MarketScope for Managed Security Services in Europe

Transcription

1 G MarketScope for Managed Security Services in Europe Published: 24 October 2012 Analyst(s): Carsten Casper The market for managed security services in Europe is mature. Offpremises-delivered services increase, communications and IT infrastructure service providers dominate, and security specialists fill a niche. Growth has slowed. What You Need to Know Managed security services (MSSs) in Europe show all the signs of a mature market, which continues to justify a Gartner MarketScope. Half of the providers that participated in this MarketScope reported their MSS revenue numbers (totaling about $950 million). For the other half, we estimate a revenue of $1.150 billion, based on etrapolated revenue numbers from previous years and regional portions of globally reported numbers. Smaller national providers, accounting for about 20% of the market, add another $400 million, bringing our total estimated market for MSS in Europe to about $2.5 billion in Those providers who reported revenue numbers claim growth rates of 30% on average, but we believe revenue growth of about 15% to be more realistic. Our "MarketScope for Managed Security Services in Europe" in October 2011 surveyed 17 European managed security service providers (MSSPs). For 2012, 19 MSSPs met our inclusion criteria. Overall, the provider landscape has been fairly stable. Strategic Planning Assumption By 2015, 30% of enterprises that use public cloud infrastructure as a service will also use MSSPs for security monitoring.

2 MarketScope Geographic Scope, Inclusion and Eclusion Criteria The market grew in volume (in terms of numbers of devices), so we revised our inclusion criteria regarding the minimum number of managed devices (1,000 firewalls and intrusion detection systems [IDSs]/intrusion prevention systems [IPSs] [see Note 1], instead of 700 devices last year). The minimum number of customers in Europe in 2012 remained stable (50 eternal customers; for the complete inclusion criteria, see the Inclusion and Eclusion Criteria section of this research). Several providers have a subregional focus in Europe: Atos in Benelu/France, Computacenter in the U.K./Germany, Open Systems and T-Systems in Germany/Austria/Switzerland, Orange Business Systems in Benelu/France/U.K., and Telefonica in Southern Europe. However, they have sales staff in several European countries and can support clients with regional (rather than local) requirements. This MarketScope has a strong focus on European clients, but these clients have operations all over the world. While 100% of them demand coverage in Europe, many of them also ask their provider to manage devices in other regions and countries (12% in Asia/Pacific, 6% in Japan and 24% in North America). Within Europe, clients report epected country coverage as follows: U.K./Ireland 42%, Scandinavia 12%, Benelu/France 24%, Germany/Austria/Switzerland 48%, Southern Europe 42%, Eastern Europe/Russia 6% and France 18%. Overall, we track around 100 MSSPs worldwide, with about one-third of them in Europe. The ones that do not appear operate mostly in one country (for eample, S21sec in Spain), provide a very specialized security service (such as Qualys for vulnerability scanning) or do not provide standalone security services (for eample, Unisys). The following providers were considered, but not included: Accumuli, CGI Group, CompuCom, Dimension Data, Outpost24, Qualys, Retarus, S21sec, S2 Grupo, Savvis, SecureIT, Spamina, SSP Europe, Telindus, Trustwave, United Service Providers and Unisys. Landscape of Different Types of Providers Remains Relatively Stable The market for managed and related security services continues to evolve, but the types of players are still the same. There are few stand-alone security players left in the regional European market. Most providers sell security services bundled with infrastructure management and outsourcing (for eample, Atos, Computacenter, CSC, Dell SecureWorks, IBM Security Services, HCL Technologies, HP, T-Systems and Wipro Technologies) or bundled with communications services (for eample, AT&T, BT Global Services, Cable&Wireless Worldwide, Orange Business Services, Tata Communications, Telefonica and Verizon). Only a few European providers focus on IT security (for eample, Integralis [now part of NTT Communications], Open Systems and Symantec). All providers in this MarketScope offer MSS as a discrete service. European security providers service approimately 6,500 clients in Europe, and operate about 35,000 firewalls, 11,000 unified threat management (UTM) devices, 8,000 network IPSs/IDSs and 23,000 server IPSs/IDSs, as well as 6,000 secure message and Web gateways (see Note 2). They also manage or monitor hundreds of Web application firewalls and customer-owned security information and event management (SIEM)/log management products. The large European players serve the U.K. and Ireland; Benelu; Germany, Austria and Switzerland; France; and Southern and Page 2 of 26 Gartner, Inc. G

3 Eastern Europe in fairly equal proportions to the populations and gross domestic products of those countries. Methodology We conducted our survey of MSSPs simultaneously in North America, Europe and Asia/Pacific. We contacted about 100 providers of MSS in these regions. Fifty-two replied to our worldwide scoping questionnaire. They included information about all the regions in which they operate. Based on this information, we selected a subset of providers per region that met our inclusion criteria. These providers answered a more detailed questionnaire and provided references. The questionnaire was the same in all regions. In Europe, 19 providers met our European inclusion criteria. We also contacted reference clients and conducted phone interviews, as well as online surveys. Reference clients were not only asked for information about their providers, but also questioned about other providers on their shortlists. Overall, we collected 50 client reference data points in Europe. The assessment in this MarketScope was performed on the basis of survey data collected in May and June 2011, and client reference information collected in June, July and August This survey focused on these security services (including managed customer premises equipment [CPE]), provider-hosted devices and cloud delivery. They are listed in order of popularity with European clients. Devices near the top of the list are managed and monitored most often, according to the reference clients contacted during this market analysis: Firewall (71%) Network IDS/IPS (65%) Secure Web gateway devices (29%) Desktop/endpoint security client (29%) Multifunction firewall/utm (24%) Web application firewall (24%) Vulnerability scanning and management (24%) Customer-owned SIEM/log management products (24%) Server IDS/IPS (18%) Secure message gateway devices (18%) Data loss prevention devices (18%) Server/directory/app/database management system log sources (18%) Mobile device security management (12%) Gartner, Inc. G Page 3 of 26

