? How many endpoints does the vendor currently protect? What percentage of the vendor's MSS contracts is worth more than $5m in total contract value? Growth (15%) What revenue growth did the vendor achieve in its latest fiscal year? Is it growing ahead of the market, keeping up with its peers, or lagging behind the market? Geographical market penetration (15%) What geographical penetration has the vendor achieved outside of its home market (where it is headquartered)? Does its home market account for more than 80% of its security revenues or customer base? Vertical market penetration (15%) What market penetration has the vendor achieved in commercial markets as opposed to federal government and defense? Is the vendor primarily a supplier to multinational corporations (MNCs) and large enterprises as opposed to midmarket or SME customers? Page 10

11 Ovum ratings Market leader: This category represents the service providers that achieved the highest overall scores across all three assessment dimensions. They are a good fit for the broadest range of customers from small to large. A market leader has established a commanding market position with a service portfolio that is comprehensive and matches the broadest range of customer needs, from staff augmentation and security monitoring to fully outsourced security operations. Similarly, the vendor offers the most comprehensive set of delivery options from dedicated on-site services to "as-a-service." Market challenger: The providers in this category may perform well on one Decision Matrix dimension, but less well on others, or may perform reasonably well on two or more dimensions, but don't make it into the leaders' category. Most of these providers offer a narrower set of services than the market leaders and don't offer all of the service delivery options available from the leaders. Some are focused on a specific type of service delivery, such as a more traditional bespoke outsourcing approach. The market challengers' services are generally tailored to specific types of customer and engagement models. Market challengers may be strong or indeed leaders on specific assessment criteria, so customers should pay attention to the criteria that are most important to them. The market challengers' offerings generally provide competitive capabilities and sound managed security propositions, but customers will select them on the basis of how the providers' strengths align with their specific needs. Market outlier: Providers in this category typically meet the requirements of customers looking for a more traditional bespoke outsourcing approach to their IT security needs. Market outliers have a narrower target market, often focusing on specific verticals or geographies where their understanding and insights into industry regulation and compliance put them into contention with other suppliers. They know their approach will not suit all customers, but it often appeals to highly regulated industries, the public sector, and MSS engagements embedded within larger IT outsourcing engagements. Market outliers have not attempted to "modularize" their services, preferring to concentrate on custom-engineered solutions and the skills of their analysts rather than discrete services for "out-of-the-box" solutions. Consequently, their services are more expensive to deploy than their competitors'. Market and service analysis Ovum Decision Matrix: Managed Security Services, The MSS market has expanded and developed considerably in the last several years from the telecoms-dominated market of five or more years ago to the establishment of security operations as a major IT and business function, whose complexity has led to demand for assistance not only in how to design, build, and run secure enterprise IT, but how to protect the business and reduce risk. The MSS market has developed from one where providers concentrated on managing point solutions and technologies protecting the edge of the enterprise network to one in which providers take a holistic view of protecting the organization's ICT infrastructure, data, and related business processes. The telecoms and network carriers sold circuits and network appliances which made them the obvious choice for monitoring network traffic in the Internet age and keeping out the bad guys. This was a Page 11

12 managed service they could bundle and sell with a circuit. This also created the construct of customers protecting the edge separate from the core of ICT infrastructure. More recently, the sophistication of the attackers, universal interconnectivity, mobile devices, and the universality of online and social media as primary front-office channels for businesses and public organizations alike have meant that MSS is no longer just about keeping the bad guys out or protecting the perimeter. Breaches will occur internal and external attackers will get into places they shouldn't be so now MSS isn't just about building and maintaining the defenses; it's also about spotting and responding to the breaches, the malware, the advanced persistent threats, and the zero-day attacks. Systems integrators have been managing security and protecting organizations as part of their IT outsourcing contracts for years. In many cases, they have done this by managing a litany of security point solutions. As demand for managed security increases from organizations across the board, whether or not they've outsourced their IT, the SIs have joined the telecoms vendors in offering a broader set of services designed to augment, assist, manage, or outsource security operations to a greater or lesser degree. However, the SIs and IT service providers have moved the focus to the core ICT infrastructure and applications in contrast to the initial network and perimeter focus of the telco MSSPs. Not surprisingly, the telco MSSPs are following suit. Figure 5: Ovum Decision Matrix: Managed Security Services, Source: Ovum Page 12

