IDC MarketScape: Canadian Managed Security Services 2015 Vendor Assessment

IDC MarketScape IDC MarketScape: Canadian Managed Security Services 2015 Vendor Assessment Kevin Lonergan David Senf IN THIS EXCERPT The content for this excerpt was taken directly from the IDC MarketScape: Canadian Managed Security Services 2015 Vendor Assessment by Kevin Lonergan and David Senf (Doc #CA1SD15). All or parts of the following sections are included in this excerpt: IDC Opinion, IDC MarketScape Vendor Inclusion Criteria, Essential Buyer Guidance, Vendor Summary Profile, Appendix, Learn More, and Related Research. Also included is the IDC MarketScape Figure (Figure 1). July 2015, IDC #CA1SD15

IDC MARKETSCAPE FIGURE FIGURE 1 IDC MarketScape Canadian Managed Security Services Vendor Assessment Source: IDC, 2015 Please see the Appendix for detailed methodology, market definition, and scoring criteria. 2015 IDC Excerpt of #CA1SD15 2

IDC OPINION Using the IDC MarketScape model, 12 managed security service providers (MSSPs) with operations and customers in Canada were compared. This process included interviewing all 12 providers and one or more customers from each, resulting in over 24 hours of discussion on managed and professional security services. Moreover, IDC used survey research conducted across Canada to assess IT and security professionals' opinion of the managed security marketplace and competitors. From these discussions, it became clear that all providers included in this study were capable of offering a range of MSSs offering to Canadian customers from basic firewall monitoring to mobile device management. As a result of this study, IDC Canada found four Leaders and eight Major Players. When reviewing provider positioning in the IDC MarketScape chart, customers need to be aware of their particular needs and which providers can meet their requirements. For example, a smaller pure-play provider may be able to meet all the device management requirements of an SMB organization at a low cost, where a large financial institution would likely be willing to pay for cutting-edge threat intelligence and analytics offered by some of the more advanced providers. The main differentiators for providers relate to their: Canadian footprint including channel partners, security operations centers (SOCs), offices, sales staff, and security engineers and their geographic distribution across Canada Breadth of professional services, network services, and other related services (This allows bundling opportunities for providers and potential cost savings/ease of relationship management for customers. For instance, a provider that can provide managed network, security, and professional services [incidence response, penetration testing, etc.] could potentially provide ease of management [e.g., one point of contact] and the potential for cost savings for a customer rather than using multiple providers.) Ability to support advanced threat intelligence beyond classic SIEM models (Providers that have migrated to developing big data threat intelligence platforms to either replace or complement traditional SIEM solutions scored higher than those that were not investing in new technologies.) Capability to aid in or conduct IT security research through either a university partnership, internal lab, or partnership with a security organization (Providers that are on the forefront of security research can provide customers with a higher level of protection due to additional tools and threat intelligence. Educational partnerships extended their recruitment opportunities, as well, in a tough labour market for security professionals.) Security offerings along top trendlines such as in cloud (e.g., identity management in hybrid cloud environments, DLP), big data, and enterprise mobility management IDC MARKETSCAPE VENDOR INCLUSION CRITERIA To be included in the 2015 Canadian Managed Security Services IDC MarketScape, providers had to meet the following criteria: Need to have a presence in Canada. This criterion could be met by having a Canadian SOC, Canadian offices, or sales staff with a focus on selling security products or services in Canada. MSS revenue of over $2 million for 2015. Any hardware or software resale revenue and professional services revenue are not included. 2015 IDC Excerpt of #CA1SD15 3