4 In addition to these infrastructure-based security services, most European providers offer complementary security services. The ones that are consumed most often are near the top of the list: Log collection/retention (41%) Professional security services (installation, configuration and upgrades, 41%) Vulnerability scans (periodic, and all layers, remote and intranet; 29%) Threat intelligence (29%) Security consulting (architecture, policies and training, 24%) Breach response, investigation and forensic analysis (18%) Security system integration (customization, migration and code scanning, 6%) Penetration testing and one-time vulnerability assessments (6%) Twenty-nine percent currently do not use any other service from their provider. Note: Identityrelated services (authentication and token management) are not covered in this research. Pricing and Service-Level Agreements Pricing is difficult to compare from provider to provider and from year to year, because each client has different requirements regarding types of services (firewall, IPS, /web and so on), volume (from one firewall to several thousand firewalls), delivery model (CPE-based, hosted and cloud), geographic coverage, level of engagement (monitoring/management), integration (with IT infrastructure management or with communication services), service quality, response times, service-level agreements (SLAs) and language support. Price is a key factor in most purchase decisions, but comparisons are difficult outside of a specific RFP. Just as an eample, yearly subscription prices for management and monitoring of a dedicated, midsize firewall typically range from $11,000 to $21,000 in Europe, but can be as low as $1,500 and as high as $45,000. Clients must analyze delivery scope, service levels, response times, staff epertise and supplemental fees behind these offers in order not to compare apples and oranges. Our observations on pricing for management and monitoring of virtualized security devices remain mostly unchanged compared with last year. There is no approach common to all providers. Here are some approaches we encountered in Europe: The provider says that it will pass on benefits of virtualized infrastructure to the client, but pricing details depend on the individual deal. The monitoring price for a virtualized device is the same as the monitoring price for a CPE device, but the management price for a virtualized device is less than the management price for a CPE device. Pricing for virtualized infrastructure is split into a device monitoring part (fied fee) and virtual firewall monitoring part (digressive fee for each virtual firewall). The same applies to management of virtualized infrastructure. Page 4 of 26 Gartner, Inc. G

5 One provider did the math and calculated that virtual instances require roughly the same workload as appliances. Hence, the provider went back to identical pricing for both delivery models. Several other providers confirmed that they charge the same for virtual devices and for physical devices, albeit they didn't eplain their motivations. SLAs have not changed significantly. Most providers offer 15 minutes or 30 minutes as the fastest possible response times (sometimes in the standard, sometimes only in the "premium" package). However, this only relates to the notification of the client. Resolution times vary widely, and obviously depend on the nature of the issue. Some providers display an incident immediately on the customer portal, giving customers information in real time. Such customers can also verify SLA guarantees anytime within the portal, including current and historical performance. Other providers deliver SLA reports weekly or monthly, or they make them available only on customer request. Some providers make an attempt to innovate with SLAs and pricing: Firewall pricing depends on bandwidth commitments (not consumption). Remove bandwidth as a pricing variable, moving to flat pricing for intrusion detection/ prevention devices (which is good for large, centralized deployments, and disadvantageous for small/remote-office-type devices). No minimal fied cost for usage-based pricing (for eample, vulnerability scans). Customers who bring new clients can benefit from a joint discount on the combined service volume. Client satisfaction is measured after each interaction as a key performance indicator. Per-seat pricing is offered, as opposed to discrete component pricing. In general, contracts have become more specific and concrete. Some providers have indicated that they now move from service-level objectives to SLAs. Clients that have been disappointed by a previous provider's performance push hard to include penalties in new contracts. Such a penalty typically amounts to a percentage of the monthly charge, up to a maimum of one monthly charge of the service cost, and is paid as a credit or an immediate payout (potentially with an "earn back" clause for subsequent SLA compliance). Such penalties or remedies vary widely. Some providers always include language for immediate termination of the contract (under certain circumstances, which may include early termination fees, potentially with assisted transition to another service provider). In other cases, customers have to eplicitly ask that remedies be put in the contract. Credits for SLA violations could be for up to 100% of the monthly fee, but often also have a cap at 70% or even 50%. Some providers display SLA violations immediately on the portal, but in many cases, the customer has to contact customer service, a customer relationship manager or some other provider staff to find out about SLA violations. Remedies are not always of a financial nature, but can also include root cause analysis by an improvement task force, a service improvement plan or free innovation consulting. Gartner, Inc. G Page 5 of 26

