Research Publication Date: 30 September 2010 ID Number: G00206878 MarketScope for Managed Security Services in Europe Carsten Casper, Tom Scholtz The market for managed security services in Europe is mature and evolves only slowly. IT infrastructure and communications service providers dominate, security specialists fill a niche, and growth continues. 2010 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. or its affiliates. This publication may not be reproduced or distributed in any form without Gartner's prior written permission. The information contained in this publication has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information and shall have no liability for errors, omissions or inadequacies in such information. This publication consists of the opinions of Gartner's research organization and should not be construed as statements of fact. The opinions expressed herein are subject to change without notice. Although Gartner research may include a discussion of related legal issues, Gartner does not provide legal advice or services and its research should not be construed or used as such. Gartner is a public company, and its shareholders may include firms and funds that have financial interests in entities covered in Gartner research. Gartner's Board of Directors may include senior managers of these firms or funds. Gartner research is produced independently by its research organization without input or influence from these firms, funds or their managers. For further information on the independence and integrity of Gartner research, see "Guiding Principles on Independence and Objectivity" on its website, http://www.gartner.com/technology/about/ombudsman/omb_guide2.jsp
WHAT YOU NEED TO KNOW Managed security services (MSSs) in Europe show all the signs of a mature market, which continues to justify a Gartner MarketScope as the survey methodology. During the past 12 months, the European MSS market grew more than anticipated, and will probably reach $2.1 billion by year-end 2010. We expect growth to continue, with a compound annual growth rate of 14% from 2010 to 2014. IT management is not the largest, but is still the fastest-growing segment of the security services market. Vendors Added or Dropped We review and adjust our inclusion criteria for Magic Quadrants and MarketScopes as markets change. As a result of these adjustments, the mix of vendors in any Magic Quadrant or MarketScope may change over time. A vendor appearing in a Magic Quadrant or MarketScope one year and not the next does not necessarily indicate that we have changed our opinion of that vendor. This may be a reflection of a change in the market and, therefore, changed evaluation criteria, or a change of focus by a vendor. Our "MarketScope for Managed Security Services in Europe" in May 2009 surveyed 16 European managed security service providers (MSSPs): AT&T; Atos Origin; BT Global Services; Cable & Wireless; Computacenter; HCL Technologies; EDS, an HP Company; IBM Internet Security Systems (ISS); Integralis; Orange Business Services; Symantec; Telefonica; T-Systems; VeriSign; Verizon Business; and Wipro Technologies. For 2010, again 16 managed security service providers met our inclusion criteria: AT&T, Atos Origin, BT Global Services, Computacenter, CSC, HCL Technologies, HP, IBM, Integralis, Orange Business Services, SecureWorks, Symantec, Tata Communications, T-Systems, Verizon Business and Wipro Technologies Reflecting the changing market conditions, we revised our inclusion criteria for 2010, increasing the minimum number of managed devices and the minimum number of customers in Europe, and relaxing the requirements for country-specific coverage. As a result, CSC and Tata Communications now meet the inclusion criteria and have been added to the evaluation and rating. Cable & Wireless and Telefonica do not meet the inclusion criteria this year and have been excluded. VeriSign's MSS business unit has been acquired by SecureWorks, and SecureWorks meets the inclusion criteria in 2010 (like VeriSign met the inclusion criteria in 2009). The market for managed and related security services continues to evolve there are few standalone security players left in the Pan-European market. Most providers sell security services bundled with infrastructure management and outsourcing (for example, Atos Origin, Computacenter, CSC, IBM, HCL Technologies, HP, T-Systems and Wipro Technologies) or bundled with communications services (for example, AT&T, BT Global Services, Orange Business Services, Tata Communications, T-Systems and Verizon Business). Only a few European providers focus on IT security (for example, Integralis, SecureWorks and Symantec). All providers in this MarketScope offer MSS as discrete deals. Geographic Scope European security providers (those rated in this MarketScope and those that only answered the scoping questionnaire) serve a total of 16,000 clients in Europe, and operate about 70,000 security devices. Table 1 shows the breakdown of client numbers and device numbers by Publication Date: 30 September 2010/ID Number: G00206878 Page 2 of 22
country/region. Note that the number for "others" is high because some of the largest MSSPs provided only total numbers for Europe. Table 1. Breakdown of MSS Clients and Devices by Country/Region Region Number of Clients Number of Devices U.K./Ireland 1,833 11,767 Scandinavia 144 816 Belgium/Netherlands/Luxembourg (Benelux)/France 789 5,932 Germany/Austria/Switzerland 2,932 7,390 Southern Europe 320 5,614 Eastern Europe 116 2,717 Other 2,802 34,148 Source: Gartner (September 2010) The large European players serve the U.K. and Ireland; Benelux; Germany, Austria and Switzerland (DACH); France; and Southern and Eastern Europe fairly equally (considering population and gross domestic product). Most of T-Systems' operations and clients are in Germany, while most of Orange Business Services' clients are in France. The two major branches of Computacenter focus on Germany and the U.K. U.K./Ireland is also the location of many of CSC's clients. European Providers That Did Not Meet Our Inclusion Criteria A number of providers do not meet our inclusion criteria, because they do not have a sufficient number of security devices under management and/or because they do not have sufficient European clients relevant to Gartner customers. These MSSPs in Europe responded to our scoping questionnaire, but do not meet the inclusion criteria this time: Alert