13 Figure 6: Expanded view of Ovum Decision Matrix: Managed Security Services, Source: Ovum Table 1: Ovum Decision Matrix: Managed Security Services Market leaders Market challengers Market outlier IBM CSC CGI HPE Dell SecureWorks TCS Unisys Source: Ovum Market leaders: managed security services IBM and HPE are the overall MSS market leaders both in terms of their size (annual MSS revenues and global presence) and the comprehensiveness of their service offerings. Both are well-known technology providers and have large systems integration businesses with global reach. This has had an important influence on the way they have developed as MSSPs. They have a heritage of large-scale IT outsourcing, especially to highly regulated industries such as financial services and central/federal government. They have deep industry knowledge and can relate this to business needs. They are also the two vendors with the broadest global footprint, both in terms of SOC locations and in terms of customers and devices under management. This means they have a wide view of the global threat landscape just from their internal customer base alone. In both cases, this is supplemented by both open and closed external sources (i.e., publicly available and confidential intelligence sources). In terms of service offerings and delivery, IBM and HPE cover the broadest range of customer needs of any suppliers here. However, while both are security technology providers (they both develop and market SIEM technology: IBM QRadar and HPE ArcSight), they are not the outright leaders in terms Page 13

14 of technical capability or vision. Those accolades go to Dell SecureWorks. Instead, where IBM and HPE impress most is in the consistency of their scores across a range of criteria and specifically on the execution and market impact dimensions. On the key execution dimension in particular, IBM leads on service delivery and HPE leads on service governance. IBM has all the service delivery options covered, from cloud to on-site, hosted, and fully managed SOCs and can deliver its MSS portfolio at global scale. HPE's "Pod" model in its shared SOCs can provide security analysts dedicated to a large customer or a group of smaller customers, rather than using its SOC resources simply to provide security for a broad range of clients on a "next-in-line" basis. Market challengers: managed security services There's very little to divide the scores of the four market challengers: CSC, Dell SecureWorks, TCS, and Unisys. However, the similarities of the overall scores mask key differences in their offerings and service delivery. CSC comes from a traditional SI heritage and has been a major supplier of security services to the US government for a number of years. It has a very broad portfolio of modular MSS offerings covering everything from data center to endpoint security and identity management, and from cloud to mobility and application security, for those customers looking to augment their security functions with specific services. However, it can also deliver an integrated approach to security operations, governance, and compliance through its Risk Management Center (RMC) SOC strategy. RMCs can be delivered and managed either on-site or from CSC's global shared SOCs. The main challenge for CSC is that it is a company in transition. It has split off its US public sector business into a separate company (CSRA) and is refocusing its remaining commercial sector business away from traditional large-scale ITO contracts to the new world of cloud, big data, and next-generation "IT-as-a-service." Its security resources have also suffered attrition, although CSC is keen to emphasize that cybersecurity is strategic to its future. CSC's immediate challenge will be to survive the delta between the decline in its traditional ITO business and the growth of its next-generation services, one of which is cybersecurity. With its broad portfolio of discrete modular MSS offerings, Dell SecureWorks comes from the other end of the MSSP spectrum to the SIs featured in this Decision Matrix. Nevertheless, its regular appearance on enterprise customers' MSSP shortlists means that it should be assessed along with its SI competitors. Dell SecureWorks isn't in the business of taking on the on-site management of a customer's existing SOC, though that's something that Dell Services, which often leads with SecureWorks, would undertake. It is consequently marked down on the execution dimension. Its strengths lie in its technical capabilities and especially its threat intelligence, incident response, and threat hunting and forensics capabilities. There are some omissions in its portfolio, notably managed SIEM, which could prove problematic to customers who have made significant investments in SIEM technology and for whom the SIEM is central to their SOC operations. Consequently, SecureWorks is marked down on criteria such as completeness of offering and for its limited execution/service delivery options compared with SIs. TCS is a very successful SI with a large international customer base in banking and financial services, insurance, manufacturing, and telecoms, including many Global 1000 clients. TCS's main strengths as an MSSP are in its ability to deliver its services, wherever customers are in their security operations lifecycle, be it design, build, optimize, transform, manage, or replace. It is a market leader on process and execution, and the customer success/retention criteria. It is also the fastest-growing MSSP in our Decision Matrix, though from a smaller customer base than most of its SI competitors. However, it is Page 14