6 Types of Services Offered Delivery models change, and the topics "cloud computing" and "virtualization" continue to dominate many discussions with European clients. As in previous years, service delivery in Europe is moving from CPE to delivery from a shared or virtualized infrastructure. On average, 70% are still delivered on CPE, and 30% are delivery from a shared or virtualized environment. The ratio between both models varies widely by service type: firewall 75%-to-25%, intrusion prevention 90%-to-10%, secure gateways 56%-to-44%, vulnerability scans and log data 65%-to-35%, and SIEM 45%- to-55%. Gartner epects this shift to continue by on average 5% in Virtualization also plays an increasing role. The providers' approaches to virtualization have matured since last year as the following eamples of provider capabilities illustrate: Security controls in a virtual environment point their logs and alerts to a collector, where they are integrated into the standard threat-monitoring service. Security monitoring in virtual environments is supported by the collection and analysis of the operational and security log data of the guest OS and hosted applications. In VMware-based environments, event monitoring has been etended to consume and correlate events from the VMware components themselves, giving visibility into the hypervisor layers. Protect virtual data centers with network security technologies, and protect individual virtual servers (from the network or from other virtual server), as well as the applications they are hosting, based on virtual security enforcement technologies that integrate with the virtualization layer. Use a shared SIEM platform to monitor the security controls in a virtualized environment (intervirtual machine [VM] traffic, hypervisor attacks and malware). Monitor and manage Juniper Virtual System and Check Point VSX infrastructures. Virtual security operations centers (SOCs) provide each virtualized instance with its own personalized view (policies, logs and reporting), no different than if it were a stand-alone device. Monitor cross-vm network activity with Sourcefire's VM IDS, and use collectors to monitor directly from the VM hypervisor. A concern raised by some clients is that monitoring capabilities for virtualized infrastructure are not as detailed as the ones for on-premises equipment. This will be acceptable for some clients, but untenable for others. Decision Criteria The main drivers to engage an MSSP are still to reduce costs, to reduce capital ependitures, and to supplement or replace in-house epertise and in-house resources. In Europe, regulatory compliance plays less of a role than in the U.S. Page 6 of 26 Gartner, Inc. G

7 More specifically, we asked our European reference clients for their main reasons for choosing their service providers. The enumeration below shows the decision factors in decreasing order of importance: Security epertise Viewed as a strategic partner Pricing (total cost of contracted services) Industry eperience Quality of response to RFP or presentation of capabilities Positive prior eperience with provider Perceived viability and/or financial strength Understanding of business needs Good feedback from references Project implementation methodology These priorities present almost equal opportunity for the specialist provider, the one that can show security and industry epertise, and the large incumbent provider of IT or network operations who likes to be preselected as a strategic partner and is also better able to compete on price. This observation is confirmed by the fact that many European customers shortlist security specialists and integrators alike. Purchasing Behavior The bulk of the contracts for MSS in the European region are valued from $150,000 to $750,000 per year (40% of contracts), while 30% of contracts are below the range, and 30% are above that range. The average contract size in Europe is around $500,000. The typical contract size in Europe is still much greater than in Asia/Pacific, where 55% of the contracts have a value of less than $150,000 per year. On the other hand, the typical contract size in Europe is very similar to the typical contract size in the U.S. Customer-provider relationships have been fairly stable over the past year. Eighty-two percent of the European reference clients have been customers of their providers for one year or more, only 18% for less than a year. Customer growth has been somewhat limited. Several providers reported no net increase in customer numbers or even honestly reported a net loss. Overall, European MSSPs have lost 1% of their customers and gained only 6%, resulting in a net increase of customer numbers of 5%. From a customer perspective, this means that providers need to find ways to grow and should be more amenable to more competitive pricing and better service. Gartner, Inc. G Page 7 of 26

8 Advancing Threat Response Many client organizations are concerned about targeted attacks and advanced persistent threats. Providers respond to such fears by evolving their defense portfolio. They align security monitoring and the monitoring of normal behavior of IT and business processes, systems and users, trying to avoid isolated detection controls that can be easily bypassed by sophisticated targeted attacks. This includes the application layer, where they monitor abnormal user activity and identify likely violation of regular user rights or abnormal user management activities. They also use failed authentication logs from operating systems to determine a pattern indicative of a brute force authentication attempt. Advanced analytics also include the monitoring of network intrusions in the contet of customer vulnerability posture that is, correlating vulnerability data with a real-time network intrusion detection feed. Providers use statistical and trend analysis to detect denial-of-service attacks, internal botnet activity, the appearance of backdoors, or covert communication channels installed by malware or trojans. Providers differentiate on the amount of human intelligence that goes into such analysis. Some rely on efficient, automated processes for the statistical and behavioral analysis of large data feeds. Others rely on highly trained security professionals who analyze logs, correlate events and identify behavior anomalies. Both types of providers received positive client feedback, but none of it was attributable to the specific advanced response capabilities. Outlook The market for MSS continues to evolve. Advanced threats, effective and efficient responses, and competitive prices dominate discussions with clients. Delivery continues to move off-premises. Management of customer premises security devices will still be the dominant delivery model, but the percentage of hosted, security-as-a-service (SecaaS) and in-the-cloud security services will increase steadily. Overall, growth in Europe has slowed in 2012, and there are no signs that this will change significantly in There are multiple reasons for this: The overall economic outlook cautions organizations not to take any additional risk (such as outsourcing risk); most security service contracts have a duration of three years, and many were not up for renewal in 2012; skilled security staff is hard to find and poses a natural limit to growth of provider operations; some providers are still busy digesting previous acquisitions; and even providers have no "silver bullet" to address advanced persistent and other emerging threats, which is top of mind for many organizations that toy with the idea of getting help with security matters. The split of the MSS market into IT outsourcers that offer security services, network providers that offer security services, and security specialists has stabilized, and the market will continue this way in Pure-play security providers will continue to have their place, and new players will increase in size and reach, and enter the regional European market, trying to differentiate themselves with innovative technology and a fleible portfolio of supported products. Market/Market Segment Description For the purposes of this research, Gartner defines "managed security services" as the remote management or monitoring of IT security functions delivered via remote SOCs, not through Page 8 of 26 Gartner, Inc. G