Available services. Providers need to have a SIEM solution, either developed in-house or made available through a partner. Canadian customer base. Only providers that serviced the Canadian market at the time of the study were included. ESSENTIAL BUYER GUIDANCE Assessing the many current capabilities and strategic alignment of an MSSP to your IT and business needs can be a lengthy process. Selecting a trusted advisor requires due diligence around a number of factors. IDC has rated a number of essential criteria that firms need to use to compare one provider with others. Some additional areas to consider during your selection process are: Plan ahead. The four pillars of cloud, mobile (including IoT), big data, and social are fundamentally changing the role of MSSPs and the services their customers will require in the near future. Where MSSPs are in terms of adopting the following should be a key concerns for buyers: Threat intelligence. Advanced threat intelligence is being used to complement or replace traditional SIEM solutions. Buyers need to be aware if the MSSP they are considering has a road map to deliver advanced threat intelligence (which may include big data solutions such as Hadoop). Cloud security services. Cloud identity and access management (IAM) is going to be increasingly important for organizations as cloud adoption continues. This is especially true of hybrid cloud deployments, where single sign-on (SSO) and user provisioning become challenging. Ingress/egress filtering of traffic in whichever deployment your data is moving from and to is critical as well. Traditional firewall, IDP, DLP, and other filters from the legacy world still apply in cloud (particularly in IaaS and PaaS). Mobile enterprise management. Client endpoints are changing rapidly as tablets and smartphones vastly outnumber desktop and notebook PCs (there are now more tablets in use than desktop computers in Canada, and by 2018, tablets will equal the number of notebook PCs). BYOD is bringing new challenges to Canadian organizations as more unsecure and unmanaged devices make it into the workplace. If buyers are looking to adopt an enterprise mobility management solution, then they need to make sure their MSSP can provide a suitable in-house and off-premise solution or is partnered with thirdparty providers that can. Business alignment. How well the MSSP ties its offerings into your business requirements and risk tolerance is critical. Can the provider decipher for you why your firm should care/take action on given alerts? Not all of your assets are equal in value, ensure that your provider can help assign importance to threat activity from the standpoint of your risk profile. Evaluate customer portals. Customer portals provide a convenient, Web-based view of all things security related on the network and "things" connected to the network. Although the majority of vendors in this study had a customer portal, their maturity varied greatly. Mature portals have real-time data analysis, customizable visualizations, reporting, and advanced analytics capabilities. As most MSSPs are willing to provide a demo of their portal, buyers should take the time to evaluate them. Professional services and bench strength. Many MSSPs provide one or more professional services such as incidence response and forensics. What differentiate their ability to deliver these services are the facilities and security professionals at their disposal. Some of the MSSPs in this study have specialized labs for forensics, vulnerability management, and/or 2015 IDC Excerpt of #CA1SD15 4

network operating centre (NOC) teams for incidence response. Buyers need to assess what professional and other services they require and seek out the provider with the right facilities or personnel. Determine data residency requirements. Although Canadian data residency legislation (and U.S.-compelled disclosure rules such as the PATRIOT Act) only affects a small number of organizations and a small amount of data, many are still weary of data crossing the border. Outside of customer perception issues, there are likely little reason for concern over data residency. The underlying buying criteria for all the points mentioned previously are responsiveness, ease of use/working with and, of course, the cost for desired services. The number 1 reason customers inform IDC why they engage an MSSP in the first place is that they don't have the in-house skills (or time) to effectively manage and monitor the vast threat environment across their own array of vulnerabilities. As a criteria, price, typically is in the top 3 or 4 decision criteria. That having been said, although all organizations want the advances services mentioned previously, some of them are simply out of budget. The goal for Canadian organizations should be to find a provider that can optimize their services for the complexity of your environment while staying within budget. Setting expectations (e.g., who manages/does what) will be key. VENDOR SUMMARY PROFILE This section briefly explains IDC's key observations resulting in a vendor's position in the IDC MarketScape. While every vendor is evaluated against each of the criteria outlined in the Appendix, the description here provides a summary of each vendor's strengths and challenges. International players, Canadian telcos, and pure-play providers all have unique qualities that are outlined in these profiles providing context to the IDC MarketScape graph depicted previously (refer back to Figure 1). The MSSPs in this study have the ability to deploy and manage the leading SIEM, IPS, firewall, DLP, vulnerability management, and endpoint security solutions, and as a result, the profiles in the sections that follow focus on the key differentiators for each vendor, instead of descriptions of the services provided. TELUS According to IDC analysis and buyer perception, TELUS is an IDC MarketScape Leader in the managed security services market in Canada. TELUS is the second-largest telecom provider in Canada, with 13.3 million customer connections including wired, mobile, IP, and cable. TELUS provides a full range of professional and managed security services. TELUS' security business has grown to include TELUS Security Labs and a dedicated forensics lab built on the acquisition of Assurant and Digital WYZDOM, respectfully. In 2014, TELUS also acquired Enode, further enhancing its professional services lineup, particularly in the Quebec region. TELUS can support multiple SIEM solutions depending on customers' needs including HP ArcSight. TELUS' main focus today is expanding the company's threat intelligence using Hadoop and Splunk to perform big data analytics. The company sees threat intelligence as a way to complement traditional SIEMs by increasing the ability to recognize security events in an increasingly diverse threat landscape. TELUS sees security research and customer education as important parts of threat intelligence, and it is active in both areas. TELUS Security Labs is pursuing proactive threat research 2015 IDC Excerpt of #CA1SD15 5