15 focused on the larger, more comprehensive security services and "embedded" MSS outsourcing engagements, rather than one-off MSS sales. TCS is global in that it has a global ITO customer base and looks after 26 dedicated SOCs worldwide, but its service delivery capability is restricted by its lack of shared SOCs. We understand it will bring new shared SOCs online in the US and UK (its largest markets by geography) in However, scale and lack of evidence of its ability to access leading-edge technical capabilities and intelligence sources hold it back on the offering dimension. Unisys focuses its MSS activities primarily around managed SIEM (and more specifically, HPE's ArcSight), although it also has a reasonably comprehensive portfolio of complementary services covering security device management; governance, risk, and compliance (GRC); and identity and access management (IAM). The MSSP's USP for managed SIEM is the event analytics platform that it has built around the HPE ArcSight correlation engine. For ArcSight customers that want to optimize their SIEM, the Unisys Noise Cancellation Advanced Analytics Platform (UNCAAP) is an obvious attraction and one that leads to high scores for Unisys on criteria such as delivery platform and processes and execution. The ArcSight managed SIEM is the focal point for the vendor's integration efforts and its moves to bring more automation into security operations it has integrated its ArcSight event correlation engine with the central Unisys Customer Ticketing System to speed up incident response and remediation, for example. However, the vendor's main challenges are its relatively limited scores on the market impact dimension. It doesn't have the scale of its main competitors in terms of customer numbers, revenues, and reach, and we think it could do more to evangelize its proposition and expand its focus beyond ArcSight. Market outliers: managed security services There is one market outlier in this Decision Matrix, so-called because while it competes for managed security engagements with other SIs and MSSPs, it has no pretensions to be an MSSP or provider of MSS as a discrete service line. CGI is a global SI with a strong security services customer base as a supplier of secure IT to the US federal, Canadian, and UK governments. It is also a leading SI with many large customers in banking and financial services, insurance (a particular specialty for CGI's security business), utilities, oil & gas, and commercial sectors, particularly in the UK and Europe. So what does CGI do that will meet the needs of some MSS customers but not others? CGI sees itself as a "security integrator": it takes what its customers already have in the way of security and makes it better or it builds a fully managed security operations service from the ground up. Often, that requires a highly custom-engineered solution and "full service" approach that's at the other end of the spectrum to Dell SecureWorks with its comprehensive portfolio of very function-specific services. The main reason CGI is classed as a market outlier is that it isn't trying to address the more commoditized end of the market where demand for affordable, industrialized, and customizable services is growing fast. It is consequently marked down on the offering dimension. While CGI acknowledges that there is a growing market for a discrete security services service line, it sees MSS as a component within that service line. Because it is focused on a more bespoke approach than its MSS-focused competitors, it doesn't have the same global coverage and variety of service delivery as its competitors (it has fewer shared SOCs outside of North America), and potential customers won't find a portfolio of discrete, standardized, managed security services, for SIEM, firewalls, or secure Web gateways, for example. Those services exist, but only within the context of the full scope of security operations required by the customer. Page 15

16 Market leaders Market leaders: Offering Figure 7: Ovum Decision Matrix: Managed Security Services, Market leaders Offering Source: Ovum The three overall leaders on the offering dimension were Dell SecureWorks, IBM, and HPE. Dell SecureWorks was the outright top scorer on four of the assessment criteria for this dimension: vision technical capability delivery platform maturity of service line/portfolio. It shared top honors with TCS for tools and partner relationships. Dell SecureWorks exists to deliver IT security services. It has its own budget and P&L. It is an autonomous business unit within Dell and as such is more focused on developing MSS than other MSSPs that are part of a wider systems integration business and have to compete with other business units for budget and resources. SecureWorks has consistently promoted an intelligence-driven, proactive vision of MSS. Its intelligence gathering, hunting, and forensics resources feed back into its managed security services to offer customers advice and help in proactively protecting against threats. It has consistently demonstrated its technical capabilities in its ability to develop new services around innovative new security tools ahead of the competition. IBM was the top scorer on "completeness of offering" and runner-up on three criteria: technical capability portfolio roadmap Page 16