9 personnel on-site. MSS does not, therefore, include staff augmentation or any consulting, development and integration services. MSS includes: Monitored or managed firewall or IPS Monitored or managed IPS Distributed denial of service (DDoS) protection Managed secure messaging gateway Managed secure Web gateway Security information management Security event management Managed vulnerability scanning of networks, servers, databases or applications Security vulnerability or threat notification services Log management and analysis Reporting associated with monitored/managed devices and incident response This MarketScope evaluates service providers that offer monitored/managed firewall and intrusion detection/prevention functions as primary offerings, rather than those whose main focus is on other elements of the services listed. Inclusion and Eclusion Criteria To be included in this MarketScope, an MSSP must have these qualifications: The ability to remotely monitor and/or manage firewalls and intrusion detection/prevention (IDP) devices from multiple vendors via discrete service offerings At least 1,000 firewall/idp devices under remote management or monitoring for eternal customers in Europe At least 50 eternal customers in Europe with those devices under management or monitoring Reference accounts in Europe relevant to Gartner customers For eample, vendors that only have offerings such as DDoS protection or vulnerability scanning, but not device monitoring and management, are not included. Providers of primarily Web and hygiene and trust services (for eample, certificate authorities) are not included. Other vendors offer MSS primarily to hosting customers, with limited offerings to others. As these providers epand the scope of their MSS offerings, they may be included in future MarketScopes. Gartner, Inc. G Page 9 of 26

10 Rating for Overall Market/Market Segment Overall Market With a portfolio of mature basic services and an array of innovative options, the MSS market in Europe is mature, with a moderate growth perspective, despite or to some etent because of a continuously difficult economic climate in Europe. Secure infrastructure management is a prerequisite for businesses that have to cut costs and operate under regulatory scrutiny and tight competition. Outsourcing of security has become a normal business option for most organizations. Where security concerns remain, physical operations in Europe are an option for most providers in this MarketScope. MSS customers usually etend their outsourcing contracts and occasionally change providers, but they rarely move services back in-house, which is still considered the more costly option. These factors have resulted in the MSS market in Europe growing by merely 12% versus 2011 (with the market size for 2012 forecast at $2.5 billion by year's end). The reasons were discussed in the Outlook section of this research. It is interesting to note that none of the providers achieved a Strong Positive rating this year. It's not to say that none of the providers is strong in security operations. Rather, none of the providers could prove this with reliable, sufficient customer feedback. Some providers, in particular the non- European ones, proved strong in terms of marketing, sales and innovation, but failed to prove that customers see it the same way. Other providers in particular, some security specialists offered ecellent customer feedback, but couldn't prove a sufficiently broad portfolio of security services, geographic coverage, market insights and innovative road maps. Many providers in this MarketScope are rated Positive, but these ratings aren't always the same. Customers need to put forward their detailed requirements and look closely to identify a provider with matching capabilities. Page 10 of 26 Gartner, Inc. G

11 Evaluation Criteria Table 1. Evaluation Criteria Evaluation Criteria Comment Weighting Overall Viability (Business Unit, Financial, Strategy, Organization) Geographic Strategy Product/Service Marketing Strategy Customer Eperience Innovation Market Responsiveness and Track Record Viability includes an assessment of the provider's financial health, the financial and practical success of the MSS unit, and the likelihood that the MSS unit will continue investing in MSSs and researching and developing innovative security services. Additional areas assessed include management eperience, the number of customers in Europe, investment in R&D, and understanding of business and technology trends. This includes the provider's strategy to direct resources, skills and offerings to meet the specific needs of regions outside the native area, directly or through partners, channels and subsidiaries, as appropriate for the region and market. We considered the vendor's ability to articulate the differences between the U.S. and European MSS markets, as well as differences within Europe. This is the provider's approach to service development and delivery, which emphasizes differentiation, functionality, methodology and feature sets as they map to current and future requirements. We considered the number of target platforms vendors can manage. This is a clear, differentiated set of messages, consistently communicated throughout the organization and eternalized through the website, advertising, customer programs and positioning statements. In addition, we considered how providers measure the effectiveness of marketing programs. This includes the ways customers receive technical and account support. These can include ancillary tools, customer support programs (and the quality thereof) and the availability of user groups, SLAs and so on. We also assessed providers' implementation processes and system integration and consulting capabilities. Reference client feedback was particularly important in the rating for this criterion. This takes into account capital and human resource investments, and the development of new services as displayed in the security service strategy and the road map. Ability to understand business and security technology trends and assess competitors. This includes the ability to respond, change direction, be fleible and achieve competitive success as new opportunities develop, competitors act, customer needs evolve and market dynamics change. Standard High Standard High High Standard Standard Source: Gartner (October 2012) Gartner, Inc. G Page 11 of 26