including a specialized "Hunter Team," which continuously monitors third-party feeds for new vulnerabilities and threats. TELUS employs a distributed SOC model, which provides redundancy across Canada at multiple sites. TELUS is opening a dedicated public sector SOC in 2015 to service provincial and the federal government requirements, as well as launching its Portal 2.0 in mid-2015. This enhanced customer portal will bring new capabilities to customers in the form of reporting, customization, and analytics. Strengths As a telecom provider, TELUS has many opportunities to bundle multiple different network, mobile, and other IT services. TELUS' presence across Canada and the distributed SOC enables the company to provide local points of contact for customers regardless of geographic region. Moreover, with a focus on next-generation threat intelligence, cloud, and mobile enterprise management, TELUS is well positioned to maintain its position as a leading Canadian provider of MSS. Challenges Being within a large telco benefits TELUS' MSSP business as noted previously, but it has downsides too. For example, the Canadian market is less receptive to security messaging from a telco despite advantages such as early threat detection from within its network services. APPENDIX Situation Overview Preferred Managed Security Services Partner Canadian organizations have a choice between three types of MSSPs. Depending on the needs of the customer, there are possible advantages and disadvantages with each group. Large multinational consulting firms tend to have a full range of MSSs, consulting services, and mature SIEM solutions and customer portals. Consulting/systems integrator MSSPs usually focus on the enterprise and may not have a strong local presence in Canada, or a local SOC. The capabilities of pure-play MSSPs can vary greatly, with certain providers focusing on geographic areas and/or particular verticals. In general, pure-play providers have a strong presence in at least one region of Canada and have a local SOC, which may be complemented by more outside of Canada. Pure-play providers are much smaller than consulting/systems integrators, which can lead to somewhat less mature SIEM solutions and customer portals (unless they are provided by a channel partner of a larger consulting/systems integrator). Finally, Canadian telcos find themselves in-between the two camps with a national presence, custom SIEM solutions and customer portals, and a broad focus from the midmarket to the large enterprise. Moreover, they can monitor and stop threat activity from within their network before it reaches the customer premise. Figure 2 depicts the rankings of the three MSSP groups for medium-sized and large businesses. For medium-sized businesses, the top preference is for systems integrator/consulting-based MSSPs, followed by pure-play providers and telcos. Enterprise organizations are closely split in their preference, with a small lead for telcos and pure-play providers over systems integrators. 2015 IDC Excerpt of #CA1SD15 6

FIGURE 2 Preferred Managed Security Services Provider Q. What type of managed security services partner does your organization prefer to buy your managed security services from? n = 98 for large businesses; n = 202 for medium-sized businesses Source: IDC Canada's ITAP n3, 2015 Adoption of and Plans to Use Managed Security Services Offerings Table 1 depicts the current adoption of managed security services by Canadian organizations. Device management continues to be the predominant service that Canadian organizations have already contracted for. Although revenue margins on device management are low, this segment continues to provide an opportunity for MSSPs to onboard clients and move towards becoming a trusted advisor of multiple security services. Mobile security management is a strong growth market, which provides yet another opportunity for MSSPs. Despite the low adoption of SIEM and log management services, these are the higher margin markets and key areas for growth (particularly with the passing of the Digital Privacy Act). Once a customer subscribes to SIEM, it's likely that the provider is thought of a valued partner and is providing the company with a complete security solution from basic device management to advanced professional services. With the passing of the Canadian Digital Privacy Act in June 2015, there is finally national requirements around mandatory breach notification. This will have a small positive impact on the security services markets. Managed log retention, for example, could increase based on stipulations in the Act. Moreover, governance and compliance consulting services (e.g., to explain implications) and incident response will gain in some small measure, as well. 2015 IDC Excerpt of #CA1SD15 7