17 maturity of service line/portfolio. IBM's great strength is that as an SI it has been managing IT for some of the largest companies and organizations in highly regulated and risk-averse industries for almost longer than any other vendor. Its security professionals have a deep knowledge of the security needs of customers in these industries and this is reflected in the breadth of its MSS portfolio. Cybersecurity is one of IBM's five strategic imperatives, which is why it decided to bring IBM Security Services and IBM Security Systems together in a new IBM Security business unit. By bringing the two businesses together, the vendor believes it will derive additional synergies in terms of technical capabilities and roadmap. We also believe it drove out some of the complacency that existed when Security Services was part of IBM GTS and success was measured by the size of the strategic outsourcing deals it took part in. IBM Security Services is a growth business keen to develop more consumable services that match the needs of customers embracing cloud computing, mobility, analytics, and social media. HPE was the top scorer on the "portfolio roadmap" criterion, second placed on "delivery platform" and completeness of offering, and fourth placed on "technical capability." HPE's Enterprise Security Services business unit is part of the vendor's Enterprise Services division and by mid-2015 had a customer base of at least 1,800 customers with strong representation among Global 1000 customers, as well as with US, UK, and Canadian government customers. The customer base and its moves to embrace what HPE calls the "new style of IT" (cloud, mobility, and analytics) have strongly influenced its portfolio and roadmap, while the fact that HPE can leverage its own ArcSight SIEM technology and Vertica analytics tools have added to the Enterprise Security Services' technical capabilities. HPE has nevertheless maintained a high degree of "neutrality" with regard to the devices it monitors and partners with whom it works. Another key asset is HPE's distributed delivery platform, which is hosted in three "global" SOCs in North America, the UK, and Australia (most other vendors' security services delivery platforms are located only in one location, usually North America). It also has "regional" SOCs in Canada, Costa Rica, Germany, Bulgaria, India, and Malaysia. The regional SOCs in Canada and Germany were opened for data privacy reasons. Page 17

18 Market leaders: Execution Figure 8: Ovum Decision Matrix: Managed Security Services, Market leaders Execution Source: Ovum IBM, HPE, and TCS are the overall leaders on execution. However, only TCS is a top three scorer on the most important criterion of processes and execution (in fact, TCS is the top scorer). Interestingly, it is two other SIs, Unisys and CGI, that also mark themselves out as having especially good processes and execution. All three SIs have well-defined processes and methodologies for optimizing customers' security operations (often that means outsourcing the SOC to the SI), delivering improved service levels and response times, embedding secure operations within IT and business processes, and architecting security support for cloud, mobility, and the app-based marketing and sales channels that many businesses are keen to deploy. All the MSSPs in our assessment have very high levels of certifications among their security professionals and attract a high caliber of professional in many of their locations around the world. Security experts like to work with the best in their trade and it is easier for an MSSP to attract skilled individuals than it is for most commercial companies or public sector organizations. Nevertheless, the challenge for MSSPs is retaining high-caliber professionals, when demand for their skills is so high, especially from more successful competitors. Vendors that are in transition and undergoing reorganization are often vulnerable to seeing talent poached by competitors and this may be reflected in the vendor's ability to retain customers and its market impact. IBM, HPE, and Unisys rank highest on service delivery. They generally support the widest range of service delivery models, from on-site to "as-a-service"; have the most comprehensive global SOC coverage; and have onshore, nearshore, and offshore resources capable of delivering on-site staff augmentation or remote monitoring and resident services in multiple regions and countries. Page 18

19 HPE's "Pod" setup in its SOCs provides dedicated account delivery teams with tier-2 and above analyst support for large customers or groups of smaller customers. This and other typical SI attributes, such as local account management and responsibility; involvement in local industry, government, and public sector regulatory processes; and compliance monitoring on large outsourcing contracts, put HPE, CGI, and IBM in the lead positions on service governance. Market leaders: Market impact Figure 9: Ovum Decision Matrix: Managed Security Services, Market leaders Market impact Source: Ovum Overall, we consider market impact to be a less important dimension in our assessments than the offering and execution dimensions. We have consequently given it a lower weighting than the other two dimensions. Nevertheless, we recognize that market positioning, customer base, growth, geographic penetration, and vertical market penetration will all play a part in the due diligence customers undertake when assessing potential suppliers. IBM is the largest player by revenues, though Dell SecureWorks has more customers: more than 4,000 by mid-2015 compared with more than 3,000 for IBM. At the other end of the spectrum, CGI and Unisys had just 150 MSS customers each. However, both vendors' MSS engagements, not surprisingly, tend to be far more substantial in contract value than Dell's. Typically, the SIs' larger MSS deals tend to be where MSS is a bundled component in a larger ITO or SI contract. MSS is a double-digit growth market for all seven vendors, but the standout growth rates are for TCS, Dell SecureWorks, and CGI. We estimate TCS at 30% revenue growth and CGI at 25%. Dell SecureWorks is part of the privately owned Dell, so does not disclose revenue or growth data. However, we believe it is performing well in its segment of the market. TCS and CGI are growing fast off a small base, but even so, they are outperforming some of the other SIs. Dell's growth rates are particularly impressive given its relatively large customer base, but this reflects the surge of demand for MSS, particularly in Dell's midmarket heartland. Now that IBM Security Services is part of IBM Page 19