Logic, Boxing Orange, CGI Group, CompuCom, Dimension Data, Fujitsu, Getronics, Retarus, SAIC, S21sec, S2 Grupo, Savvis, SecureIT, Sentor, Telefonica, Tech Mahindra, Telindus, Trustwave, Unisys and United Service Providers. Methodology This year, for the first time, we conducted our survey of MSSPs simultaneously in North America, Europe and Asia/Pacific. We contacted more than 100 providers of MSS in these regions. Of them, 47 replied to our worldwide scoping questionnaire. They included information about all the regions in which they operate. Based on this information, we selected a subset of providers per region that met our inclusion criteria. These providers had to answer a more detailed questionnaire and provide references. The questionnaire was the same in all regions. In Europe, 16 providers met our European inclusion criteria. We also contacted more than 200 reference clients. We received 81 responses to our online questionnaire, and in Europe, we were able to conduct two dozen additional reference client interviews via phone. Reference clients were not only asked for information about their providers, but also questioned about other providers on their shortlists. The assessment in this MarketScope was performed on the basis of survey data collected in April, May and June 2010, and client reference information collected in June, July and August 2010. Publication Date: 30 September 2010/ID Number: G00206878 Page 3 of 22
STRATEGIC PLANNING ASSUMPTION By 2015, 30% of enterprises buying infrastructure as a service from public cloud-style computing providers will use external (third-party) security service providers to implement or monitor security controls for the cloud infrastructure. MARKETSCOPE This survey focuses on these security services (including managed CPE), provider-hosted devices and cloud delivery: Firewall Network intrusion detection system (IDS)/intrusion prevention system (IPS; see Note 1) Multifunction firewall/unified threat management (UTM) device (do not double count with other devices) Server IDS/IPS Web application firewall Secure message gateway devices Secure Web gateway devices (see Note 2) Vulnerability scan devices Desktop/endpoint security client Data loss prevention devices Server/directory/application/database management system (DBMS) log sources Customer-owned security information and event management (SIEM)/log management products Log management services We asked reference clients in an online survey (n = 27) which MSS they currently consume in Europe. Most in demand are firewall services (82%) and network intrusion detection and prevention services (70%). Many clients let their MSSP also manage desktop/endpoint security clients (33%), multifunction firewall/utm devices (26%), secure Web gateway devices (26%), vulnerability scan devices (26%), Web application firewalls (22%) and secure message gateway devices (22%). Demand is relatively low for log management (19%), server intrusion detection/prevention systems (15%) and SIEM management (11%). Only very few (7%) let the provider manage data loss prevention devices. In addition to these infrastructure-based security services, most European providers can offer these security services: Security consulting services Security system integration services Vulnerability scanning/management services Security threat intelligence/vulnerability notification services Publication Date: 30 September 2010/ID Number: G00206878 Page 4 of 22
Note: Identity-related services (authentication and token management) are covered in a separate report this year. We also asked our reference clients about which additional services they have under contract from their MSSPs. Half of them (50%) also use security consulting services from their providers (that is, advice on security policy, organization and architecture). Some also purchase on-site technical support for security products (31%), security system integration services (23%), application security (for example, testing and code review [19%]), and threat intelligence information (15%). However, 39% of these reference clients currently do not use any other additional security service. Pricing and Service-Level Agreements Pricing is difficult to compare from provider to provider and from year to year, because each client has different requirements regarding types of services (firewall, IPS, e-mail/web, etc.), volume (from one firewall to several thousand firewalls), delivery model (CPE-based, hosted, cloud), geographic coverage, level of engagement (monitoring/management), integration (with IT infrastructure management or with communication services), service quality, response times, service-level agreements (SLAs), and language support. Price is a key factor in most purchase decisions, but comparisons are difficult outside of a specific RFP. There is still no best practice for pricing of virtualized services. Here are some approaches we encountered in Europe: The provider says that it will pass on benefits of virtualized infrastructure to the client, but no pricing details are revealed. The monitoring price for a virtualized device is the same as the monitoring price for a CPE device, but the management price for a virtualized device is less than the management price for a CPE device. Pricing for virtualized infrastructure is split into a device monitoring part (fixed fee) and virtual firewall monitoring part (digressive fee for each virtual firewall). The same applies to management of virtualized infrastructure. SLAs have not changed significantly. Most providers offer 15 minutes or 30 minutes as the fastest possible response times (sometimes in the standard, sometimes only in the "premium" package). However, this only relates to the notification of the client. Resolution times vary widely, and obviously depend on the nature of the issue. A few providers even display an incident immediately on the customer portal, giving customers information in real time. In general, contracts get more specific and concrete. Providers move from service-level objectives (SLOs) to SLAs. Clients that have been disappointed by a previous provider's performance push hard to include penalties in new contracts. Such a penalty typically amounts to up to a monthly charge of the service cost and is paid as a credit or an immediate payout. Types of Services Offered Security services are changing slowly, in terms of types of services and delivery models. Providers report that some clients, large ones in particular, move their IT infrastructure to the provider's data center, basically turning CPE-based service into hosted or security as a service (SecaaS). At least 5% of revenue per year is shifting in this direction. Firewall, intrusion detection/prevention, e-mail/web security and desktop security services are standard services. Log management services are gaining traction, and so is SIEM management. Portal features are a differentiator in any case. Most capture the current security infrastructure, Publication Date: 30 September 2010/ID Number: G00206878 Page 5 of 22