12 Figure 1. MarketScope for Managed Security Services in Europe RATING AT&T Atos BT Global Services Cable&Wireless Worldwide Computacenter CSC Dell SecureWorks HCL Technologies HP IBM Security Services Integralis Open Systems Orange Business Services Symantec Tata Communications Telefonica T-Systems Verizon Wipro Technologies Strong Negative Caution Promising Positive Strong Positive As of 24 October 2012 Source: Gartner (October 2012) Vendor Product/Service Analysis AT&T AT&T is an established network service provider with a global approach, rather than regional differentiation. It emphasizes real-time visibility into wireline/wireless threats as a core capability of its MSS offers. It provides MSS to European multinational companies via SOCs in the U.S. and India, and still plans to open another SOC in Eastern Europe. Its MSS strategy focuses on providing integrated network-based security to European-based customers that possess a global footprint, utilizing services such as virtualized firewall, integrated network intrusion prevention, UTMs and server intrusion prevention. It is aggressively moving into cloud-based security services. Global coverage of communications and security services Its ability to leverage communications clients for upselling MSS Page 12 of 26 Gartner, Inc. G

13 Its tight bundling of security services with network services and capabilities in cloud security Design team's fleibility with customer scenarios AT&T has limited control over some third-party delivery elements of its security service portfolio (for eample, Cisco ScanSafe). Variable response to customer service requests remains an issue. Internal collaboration could be improved. AT&T must continue to improve its visibility as a security provider to etend beyond the multinational company market. Atos Atos is an international IT services company with four primary service lines: consulting and technology services, system integration, managed services, and transactional services. Atos claims to provide a holistic approach to managed security "from the router to the boardroom" that also addresses the business relevance of its security services. In July 2011, Atos completed its acquisition of the IT Solutions and Services subsidiary of Siemens. The centerpiece of its security portfolio is Atos High Performance Security, an integrated SecaaS platform. The comprehensive portfolio also includes endpoint security, server security, network security and secure gateways. Most of its MSSP contracts are part of larger IT outsourcing relationships. Eperience in integrating security services with comple, large-scale IT programs Professionalism, knowledge and skills of its technical MSS staff Ability to work effectively and collaboratively with other service providers (for eample, network service providers) that its clients have engaged Pursuing information security with the same diligence as IT operations Improving collaboration among and consistency of different countries' and teams' operations Clients reporting occasional outages, and Atos sometimes slow in picking up incidents Gartner, Inc. G Page 13 of 26

14 BT Global Services BT is an established name in network and communications services in Europe. It continues to invest globally in research and development. BT has a comprehensive security service portfolio called BT Assure that includes firewalls, network intrusion prevention, UTMs, gateways, endpoint security and SIEM, as well as log management and some server IPSs. Its MSS differentiation focuses on security embedded in the network, skilled resources and a global infrastructure. Targeting mainly large enterprises, its key message in 2012 emphasizes the need to "rethink the risk," meaning that organizations should step back and reassess their current security posture looking in particular at bring your own device, cloud, epanded vendor/platform choice and analytics. Presents well its focus on emerging threats and technologies with business relevance A resilient operations infrastructure and BT's responsiveness in incident reporting The quality of its internal operational processes (for eample, quality assurance) The skills of its engineers, and the ability to listen, respond and adjust to client requirements BT Global Services must be careful not to lose its regional differentiation on its way to becoming a global player. Cost savings in order to keep pricing competitive must not result in staff shortage. Cable&Wireless Worldwide Cable&Wireless is an international communications company with a strong focus on the U.K./ Ireland and a limited number of customers in other European countries. It manages firewalls and some log sources, and a small amount of other security devices. Ability to leverage eisting telecommunications client base for selling MSSs Onshore team's knowledge and epertise, which brings real value to the relationship Cable&Wireless rarely appears on shortlists for MSS in Europe. The less skilled offshore team makes it sometimes necessary to revert to the onshore team. Page 14 of 26 Gartner, Inc. G

15 Rating: Promising Computacenter Computacenter is a multivendor provider of IT infrastructure services. It operates primarily in the U.K. and in Germany, and has two SOCs in each of these two countries. Its MSS strategy emphasizes a holistic approach to security (client, network and data center), integrating MSS into other outsourcing deals and customer intimacy. Its strategy is to do "as much standards as possible, as much individuality as necessary." Providing cost-effective services from a local European vendor Acting as a strategic partner, so it can understand infrastructure and business requirements Having the ability to leverage the eisting client base for upselling MSSs Proving that Computacenter delivers what it promises Improving service consistency and quality Improving knowledge of vertical-industry-specific needs and requirements Rating: Promising CSC CSC is a global provider of IT-enabled business solutions and services, with a global strategy. Its portfolio ranges from consulting, to solution design, through to implementation and management of the solution. Headquartered in the U.S., it provides MSS via SOCs in the U.K., Australia, Malaysia, India and the U.S. CSC emphasizes a broad service portfolio and industry epertise that leads to business-oriented security service outcomes. This is a message that tends to resonate with European client organizations. Most customers in Europe use CSC for the management of firewalls, SIEM/log management and endpoint security clients. For cloud-based Web and , CSC chooses to work with partners. Having the capability to embed an information risk manager as a single point of contact in the client's organization Being able to work with partners to complete the security service portfolio Gartner, Inc. G Page 15 of 26