20 Security, we would expect it to target the midmarket more aggressively with its modular and cloud-delivered MSS offerings. Even CSC and Unisys are considering how they can address the needs of the midmarket with more modular services and services "for the cloud, from the cloud." Vendor analysis In this section, we highlight differentiation between the providers to enable organizations to evaluate and compare these providers' capabilities. CGI (Ovum recommendation: Outlier) Figure 10: CGI Market outlier Source: Ovum CGI is headquartered in Canada and is a leading systems integrator in North America and Europe, having acquired UK-based SI Logica in CGI has a large federal or central government customer base in North America (both US and Canada) and the UK. The other main vertical markets on which it focuses include banking and financial services, insurance, oil & gas, utilities, and "commercial," which includes retail, travel and transport, and manufacturing. CGI is at the other end of the spectrum to the "pure-play" managed security services providers, such as Dell SecureWorks, in that it has a more holistic view of MSS, within an overall lifecycle approach to the customer's security needs and posture. As an IT outsourcer, security is baked into service delivery for its outsourcing customers. For MSS customers looking for assistance with their IT security needs, whether that is something as basic as a service provider to monitor their systems and services to Page 20

21 ensure compliance with industry regulation, or an SI to design, integrate, and manage their end-to-end security operations, CGI's approach is that of a "security integrator." It offers consulting, engineering, and managed security services from its Global Cyber Security Group, and its MSS engagements typically involve consulting and assessment of the customer's governance, risk, and compliance (GRC) needs, reengineering of its security operations, and service delivery and service governance in accordance with those GRC needs. CGI isn't in the game of selling discrete security appliance monitoring services from an online service catalog, so customers won't find a portfolio of discrete managed security services to choose from. However, in addition to the "holistic" Protective Monitoring services it delivers from its SOCs, it has recently added the Advanced Threat Investigation (ATI) service. This is intended for customers (commercial and public sector) with sophisticated monitoring requirements, and uses analytics, threat intelligence (from open and closed sources), malware analysis, and advanced sensors to identify and trace advanced attacks. Developed in the UK and now being rolled out in North America in 2016, ATI is again indicative of CGI's strong engineering and integration focus, rather than the more portfolio-based approach of a typical MSSP. While CGI's Global Cyber Security Group is horizontal in that it supports all CGI's vertical industry practices, its go-to-market focus is closely allied to its verticals. Deep knowledge of industry processes and an ability to understand the business's risk profile allied to an understanding of the industry's propensity to invest in security mean that CGI can tailor its services to the needs of industry verticals. Experience and knowledge of security issues and requirements in one industry are often relevant and transferable to others. Governments, for example, store huge amounts of personal data, while retailers store huge amounts of customer data. The problems and risks facing the two are similar, so experience in one can help in another, even when the customers are in entirely different parts of the world. The ability to understand the requirements and issues of different verticals and the industry knowledge and skills of its analysts are CGI's chief differentiators: it does a lot of work for the insurance vertical, for example, and this gives the cybersecurity team greater insight into the regulatory environment (it is an advisor to the industry). Similarly, as a global supplier, CGI can pick up on regional variations or learn things in one region that can be applied in another: for example, California was a leader in data protection. Now that there is a big push around data protection in the UK, CGI can look at what happened in California and anticipate requirements elsewhere. CGI is one of the smaller MSSPs in this Decision Matrix, with a customer base of 150 customers worldwide, but as we have already noted, it is not aiming to be a typical MSSP selling a portfolio of discrete managed security services. It says demand for its brand of security services is growing strongly, which has encouraged it to market managed security as a distinct service line within its overall security offering. It has around 1,400 security professionals worldwide, of which 1,100 are employed in managed services and operations. This may seem high given the size of its customer base, but CGI concentrates on high-value security services engagements as indicated above. Although it claims to be a global supplier, the majority of CGI's customers are located in North America and Europe, with some pockets in the Asia-Pacific region, notably, Australia and Hong Kong. The locations of its shared global SOCs reflect this (see Table 2), though CGI has actually reduced the number of SOCs it operates in order to ensure a consistent level of quality from all its centers. The table also indicates CGI's strong government security focus. It has government-accredited security Page 21