display some sort of status information, and track events and incidents. However, details vary. Only some provider portals offer the customer the ability to create, review, update and close tickets and relevant ticket information and/or integrate with the customer's ticketing system (usually remedy). Adding business information to the record of a managed asset is still not a standard feature. Only some allow a point of contact to be assigned for each monitored device. Correlation can also mean different things. For some providers, the presence of a vulnerability changes only the severity rating of an alert. Other providers, however, can create a specific mapping between the vulnerability and the incident (an alert is only raised if the incident indicates that this particular vulnerability is being exploited). Providers have also reported some demand for traffic scrubbing services, and services that help detect port volumetric anomalies, worm propagation, botnet controllers and other traffic anomalies relative to a baseline. Data loss prevention services are being offered, but few clients actually contract them. Relationships Between Providers and Customers The relationship between providers is also changing slightly. Several providers indicated this year that they white-label their services to be resold by other (security and nonsecurity providers), especially telecommunication providers. Similarly, most providers collaborate with Qualys to offer vulnerability scanning services; few offer exclusively their own or another vulnerability scanning service. It seems that customers appreciate this segregation of duties. The split of responsibilities is clearer this year than it was last year. There are basically three types of security services: 1. Management of security infrastructure, including hosted or cloud-based security infrastructure. In-house infrastructure is still sometimes managed by an internal team, often by network operations. 2. Monitoring of security infrastructure, including log management, correlation, SIEM and advanced portal capabilities. Especially in large contracts, there is a tendency to let the MSSP do the monitoring while in-house staff or another partner (e.g., a telecommunication provider or an IT outsourcer) is managing the infrastructure. 3. Vulnerability scanning services. These are often provided by Qualys, sometimes by other vendors or the MSSP itself. In summary, clients engage up to three different providers for the different tasks. Alternatively, an in-house team takes care of these tasks. This is often the case for infrastructure management, sometimes for monitoring, and rarely for vulnerability scanning. Decision Criteria The main drivers to engage an MSSP are still to reduce costs, to reduce capital expenditures, and to supplement or replace in-house expertise and in-house resources. In Europe, regulatory compliance plays less of a role than in the U.S. More specifically, we asked our European reference clients (n = 27) for the main reasons for choosing their service provider. Fifty-two percent of them said that they view their security service provider as a strategic partner; 49% think that their security expertise is most important. Other important reasons were pricing (that is, the total cost of contracted services [33%]), understanding of business needs (30%), a positive prior experience with the provider (30%), and the quality of response to the RFP or presentation of capabilities (26%). Less than a quarter think that industry expertise plays a role (22%), that perceived viability and/or financial strength is Publication Date: 30 September 2010/ID Number: G00206878 Page 6 of 22
important (19%), or that good feedback from other references is important (11%). Only 7% believe that the project implementation methodology is relevant. These responses from Gartner's online reference client survey are consistent with the answers that we received during our reference client interviews. Security expertise, pricing, and the ability to adjust to the client's business and IT requirements are the most important factors. Industry experience and the use of a methodological approach rarely play a role. Regarding the providers in this survey, financial viability was not a concern. We also asked the complementary question: Why did clients not accept offers from some service providers? Again, the main factors were pricing (28%), followed by the inability of providers to present their capabilities (14%), act as a strategic partner (11%), or demonstrate that they understand the client's business needs (10%) and industry needs (10%). Other reasons were a lack of previous experience (7%), a lack of security expertise (6%), a poor track record (5%), inadequate project implementation methodology (4%), or concerns about vendor viability and/or financial strength (4%). Few providers know how to differentiate themselves from the competition. Many claim to be "trusted advisors" and to have "global coverage." Feedback from reference clients is different. Pricing, service quality and lack of SLAs are often reasons for dissatisfaction. Sometimes, mistakes are covered up, and documentation is bad. Clients often use two or more security providers (one for e-mail security and one for firewall management). They also compare the performance of the network provider against the performance of the security infrastructure monitoring provider. For example, a firewall and a router, both managed by different providers, are connected together. In case of an outage, the client sees and compares the reaction time of both companies. One client said: "our network provider informed us that the router was down, and our firewall provider did not even notice. It also happened that penetration testing by a different provider has revealed that ports were not monitored." Many contracts are up for renewal, and