MarketScope for Managed Security Services in Europe

G00219325 MarketScope for Managed Security Services in Europe Published: 24 October 2011 Analyst(s): Carsten Casper The market for managed security services in Europe is mature and changes slowly. IT infrastructure and communications service providers dominate, security specialists fill a niche, and growth continues. What You Need to Know This document was revised on 27 October 2011. The document you are viewing is the corrected version. For more information, see the Corrections page on gartner.com. Managed security services (MSSs) in Europe show all the signs of a mature market, which continues to justify a Gartner MarketScope as the survey methodology. During the past 12 months, the European MSS market grew as anticipated, and will probably reach $2.5 billion by year-end 2011. We epect growth to continue, with a compound annual growth rate of 14% from 2011 to 2015. IT management is not the largest, but is still the fastest-growing segment of the security services market. Vendors Added or Dropped We review and adjust our inclusion criteria for Magic Quadrants and MarketScopes as markets change. As a result of these adjustments, the mi of vendors in any Magic Quadrant or MarketScope may change over time. A vendor appearing in a Magic Quadrant or MarketScope one year and not the net does not necessarily indicate that we have changed our opinion of that vendor. This may be a reflection of a change in the market and, therefore, changed evaluation criteria, or a change of focus by a vendor. Our "MarketScope for Managed Security Services in Europe" in May 2010 surveyed 16 European managed security service providers (MSSPs). For 2011, 17 MSSPs met our inclusion criteria and did not meet our eclusion criteria. Table 1 shows which providers we surveyed during the past four years. In 2011, Telefonica returned, T-Systems was dropped, and Open Systems was added for the first time. Dell acquired SecureWorks, and the company appears at a different position in the list. Apart from these changes, the provider landscape has been fairly stable.

Table 1. MSSPs Surveyed in MarketScopes 2008-2011 May 2008 September 2009 September 2010 October 2011 AT&T AT&T AT&T AT&T Atos Origin Atos Origin Atos BT Global Services BT Global Services BT Global Services BT Global Services Cable & Wireless Computacenter Computacenter Computacenter CSC CSC Dell (SecureWorks) Getronics HCL Technologies HCL Technologies HCL Technologies HCL Technologies EDS, an HP Company HP HP IBM Internet Security Systems (ISS) IBM ISS IBM Global Technology Services IBM Security Services Integralis Integralis Integralis Integralis Open Systems Orange Business Services Orange Business Services Orange Business Services Orange Business Services SecureWorks Symantec Symantec Symantec Symantec Page 2 of 28 Gartner, Inc. G00219325

May 2008 September 2009 September 2010 October 2011 Tata Communications Tata Communications Telefonica Telefonica T-Systems T-Systems T-Systems VeriSign VeriSign Verizon Business Verizon Business Verizon Business Verizon Wipro Technologies Wipro Technologies Wipro Technologies Wipro Technologies Source: Gartner (October 2011) Gartner, Inc. G00219325 Page 3 of 28

Geographic Scope, Inclusion and Eclusion Criteria Although the market grew in volume, we did not revise our inclusion criteria regarding the minimum number of managed devices (700 firewalls and intrusion detection system [IDS]/intrusion prevention system [IPS]) and the minimum number of customers in Europe in 2011 (50 eternal customers; for the complete inclusion criteria, see the Inclusion and Eclusion Criteria section). We did, however, amend the eclusion criteria in order to focus this market analysis on truly regional providers. As a result, Savvis (with a U.S. focus), SSP Europe and T-Systems (with a Germany focus) meet the eclusion criteria and have not been included in this research. Several other providers have a subregional focus in Europe: Atos in Benelu/France, Computacenter in the U.K./Germany, Open Systems in Germany/Austria/Switzerland, Orange Business Systems in Benelu/France/U.K., and Telefonica in Southern Europe. They have not been ecluded, because they have significantly more than 10% of their business outside their European home countries. They have sales staff in several European countries and can support clients with regional (rather than local) requirements. This MarketScope has a strong focus on European clients, but these clients have operations all over the world. While 100% of them demand coverage in Europe, 40% also ask their provider to manage devices in Asia/Pacific, and 30% want their provider to cover devices in North America. Overall, we track around 100 MSSPs worldwide, with about one-third of them in Europe. The ones that do not appear operate mostly in one country (for eample, S12sec in Spain), provide a very specialized security service (such as Qualys for vulnerability scanning) or do not provide standalone security services (for eample, Unisys). For eample, the following providers were considered, but not included: Boing Orange, CGI Group, CompuCom, Dimension Data, KPN/Getronics, Outpost24, Retarus, S21sec, S2 Grupo, Savvis, SecureIT, Sentor, SSP Europe, Telindus, Trustwave, T-Systems, United Service Providers and Unisys. Landscape of Different Types of Providers Remains Relatively Stable The market for managed and related security services continues to evolve, but the types of players are still the same. There are few stand-alone security players left in the Pan-European market. Most providers sell security services bundled with infrastructure management and outsourcing (for eample, Atos, Computacenter, CSC, Dell, IBM Security Services, HCL Technologies, HP and Wipro Technologies) or bundled with communications services (for eample, AT&T, BT Global Services, Orange Business Services, Tata Communications, Telefonica and Verizon). Only a few European providers focus on IT security (for eample, Integralis [now part of NTT Communications], Open Systems and Symantec). All providers in this MarketScope offer MSS as a discrete service. European security providers service approimately 6,500 clients in Europe, and operate about 28,000 firewall and unified threat management (UTM) devices, 5,500 network IPS/IDS and 14,000 server IPS/IDS as well as 2,400 secure message and Web gateways. They also manage or monitor hundreds of Web application firewalls and customer-owned security information and event management (SIEM)/log management products. The large European players serve the U.K. and Ireland; Benelu; Germany, Austria and Switzerland (DACH); France; and Southern and Eastern Europe in fairly equal proportions to the population and gross domestic products of those countries. Page 4 of 28 Gartner, Inc. G00219325