22 personnel in North America and on-site in most of the countries where it operates. It is a major UK government supplier. Table 2: CGI's global SOCs Center location Serving Comments Ottawa, Canada Global government and commercial clients Supports clients in Canada, US, and Europe. 24x7x365 Manassas, Virginia Government This SOC currently monitors CGI Federal's own internal network but can be expanded to provide services to external clients. Also supports Phoenix center. 24x7x365. Phoenix, Arizona Commercial The PDC SOC provides services to 95+ Commercial and Federal cloud and non-cloud clients 24x7x365. Bridgend, Wales, UK Government and commercial clients There is one SOC in the UK (South Wales). It serves several clients now, some government, some private sector. 24x7x365. The ATI team in Reading is not a SOC but it does support the SOC for complex cases. EPA NOSC/CSIRC Single government client This is a US government-owned and -managed SOC supported by CGI. 24x7x365 US Cyber Command J3 Single government client Although not a SOC in the traditional sense, US Cyber Command is a tier-1 Computer Network Defense Service Provider (CND-SP) where CGI staffs the J3 Watch Desk. 24x7x365 Source: CGI Ovum SWOT assessment Strengths Holistic approach to managed security needs and strong engineering/integration focus Major IT security provider to US, Canadian, and UK governments Ability to deliver on-site SOC and other locally based managed security services in its primary geographical markets Deep understanding of highly regulated and security-sensitive industries: government, banking and financial services, insurance, energy, and utilities Weaknesses Lacks the global scale of some of its competitors, but seems over-resourced for the number of clients compared with its competitors Lacks visibility in certain key markets such as US commercial, continental Europe, and major APAC locations Limited shared SOC capability outside of North America Vendor neutral, but lacks industrialized "technology solutions" approach and roadmap Opportunities Ability to deliver dedicated SOC facilities from its North American and European facilities Page 22

23 Ability to deliver locally based expertise and understanding of the security risks and needs in key industry sectors Potential to industrialize and sell its SOC-based monitoring services and its Advanced Threat Investigation services to a wider commercial audience Wider marketing of secure cloud offerings, especially Microsoft-based offerings Threats Global competitors selling a more industrialized, modular catalog of MSS, which they can support with fewer personnel Offshore competitors with cost-competitive MSS offerings Lack of clarity around its offering and strategy and failure to embrace the wider market opportunity beyond existing regional vertical-industry targets CSC (Ovum recommendation: Challenger) Figure 11: CSC Market challenger Source: Ovum CSC is another SI that has developed MSS as a service line separate from its large-scale IT outsourcing activities. While the management of security operations and development of SOCs was always something embedded in its large-scale IT outsourcing engagements, CSC was one of the first SIs to recognize the growing need for MSS and security services as IT service lines in their own right. Having established MSS as a strategic component in its IT services portfolio, CSC set about developing a security services framework and a managed security services portfolio. The overall Page 23

24 framework is known as the CSC Risk Management Center or RMC Framework (see Figure 12), which integrates traditional "passive" managed security operations with threat intelligence, proactive analytics and response, GRC requirements, and various counter-threat activities. The RMCs are essentially CSC's integrated next-generation SOCs. Figure 12: CSC Risk Management Center Framework Source: CSC CSC's MSS portfolio consists of a number of discrete security services under the categories of mobile, app, endpoint, network, cloud, and identity and access management. It has done more than most SIs to create a portfolio of discrete managed security services, similar to those of the pure-play MSSPs and telco MSSPs. However, while CSC has said that it is keen to address some of the more function-specific needs of midmarket and smaller clients and has shown a willingness to go after smaller engagements throughout its IT services business, we don't believe that CSC is doing this to become more of a volume player in a commoditized MSS business. CSC's main targets are still midsized to large enterprises that are finding it difficult to find and retain the skills and resources to integrate, optimize, and run their internal security operations. Its moves to modularize and rationalize the MSS portfolio and define an architectural template for end-to-end risk management, which is what the RMC represents, should be seen in the overall context of the vendor's attempts to improve efficiency in delivering on its engagements. It needed a portfolio of repeatable services that it could implement efficiently without reinventing the wheel every time. CSC delivers its services to a global client base and is resourced accordingly. It has approximately 700 full-time engineers and analysts dedicated to MSS, though this is notably smaller than some of its competing SIs. The majority of its analysts are located in the Americas and India (approximately 250 in each location), while the remaining 30% are split between APAC, Australia, and Europe. It has nine SOCs worldwide: four in the US, two in the UK, and one each in Australia, India, and Kuala Lumpur. It Page 24