it is not unusual to change providers. Purchasing Behavior The bulk of the contracts for MSS in the European region are valued between $150,000 and $750,000 per year (41% of contracts), while 30% of contracts are below and 29% are above that range. Eleven percent of all contracts are valued between $750,000 and $1.5 million, 18% even have a total value of $1.5 million or more. The typical contract size in Europe is much greater than in Asia/Pacific. In Asia/Pacific, 59% of contracts are valued at less than $150,000 per year, in Europe only 30% are less than $150,000. On the other hand, the typical contract size in Europe is very similar to the U.S., where 44% of the contracts are between $150,000 and $750,000, and 28% less than $150,000. The question of whether offshoring security services is a good or a bad thing came up less often in discussions with reference clients than last year. Gartner's clients are increasingly looking for advice on how to secure and control such offshoring, not whether this is the right option at all. Outlook The market for MSS is changing in many ways, especially regarding cloud delivery and virtualization. In 2011, the market for MSS in Europe will continue to grow significantly in volume and also in terms of breadth of features and services. Management of customer premises security devices will still be the dominant delivery model, but the share of hosted and in-the-cloud security services will increase steadily. Although cloud delivery and virtualization are clearly visible trends, offerings and pricing are not always clear. "Cloud" and "software as a service" (SaaS) are vague terms. It is difficult to explain Publication Date: 30 September 2010/ID Number: G00206878 Page 7 of 22
why a telecommunication company reports only 10% cloud delivery, though most of its firewalls are not customer premises-based; in addition, a traditional security player without its own network claims that a third of its revenue comes from cloud-based services. Also, cloud services are not necessarily a packaged offering. Cloud-based services other than external vulnerability scanning and certain distributed denial-of-service (DDoS) mitigation services are often customer service wraps, which may include personal reassignment, dedicated service desks and large-scale Multiprotocol Label Switching (MPLS) network deployments. This ambiguity will continue through 2011. There is also still no widely accepted standard for pricing of monitoring and management of virtualized security infrastructure. However, clients can expect a significant advantage over premises-based services and should keep pushing for lower price points. At the least, pricing for the hardware and pricing for the logical service have to be separated and priced individually, whether or not management and monitoring are addressed together. The segregation of the MSS market into IT outsourcers that offer security services, network providers that offer security services, and security specialists will continue in 2011. However, pure-play security providers will continue to struggle to establish and maintain a Pan-European presence. In addition, new players (e.g., from India and Scandinavia) will increase in size and reach, and enter the regional European market, trying to differentiate themselves with innovative technology and a flexible portfolio of supported products. Market/Market Segment Description For the purposes of this research, Gartner defines "managed security services" as the remote management or monitoring of IT security functions delivered via remote security operations centers, not through personnel on-site. MSS does not, therefore, include staff augmentation or any consulting or development and integration services. MSS includes: Monitored or managed firewall or intrusion prevention systems Monitored or managed intrusion detection systems Distributed denial-of-service protection Managed secure messaging gateway Managed secure Web gateway Security information management Security event management Managed vulnerability scanning of networks, servers, databases or applications Security vulnerability or threat notification services Log management and analysis Reporting associated with monitored/managed devices and incident response This MarketScope evaluates service providers that offer monitored/managed firewall and intrusion detection/prevention functions, rather than those whose main focus is on other elements of the services listed. Publication Date: 30 September 2010/ID Number: G00206878 Page 8 of 22
Inclusion and Exclusion Criteria Inclusion Criteria To be included in this MarketScope, an MSSP must have these qualifications: The ability to remotely monitor and/or manage firewalls and intrusion detection/prevention (IDP) devices from multiple vendors via discrete service offerings At least 700 firewall/idp devices under remote management or monitoring for external customers in Europe At least 50 external customers in Europe with those devices under management or monitoring Reference accounts in Europe relevant to Gartner customers Exclusion Criteria Providers were excluded from this MarketScope if they offer: MSS only to end users that buy other, non-mss services. Services that monitor or manage only the service provider's own technology For example, vendors that have only MSS offerings such as DDoS protection or vulnerability scanning but not device monitoring and management are not included. Providers of primarily Web and e-mail hygiene and trust services (for example, certificate authorities) are not included. Other vendors offer MSS primarily to hosting customers, with limited offerings to others. As these providers expand the scope of their MSS offerings, they may be included in future MarketScopes. Rating for Overall Market/Market Segment Overall Market Rating: Positive With a portfolio of mature basic services and an array of innovative options, the MSS market in Europe is mature with a solid growth perspective, despite or to some extent because of a continuously difficult global economic climate. Secure infrastructure management is a prerequisite for businesses that have to cut costs and operate under regulatory scrutiny and tight competition. Outsourcing of security to "nearshore" or offshore countries has become a normal business option for most organizations. Where security concerns remain, physical operations in Europe are an option for most providers in this MarketScope. MSS customers usually extend their outsourcing contracts and occasionally change providers, but they rarely move services back inhouse, which is still considered the more costly option. These factors have resulted in the MSS market in Europe being forecast to grow at a 14% compound annual growth rate from 2010 to 2014 (with the market size for 2010 forecast at $2.1 billion), which means it is still one of the growth sectors in the IT industry. Publication Date: 30 September 2010/ID Number: G00206878 Page 9 of 22