TABLE 1 Adoption of Managed Security Services in Canada Q. What is the status of the following managed security services within your organization? Rank Managed Service Adoption 2015 Growth 1 Network firewall Third 2 Web app firewall Sixth 3 PC endpoints Fourth 4 Mobile endpoints Fourth 5 UTM/NGFW Second 6 Identity management Fifth 7 IDS/IDP First 8 Log retention Sixth 9 SIEM Sixth n = 300 Source: IDC Canada's ITAP n3, 2015 Adoption of and Plans to Use Professional Security Services Offerings Table 2 depicts the adoption of professional security services by Canadian organizations. There is strong growth in security architecture, network penetration testing, and employee training over the next year, as cloud and mobility in particular force firms to think (and rethink) broadly. The attention from high-profile security breaches in the media as well has Canadian organizations questioning if they really are secure and they are actively seeking help. 2015 IDC Excerpt of #CA1SD15 8

TABLE 2 Status of Professional Security Services Adoption in Canada Q. What is the status of the following professional security services within your organization? Rank Professional Service Adoption 2015 Growth 1 Security architecture Third 2 Network penetration testing Second 3 Employee training First 4 Application vulnerability testing Fifth 5 Incidence response Sixth 6 Governance, compliance, and PCI Fifth 7 Implementation and migration Fourth 8 Device vulnerability testing Third 9 Forensics Seventh n = 300 Source: IDC Canada's ITAP n3, 2015 Reading an IDC MarketScape Graph For the purposes of this analysis, IDC divided potential key measures for success into two primary categories: capabilities and strategies. Positioning on the y-axis reflects the vendor's current capabilities and menu of services and how well aligned the vendor is to customer needs. The capabilities category focuses on the capabilities of the company and product today, here and now. Under this category, IDC analysts will look at how well a vendor is building/delivering capabilities that enable it to execute its chosen strategy in the market. Positioning on the x-axis, or strategies axis, indicates how well the vendor's future strategy aligns with what customers will require in three to five years. The strategies category focuses on high-level decisions and underlying assumptions about offerings, customer segments, and business and go-tomarket plans for the next three to five years. The size of the individual vendor markers in the IDC MarketScape represents the market share of each individual vendor within the specific market segment being assessed. 2015 IDC Excerpt of #CA1SD15 9

IDC MarketScape Methodology IDC MarketScape criteria selection, weightings, and vendor scores represent well-researched IDC judgment about the market and specific vendors. IDC analysts tailor the range of standard characteristics by which vendors are measured through structured discussions, surveys, and interviews with market leaders, participants, and end users. Market weightings are based on user interviews, buyer surveys, and the input of a review board of IDC experts in each market. IDC analysts base individual vendor scores, and ultimately vendor positions on the IDC MarketScape, on detailed surveys and interviews with the vendors, publicly available information, and end-user experiences in an effort to provide an accurate and consistent assessment of each vendor's characteristics, behavior, and capability. Note: All numbers in this document may not be exact due to rounding. Market Definition Managed Security Services For the purpose of this study, IDC defines managed security services as "the around-the-clock remote management or monitoring of IT security functions delivered via remote security operations centres (SOCs), not through personnel onsite." Exceptions and Inclusions Managed security services can include complementary consulting and advisory activities that are typically defined under professional security services. This study did seek to understand whether the MSSPs offer these services as IDC believes these are critical to the evolution and maturity of MSS. The MSSPs in this study do provide professional services although there is no standard approach to how they are offered. Commonly, an initial assessment is bundled with MSS. Some MSSPs bundle other services. Most, however, offer complementary services as optional add-ons and charge separately for them. Complementary or professional services surveyed include breach management, incidence response, forensics, compliance services, and assessment of architecture and design. Not all MSSPs provide all of these services. Some MSSPs provide all of the listed complementary services among others. Terminology Managed security and information even management (SIEM). This managed on-premise event collector transmits the raw log data to the MSSPs SOC for analysis, reporting, and archiving. Managed SOC. A security operations centre includes the people, processes, and technologies involved in detecting, containing, and remediating security threats. Some MSSPs take over the operation of SOCs that their customers have built and no longer want to manage. This is an advanced and niche offering that only a handful of MSSPs offer. Strategies and Capabilities Criteria This section includes an introduction of market-specific weightings definitions and includes weightings tables (see Tables 3 and 4). The MSS market exhibits the following characteristics that suppliers must take into consideration when crafting a future strategy and in leveraging existing capabilities to best advantage. The factors were 2015 IDC Excerpt of #CA1SD15 10