Methodology We conducted our survey of MSSPs simultaneously in North America, Europe and Asia/Pacific. We contacted about 100 providers of MSS in these regions. Of them, 46 replied to our worldwide scoping questionnaire. They included information about all the regions in which they operate. Based on this information, we selected a subset of providers per region that met our inclusion criteria. These providers had to answer a more detailed questionnaire and provide references. The questionnaire was the same in all regions. In Europe, 17 providers met our European inclusion criteria. We also contacted reference clients and conducted phone interviews, as well as online surveys. Reference clients were not only asked for information about their providers, but also questioned about other providers on their shortlists. The assessment in this MarketScope was performed on the basis of survey data collected in May and June 2011, and client reference information collected in June, July and August 2011. Strategic Planning Assumption By 2015, 30% of enterprises that use public cloud infrastructure as a service will also use MSSPs for security monitoring. MarketScope This survey focuses on these security services (including managed customer premises equipment [CPE]), provider-hosted devices and cloud delivery. They are listed in order of popularity to European clients. Devices near the top of the list are managed and monitored most often, according to the reference clients contacted during this market analysis: Firewall Network IDS/IPS (see Note 1) Web application firewall Secure Web gateway devices (see Note 2) Vulnerability scan devices Secure message gateway devices (see Note 2) Server/directory/application/database management system log sources Server IDS/IPS Desktop/endpoint security client Gartner, Inc. G00219325 Page 5 of 28

Multifunction firewall/utm device Customer-owned SIEM/log management products Data loss prevention (DLP) devices Firewall management and monitoring are still the most widely consumed security services. However, the use of Web application firewalls, secure Web and email gateway devices, vulnerability scanning, and log management has increased significantly now being consumed by roughly 30% to 40% of European clients. On the other hand, fewer organizations rely on network-based IDS/IPS services (only about half of them do, compared with 70% in 2010). Consumption of desktop/ endpoint security and SIEM management has increased only slightly. DLP still closes the list. European clients are not pressured to deploy DLP, and most discussions evolve around policy design and implementation, not the management of DLP devices. In addition to these infrastructure-based security services, most European providers offer complementary security services. The ones that are consumed most often are near the top of the list: On-site technical support for security products Security consulting (policy, organizations and architecture) Security system integration Threat intelligence information (vulnerability research) Application security (security testing and code review) Note: Identity-related services (authentication and token management) are not covered in this research. Pricing and Service-Level Agreements Pricing is difficult to compare from provider to provider and from year to year, because each client has different requirements regarding types of services (firewall, IPS, email/web and so on), volume (from one firewall to several thousand firewalls), delivery model (CPE-based, hosted and cloud), geographic coverage, level of engagement (monitoring/management), integration (with IT infrastructure management or with communication services), service quality, response times, service-level agreements (SLAs) and language support. Price is a key factor in most purchase decisions, but comparisons are difficult outside of a specific RFP. Our observations on pricing for management and monitoring of virtualized security devices remain unchanged. There is still not best practice. Here are some approaches we encountered in Europe: The provider says that it will pass on benefits of virtualized infrastructure to the client, but no pricing details are revealed. The monitoring price for a virtualized device is the same as the monitoring price for a CPE device, but the management price for a virtualized device is less than the management price for a CPE device. Page 6 of 28 Gartner, Inc. G00219325

Pricing for virtualized infrastructure is split into a device monitoring part (fied fee) and virtual firewall monitoring part (digressive fee for each virtual firewall). The same applies to management of virtualized infrastructure. SLAs have not changed significantly. Most providers offer 15 minutes or 30 minutes as the fastest possible response times (sometimes in the standard, sometimes only in the "premium" package). However, this only relates to the notification of the client. Resolution times vary widely, and obviously depend on the nature of the issue. A few providers even display an incident immediately on the customer portal, giving customers information in real time. Some providers make an attempt to innovate with SLAs and pricing. Below are some eamples: Firewall pricing depends on bandwidth commitments (not consumption). No minimal fied cost for usage-based pricing (for eample, vulnerability scans). Reduced pricing for permission to offshore security operations. Customers who bring new clients can benefit from a discount on the combined service volume. Client satisfaction is measured after each interaction as a key performance indicator. Outsourcer commits to a price decrease per year (such as 5%) rather than an upfront payment. In general, contracts have become more specific and concrete. Some providers have indicated that they now move from service-level objectives to service-level agreements. Clients that have been disappointed by a previous provider's performance push hard to include penalties in new contracts. Such a penalty typically amounts to a percentage of the monthly charge up to a maimum of one monthly charge of the service cost and is paid as a credit or an immediate payout (potentially with an "earn-back" clause for subsequent SLA compliance). Types of Services Offered Delivery models continue to change, and the topics "cloud computing" and "virtualization" dominate many discussions with European clients. However, the change is not massive; rather, it develops at varying speeds, depending on the service in question. Up to 5% of revenue is shifting from CPE to non-cpe delivered services every year, and non-cpe-based delivery is at approimately 10% for firewalls, UTMs and network IDS/IPS; more than 15% for Web application firewalls; and up to 35% for secure messaging. SIEM management, log sources and server IDS/IPS are still predominantly operated on customer premises. Vulnerability scanning is often eecuted remotely, but usually with the help of some additional devices installed on customers' premises. Virtualization also plays an increasing role. A concern raised by some clients is that monitoring capabilities for virtualized infrastructure are not as detailed as the ones for on-premises equipment. Moreover, a report might be available only on request, rather than through the portal. This will be acceptable for some clients, but impossible for others. This is similar to different customers' attitudes to determining the security product vendor. While some customers eplicitly require that the provider takes over the management of their eisting infrastructures (into which they invested Gartner, Inc. G00219325 Page 7 of 28