Evaluation Criteria Table 2. Evaluation Criteria Evaluation Criteria Comment Weighting Overall Viability (Business Unit, Financial, Strategy, Organization) Geographic Strategy Offering (Product) Strategy Marketing Strategy Viability includes an assessment of the provider's financial health; the financial and practical success of the MSS unit; and the likelihood that the MSS unit will continue investing in managed security services, and researching and developing innovative security services. Additional areas assessed include management experience, the number of customers in Europe, investment in R&D, and understanding of business and technology trends. This includes the provider's strategy to direct resources, skills and offerings to meet the specific needs of regions outside the native area directly or through partners, channels and subsidiaries, as appropriate for the region and market. We considered the vendor's ability to articulate the differences between the U.S. and European MSS markets, as well as differences within Europe. This is the provider's approach to service development and delivery, which emphasizes differentiation, functionality, methodology and feature sets as they map to current and future requirements. We considered the number of target platforms vendors can manage. This is a clear, differentiated set of messages, consistently communicated throughout the organization and externalized through the website, advertising, customer programs and positioning statements. In addition, we considered how providers measure the effectiveness of marketing programs. High Low High Standard Publication Date: 30 September 2010/ID Number: G00206878 Page 10 of 22
Evaluation Criteria Comment Weighting Customer Experience Source: Gartner (September 2010) This includes the ways customers receive technical and account support. These can include ancillary tools; customer support programs (and the quality thereof); and the availability of user groups, SLAs and so on. We also assessed providers' implementation processes and system integration and consulting capabilities. Reference client feedback was particularly important in the rating for this criterion. Figure 1. MarketScope for Managed Security Services in Europe High Source: Gartner (September 2010) Vendor Product/Service Analysis AT&T AT&T is a venerable network service provider that tends to emphasize its global approach (it is present in more than 200 countries) rather than regional differentiation. It offers MSS to European clients via security operations centers (SOCs) in the U.S. and India. Publication Date: 30 September 2010/ID Number: G00206878 Page 11 of 22
Its MSS strategy focuses on providing integrated carrier grade security to customers of all sizes in the commercial and government sectors, such as virtualized firewall, intrusion detection and prevention, URL, content and e-mail filtering, DDoS, and premises-based solutions. It is aggressively, and successfully, moving into cloud and SaaS-based security services. Rating: Positive Atos Origin Its well-defined customer support processes and procedures. Its ability to leverage existing communications clients for upselling MSS. Its tight bundling of security services with network services is dominant, which is illustrated by the high number of services that are provided in the cloud (ITC). Improving its responsiveness to customer requests. Improving its visibility. Despite its global brand and presence, it is not seen as a major competitor on the European MSSP landscape. Atos Origin is an international IT services company with three primary service lines: business consulting, system integration and managed operations. It also has two specialized business units focused on electronic transaction enablement and the smart utilities market. It is listed on the Paris Eurolist market. Its MSSP strategy focuses on continuous improvement in operational efficiencies and offering SaaS and compliance as a service. It also wants to establish Atos Origin as a security and trusted cloud services aggregator. Most of its MSSP contracts are part of larger IT outsourcing relationships. It targets the public sector, financial services (card payments) and healthcare sectors. Rating: Positive The knowledge and skill, as well as low turnover, of its technical MSS staff. Its ability to work effectively and independently with other service providers (e.g., network service providers) that its clients have engaged. Its experience in integrating security services with complex, large-scale IT programs (its IT security services for the Olympics are an example). Becoming more flexible to varying and changing customer requirements. Becoming less risk-averse, reducing the tendency to over-engineer security solutions. Reducing the frequency of account management turnover. Publication Date: 30 September 2010/ID Number: G00206878 Page 12 of 22
BT Global Services BT is an established name in network and communications services in Europe. Because of ongoing investments and strong marketing that exhibits regional insights, BT also managed to shape a decent security service profile. BT has an extensive security service portfolio and drives the adoption of ITC services. Its MSS differentiation focuses on security embedded in the network, skilled experienced resources and a global infrastructure. Targeting mainly large enterprises, its key messages emphasize the basics productivity, efficiency and customer satisfaction. Rating: Positive The quality of its internal operational processes (for example, quality assurance). Its willingness to negotiate and adapt SLAs and penalty clauses to suit individual client requirements. Its responsiveness in incident reporting. BT is seen as one of the top-three players in the European MSSP market. Providing more information to customers as part of standard reporting, rather than mainly providing additional information on request. Realizing that clients sometimes