16 Fleible contracts that allow the downscaling and upscaling of consumption Be consistently more proactive and efficient in managing daily tasks Portal capabilities that are still lagging behind competition, but are being epanded Improving the ability to leverage security and threat information from its large client base for the benefit of individual clients Dell SecureWorks Dell strives to epand its Information Security Services in Europe following its acquisition of the U.S.-based company SecureWorks. U.K. Dell SecureWorks manages and/or monitors security devices in several European countries, especially log sources, firewalls, network IDSs/IPSs and endpoint protection systems. Dell SecureWorks Counter Threat Unit provides threat intelligence, malware analysis and analytic support for MSS operations. Customer may buy these services as part of an MSS subscription. Dell SecureWorks provides a comprehensive portal, and also offers support in Spanish and French. Its clearly articulated strategy regarding the monitoring of virtualized environments and advanced detection capabilities Its comprehensive portal (including asset information and various correlation capabilities) Continuing to establish a brand presence in the European security market and proving success Ensuring consistency of service quality during the acquisition and integration of SecureWorks into Dell HCL Technologies HCL Technologies is an India-based offshore provider that has already gained some traction in Europe. HCL staff is engaged and enthusiastic, aiming for solutions, rather than merely trying to close the deal. HCL emphasizes end-to-end security services, SLA-based service delivery and fleibility to meet customer's dynamic info-security requirements. HCL offers the most comprehensive security services portfolio of all European providers. HCL not only is strong in server-based security services (IDS/IPS and log collection) as well as endpoint security client management, but also offers network security. In addition, it offers application Page 16 of 26 Gartner, Inc. G

17 security services and identity and access management. It also claims comprehensive portal capabilities. HCL focuses on providing services based on a large pool of skilled resources and can support delivery in a number of European languages. Consistent and mature service delivery, with a process-driven approach to security management Ability to optimize the balance between onshore (high-touch) and offshore (low-cost) staff Cost-effectiveness, especially for standard platforms in the HCL support portfolio, and for services that don't deviate from the standard offerings Improving management of nonstandard requests, specifically the ability to deal with requests and issues that fall outside the scope of the eisting formal processes Improving strategic planning clients would like to see more forward-thinking and innovative suggestions for dealing with a constantly changing security environment HP HP has invested billions in building a comprehensive security portfolio that includes services acquired from EDS and Vistorm, and SIEM products from ArcSight. HP's comprehensive security services portfolio includes endpoint security, firewall and network IPS management, UTMs, and log management. It has five SOCs worldwide, two of which are in Europe (the U.K. and Spain). It has eperience in integrating security services with comple, large-scale enterprise IT solutions. Account managers take the time to develop a detailed understanding of the technical, commercial and functional aspects of client business operations. HP has a strength in helping organizations design and manage SOCs including SOC outsourcing. Improving the features and functionality of its MSS portal Gartner, Inc. G Page 17 of 26

18 Improving HP's visibility as provider of MSSs in Europe, not just as an IT company IBM Security Services IBM emphasizes its ability to support clients as a trusted advisor by understanding their organizational goals and risk tolerances, and drawing from a global portfolio of asset-based managed and professional services to implement effective programs and controls that enable business growth through the application of security intelligence. IBM's security services portfolio is focused on endpoint, server and network protection. IBM targets larger enterprises and eisting customers for its MSS. It emphasizes its reputation, global reach, and depth and breadth of its solution offerings as key differentiators. IBM is the MSS provider that appears most often on customer shortlists in Europe. Comprehensive portal and global security view based on large number of customers Supports many European languages and has a presence in all major European countries Addressing European customers' data center concerns Providing consistent quality and customer eperience, regardless of the delivering SOC Relatively epensive compared with some providers Integralis Integralis provides IT security and information risk management solutions. It delivers a portfolio of managed security, business infrastructure, consulting and technology integration services including mobile security, advanced log management, and security intelligence and network profiling. Integralis is an independent subsidiary of NTT Communications, Japan. Integralis focuses on firewall, UTM and network IPS services, complemented by log management and some endpoint security. Integralis grew strongly in 2012 in Europe, in terms of devices, customers, revenue and R&D investments. Ecellent technical skills of its workforce Operational and commercial fleibility in dealing with clients' security requirements Clients' valuing Integralis' security architecture design capabilities Can prove that customers are satisfied Page 18 of 26 Gartner, Inc. G