heavily), others accept whatever product the provider suggests and are also more open to virtualized versions of these products. Relationships Between Providers and Customers White-labeling of services (that is, offering security services under the brand name of another provider) seemed a trend in 2010, but did not gain in importance in 2011. The only eception continues to be vulnerability scanning where most European providers collaborate with Qualys (12 out of 17). In the area of threat intelligence and vulnerability notification services, the picture is less consistent, and European MSSPs collaborate with up to seven partners to provide this information. Integration of network/it services and security services also deserves particular attention. Client satisfaction can go both ways. Some clients said that they only consume the security services of this provider, because it's part of a larger outsourcing deal, and they did not have any choice but to include security. Other clients also criticize such an integrated approach, but in fact, they are happier with the security services than with the main part of the outsourcing deal. Clients also need to eercise caution regarding new types of security services. Some providers will fill the gap with third-party service offerings which is certainly acceptable but contract management can become an issue if the client is locked into a contract with the third party, rather than its own security provider. Once the incumbent provider starts offering the same service, the client must be allowed to quit the third-party contract and transition back to the legacy providers, which does not always seem to be the case. Some clients appreciate a clear segregation of duties, but few actually phrase it as a requirement. Overall, there are basically three types of security services: 1. Management of security infrastructure, including hosted or cloud-based security infrastructure. In-house infrastructure is still sometimes managed by an internal team, often by network operations. 2. Monitoring of security infrastructure, including log management, correlation, SIEM and advanced portal capabilities. Especially in large contracts, there is a tendency to let the MSSP do the monitoring while in-house staff or another partner (such as a telecommunication provider or an IT outsourcer) is managing the infrastructure. 3. Vulnerability scanning services. These are often provided by Qualys, sometimes by other vendors or the MSSP itself, and usually in a combination of all of the previous. In summary, clients engage up to three different providers for the different tasks. Alternatively, an inhouse team takes care of these tasks. This is often the case for infrastructure management, sometimes for monitoring and rarely for vulnerability scanning. Operational Concerns There are some indications that the follow-the-sun approach with which several providers operate is not always the best solution. Clients mentioned the following issues: Page 8 of 28 Gartner, Inc. G00219325

There is the danger that difficult customer issues are passed from security operations center (SOC) to SOC like a hot potato. While the local SOC focuses on the immediate needs of local clients, the needs of remote clients receive a lower priority. Clients have eplained that their European SOC serves them very well, while the North American SOC does more harm than good. Given the increasing need to store data in the country (or at least the region) of origin, clients are concerned that sensitive data is sent to countries with less protection. This can already be a problem regarding backup data centers in other regions, but it is an immediate issue when data is passed around on a daily basis. Fortunately, this is critical for only very few clients, and while some might bring up this concern during contract negotiations, very few will actually make SOC location an eclusion criterion. Related to the location of the primary data center is another concern: cultural differences. Staff from other countries or even from other regions of the world may not only speak with a strong accent, but also have a different attitude toward service delivery and customer satisfaction. However, these differences are decreasing year over year. As one reference client epressed it: If you're going offshore, then you should plan for cultural adjustments. You can't epect everybody else to adapt to you you have to adapt as well. Decision Criteria The main drivers to engage an MSSP are still to reduce costs, to reduce capital ependitures, and to supplement or replace in-house epertise and in-house resources. In Europe, regulatory compliance plays less of a role than in the U.S. More specifically, we asked our European reference clients for their main reasons for choosing their service provider. Unlike last year, viewing the provider as a strategic partner is not as important a decision factor as in 2010 (28% in 2011 versus 52% in 2010). The enumeration below shows the decision factors in decreasing order of importance: Security epertise Pricing (total cost of contracted services) Understanding of business needs Industry eperience Quality of response to RFP or presentation of capabilities View as a strategic partner Perceived viability and/or financial strength Positive eperience with provider Good feedback from references Project implementation methodology Gartner, Inc. G00219325 Page 9 of 28