25 supports over 30 languages through its service desk and offers local language support for onshore security services in the main European languages. CSC has more than 460 customers worldwide, ranging from very large government agencies down to smaller organizations of around 1,000 employees. The customer base is split roughly between 30% government clients and 70% commercial clients. Like the other SIs in this Decision Matrix, CSC is a government contractor for security services in North America and the UK. However, it recently spun off its US public sector business into a separate publicly traded company, which combined with SRA International in November 2015, and is now known as CSRA. Apart from decreasing the size of CSC's overall revenues, this will also have an impact on CSC's security revenues and investments, as a large proportion of the vendor's security revenues were associated with its US federal government business. Security services and specifically cybersecurity nevertheless remain strategically important to the slimmed-down CSC, alongside big data and cloud computing. CSC previously set great store by its connection to the US federal government and the insights and investments it was able to gain from being part of the US government intelligence community. The post-spin-off CSC will not have the same access to these resources and both security revenues and personnel will be reduced, affecting our assessment of the vendor's current "market impact." CSC will retain a number of public sector clients in other countries (Canada, the UK, and Australia, for example), but these may not have the same kudos as being a US federal government security contractor. Some of CSC's most talented US-based security analysts will also no doubt transfer to CSRA, and CSC's operations have been subject to some attrition in recent quarters. Besides government and the public sector, other key markets include healthcare, banking and capital markets, insurance, energy and natural resources, travel and transport, manufacturing, and technology and consumer services. Ovum SWOT assessment Strengths Mature security services provider with deep government and public sector experience and understanding Comprehensive MSS portfolio including cloud, mobility (including apps scanning and mobile ), and IAM Global SOCs and service delivery capability, with onshore resources in primary geographical markets Very experienced personnel with strong technology focus coming from cloud (ServiceMesh) and analytics (Infochimps) acquisitions Weaknesses Customer perception of an old-school SI needs to do more to sell its vision of a next-generation service provider and the importance of cybersecurity in its strategy Spin-off of the US public sector business implies a reduction in security revenues and resources Suffered revenue declines and customer losses as it restructured its commercial business prior to the spin-off of the US federal government business Page 25

26 Opportunities Capitalize on acquired IP and skills in data analytics (Infochimps) and hybrid cloud integration and orchestration (ServiceMesh) Build on secure cloud offerings in both hybrid cloud and mobility space Build on partnership with HCL to deliver additional consulting and managed security services to complement the vendors' joint application-modernization venture Take advantage of increasing global demand for MSS, especially in APAC Threats Increasing competition from offshore providers Global competitors upselling MSS to their existing SIEM customers Loss of talent Inability to maintain investments in the face of declining revenues and earnings Dell SecureWorks (Ovum recommendation: Challenger) Figure 13: Dell SecureWorks Market challenger Source: Ovum Dell acquired SecureWorks in 2011 and it operates as an autonomous business unit within the company, reporting directly to Michael Dell. Dell SecureWorks is a pure-play managed security services provider, delivering MSS and security consulting services. As a Dell company its services are Page 26

27 marketed globally, wherever its parent has a presence, but in reality, most of its 4,000+ customers are based in North America. Dell SecureWorks' traditional market has been midmarket enterprises, but as demand for MSS has grown, the client base has expanded to encompass everything from SMEs to Global 500 corporations. Unlike the SI providers of MSS, SecureWorks does not have a vertical go-to-market focus its sales span all verticals. However, other businesses within Dell do focus on particular verticals, notably Dell Services, and the latter often includes ServiceWorks offerings in its sales to healthcare, education, government, and the public sector. Perhaps not surprisingly, the vast majority of SecureWorks' business comes from the financial sector. Dell SecureWorks has five SOCs: three in the US (Atlanta, Chicago, and Providence, Rhode Island), one in Edinburgh, Scotland, and one in Japan. It also has a center of excellence (CoE) based in Romania. The CoE is a facility for the provisioning of "virtual residents" (security experts who work on a dedicated basis for clients) to perform a number of security duties as requested. Dell's SOCs are operational 24x7x365, but do not operate a "follow-the-sun" model. Dell SecureWorks offers a very comprehensive portfolio of managed security services, but there are some notable omissions. It does not offer managed SIEM services and does not currently provide managed services for IAM, mobile security services (though it does offer advanced endpoint threat detection), or business continuity services (though these are currently available from Dell Services). The service provider explains the lack of managed SIEM on the basis that it doesn't use basic SIEM technology in its own SOCs and doesn't believe it can add value to SIEM products. Instead, its strategy is to add intelligence and apply analytics to its monitoring services wherever it can. If SecureWorks is ever asked to take on the management of a customer's existing SIEM, it generally treats this as an opener for a bigger discussion about the customer's security issues. A more cynical view would suggest that Dell doesn't want to leave any openings for MSS competitors, such as IBM and HP, that have proprietary SIEMs and also want to upsell MSS to those customers. Dell SecureWorks is mid-table in terms of revenue size compared to other MSSPs. It does fewer full security lifecycle, multiyear contracts than the global SIs and MSSPs, such as HP and IBM. However, the size of SecureWorks' customer base indicates the strength and market impact generated by sales of its discrete MSS portfolio. Ovum SWOT assessment Strengths Combination of people and technology: strong technology focus, especially in the use of analytics, forensics, and intelligence gathering; well-respected research team Counter Threat Unit (CTU) Clearly defined MSS portfolio, integrated around the SecureWorks Counter Threat Platform (CTP), which forms the backbone for all its MSS Able to deliver a range of MSS solutions from basic appliance management and monitoring to complex re-architecting of customers' security operations Weaknesses Limited number of SOCs in continental Europe and APAC Limited service delivery options does not support dedicated on-site SOCs for commercial customers, for example Page 27