19 Retaining the high-touch approach appreciated by its customers in a growing and highly competitive market Keeping the functionality of its portal competitive Open Systems Open Systems is a specialized security service provider headquartered in Switzerland, with an additional SOC in Sydney. Its portfolio focuses on multifunction firewall/utm devices, Web application firewalls and secure Web/ gateways, managed by its Mission Control security service. Open Systems operates a variation of the follow-the-sun model with its two SOCs. Other sites are equipped remotely and serviced remotely. Open Systems is committed to on-premises delivery due to the need for storing sensitive data locally. It shows the highest proven customer satisfaction. Solid security service portfolio with a focus on network-based security Highly skilled, measurably engaged, client-focused, fleible and highly professional staff Commitment to employee development, resulting in low staff fluctuation, stable service quality and high customer satisfaction Maintaining the balance between high-growth, high-quality and customized (rather than merely packaged) security services Epanding the service portfolio toward log management, server and endpoint security Improving visibility in the European market for MSSs Orange Business Services Orange Business Services is a division of the Orange Group, which delivers integrated and managed security solutions with a strong network focus. Offerings include the management of firewalls, network intrusion prevention devices and an above-average number of secure Web gateways. Security services are available independently, but many sales combine aspects of network operations, security services and security consulting. A third-party network allows direct connectivity with Orange-connected business partners. Gartner, Inc. G Page 19 of 26

20 The company's marketing emphasizes simplicity, fleible delivery models and reduced total cost of ownership (TCO) in its MSS offerings. It runs eight SOCs. Clients see Orange as a global player and speak favorably of Orange's large, regional Internet gateways (connectivity, filtering, proies, remote access and redundancy). It focuses on small and midsize businesses, especially in France/Benelu. Orange offers operational stability and support around the world. Orange leverages eisting client relationships for selling security services. Improve time to market with new products: When balancing diligence and prudence against innovation, clients would like Orange to lean a bit more toward the latter. Improve efficiency of collaboration between account teams and engineering. Improve visibility in the enterprise security market segment. Symantec Symantec offers security monitoring, management and message protection capabilities, augmenting in-house security operation capabilities with threat intelligence and security epertise. This portfolio includes server and network IDS/IPS, firewalls, and endpoint security solutions. It has an SOC in the U.K. and three other SOCs worldwide (and one additional one planned in Japan), operates a large network of security information sensors, and employs a sizable global staff of security administrators. Symantec appears often on MSS shortlists in Europe. Its global view of the threat environment via its large sensor network and threat intelligence capability Protects and monitors VM's infrastructures The quality of its support and sales resources Challenge Must continue to prove that European customers value its MSSs Page 20 of 26 Gartner, Inc. G

21 Tata Communications Tata Communications is an India-based global communications provider. It delivers a portfolio of management and monitoring services to protect customers' information assets from internal and eternal threats. It offers MSS via several global SOCs, one of which is in Europe. It targets large multinational organizations in various industries. Its MSS strategy focuses on compliance, customer service, TCO and integration with the rest of its service portfolio. Global presence, owning one of the largest fiber networks in the world Invests massively in its security service portfolio Prove its presence as an MSSP in the European market Lacks the depth of understanding of regional and local requirements shown by competitors Rating: Promising Telefonica Telefonica is a large, integrated telecommunications provider with international operations and a strong position in Spain. Its portfolio encompasses maintenance, monitoring, support and administration of security devices, as well as vulnerability management, alert services, firewall rule analysis, SIEM, computer security incident response and anti-fraud. Fleibility in adapting to client requirements Good number of skilled security staff Ability to foster and maintain strong local relationships Improving the quality of service delivery and service management to competitive standards Accelerating service deployments and equipment updates Gartner, Inc. G Page 21 of 26

22 T-Systems T-Systems provides a full range of managed information and communication technology services, including a comprehensive portfolio of security services delivered on remotely managed appliances or devices, as well as managed services with appliances and devices installed within a T-Systems data center. Most of its SOCs are located in Germany and comply with national legislation, especially German Data Privacy Law. This makes T-Systems a preferred security services partner for the German public sector and health sector. MSSs are often an integrated part of larger outsourcing deals. Its traditional focus is on the German-speaking parts of Europe, and it's also epanding into the Asia/Pacific region. Is focused on customer-specific security requirements for the German market Has a broad solution portfolio, coupling security services with information and communication technology services Large installed base in the German and German-speaking market Transparency on pricing model because its prices are perceived to be above the market average Improving MSS portal functionality, in particular regarding the integration of log and vulnerability data Establishing a stronger profile in the European (rather than merely German-speaking) MSS market in terms of visibility and client footprint Rating: Promising Verizon Verizon offers customer support, providing region-specific solutions spanning managed network, MSSs and professional security services to address a wide range of risk, compliance and security needs. It offers premises-based as well as cloud-based MSSs, available stand-alone or bundled. It has a sound road map, introducing new or redefined services, improving customer eperience and secure mobility services. Verizon has a solid presence in Europe, and emphasizes its correlation capabilities, security epertise, global reach and risk-based security on global IP networks. Global reach and epertise Page 22 of 26 Gartner, Inc. G