These priorities favor the specialist provider, the one that can show security, business and industry epertise, not the large incumbent provider of IT or network operations who likes to be preselected as a strategic partner. This is emphasized by the fact that the reason quoted most often for rejecting a provider's offer is "did not demonstrate understanding of business needs." Few providers know how to differentiate themselves from the competition. Many claim to be "trusted advisors" and to have "global coverage." Feedback from reference clients is different. Pricing, service quality and lack of SLAs are often reasons for dissatisfaction. Sometimes, mistakes are covered up, and documentation is bad. Clients often use two or more security providers (one for email security and one for firewall management). They also compare the performance of the network provider against the performance of the security infrastructure monitoring provider. For eample, a firewall and a router, both managed by different providers, are connected. In case of an outage, the client sees and compares the reaction time of both companies. One client said: "Our network provider informed us that the router was down, and our firewall provider did not even notice. It also happened that penetration testing by a different provider has revealed that ports were not monitored." This has surfaced in 2010 and now again in 2011. Several reference clients were not willing to take this any longer and gave "fair" to "poor" ratings, although most clients are still happy with their provider, and one-quarter rated them as "ecellent." Purchasing Behavior The bulk of the contracts for MSS in the European region are valued from $150,000 to $750,000 per year (67% of contracts), while 11% of contracts are below the range, and 18% are above that range. The number of midsize contracts (versus large or small contracts) has increased compared with 2010. The typical contract size in Europe is still much greater than in Asia/Pacific, where 60% of the contracts have a value of less than $150,000 per year. On the other hand, the typical contract size in Europe is similar to the typical contract size in the U.S., where 11% of the contracts are more than $1.5 million in annual value. Only one-quarter of the European reference clients has been customers of their providers for less than one year; three-quarters have had their contracts for more than one year. The typical contract duration is still three years, but occasionally clients do not conduct a full tender with a detailed request for proposal when the contract epires after three years. If there are no major concerns, then they prefer to etend the contract for another three years, after which they would do a fullscale market analysis again. The question of whether it is a good or a bad thing to outsource security services to non-european providers came up less often in discussions with reference clients than last year. Gartner's clients are increasingly looking for advice on how to secure and control such offshoring, not whether this is the right option at all. Security Marketing The marketing message of a European MSSP often reflects the providers' attitude to service delivery. Some providers focus on technical details, insights about the changing threat landscape Page 10 of 28 Gartner, Inc. G00219325

and security product innovations that cater to the needs of "lean in" customers that is, customers who want to get the maimum out of the security services for which they believe they pay a premium. Other providers market to the needs of the "lean back" customer that is, a customer who has very different core competencies (that is, not IT security) and simply wants the assurance that security has been taken care of. Such a provider emphasizes simplicity, costeffectiveness, global operations with local adjustments and integration (of networks and security or IT operations and security). Enterprise clients need to look beyond these marketing messages, because some providers cater to both types of audiences. Although there is no right or wrong, it is important that client epectations and provider capabilities match. Outlook The market for MSS is changing in various ways, including cloud delivery and virtualization. In 2012, the market for MSS in Europe will continue to grow significantly in volume and also in terms of breadth of features and services. New or enhanced services will include distributed denial of service (DDoS) detection and mitigation, malware/botnet detection, fraud detection, DLP selection and implementation, reputation-based services, tokenization, and mobile security. These services will continue to be complemented on occasion with various identity and access management (IAM) services (role management, authentication and privileged user monitoring), VPN services and more powerful log management services. Management of customer premises security devices will still be the dominant delivery model, but the percentage of hosted, security-as-a-service (SecaaS) and inthe-cloud security services will increase steadily. There is still no widely accepted standard for the pricing of monitoring and the management of virtualized security infrastructure, and given the variety of options, it may never come. However, clients should ask for a significant advantage over premises-based services and should keep pushing for lower price points. Pricing for the hardware and pricing for the logical service have to be separated and priced individually, whether or not management and monitoring are addressed together. The split of the MSS market into IT outsourcers that offer security services, network providers that offer security services, and security specialists has stabilized, and the market will continue this way in 2012. Pure-play security providers will continue to have their place and new players (for eample, from Europe or India) will increase in size and reach, and enter the regional European market, trying to differentiate themselves with innovative technology and a fleible portfolio of supported products. Market/Market Segment Description For the purposes of this research, Gartner defines "managed security services" as the remote management or monitoring of IT security functions delivered via remote security operations centers, not through personnel on-site. MSS does not, therefore, include staff augmentation or any consulting, development and integration services. MSS includes: Monitored or managed firewall or IPSs Gartner, Inc. G00219325 Page 11 of 28

Monitored or managed IPSs DDoS protection Managed secure messaging gateway Managed secure Web gateway Security information management Security event management Managed vulnerability scanning of networks, servers, databases or applications Security vulnerability or threat notification services Log management and analysis Reporting associated with monitored/managed devices and incident response This MarketScope evaluates service providers that offer monitored/managed firewall and intrusion detection/prevention functions, rather than those whose main focus is on other elements of the services listed. Inclusion and Eclusion Criteria Inclusion Criteria To be included in this MarketScope, an MSSP must have these qualifications: The ability to remotely monitor and/or manage firewalls and intrusion detection/prevention (IDP) devices from multiple vendors via discrete service offerings At least 700 firewall/idp devices under remote management or monitoring for eternal customers in Europe At least 50 eternal customers in Europe with those devices under management or monitoring Reference accounts in Europe relevant to Gartner customers Eclusion Criteria Providers were ecluded from this MarketScope of regional providers if they: Have more than 90% of their European customers and more than 90% of their devices installed in Europe in only one country Offer MSS only to end users that buy other, non-mss services Offer services that monitor or manage only the service provider's own technology For eample, vendors that have only MSS offerings, such as DDoS protection or vulnerability scanning, but not device monitoring and management, are not included. Providers of primarily Web Page 12 of 28 Gartner, Inc. G00219325

and email hygiene and trust services (for eample, certificate authorities) are not included. Other vendors offer MSS primarily to hosting customers, with limited offerings to others. As these providers epand the scope of their MSS offerings, they may be included in future MarketScopes. Rating for Overall Market/Market Segment Overall Market Rating: Positive With a portfolio of mature basic services and an array of innovative options, the MSS market in Europe is mature, with a solid growth perspective, despite or to some etent because of a continuously difficult global economic climate. Secure infrastructure management is a prerequisite for businesses that have to cut costs and operate under regulatory scrutiny and tight competition. Outsourcing of security to nearshore or offshore countries has become a normal business option for most organizations. Where security concerns remain, physical operations in Europe are an option for most providers in this MarketScope. MSS customers usually etend their outsourcing contracts and occasionally change providers, but they rarely move services back in-house, which is still considered the more costly option. These factors have resulted in the MSS market in Europe being forecast to grow at a 14% compound annual growth rate from 2011 to 2015 (with the market size for 2011 forecast at $2.5 billion), which means it is still one of the growth sectors in the IT industry. Gartner, Inc. G00219325 Page 13 of 28