weighted because IDC believes that some are more important than others in maximizing opportunity and realizing market success in Canada. IDC believes MSSPs must exhibit the characteristics shown in Tables 3 and 4 to be completely successful when crafting a future strategy and in leveraging capabilities to their best advantage. TABLE 3 Key Strategy Measures for Success: Canadian Managed Security Services Strategies Criteria Offering strategy Functionality or offering road map Delivery model Cost management strategy Portfolio strategy Subcriteria Definitions Excellence is marked by plans to offer advanced MSS functionality including threat intelligence data and big data analytics. More weight is given for future plans to add additional advanced service offerings and moving towards a nationwide footprint via multiple offices and SOCs. Excellence is marked by meeting customers' shifting preference for adoption and consumption. More weight is given to having plans to have a hybrid delivery model and easier methods of onboarding clients. Superior service calls for ways in which the vendor employs benchmarks to ensure competitive cost and pricing and help clients justify expenditures for MSS. More weight is given to having plans in place to have both internal and external tools for cost and price benchmarking. Excellence is marked by a portfolio of complementary services such as breach management, incident response, and forensic analysis and compliance services, which enable the client to make the most of the MSS engagement. Subcriteria Weights 4.25 1.50 1.50 2.75 Subtotal 10.00 Go-to-market strategy Pricing model Sales/distribution strategy Marketing strategy Firms have superior planning for future pricing alignment with market direction. More weight is given for plans to have more options in pricing and payment. Excellence is demonstrated by plans to offer multiple routes of purchase (online, offline, direct, indirect, etc.). Particular weight is given for having plans to add additional routes to market. Successful firms have a well-articulated plan for how they will market their capabilities in the future, especially for emerging opportunities. More weight is given for plans to utilize more localized marketing and for plans to acquire, upsell, and retain customers. 1.75 2.50 2.75 2015 IDC Excerpt of #CA1SD15 11

TABLE 3 Key Strategy Measures for Success: Canadian Managed Security Services Strategies Criteria Customer service strategy Subcriteria Definitions Successful firms continuously focus on ways to improve retention of customers as it relates to its service and support over the next 12 months. More weight is given for having plans to offer robust portal capabilities, flexible customer service delivery, and measurement of customer satisfaction. Subcriteria Weights 3.00 Subtotal 10.00 Business strategy Growth strategy Employee strategy Firms poised for growth in the near term provide relevant specialized offerings that address specific needs, particularly for industries, geographic markets, or the size of the client. Particular weight is given to plans for a multifaceted business growth strategy. Firms have clearly articulated plans for attracting and cultivating talent. Particular weight is given for career customization programs that facilitate multiple paths to career success within the firms and programs to attract and develop future skills. Particular weight is given for multifaceted acquisition and retention plans. 5.00 5.00 Subtotal 10.00 Source: IDC, 2015 2015 IDC Excerpt of #CA1SD15 12