23 European Security Operations Centers in Luembourg, Zurich and (since 2011) Dortmund, with highly skilled security staff Large and knowledgeable sales team Offering threat intelligence correlated from various sources Consistent and easy access to highly qualified security staff Continuously proving high customer satisfaction Wipro Technologies Wipro Technologies provides MSSs to organizations in Europe from a primary control center in India supported by SOCs in Eastern Europe and Germany, which deliver services locally and improve cross-border data privacy compliance. Wipro offers the most comprehensive security services portfolio, and claims to have one of the largest bases of managed security devices in Europe. Consulting and professional services augment MSS offerings, which include co-managed and fully managed services. Customer focus, epertise and business understanding Well-distributed sales force in Europe Its ability to upsell security services to eisting clients Identifying the right staff resources quickly and making them available in Europe Increasing brand visibility in the European security services market Recommended Reading Some documents may not be available as part of your current Gartner subscription. "The Global Managed Security Services Provider Landscape" "Toolkit: Selecting the Right Managed Security Services Provider" Gartner, Inc. G Page 23 of 26

24 "Magic Quadrant for MSSPs, North America" "MarketScope for Managed Security Services in Asia/Pacific" "Magic Quadrants and MarketScopes: How Gartner Evaluates Vendors Within a Market" "Forecast: Security Service Markets, Worldwide, " Evidence For this research, we contacted about 100 MSSPs, of which 19 met the selection criteria. They had to answer a detailed list of questions about their company and their security services. In addition, we collected information on the providers' performance from Gartner clients and provider reference clients through phone interviews and an online survey. Note 1 Intrusion Detection System and Intrusion Prevention System For the purposes of this research, we ignore the differences between IDSs and IPSs. Whenever we use "IPS," we mean both. Note 2 Secure Web and Gateway Services Secure Web and gateway services refer to the filtering of malware from Web and traffic at the gateway. This does not include filtering at the endpoint. Vendors Added or Dropped We review and adjust our inclusion criteria for Magic Quadrants and MarketScopes as markets change. As a result of these adjustments, the mi of vendors in any Magic Quadrant or MarketScope may change over time. A vendor appearing in a Magic Quadrant or MarketScope one year and not the net does not necessarily indicate that we have changed our opinion of that vendor. This may be a reflection of a change in the market and, therefore, changed evaluation criteria, or a change of focus by a vendor. Gartner MarketScope Defined Gartner's MarketScope provides specific guidance for users who are deploying, or have deployed, products or services. A Gartner MarketScope rating does not imply that the vendor meets all, few or none of the evaluation criteria. The Gartner MarketScope evaluation is based on a weighted evaluation of a vendor's products in comparison with the evaluation criteria. Consider Gartner's criteria as they apply to your specific requirements. Contact Gartner to discuss how this evaluation may affect your specific needs. In the table below, the various ratings are defined: Page 24 of 26 Gartner, Inc. G

25 MarketScope Rating Framework Strong Positive Is viewed as a provider of strategic products, services or solutions: Customers: Continue with planned investments. Potential customers: Consider this vendor a strong choice for strategic investments. Positive Demonstrates strength in specific areas, but eecution in one or more areas may still be developing or inconsistent with other areas of performance: Customers: Continue planned investments. Potential customers: Consider this vendor a viable choice for strategic or tactical investments, while planning for known limitations. Promising Shows potential in specific areas; however, eecution is inconsistent: Customers: Consider the short- and long-term impact of possible changes in status. Potential customers: Plan for and be aware of issues and opportunities related to the evolution and maturity of this vendor. Caution Faces challenges in one or more areas: Customers: Understand challenges in relevant areas, and develop contingency plans based on risk tolerance and possible business impact. Potential customers: Account for the vendor's challenges as part of due diligence. Strong Negative Has difficulty responding to problems in multiple areas: Customers: Eecute risk mitigation plans and contingency options. Potential customers: Consider this vendor only for tactical investment with shortterm, rapid payback. Gartner, Inc. G Page 25 of 26

26 Regional Headquarters Corporate Headquarters 56 Top Gallant Road Stamford, CT USA European Headquarters Tamesis The Glanty Egham Surrey, TW20 9AW UNITED KINGDOM Japan Headquarters Gartner Japan Ltd. Atago Green Hills MORI Tower 5F Atago, Minato-ku Tokyo JAPAN Latin America Headquarters Gartner do Brazil Av. das Nações Unidas, andar World Trade Center São Paulo SP BRAZIL Asia/Pacific Headquarters Gartner Australasia Pty. Ltd. Level 9, 141 Walker Street North Sydney New South Wales 2060 AUSTRALIA Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. or its affiliates. This publication may not be reproduced or distributed in any form without Gartner s prior written permission. The information contained in this publication has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information and shall have no liability for errors, omissions or inadequacies in such information. This publication consists of the opinions of Gartner s research organization and should not be construed as statements of fact. The opinions epressed herein are subject to change without notice. Although Gartner research may include a discussion of related legal issues, Gartner does not provide legal advice or services and its research should not be construed or used as such. Gartner is a public company, and its shareholders may include firms and funds that have financial interests in entities covered in Gartner research. Gartner s Board of Directors may include senior managers of these firms or funds. Gartner research is produced independently by its research organization without input or influence from these firms, funds or their managers. For further information on the independence and integrity of Gartner research, see Guiding Principles on Independence and Objectivity on its website, ombudsman/omb_guide2.jsp. Page 26 of 26 Gartner, Inc. G