Evaluation Criteria Table 2. Evaluation Criteria Evaluation Criteria Comment Weighting Overall Viability (Business Unit, Financial, Strategy, Organization) Geographic Strategy Product/ Service Marketing Strategy Customer Eperience Innovation Market Responsiveness and Track Record Viability includes an assessment of the provider's financial health, the financial and practical success of the MSS unit, and the likelihood that the MSS unit will continue investing in managed security services, and researching and developing innovative security services. Additional areas assessed include management eperience, the number of customers in Europe, investment in R&D, and understanding of business and technology trends. This includes the provider's strategy to direct resources, skills and offerings to meet the specific needs of regions outside the native area, directly or through partners, channels and subsidiaries, as appropriate for the region and market. We considered the vendor's ability to articulate the differences between the U.S. and European MSS markets, as well as differences within Europe. This is the provider's approach to service development and delivery, which emphasizes differentiation, functionality, methodology and feature sets as they map to current and future requirements. We considered the number of target platforms vendors can manage. This is a clear, differentiated set of messages, consistently communicated throughout the organization and eternalized through the website, advertising, customer programs and positioning statements. In addition, we considered how providers measure the effectiveness of marketing programs. This includes the ways customers receive technical and account support. These can include ancillary tools, customer support programs (and the quality thereof) and the availability of user groups, SLAs and so on. We also assessed providers' implementation processes and system integration and consulting capabilities. Reference client feedback was particularly important in the rating for this criterion. This takes into account capital and human resource investments, and the development of new services as displayed in the security service strategy and the road map. Ability to understand business and security technology trends and assess competitors. This includes the ability to respond, change direction, be fleible and achieve competitive success as new opportunities develop, competitors act, customer needs evolve and market dynamics change. High Standard Standard High High Standard Standard Source: Gartner (October 2011) Page 14 of 28 Gartner, Inc. G00219325

Figure 1. MarketScope for Managed Security Services in Europe RATING Strong Negative Caution Promising Positive Strong Positive AT&T Atos BT Global Services Computacenter CSC Dell (SecureWorks) HCL Technologies HP IBM Security Services Integralis Open Systems Orange Business Services Symantec Tata Communications Telefonica Verizon Wipro Technologies As of 26 October 2011 Source: Gartner (October 2011) Vendor Product/Service Analysis AT&T AT&T is a venerable network service provider that tends to emphasize its global approach (it is present in more than 200 countries), rather than regional differentiation. It offers MSS to European multinational companies via SOCs in the U.S. and India, and plans to open another SOC in Eastern Europe. Its MSS strategy focuses on providing integrated network-based security to European-based customers that possess a global footprint, utilizing services such as virtualized firewall, intrusion prevention, Web filtering, DDoS and premises-based solutions. It is aggressively moving into cloud and software-as-a-service-based security services. Global coverage of communications and security services Gartner, Inc. G00219325 Page 15 of 28

Its ability to leverage eisting communications clients for upselling MSS Its tight bundling of security services with network services and capabilities in cloud security Variable response to customer service requests remains an issue Despite global brand and presence, rarely appears on MSS shortlists in Europe, and needs to improve its visibility as a security provider to etend beyond the multinational company market Rating: Promising Atos Atos (formerly Atos Origin) is an international IT services company with four primary service lines: business consulting, system integration, managed operations and transactional services. In July 2011, Atos completed its acquisition of the IT Solutions and Services subsidiary of Siemens. This analysis reflects the preacquisition situation. Its security services strategy focuses on Atos High Performance Security, an integrated SecaaS platform. The security portfolio includes endpoint security, server security, network security and IAM. Other focus areas are governance/risk/compliance and cloud security. Most of its MSSP contracts are part of larger IT outsourcing relationships. It targets the public sector, financial services (card payments) and healthcare sectors. Eperience in integrating security services with comple, large-scale IT programs (its IT security services for the Olympics are an eample) Ability to work effectively and collaboratively with other service providers (for eample, network service providers) that its clients have engaged Knowledge and skills of some of its technical MSS staff Pursuing information security with the same diligence as IT operations Improving collaboration among and consistency of different countries' and teams' operations Becoming more cost-efficient, reducing the tendency to overengineer security solutions Rating: Positive BT Global Services BT is an established name in network and communications services in Europe. Because of ongoing R&D investments and marketing that ehibits regional insights, BT also managed to shape a decent Page 16 of 28 Gartner, Inc. G00219325

security service profile. Customer feedback in Europe has also been more positive over the past year. BT has an etensive security service portfolio with a focus on multifunction firewall/utm devices and secure message gateways. Its MSS differentiation focuses on security embedded in the network, skilled resources and a global infrastructure. Targeting mainly large enterprises, its key messages emphasize the basics simplicity, cost reduction, compliance and asset protection. A resilient operations infrastructure and BT's responsiveness in incident reporting The quality of its internal operational processes (for eample, quality assurance) The skills of its engineers and the ability to listen, respond and adjust to client requirements Sharing information more openly and making it available in real time, rather than on request Cost savings in order to keep pricing competitive must not result in staff shortage Rating: Strong Positive Computacenter Computacenter is a European provider of outsourcing, outtasking, consulting and support services. It operates primarily in the U.K. and in Germany, and has two SOCs in each of these two countries. Its MSS strategy emphasizes a holistic approach to security (client, network and data center), integrating MSS into other outsourcing deals and customer intimacy. It differentiates on agility, value for money and customer relationships. Its customer growth in 2010 was above average. Computacenter has had recent success in the automotive, pharmaceutical and finance industries. Providing cost-effective services from a European vendor Acting as a strategic partner, is able to understand infrastructure and business requirements Having the ability to leverage the eisting client base for upselling managed security services Reducing the perceived gap between promise and performance Improving service consistency and quality Gartner, Inc. G00219325 Page 17 of 28