have to ask explicitly for adaptation of SLAs and additional penalties (where appropriate). Overcoming the fact that cost is often cited as the major reason for not selecting BT during competitive bidding. Computacenter Computacenter is listed on the London Stock Exchange and is an established European provider of outsourcing, out-tasking and support services. Founded in the U.K., it has steadily expanded into continental Europe during the past two decades. It has four SOCs in Europe two in Germany and two in the U.K. Its MSS strategy emphasizes a holistic approach to security (client, network and data center), integrating MSS into other outsourcing deals, and customer intimacy. It differentiates on agility, value for money, customer relationships and the holistic security approach. Computacenter has had recent success in the automotive, pharmaceutical and finance industries. Its currency of skills and knowledge of security technology. Its ability to leverage existing client base for upselling managed security services. Its knowledge and experience of desktop/pc management and security. Publication Date: 30 September 2010/ID Number: G00206878 Page 13 of 22
Rating: Promising CSC Improving service quality and consistency. Improving process capabilities (versus technology skills). Improving knowledge of industry-specific needs and requirements. CSC is a global provider of IT-enabled business solutions and services. Headquartered in the U.S., it provides MSS via security operations centers in the U.K., Australia, Asia, India and the U.S. It emphasizes the need to address security from a business risk perspective, not just a technology perspective. This is a message that tends to resonate with European client organizations. In Europe, its traditional customers are from within its outsource base, although more recently, it has targeted the public sector and financial services for its MSS. Most customers in Europe use CSC for firewall, network IDS/IPS, vulnerability scan or desktop security services, as well as auditing of log files, managed encryption services and data loss prevention. Rating: Positive The strength and depth of its operational skills and capabilities. Its MSS team in Europe is much more integrated and attuned to working with its clients' businesses than in the other regions. Its ability to leverage its existing client base for upselling MSS. Being more flexible (and less commercially rigorous) in its response to changing client requirements. Improving the ability to leverage security and threat information from its large client base for the benefit of individual clients. Improving quality and transparency in customer reporting. HCL Technologies HCL Technologies is an offshore provider that can build on its experience as a strong player in the local market in India. In Europe, HCL is a player with good growth potential that continues to develop its MSS portfolio and grow its European MSS business. It focuses on providing flexible services based on a large pool of skilled, experienced resources. Its human resource management expertise of staff and low staffing turnover rate. Its ability to pull in expertise, on demand, from a large resource pool. Publication Date: 30 September 2010/ID Number: G00206878 Page 14 of 22
Rating: Positive HP Its cost-effectiveness, especially for standard platforms in the HCL support portfolio, and for services that don't deviate from the standard offerings. Its methodological, process-driven approach to security management. Improving management of nonstandard requests, specifically the ability to deal with requests and issues that fall outside the scope of the existing formal processes. Improving strategic planning and proactive management capabilities. Clients would like to see more-forward thinking and innovative suggestions for dealing with a constantly changing security environment. Overcoming communications problems that occasionally result in misunderstanding of client requirements. HP's managed security services represent the capabilities of HP, EDS (acquired by HP in August 2008), and Vistorm (acquired by EDS in April 2008). Vistorm is an established security services and consulting vendor based in the U.K. The company's European strategy is built around Vistorm to pursue the discrete MSS market while leveraging outsourcing business to grow the security component of general outsourcing deals. In Europe, it targets enterprise accounts in the public sector, financial services and utilities sectors, as well as organizations in the low-end enterprise/high-end small and midsize business scale. The acquisition of Vistorm and EDS has tripled HP's security revenue in Europe. Based on the number of (non-iam) devices, HP is a lower-midsize MSSP in Europe. It has five SOCs worldwide, two of which are in Europe (the U.K. and Spain). Rating: Positive Its depth of technical skills. Its responsiveness to customer requests, strong account management and generally good customer service. It takes the time to develop a detailed understanding of the technical, commercial and functional aspects of client business operations. Improving the features and functionality of its MSS portal. Ensuring that the Vistorm's strengths are not lost in the HP enterprise. Improving HP's profile in the broader European MSS market. Publication Date: 30 September 2010/ID Number: G00206878 Page 15 of 22
IBM Global Technology Services IBM Global Technology Services targets larger enterprises and existing enterprises for its MSS. In Europe, it focuses on the financial services, business services (telecommunications), manufacturing, energy and utilities sectors. It emphasizes its reputation, global reach, and depth and breadth of its solutions offerings as key differentiators. Most of IBM's security services in Europe are currently delivered with premises-based equipment, but IBM also offers a suite of complementary cloud-based solutions. Rating: Positive Integralis The expertise of its technical staff. The functionality of its customer portal. Its ranking as one of the top-three MSSP competitors in the European market. Overcoming client reports of inconsistencies in service delivery standards. The vertical organization of the business units challenges customer support and relationships. Improving the flexibility of IBM processes and procedures to cater to changing customer requirements. Realizing that cost is often quoted as a major reason for not selecting IBM