28 Lack of managed SIEM offering for those customers who have significant existing investments in the technology Current lack of managed IAM services Opportunities Establish additional SOCs in continental Europe and APAC Partner with global and local SIs to deliver more complex MSS engagements and on-site SOC support in regions where Dell Services has limited coverage Capitalize on increasing demand for MSS from midmarket customers Threats Global competitors upselling MSS to their SIEM customers Acquisition of key technology partners by competitors Competitors offering a full suite of security lifecycle and SOC transformation services Hewlett-Packard Enterprise (Ovum recommendation: Leader) Figure 14: Hewlett-Packard Enterprise Market leader Source: Ovum The former HP split into two businesses, HP, Inc., and Hewlett-Packard Enterprise (HPE) in November The Enterprise Security Services (ESS) business remains with the Enterprise Services division of HPE. Enterprise Security Services has been delivering security services for more than 15 years, and although its 1,800-plus customers mean it is not quite as big as IBM Security Page 28

29 Services or Dell SecureWorks in terms of customer numbers, we estimate that it is the second largest MSS provider in revenue terms after IBM. HPE's customers are primarily large enterprises (Global 1000), multinational corporations, and public sector customers in the US, Canada, and the UK. The nature of its client base means that a lot of its engagements are complex end-to-end "security integration" projects. However, HPE also develops and markets the popular ArcSight SIEM (used by many other MSSPs) and is increasingly upselling managed SIEM services to customers that only have a small security operations team and are looking to get the most out of their SIEM investment. In spite of HPE also being a developer of proprietary SIEM technology, ESS claims to be "vendor neutral" and able to support and manage a wide range of third-party products and software. It has an impressive list of security technology partners. Because of this and the increasingly modular nature of its managed security services, HPE is moving more towards the middle of the MSS continuum than other SIs, with a mix of some commoditized services, as well as dedicated "custom" managed security operations. Not surprisingly, ESS makes use of ArcSight for correlation and log collection purposes, but has designed its own custom analytics engine (based on HPE Vertica) and portal for its SOC platform. HPE has 10 SOCs worldwide. One of HPE's differentiators is that it has a distributed security platform located in three global SOCs in the US, UK, and Australia, and regional SOCs in Canada, Costa Rica, Germany, Bulgaria, India, and Malaysia (there's a second SOC in the US too). As well as providing global coverage, this enables logs to be collected and stored in-country, where customers have a need to keep data within their home country or region. Its investigation and response platform is also distributed within its three global SOCs. Another of HPE's differentiators that we would call out is the "Pod" model it has adopted for its service delivery teams (see Figure 15). In the Pod model, a set of senior-level analysts are dedicated to a large customer or a group of smaller customers, rather than providing security for a broad range of clients. This allows for more intimate knowledge of the customer and a closer relationship with the customer's teams. The Pod model also fosters collaboration across the organizations (both HPE and the customer) and allows for the quick dissemination of threat intelligence. Page 29

30 Figure 15: HPE Enterprise Security Services "Pod" service delivery teams Source: HPE Like other SIs, HPE offers the usual service delivery options on-premise, hosted, shared service but also cloud-based "as-a-service" delivery. This further points to the way HPE Enterprise Security is expanding its offering to meet the needs of a more diverse set of customers as well as delivering a more industrialized and cost-competitive service even within its most complex customer engagements. HPE's recent announcement that it is partnering with Microsoft Azure as its preferred public cloud will offer new opportunities for ESS to offer cloud-related security services for customers building out their hybrid IT footprint around Azure. In addition to capitalizing on HPE's own in-house technology assets and resources to deliver a number of its security monitoring services from the cloud, Enterprise Security Services is also using HPE's Vertica data analytics software as the analytics engine underpinning its Security Investigation and Response platform. Analytics plays a key role in identifying trends and anomalies that may indicate attacker activities. Most MSSPs are increasingly applying analytics tools and in-house analytics expertise in a bid to improve their ability to identify threats, but HP seems to have gone further than most in integrating analytics into its core delivery platform. Page 30