Improving knowledge of industry-specific needs and requirements Rating: Positive CSC CSC is a global provider of IT-enabled business solutions and services. This ranges from consulting, to solution design through to implementation and management of the solution. Headquartered in the U.S., it provides MSS via security operations centers in the U.K., Australia, Malaysia and the U.S. It emphasizes the need to address security from a business risk perspective, not just a technology perspective. This is a message that tends to resonate with European client organizations. In Europe, its traditional customers are from within its outsourcing base, although more recently, it has targeted the public sector and financial services for its MSS. Most customers in Europe use CSC for the management of firewalls, customer-owned SIEM/log management and endpoint security clients. For cloud-based Web and email, CSC chooses to work with partners. Having the capability to embed an information risk manager as a single point of contact in the client's organization Being able to work with partners to complete the security service portfolio Being able to leverage its eisting client base for upselling MSS Being more fleible (and less commercially rigorous) in its response to changing client requirements Aligning communications between security and other operational teams Improving the ability to leverage security and threat information from its large client base for the benefit of individual clients and delivering enhanced portal capabilities Rating: Positive Dell (SecureWorks) Dell SecureWorks Information Security Services is the result of Dell's acquisition of SecureWorks (U.S.). With this acquisition, Dell benefits from SecureWorks' previous acquisitions of VeriSign's MSS operations and dns (U.K.) in 2009 through 2011. Dell SecureWorks manages and/or monitors security devices all over Europe, predominantly in the U.K., especially log sources, firewalls, network IDS/IPSs and data loss prevention systems. Dell SecureWorks operates two SOCs in Europe, provides a comprehensive portal, and also offers support in Spanish and French. Page 18 of 28 Gartner, Inc. G00219325

Its clearly articulated strategy in Europe, its understanding of the market and its increasing investments in R&D Its ability and willingness to adapt to the changing needs of large clients Its advanced portal (including asset information and various correlation capabilities) Mitigating the perception that a large vendor cannot provide customer intimacy Continuing to establish a brand presence in the European security market Ensuring consistency of service quality during acquisition integration Rating: Positive HCL Technologies HCL Technologies is an India-based offshore provider that has already gained some traction in Europe. HCL continues to show significant revenue growth in Europe. HCL is strong in server-based security services (IDS/IPS and log collection) as well as endpoint security client management. In addition, it offers application security services and IAM. It also claims comprehensive portal capabilities. HCL focuses on providing fleible services based on a large pool of skilled, eperienced resources and can support delivery in a large number of European languages. Consistent and mature service delivery, including a methodological, process-driven approach to security management Human resource management epertise of staff and relatively low staffing turnover rate Ability to pull in epertise, on demand, from a large resource pool Cost-effectiveness, especially for standard platforms in the HCL support portfolio, and for services that don't deviate from the standard offerings Improving management of nonstandard requests, specifically the ability to deal with requests and issues that fall outside the scope of the eisting formal processes Improving strategic planning clients would like to see more forward-thinking and innovative suggestions for dealing with a constantly changing security environment Gartner, Inc. G00219325 Page 19 of 28

Rating: Positive HP HP offers enterprise security products and enterprise security services. Its managed security services represent the capabilities of HP, EDS (acquired by HP in August 2008) and Vistorm (acquired by EDS in April 2008). Vistorm was an established security services and consulting vendor based in the U.K. With ArcSight, HP also owns one of the more widely deployed SIEM technologies. In Europe, HP targets enterprise accounts in various industries, including the public sector, financial services and utilities sectors, as well as organizations in the high-end small and midsize business scale. Its European security customer base is stable. HP's security service portfolio includes endpoint security, and firewall and network IPS management. HP recently announced enterprise cloud services: vulnerability scanning, vulnerability intelligence and endpoint threat management. It has five SOCs worldwide, two of which are in Europe (the U.K. and Spain). Its eperience in integrating security services with comple, large-scale enterprise IT solutions It takes the time to develop a detailed understanding of the technical, commercial and functional aspects of client business operations Willingness to reduce service pricing if customer accepts management handled in another country Improving the features and functionality of its MSS portal (which is currently available only in English) Ensuring that Vistorm's strengths are not lost in the HP enterprise Improving HP's visibility as a security player in the broader European MSS market Rating: Positive IBM Security Services IBM's security capabilities include managed security services and cloud-based security offerings complemented by a portfolio of professional security services with a slight emphasis on server and endpoint security (versus network security). IBM Security Services targets larger enterprises and eisting customers for its MSS. It emphasizes its reputation, global reach, and depth and breadth of its solution offerings as key differentiators. IBM is the MSS provider that appears most often on customer shortlists in Europe. Page 20 of 28 Gartner, Inc. G00219325