during competitive bidding. Integralis is a comparatively small and focused pure-play provider of MSS in Europe, but it covers many major European and international regions. It has five SOCs globally, two of which are in Europe. In 2009, NTT Communications acquired a majority stake in Integralis. It plans to keep Integralis as an independent subsidiary of NTT Communications to help Integralis maintain its focus and culture. One of the company's key strategies is to leverage the NTT Communications investment and relationship to gain traction in the NTT client base, and to focus more on larger multinational corporations. While its current strength is in the financial services, healthcare and pharmaceutical industries, the NTT client base gives it access to multinational organizations in the automotive, retail and manufacturing sectors. The technical skills of its workforce. The functionality of its client portal. Its flexibility in dealing with client requirements. It is very price competitive, especially for a European-based provider. Retaining its price competitiveness versus the offshore providers. Publication Date: 30 September 2010/ID Number: G00206878 Page 16 of 22
Rating: Positive Expanding the range of security devices supported. Becoming more proactive in managing customer environments (e.g., initiating patching procedures rather than waiting for a client request). Orange Business Services Orange Business Services is the brand name under which France Telecom offers most of its products and services, including its MSS portfolio. The company is a sizable player in the MSS space in Europe because of its large base of network and communications clients. Security services are available independently, but many sales combine aspects of network operations and security services. It emphasizes simplicity, flexible delivery models and reduced total cost of ownership (TCO) in its MSS offerings. It has 10 SOCs globally, four of which are in Europe. Customers report that security services, while expensive, are a good value for the money. The number and quality of its skilled staff and the efficiency of its internal processes. Its responsiveness to events and incidents. Its ability to leverage existing client relationships for selling security services. It is moving aggressively from device-based to hosted and cloud security services. Expanding the range of platforms supported. Growing market share outside of France. Improving the speed of implementation turnaround times for new services and projects clients report that complexity in the engagement process can delay delivery times. Rating: Promising SecureWorks SecureWorks is a specialist security service provider headquartered in Atlanta, Georgia, in the U.S. It purchased the VeriSign MSS operation in 2009. In December 2009, it acquired dns, a U.K. MSS and consulting services provider. In Europe, SecureWorks targets Fortune 1000, financial services, retail, manufacturing and U.K. public-sector organizations. During 2010-2011, it is also focusing on growing its business in Scandinavia, the Netherlands and Belgium. Its ability and willingness to adapt to the changing needs of large clients. Its clearly articulated strategy in Europe and its continuing investments in R&D. Its advanced portal (including asset information and various correlation capabilities). Publication Date: 30 September 2010/ID Number: G00206878 Page 17 of 22
Rating: Positive Symantec Improving analysis of collected security information to provide better decision support to clients. Ensuring consistency of service quality during acquisition integration. Establishing a brand presence in the European security market. Symantec provides storage and system management solutions, and offers a comprehensive portfolio of security products and services. It targets large enterprises globally distributed multinational companies are the primary customers of Symantec MSS. It has a good presence in the retail/wholesale, transportation and financial services sectors. Its strategy in Europe centers around customer satisfaction, consistent service delivery and regional presence. Rating: Positive Its responsiveness to client requests. The quality of its local support and sales resources. Its global view of the threat environment via its threat intelligence capability. Speeding up integration of products and services after acquisitions. Speeding up support for new hardware and software versions, which has been slow; however, this is being addressed with its new log collection platform with a target of processing requests in days, not weeks. Realizing that, despite its massive brand presence in the security product market, Symantec still has a comparatively low profile as an MSS player in Europe. Tata Communications A new entrant in this MarketScope, Tata Communications is an India-based global communications provider. It provides MSS via five global SOCs, one of which is in Europe. It targets large multinational organizations in the retail, pharmaceutical, oil and gas, and financial services industries. Its MSS strategy focuses on compliance, customer service, TCO and integration with the rest of its services portfolio. While its European revenue base is still small, it is growing rapidly. MSS revenue per European customer organization is comparatively low (less than $40,000 per annum), providing ample opportunity for growth. A lack of referenceable clients in Europe makes it difficult to perform a comprehensive assessment. Its ability to leverage existing clients for upselling MSS. Publication Date: 30 September 2010/ID Number: G00206878 Page 18 of 22