TABLE 4 Key Capability Measures for Success: Canadian Managed Security Services Capabilities Criteria Offering capabilities Functionality/offering delivered Delivery model appropriateness and execution Cost competitiveness Portfolio benefits delivered Subcriteria Definitions The ideal offering includes solutions along the full spectrum of managed security services. More weight is given for delivery of advanced service offerings and nationwide 24 x 7 x 365 monitoring from Canadian SOCs. Reviews how well an MSSP's current delivery model meets end-user preference for adoption and consumption. More weight is given to offering a hybrid delivery model and easier methods of onboarding clients. Pricing must be competitive with market pricing and modular and scalable to meet customer requirements. More weight is given to having both internal and external tools for cost and price benchmarking. Key MSS portfolio benefits will reduce budget, improve security, lower risk, and free up overburdened IT resources. Particular weight is given for more complementary services that assist the customer in making the most of its MSS engagement. Subcriteria Weights 4.50 1.50 1.50 2.50 Subtotal 10.00 Go-to-market capabilities Pricing model options and alignment Sales/distribution structure and capabilities Marketing Customer service Flexible arrangements are available so that the client can choose to be billed as the budget allows (by the drink, capex/opex, with migration, quarterly/annually). More weight is given for multiple pricing and payment options. Assess the strength of MSSP's distribution model by region (western, central, eastern, and Atlantic). Particular weight is given for multiple routes to market. The MSSP's services are geared towards well-defined target markets. The message is consistent and appropriate for each of the target markets. More weight is given for regional marketing and execution of plans to acquire, upsell, and retain customers. Customer service excellence is marked by how well an MSSP provides customer service and support. More weight is given to robust portal capabilities, flexible customer service delivery, and measurement of customer satisfaction. 3.00 1.00 3.00 3.00 Subtotal 10.00 2015 IDC Excerpt of #CA1SD15 13

TABLE 4 Key Capability Measures for Success: Canadian Managed Security Services Capabilities Criteria Business capabilities Growth strategy execution Employee management Subcriteria Definitions Market momentum and growth is shown through acquisition of new capabilities as well as organic growth. Particular weight is given to evidence of multifaceted business growth through organic development, acquisition, and/or partnering. The MSSP demonstrates a method of attracting and cultivating talent. More weight is given for partnerships with Canadian educational institutions to increase security talent in the marketplace. Subcriteria Weights 5.00 5.00 Subtotal 10.00 Source: IDC, 2015 LEARN MORE Related Research Brand Perceptions of Security Appliance Vendors in Canada, 2015 (IDC #CA4SD15, April 2015) Canadian IT Security Markets in Flux: Investments Rise, But Not in All the Right Places in 2015 (IDC #CA3SD14, December 2014) Canadian Security Products 2013 Vendor Shares (IDC #CA2SD14, December 2014) Canadian IT Security Hardware, Software, Services, and Cloud 2014 2018 Forecast (IDC #CA1SD14, October 2014) Canadian Mobile Enterprise Management: Spotlight on Consumer and Business Security (IDC #CA4SD14, October 2014) IDC MarketScape: Worldwide Managed Security Services 2014 Vendor Assessment (IDC #248646, June 2014) Profile of 12 Leading Canadian Managed Security Services Providers (IDC #CA14CIC13, October 2013) 2015 IDC Excerpt of #CA1SD15 14

About IDC International Data Corporation (IDC) is the premier global provider of market intelligence, advisory services, and events for the information technology, telecommunications and consumer technology markets. IDC helps IT professionals, business executives, and the investment community make factbased decisions on technology purchases and business strategy. More than 1,100 IDC analysts provide global, regional, and local expertise on technology and industry opportunities and trends in over 110 countries worldwide. For 50 years, IDC has provided strategic insights to help our clients achieve their key business objectives. IDC is a subsidiary of IDG, the world's leading technology media, research, and events company. IDC Canada 33 Yonge St., Suite 420 Toronto, Ontario Canada, M5E 1G4 Twitter: @IDC idc-insights-community.com www.idc.com Copyright Notice This IDC research document was published as part of an IDC continuous intelligence service, providing written research, analyst interactions, telebriefings, and conferences. Visit www.idc.com to learn more about IDC subscription and consulting services. To view a list of IDC offices worldwide, visit www.idc.com/offices. Please contact the IDC Hotline at 800.343.4952, ext. 7988 (or +1.508.988.7988) or sales@idc.com for information on applying the price of this document toward the purchase of an IDC service or for information on additional copies or Web rights. Copyright 2015 IDC. Reproduction is forbidden unless authorized. All rights reserved.