Global security view based on large number of customers Supports many European languages and has a presence in all major European countries Eperience with various security products (such as IBM and Cisco) Addressing client reports of inconsistencies in service delivery standards Improving the fleibility of IBM processes and procedures to cater to changing customer requirements Realizing that cost is still often quoted as a major reason for not selecting IBM during competitive bidding Rating: Positive Integralis Integralis is a provider of security services originally based in Europe that has grown steadily over the years and is now present in Europe, the U.S. and Southeast Asia with a total of nine SOCs. This includes operations of Secode, a Scandinavian MSSP that was acquired in 2010 like Integralis in 2009 by NTT Communications, Japan. Integralis remains an independent subsidiary of NTT Communications. Integralis provides a broad portfolio of network and server-based security services, including data center, CPE and cloud-based services. Ecellent technical skills of its workforce Fleibility in dealing with clients' security requirements Clients especially value Integralis' security architecture design capabilities Retaining its price competitiveness versus the offshore providers Making sure that administrative back-end processes don't slip Keeping the functionality of its portal competitive Rating: Strong Positive Gartner, Inc. G00219325 Page 21 of 28

Open Systems Open Systems is a specialized security service provider headquartered in Switzerland, with an additional security operations center in Sydney. Its portfolio focuses on multifunction firewall/utm devices, Web application firewalls, secure Web/email gateways and traditional firewall/network IPS. Open Systems operates a variation of the follow-the-sun model with its two SOCs. All Sydney employees are recruited under Swiss law. They are trained in the headquarters and then sent to Sydney three to four months in rotation. Open Systems is conscious of the demand for on-premises delivery due to the need for storing sensitive data locally, and hence, it evaluates cloud delivery options with caution. Comprehensive service portfolio with a focus on network-based security Commitment to employee development resulting in low staff fluctuation, stable service quality and high customer satisfaction Customers' appreciation that the staff is client-focused, fleible and highly professional Maintain the balance between high growth, high quality and customized (rather than merely packaged) security services Epand the standard portfolio to include log management if clients demand it Improve visibility in the European market for managed security services Rating: Positive Orange Business Services Orange Business Services is the brand name under which France Telecom offers most of its managed security services. The company is a sizable player in the MSS space in Europe because of its large base of network and communications clients. Offerings include the management of firewalls, network intrusion prevention devices and an above-average number of secure Web gateways. Security services are available independently, but many sales combine aspects of network operations, security services and security consulting. The company's marketing emphasizes simplicity, fleible delivery models and reduced total cost of ownership (TCO) in its MSS offerings. It has 10 SOCs globally, seven of which are in Europe. Focus on small and midsize businesses, especially in France/Benelu, but also active in all other European regions Its ability to leverage eisting client relationships for selling security services Page 22 of 28 Gartner, Inc. G00219325

Its moving from device-based to hosted and cloud security services Epress more clearly how it intends to stay abreast of threat and technological developments Implement the road map for security services and articulate where R&D investments will be made Improve visibility in the enterprise security market segment Rating: Promising Symantec Symantec is a vendor with a broad portfolio of security products and services. Managed services include server and network IDS/IPS, firewalls, and endpoint security solutions. It has four SOCs worldwide, operates a large network of security information sensors and employs a sizable staff of security administrators. It offers a comprehensive security portal, has developed a technology- and customer-oriented road map, and has detailed awareness of its regional competition. Its global view of the threat environment via its threat intelligence capability Its responsiveness to client requests, and its fleibility The quality of its support and sales resources Monitoring quality of support services provided by local partners Realizing that, despite its massive brand presence in the security product market, Symantec still has a comparatively low profile as an MSS player in Europe Rating: Strong Positive Tata Communications Tata Communications is an India-based global communications provider. It provides MSS via five global SOCs, one of which is in Europe. It targets large multinational organizations in the retail, pharmaceutical, oil and gas, and financial services industries. Its MSS strategy focuses on compliance, customer service, TCO and integration with the rest of its service portfolio. While its European revenue base is still small, it showed the strongest customer growth of all European MSSPs surveyed in 2010. Gartner, Inc. G00219325 Page 23 of 28

While Tata Communications meets the inclusion criteria in terms of device and customer numbers in Europe, we could not verify the provider's portfolio and performance claims independently. Being able to leverage eisting clients for upselling MSS Supporting a broad range of security products Understanding global market trends, and being able to present an insightful road map, having obtained relevant certifications for its security services Establishing a measurable presence in the European market Proving their understanding of regional and local requirements Rating: Caution Telefonica Telefonica is a large, integrated telecommunications provider with international operations and a strong position in Spain, also with a relevant customer base in most other European regions. It provides management of Web application firewalls, network firewalls and IPSs. It also manages endpoint security clients and operates some DLP devices. Fleibility in adapting to client requirements Ability to foster and maintain strong local relationships Sound knowledge of technology and client requirements Improving the quality of service delivery and service management to competitive standards, in particular where subcontractors are involved Accelerating service deployments and equipment updates Rating: Positive Verizon Verizon is a major mainstream MSS provider with good coverage in Europe. It has an elaborate road map and invests in reputational intelligence and secure mobility services. Verizon tends to integrate security services into other networking and IT services. It has a solid presence in Europe, and Page 24 of 28 Gartner, Inc. G00219325

emphasizes its correlation capabilities, security epertise, global reach and risk-based security on global IP networks. While not inepensive, its prices are generally considered acceptable. Having global reach and epertise The knowledge and skills of its European staff Offering threat intelligence correlated from various sources Providing European clients with consistently high service quality from U.S. operations Improving the quality of communications among staff in different teams managing different services (for eample, firewall administration versus antivirus versus IDS/IPS) Avoiding becoming more bureaucratic, especially in back-office processes Rating: Positive Wipro Technologies Wipro Technologies is an offshore IT service and system integration company based in India. It provides managed security services to organizations in Europe from a primary control center in India supported by five regional SOCs in Europe, which deliver services locally and improve crossborder data privacy compliance. Wipro offers various delivery models, including a dedicated SOC, an SOC at customer premises, cloud-based operations or hosted services. Its staff works as part of the customer organization, co-managed and in a fully outsourced model. The majority of its European MSS clients are also clients of other Wipro IT services. Its fleibility and willingness to help customers, even on short notice The quantity and quality of its skilled staff Its ability to upsell security services to eisting clients Finding the right balance between tolerating some staff fluctuation in order to support very competitive pricing and deploying eperienced staff to provide the best service eperience Increasing brand visibility in the European security services market Rating: Positive Gartner, Inc. G00219325 Page 25 of 28