Rating: Caution T-Systems Establishing a referenceable presence in the European market. T-Systems is the information and communications technology service arm of Deutsche Telekom, and provides managed security services targeted at named multinational clients, large enterprises and smaller German organizations. It offers MSS as an integrated part of larger outsourcing deals. Revenue, customer and device numbers position T-Systems as a midsize-to-large MSSP in Europe. It plans to offer a whole range of new services, including identity as a service, converged security and application security as a service. The quality and quantity of its skilled security staff. Its attention to customer service. Realizing that the market perceives T-Systems' MSS pricing to be above market average. Rating: Promising Improving MSS portal functionality. Establishing a stronger profile in the European MSS market. Verizon Business Verizon Business (the solution arm of the telecommunications provider Verizon) is a mainstream MSS provider with good coverage in Europe after the acquisition of Cybertrust (formerly Ubizen). Verizon Business tends to integrate security services into other networking and IT services. It has a solid presence in the healthcare, financial services, retail and utilities sectors, and emphasizes its expertise, global reach, and risk-based security on global IP networks. While not inexpensive, its prices are generally considered good value for the money. The knowledge and skills of its staff. Its global reach and expertise. The quality of its IDS/IPS alert management. Verizon is one of the top-three MSS players in the European market. Improving the quality of communications between staff in different teams managing different services (e.g., firewall administration versus antivirus versus IDS/IPS). Publication Date: 30 September 2010/ID Number: G00206878 Page 19 of 22
It needs to be more proactive that is, occasionally offer value (e.g., unsolicited advice) beyond the minimum contract requirements. Avoiding becoming more bureaucratic, especially in back-office processes. Rating: Strong Positive Wipro Technologies Wipro Technologies is an offshore IT service and system integration provider based in India. It offers MSS to organizations in Europe from a primary control center in India supported by four regional SOCs in Europe. The majority of its European MSS clients are also clients of other Wipro IT services. Wipro's European strategy includes strengthening local client-facing resources, and improved alignment between its security services and ITIL-based IT service management processes. Rating: Positive Its flexibility and willingness to help customers Wipro is keen to improve the service value it provides to its customers. The quantity and quality of its skilled staff. Its ability to upsell security services to existing clients. Visa and border control requirements in some European countries make it laborious to get Indian resources to work on client premises when required. Establishing a clear profile in the European security services market. RECOMMENDED READING "The Global Managed Security Services Provider Landscape" "Toolkit: Selecting the Right Managed Security Services Provider" "Magic Quadrant for MSSPs, North America" "MarketScope for Managed Security Services in Asia/Pacific" "Magic Quadrants and MarketScopes: How Gartner Evaluates Vendors Within a Market" Note 1 Intrusion Detection System and Intrusion Prevention System For the purposes of this research, we ignore the differences between intrusion detection systems and intrusion prevention systems. Whenever we use "IPS," we mean both. Publication Date: 30 September 2010/ID Number: G00206878 Page 20 of 22
Note 2 Secure Web and E-Mail Gateway Services Secure Web and e-mail gateway services refer to the filtering of malware from Web and e-mail traffic at the gateway. This does not include filtering at the endpoint. Vendors Added or Dropped We review and adjust our inclusion criteria for Magic Quadrants and MarketScopes as markets change. As a result of these adjustments, the mix of vendors in any Magic Quadrant or MarketScope may change over time. A vendor appearing in a Magic Quadrant or MarketScope one year and not the next does not necessarily indicate that we have changed our opinion of that vendor. This may be a reflection of a change in the market and, therefore, changed evaluation criteria, or a change of focus by a vendor. Gartner MarketScope Defined Gartner's MarketScope provides specific guidance for users who are deploying, or have deployed, products or services. A Gartner MarketScope rating does not imply that the vendor meets all, few or none of the evaluation criteria. The Gartner MarketScope evaluation is based on a weighted evaluation of a vendor's products in comparison with the evaluation criteria. Consider Gartner's criteria as they apply to your specific requirements. Contact Gartner to discuss how this evaluation may affect your specific needs. In the below table, the various ratings are defined: MarketScope Rating Framework Strong Positive Is viewed as a provider of strategic products, services or solutions: Customers: Continue with planned investments. Potential customers: Consider this vendor a strong choice for strategic investments. Positive Demonstrates strength in specific areas, but execution in one or more areas may still be developing or inconsistent with other areas of performance: Customers: Continue planned investments. Potential customers: Consider this vendor a viable choice for strategic or tactical investments, while planning for known limitations. Promising Shows potential in specific areas; however, execution is inconsistent: Customers: Consider the short- and long-term impact of possible changes in status. Potential customers: Plan for and be aware of issues and opportunities related to the evolution and maturity of this vendor. Publication Date: 30 September 2010/ID Number: G00206878 Page 21 of 22
Caution Faces challenges in one or more areas: Customers: Understand challenges in relevant areas, and develop contingency plans based on risk tolerance and possible business impact. Potential customers: Account for the vendor's challenges as part of due diligence. Strong Negative Has difficulty responding to problems in multiple areas: Customers: Execute risk mitigation plans and contingency options. Potential customers: Consider this vendor only for tactical investment with short-term, rapid payback. This research is part of a set of related research pieces. See "Roundup of Security Operations Research, 3Q10" for an overview. REGIONAL HEADQUARTERS Corporate Headquarters 56 Top Gallant Road Stamford, CT 06902-7700 U.S.A. +1 203 964 0096 European Headquarters Tamesis The Glanty Egham Surrey, TW20 9AW UNITED KINGDOM +44 1784 431611 Asia/Pacific Headquarters Gartner Australasia Pty. Ltd. Level 9, 141 Walker Street North Sydney New South Wales 2060 AUSTRALIA +61 2 9459 4600 Japan Headquarters Gartner Japan Ltd. Aobadai Hills, 6F 7-7, Aobadai, 4-chome Meguro-ku, Tokyo 153-0042 JAPAN +81 3 3481 3670 Latin America Headquarters Gartner do Brazil Av. das Nações Unidas, 12551 9 andar World Trade Center 04578-903 São Paulo SP BRAZIL +55 11 3443 1509 Publication Date: 30 September 2010/ID Number: G00206878 Page 22 of 22