Recommended Reading Some documents may not be available as part of your current Gartner subscription. "The Global Managed Security Services Provider Landscape" "Toolkit: Selecting the Right Managed Security Services Provider" "Magic Quadrant for MSSPs, North America" "MarketScope for Managed Security Services in Asia/Pacific" "Magic Quadrants and MarketScopes: How Gartner Evaluates Vendors Within a Market" Evidence For this research, we contacted about 100 managed security service providers, of whom 17 met the selection criteria. They had to answer a detailed list of questions about their company and their security services. In addition, we collected information on the providers' performance from Gartner clients and provider reference clients through phone interviews and an online survey. Note 1 Intrusion Detection System and Intrusion Prevention System For the purposes of this research, we ignore the differences between IDSs and IPSs. Whenever we use "IPS," we mean both. Note 2 Secure Web and Email Gateway Services Secure Web and email gateway services refer to the filtering of malware from Web and email traffic at the gateway. This does not include filtering at the endpoint. Vendors Added or Dropped We review and adjust our inclusion criteria for Magic Quadrants and MarketScopes as markets change. As a result of these adjustments, the mi of vendors in any Magic Quadrant or MarketScope may change over time. A vendor appearing in a Magic Quadrant or MarketScope one year and not the net does not necessarily indicate that we have changed our opinion of that vendor. This may be a reflection of a change in the market and, therefore, changed evaluation criteria, or a change of focus by a vendor. Gartner MarketScope Defined Gartner's MarketScope provides specific guidance for users who are deploying, or have deployed, products or services. A Gartner MarketScope rating does not imply that the vendor meets all, few or none of the evaluation criteria. The Gartner MarketScope evaluation is based on a weighted evaluation of a vendor's products in comparison with Page 26 of 28 Gartner, Inc. G00219325

the evaluation criteria. Consider Gartner's criteria as they apply to your specific requirements. Contact Gartner to discuss how this evaluation may affect your specific needs. MarketScope Rating Framework Strong Positive Is viewed as a provider of strategic products, services or solutions: Customers: Continue with planned investments. Potential customers: Consider this vendor a strong choice for strategic investments. Positive Demonstrates strength in specific areas, but eecution in one or more areas may still be developing or inconsistent with other areas of performance: Customers: Continue planned investments. Potential customers: Consider this vendor a viable choice for strategic or tactical investments, while planning for known limitations. Promising Shows potential in specific areas; however, eecution is inconsistent: Customers: Consider the short- and long-term impact of possible changes in status. Potential customers: Plan for and be aware of issues and opportunities related to the evolution and maturity of this vendor. Caution Faces challenges in one or more areas: Customers: Understand challenges in relevant areas, and develop contingency plans based on risk tolerance and possible business impact. Potential customers: Account for the vendor's challenges as part of due diligence. Strong Negative Has difficulty responding to problems in multiple areas: Customers: Eecute risk mitigation plans and contingency options. Potential customers: Consider this vendor only for tactical investment with shortterm, rapid payback. Gartner, Inc. G00219325 Page 27 of 28

Regional Headquarters Corporate Headquarters 56 Top Gallant Road Stamford, CT 06902-7700 USA +1 203 964 0096 European Headquarters Tamesis The Glanty Egham Surrey, TW20 9AW UNITED KINGDOM +44 1784 431611 Japan Headquarters Gartner Japan Ltd. Aobadai Hills, 6F 7-7, Aobadai, 4-chome Meguro-ku, Tokyo 153-0042 JAPAN +81 3 3481 3670 Latin America Headquarters Gartner do Brazil Av. das Nações Unidas, 12551 9 andar World Trade Center 04578-903 São Paulo SP BRAZIL +55 11 3443 1509 Asia/Pacific Headquarters Gartner Australasia Pty. Ltd. Level 9, 141 Walker Street North Sydney New South Wales 2060 AUSTRALIA +61 2 9459 4600 2011 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. or its affiliates. This publication may not be reproduced or distributed in any form without Gartner s prior written permission. The information contained in this publication has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information and shall have no liability for errors, omissions or inadequacies in such information. This publication consists of the opinions of Gartner s research organization and should not be construed as statements of fact. The opinions epressed herein are subject to change without notice. Although Gartner research may include a discussion of related legal issues, Gartner does not provide legal advice or services and its research should not be construed or used as such. Gartner is a public company, and its shareholders may include firms and funds that have financial interests in entities covered in Gartner research. Gartner s Board of Directors may include senior managers of these firms or funds. Gartner research is produced independently by its research organization without input or influence from these firms, funds or their managers. For further information on the independence and integrity of Gartner research, see Guiding Principles on Independence and Objectivity on its website, http://www.gartner.com/technology/about/ ombudsman/omb_guide2.jsp. Page 28 of 28 Gartner, Inc. G00219325