G00229872
MarketScope for Managed Security Services in Europe
Published: 24 October 2012 Analyst(s): Carsten Casper
The market for managed security services in Europe is mature. Off-premises-delivered services increase, communications and IT infrastructure service providers dominate, and security specialists fill a niche. Growth has slowed.
What You Need to Know
Managed security services (MSSs) in Europe show all the signs of a mature market, which continues to justify a Gartner MarketScope.
Half of the providers that participated in this MarketScope reported their MSS revenue numbers (totaling about $950 million). For the other half, we estimate a revenue of $1.150 billion, based on extrapolated revenue numbers from previous years and regional portions of globally reported numbers. Smaller national providers, accounting for about 20% of the market, add another $400 million, bringing our total estimated market for MSS in Europe to about $2.5 billion in 2012. Those providers who reported revenue numbers claim growth rates of 30% on average, but we believe revenue growth of about 15% to be more realistic.
Our "MarketScope for Managed Security Services in Europe" in October 2011 surveyed 17 European managed security service providers (MSSPs). For 2012, 19 MSSPs met our inclusion criteria. Overall, the provider landscape has been fairly stable.
Strategic Planning Assumption
By 2015, 30% of enterprises that use public cloud infrastructure as a service will also use MSSPs for security monitoring.
MarketScope
Geographic Scope, Inclusion and Exclusion Criteria
The market grew in volume (in terms of numbers of devices), so we revised our inclusion criteria regarding the minimum number of managed devices (1,000 firewalls and intrusion detection systems [IDSs]/intrusion prevention systems [IPSs] [see Note 1], instead of 700 devices last year). The minimum number of customers in Europe in 2012 remained stable (50 external customers; for the complete inclusion criteria, see the Inclusion and Exclusion Criteria section of this research). Several providers have a subregional focus in Europe: Atos in Benelux/France, Computacenter in the U.K./Germany, Open Systems and T-Systems in Germany/Austria/Switzerland, Orange Business Systems in Benelux/France/U.K., and Telefonica in Southern Europe. However, they have sales staff in several European countries and can support clients with regional (rather than local) requirements. This MarketScope has a strong focus on European clients, but these clients have operations all over the world. While 100% of them demand coverage in Europe, many of them also ask their provider to manage devices in other regions and countries (12% in Asia/Pacific, 6% in Japan and 24% in North America). Within Europe, clients report expected country coverage as follows: U.K./Ireland 42%, Scandinavia 12%, Benelux/France 24%, Germany/Austria/Switzerland 48%, Southern Europe 42%, Eastern Europe/Russia 6% and France 18%.
Overall, we track around 100 MSSPs worldwide, with about one-third of them in Europe. The ones that do not appear operate mostly in one country (for example, S21sec in Spain), provide a very specialized security service (such as Qualys for vulnerability scanning) or do not provide stand-alone security services (for example, Unisys). The following providers were considered, but not included: Accumuli, CGI Group, CompuCom, Dimension Data, Outpost24, Qualys, Retarus, S21sec, S2 Grupo, Savvis, SecureIT, Spamina, SSP Europe, Telindus, Trustwave, United Service Providers and Unisys.
Landscape of Different Types of Providers Remains Relatively Stable
The market for managed and related security services continues to evolve, but the types of players are still the same. There are few stand-alone security players left in the regional European market. Most providers sell security services bundled with infrastructure management and outsourcing (for example, Atos, Computacenter, CSC, Dell SecureWorks, IBM Security Services, HCL Technologies, HP, T-Systems and Wipro Technologies) or bundled with communications services (for example, AT&T, BT Global Services, Cable&Wireless Worldwide, Orange Business Services, Tata Communications, Telefonica and Verizon). Only a few European providers focus on IT security (for example, Integralis [now part of NTT Communications], Open Systems and Symantec). All providers in this MarketScope offer MSS as a discrete service.
European security providers service approximately 6,500 clients in Europe, and operate about 35,000 firewalls, 11,000 unified threat management (UTM) devices, 8,000 network IPSs/IDSs and 23,000 server IPSs/IDSs, as well as 6,000 secure message and Web gateways (see Note 2). They also manage or monitor hundreds of Web application firewalls and customer-owned security information and event management (SIEM)/log management products. The large European players
Eastern Europe in fairly equal proportions to the populations and gross domestic products of those countries.
Methodology
We conducted our survey of MSSPs simultaneously in North America, Europe and Asia/Pacific. We contacted about 100 providers of MSS in these regions. Fifty-two replied to our worldwide scoping questionnaire. They included information about all the regions in which they operate. Based on this information, we selected a subset of providers per region that met our inclusion criteria. These providers answered a more detailed questionnaire and provided references. The questionnaire was the same in all regions. In Europe, 19 providers met our European inclusion criteria.
We also contacted reference clients and conducted phone interviews, as well as online surveys. Reference clients were not only asked for information about their providers, but also questioned about other providers on their shortlists. Overall, we collected 50 client reference data points in Europe.
The assessment in this MarketScope was performed on the basis of survey data collected in May and June 2011, and client reference information collected in June, July and August 2012.
This survey focused on these security services (including managed customer premises equipment [CPE], provider-hosted devices and cloud delivery). They are listed in order of popularity with European clients. Devices near the top of the list are managed and monitored most often, according to the reference clients contacted during this market analysis:
■ Firewall (71%)
■ Network IDS/IPS (65%)
■ Secure Web gateway devices (29%)
■ Desktop/endpoint security client (29%)
■ Multifunction firewall/UTM (24%)
■ Web application firewall (24%)
■ Vulnerability scanning and management (24%)
■ Customer-owned SIEM/log management products (24%)
■ Server IDS/IPS (18%)
■ Secure message gateway devices (18%)
■ Data loss prevention devices (18%)
■ Server/directory/app/database management system log sources (18%)
■ Mobile device security management (12%)
In addition to these infrastructure-based security services, most European providers offer complementary security services. The ones that are consumed most often are near the top of the list:
■ Log collection/retention (41%)
■ Professional security services (installation, configuration and upgrades, 41%)
■ Vulnerability scans (periodic, and all layers, remote and intranet; 29%)
■ Threat intelligence (29%)
■ Security consulting (architecture, policies and training, 24%)
■ Breach response, investigation and forensic analysis (18%)
■ Security system integration (customization, migration and code scanning, 6%)
■ Penetration testing and one-time vulnerability assessments (6%)
Twenty-nine percent currently do not use any other service from their provider. Note: Identity-related services (authentication and token management) are not covered in this research.
Pricing and Service-Level Agreements
Pricing is difficult to compare from provider to provider and from year to year, because each client has different requirements regarding types of services (firewall, IPS, email/Web and so on), volume (from one firewall to several thousand firewalls), delivery model (CPE-based, hosted and cloud), geographic coverage, level of engagement (monitoring/management), integration (with IT infrastructure management or with communication services), service quality, response times, service-level agreements (SLAs) and language support. Price is a key factor in most purchase decisions, but comparisons are difficult outside of a specific RFP. Just as an example, yearly subscription prices for management and monitoring of a dedicated, midsize firewall typically range from $11,000 to $21,000 in Europe, but can be as low as $1,500 and as high as $45,000. Clients must analyze delivery scope, service levels, response times, staff expertise and supplemental fees behind these offers in order not to compare apples and oranges.
Our observations on pricing for management and monitoring of virtualized security devices remain mostly unchanged compared with last year. There is no approach common to all providers. Here are some approaches we encountered in Europe:
■ The provider says that it will pass on benefits of virtualized infrastructure to the client, but pricing details depend on the individual deal.
■ The monitoring price for a virtualized device is the same as the monitoring price for a CPE device, but the management price for a virtualized device is less than the management price for a CPE device.
■ Pricing for virtualized infrastructure is split into a device monitoring part (fixed fee) and a virtual firewall monitoring part (degressive fee for each virtual firewall). The same applies to
■ One provider did the math and calculated that virtual instances require roughly the same workload as appliances. Hence, the provider went back to identical pricing for both delivery models. Several other providers confirmed that they charge the same for virtual devices and for physical devices, although they didn't explain their motivations.
SLAs have not changed significantly. Most providers offer 15 minutes or 30 minutes as the fastest possible response times (sometimes in the standard, sometimes only in the "premium" package). However, this only relates to the notification of the client. Resolution times vary widely, and obviously depend on the nature of the issue.
Some providers display an incident immediately on the customer portal, giving customers information in real time. Such customers can also verify SLA guarantees anytime within the portal, including current and historical performance. Other providers deliver SLA reports weekly or monthly, or they make them available only on customer request.
Some providers make an attempt to innovate with SLAs and pricing:
■ Firewall pricing depends on bandwidth commitments (not consumption).
■ Remove bandwidth as a pricing variable, moving to flat pricing for intrusion detection/prevention devices (which is good for large, centralized deployments, and disadvantageous for small/remote-office-type devices).
■ No minimal fixed cost for usage-based pricing (for example, vulnerability scans).
■ Customers who bring new clients can benefit from a joint discount on the combined service volume.
■ Client satisfaction is measured after each interaction as a key performance indicator.
■ Per-seat pricing is offered, as opposed to discrete component pricing.
In general, contracts have become more specific and concrete. Some providers have indicated that they now move from service-level objectives to SLAs. Clients that have been disappointed by a previous provider's performance push hard to include penalties in new contracts. Such a penalty typically amounts to a percentage of the monthly charge, up to a maximum of one monthly charge of the service cost, and is paid as a credit or an immediate payout (potentially with an "earn back" clause for subsequent SLA compliance).
Such penalties or remedies vary widely. Some providers always include language for immediate termination of the contract (under certain circumstances, which may include early termination fees, potentially with assisted transition to another service provider). In other cases, customers have to explicitly ask that remedies be put in the contract. Credits for SLA violations could be for up to 100% of the monthly fee, but often also have a cap at 70% or even 50%. Some providers display SLA violations immediately on the portal, but in many cases, the customer has to contact customer service, a customer relationship manager or some other provider staff to find out about SLA violations. Remedies are not always of a financial nature, but can also include root cause analysis by an improvement task force, a service improvement plan or free innovation consulting.
Types of Services Offered
Delivery models change, and the topics "cloud computing" and "virtualization" continue to dominate many discussions with European clients. As in previous years, service delivery in Europe is moving from CPE to delivery from a shared or virtualized infrastructure. On average, 70% are still delivered on CPE, and 30% are delivered from a shared or virtualized environment. The ratio between both models varies widely by service type: firewall 75%-to-25%, intrusion prevention 90%-to-10%, secure gateways 56%-to-44%, vulnerability scans and log data 65%-to-35%, and SIEM 45%-to-55%. Gartner expects this shift to continue by — on average — 5% in 2013.
Virtualization also plays an increasing role. The providers' approaches to virtualization have matured since last year as the following examples of provider capabilities illustrate:
■ Security controls in a virtual environment point their logs and alerts to a collector, where they are integrated into the standard threat-monitoring service.
■ Security monitoring in virtual environments is supported by the collection and analysis of the operational and security log data of the guest OS and hosted applications.
■ In VMware-based environments, event monitoring has been extended to consume and correlate events from the VMware components themselves, giving visibility into the hypervisor layers.
■ Protect virtual data centers with network security technologies, and protect individual virtual servers (from the network or from other virtual servers), as well as the applications they are hosting, based on virtual security enforcement technologies that integrate with the virtualization layer.
■ Use a shared SIEM platform to monitor the security controls in a virtualized environment (inter-virtual machine [VM] traffic, hypervisor attacks and malware).
■ Monitor and manage Juniper Virtual System and Check Point VSX infrastructures.
■ Virtual security operations centers (SOCs) provide each virtualized instance with its own personalized view (policies, logs and reporting), no different than if it were a stand-alone device.
■ Monitor cross-VM network activity with Sourcefire's VM IDS, and use collectors to monitor directly from the VM hypervisor.
A concern raised by some clients is that monitoring capabilities for virtualized infrastructure are not as detailed as the ones for on-premises equipment. This will be acceptable for some clients, but untenable for others.
Decision Criteria
The main drivers to engage an MSSP are still to reduce costs, to reduce capital expenditures, and to supplement or replace in-house expertise and in-house resources. In Europe, regulatory
More specifically, we asked our European reference clients for their main reasons for choosing their service providers. The enumeration below shows the decision factors in decreasing order of importance:
■ Security expertise
■ Viewed as a strategic partner
■ Pricing (total cost of contracted services)
■ Industry experience
■ Quality of response to RFP or presentation of capabilities
■ Positive prior experience with provider
■ Perceived viability and/or financial strength
■ Understanding of business needs
■ Good feedback from references
■ Project implementation methodology
These priorities present almost equal opportunity for the specialist provider, the one that can show security and industry expertise, and the large incumbent provider of IT or network operations who likes to be preselected as a strategic partner and is also better able to compete on price. This observation is confirmed by the fact that many European customers shortlist security specialists and integrators alike.
Purchasing Behavior
The bulk of the contracts for MSS in the European region are valued from $150,000 to $750,000 per year (40% of contracts), while 30% of contracts are below the range, and 30% are above that range. The average contract size in Europe is around $500,000.
The typical contract size in Europe is still much greater than in Asia/Pacific, where 55% of the contracts have a value of less than $150,000 per year. On the other hand, the typical contract size in Europe is very similar to the typical contract size in the U.S.
Customer-provider relationships have been fairly stable over the past year. Eighty-two percent of the European reference clients have been customers of their providers for one year or more, only 18% for less than a year. Customer growth has been somewhat limited. Several providers reported no net increase in customer numbers or even honestly reported a net loss. Overall, European MSSPs have lost 1% of their customers and gained only 6%, resulting in a net increase of customer numbers of 5%. From a customer perspective, this means that providers need to find ways to grow and should be more amenable to more competitive pricing and better service.
Advancing Threat Response
Many client organizations are concerned about targeted attacks and advanced persistent threats. Providers respond to such fears by evolving their defense portfolio. They align security monitoring and the monitoring of normal behavior of IT and business processes, systems and users, trying to avoid isolated detection controls that can be easily bypassed by sophisticated targeted attacks. This includes the application layer, where they monitor abnormal user activity and identify likely violation of regular user rights or abnormal user management activities. They also use failed authentication logs from operating systems to determine a pattern indicative of a brute force authentication attempt.
Advanced analytics also include the monitoring of network intrusions in the context of customer vulnerability posture — that is, correlating vulnerability data with a real-time network intrusion detection feed. Providers use statistical and trend analysis to detect denial-of-service attacks, internal botnet activity, the appearance of backdoors, or covert communication channels installed by malware or trojans. Providers differentiate on the amount of human intelligence that goes into such analysis. Some rely on efficient, automated processes for the statistical and behavioral analysis of large data feeds. Others rely on highly trained security professionals who analyze logs, correlate events and identify behavior anomalies. Both types of providers received positive client feedback, but none of it was attributable to the specific advanced response capabilities.
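The correlation of vulnerability data with an intrusion detection feed described above can be sketched as follows. This is an added example, not code from Gartner or from any provider in this research; the record layouts, the three-level priority scheme, the host addresses and the placeholder CVE identifiers are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from enum import Enum


class Priority(Enum):
    LOW = 1     # target was scanned and has no open finding for the CVE
    MEDIUM = 2  # nothing to confirm or rule out impact (no scan data or no CVE)
    HIGH = 3    # target has an open finding for a CVE the alert references


@dataclass(frozen=True)
class Finding:
    """One line of a vulnerability scan export (hypothetical layout)."""
    host: str
    cve: str
    remediated: bool


@dataclass(frozen=True)
class Alert:
    """One network IDS alert (hypothetical layout)."""
    ts: str
    dst: str
    signature: str
    cves: tuple  # CVE references carried by the signature, possibly empty


def build_posture(findings):
    """Map each scanned host to the set of CVEs still open on it.

    A host whose findings are all remediated is kept with an empty set,
    so "scanned and clean" stays distinguishable from "never scanned".
    """
    posture = {}
    for f in findings:
        open_cves = posture.setdefault(f.host, set())
        if not f.remediated:
            open_cves.add(f.cve)
    return posture


def triage(alert, posture):
    """Return (Priority, matched CVE list) for one alert."""
    if alert.dst not in posture or not alert.cves:
        return Priority.MEDIUM, []
    matched = sorted(set(alert.cves) & posture[alert.dst])
    if matched:
        return Priority.HIGH, matched
    return Priority.LOW, []


def correlate(alerts, findings):
    """Build the analyst queue: highest priority first, feed order within ties."""
    posture = build_posture(findings)
    rows = [(a, *triage(a, posture)) for a in alerts]
    return sorted(rows, key=lambda row: -row[1].value)


# Constructed sample data: placeholder CVE ids and private addresses.
SAMPLE_FINDINGS = [
    Finding("10.0.0.5", "CVE-0000-0001", remediated=False),
    Finding("10.0.0.5", "CVE-0000-0002", remediated=True),
    Finding("10.0.0.7", "CVE-0000-0001", remediated=True),
]
SAMPLE_ALERTS = [
    Alert("2012-06-01T10:00:00Z", "10.0.0.7", "exploit attempt A", ("CVE-0000-0001",)),
    Alert("2012-06-01T10:00:05Z", "10.0.0.9", "exploit attempt A", ("CVE-0000-0001",)),
    Alert("2012-06-01T10:00:09Z", "10.0.0.5", "exploit attempt A", ("CVE-0000-0001",)),
    Alert("2012-06-01T10:00:12Z", "10.0.0.5", "port sweep", ()),
]

if __name__ == "__main__":
    for alert, priority, matched in correlate(SAMPLE_ALERTS, SAMPLE_FINDINGS):
        print(priority.name, alert.ts, alert.dst, alert.signature, matched)
```

The same signature lands in three different places in the queue depending on what is known about the target host, which is the practical effect of putting intrusion alerts in the context of vulnerability posture.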
Outlook
The market for MSS continues to evolve. Advanced threats, effective and efficient responses, and competitive prices dominate discussions with clients. Delivery continues to move off-premises. Management of customer premises security devices will still be the dominant delivery model, but the percentage of hosted, security-as-a-service (SecaaS) and in-the-cloud security services will increase steadily. Overall, growth in Europe has slowed in 2012, and there are no signs that this will change significantly in 2013. There are multiple reasons for this: The overall economic outlook cautions organizations not to take any additional risk (such as outsourcing risk); most security service contracts have a duration of three years, and many were not up for renewal in 2012; skilled security staff is hard to find and poses a natural limit to growth of provider operations; some providers are still busy digesting previous acquisitions; and even providers have no "silver bullet" to address advanced persistent and other emerging threats, which is top of mind for many organizations that toy with the idea of getting help with security matters.
The split of the MSS market into IT outsourcers that offer security services, network providers that offer security services, and security specialists has stabilized, and the market will continue this way in 2013. Pure-play security providers will continue to have their place, and new players will increase in size and reach, and enter the regional European market, trying to differentiate themselves with innovative technology and a flexible portfolio of supported products.
Market/Market Segment Description
For the purposes of this research, Gartner defines "managed security services" as the remote management or monitoring of IT security functions delivered via remote SOCs, not through personnel on-site. MSS does not, therefore, include staff augmentation or any consulting, development and integration services.
MSS includes:
■ Monitored or managed firewall or IPS
■ Monitored or managed IPS
■ Distributed denial of service (DDoS) protection
■ Managed secure messaging gateway
■ Managed secure Web gateway
■ Security information management
■ Security event management
■ Managed vulnerability scanning of networks, servers, databases or applications
■ Security vulnerability or threat notification services
■ Log management and analysis
■ Reporting associated with monitored/managed devices and incident response
This MarketScope evaluates service providers that offer monitored/managed firewall and intrusion detection/prevention functions as primary offerings, rather than those whose main focus is on other elements of the services listed.
Inclusion and Exclusion Criteria
To be included in this MarketScope, an MSSP must have these qualifications:
■ The ability to remotely monitor and/or manage firewalls and intrusion detection/prevention (IDP) devices from multiple vendors via discrete service offerings
■ At least 1,000 firewall/IDP devices under remote management or monitoring for external customers in Europe
■ At least 50 external customers in Europe with those devices under management or monitoring
■ Reference accounts in Europe relevant to Gartner customers
For example, vendors that only have offerings such as DDoS protection or vulnerability scanning, but not device monitoring and management, are not included. Providers of primarily Web and email hygiene and trust services (for example, certificate authorities) are not included. Other vendors offer MSS primarily to hosting customers, with limited offerings to others. As these providers expand the scope of their MSS offerings, they may be included in future MarketScopes.
Rating for Overall Market/Market Segment
Overall Market Rating: Positive
With a portfolio of mature basic services and an array of innovative options, the MSS market in Europe is mature, with a moderate growth perspective, despite — or to some extent because of — a continuously difficult economic climate in Europe. Secure infrastructure management is a prerequisite for businesses that have to cut costs and operate under regulatory scrutiny and tight competition. Outsourcing of security has become a normal business option for most organizations. Where security concerns remain, physical operations in Europe are an option for most providers in this MarketScope. MSS customers usually extend their outsourcing contracts and occasionally change providers, but they rarely move services back in-house, which is still considered the more costly option.
These factors have resulted in the MSS market in Europe growing by merely 12% versus 2011 (with the market size for 2012 forecast at $2.5 billion by year's end). The reasons were discussed in the Outlook section of this research.
It is interesting to note that none of the providers achieved a Strong Positive rating this year. It's not to say that none of the providers is strong in security operations. Rather, none of the providers could prove this with reliable, sufficient customer feedback. Some providers, in particular the non-European ones, proved strong in terms of marketing, sales and innovation, but failed to prove that customers see it the same way. Other providers — in particular, some security specialists — offered excellent customer feedback, but couldn't prove a sufficiently broad portfolio of security services, geographic coverage, market insights and innovative road maps. Many providers in this MarketScope are rated Positive, but these ratings aren't always the same. Customers need to put forward their detailed requirements and look closely to identify a provider with matching
Evaluation Criteria
Table 1. Evaluation Criteria
Evaluation Criteria: Overall Viability (Business Unit, Financial, Strategy, Organization)
Comment: Viability includes an assessment of the provider's financial health, the financial and practical success of the MSS unit, and the likelihood that the MSS unit will continue investing in MSSs and researching and developing innovative security services. Additional areas assessed include management experience, the number of customers in Europe, investment in R&D, and understanding of business and technology trends.
Weighting: Standard
Evaluation Criteria: Geographic Strategy
Comment: This includes the provider's strategy to direct resources, skills and offerings to meet the specific needs of regions outside the native area, directly or through partners, channels and subsidiaries, as appropriate for the region and market. We considered the vendor's ability to articulate the differences between the U.S. and European MSS markets, as well as differences within Europe.
Weighting: High
Evaluation Criteria: Product/Service
Comment: This is the provider's approach to service development and delivery, which emphasizes differentiation, functionality, methodology and feature sets as they map to current and future requirements. We considered the number of target platforms vendors can manage.
Weighting: Standard
Evaluation Criteria: Marketing Strategy
Comment: This is a clear, differentiated set of messages, consistently communicated throughout the organization and externalized through the website, advertising, customer programs and positioning statements. In addition, we considered how providers measure the effectiveness of marketing programs.
Weighting: High
Evaluation Criteria: Customer Experience
Comment: This includes the ways customers receive technical and account support. These can include ancillary tools, customer support programs (and the quality thereof) and the availability of user groups, SLAs and so on. We also assessed providers' implementation processes and system integration and consulting capabilities. Reference client feedback was particularly important in the rating for this criterion.
Weighting: High
Evaluation Criteria: Innovation
Comment: This takes into account capital and human resource investments, and the development of new services as displayed in the security service strategy and the road map.
Weighting: Standard
Evaluation Criteria: Market Responsiveness and Track Record
Comment: Ability to understand business and security technology trends and assess competitors. This includes the ability to respond, change direction, be flexible and achieve competitive success as new opportunities develop, competitors act, customer needs evolve and market dynamics change.
Weighting: Standard
Figure 1. MarketScope for Managed Security Services in Europe
Rating scale: Strong Negative, Caution, Promising, Positive, Strong Positive
Providers rated: AT&T, Atos, BT Global Services, Cable&Wireless Worldwide, Computacenter, CSC, Dell SecureWorks, HCL Technologies, HP, IBM Security Services, Integralis, Open Systems, Orange Business Services, Symantec, Tata Communications, Telefonica, T-Systems, Verizon, Wipro Technologies
As of 24 October 2012
Source: Gartner (October 2012)
Vendor Product/Service Analysis
AT&T
AT&T is an established network service provider with a global approach, rather than regional differentiation. It emphasizes real-time visibility into wireline/wireless threats as a core capability of its MSS offers. It provides MSS to European multinational companies via SOCs in the U.S. and India, and still plans to open another SOC in Eastern Europe.
Its MSS strategy focuses on providing integrated network-based security to European-based customers that possess a global footprint, utilizing services such as virtualized firewall, integrated network intrusion prevention, UTMs and server intrusion prevention. It is aggressively moving into cloud-based security services.
Strengths
■ Its tight bundling of security services with network services and capabilities in cloud security
■ Design team's flexibility with customer scenarios
Challenges
■ AT&T has limited control over some third-party delivery elements of its security service portfolio (for example, Cisco ScanSafe).
■ Variable response to customer service requests remains an issue. Internal collaboration could be improved. AT&T must continue to improve its visibility as a security provider to extend beyond the multinational company market.
Rating: Positive
Atos
Atos is an international IT services company with four primary service lines: consulting and technology services, system integration, managed services, and transactional services. Atos claims to provide a holistic approach to managed security "from the router to the boardroom" that also addresses the business relevance of its security services. In July 2011, Atos completed its acquisition of the IT Solutions and Services subsidiary of Siemens.
The centerpiece of its security portfolio is Atos High Performance Security, an integrated SecaaS platform. The comprehensive portfolio also includes endpoint security, server security, network security and secure gateways. Most of its MSSP contracts are part of larger IT outsourcing relationships.
Strengths
■ Experience in integrating security services with complex, large-scale IT programs
■ Professionalism, knowledge and skills of its technical MSS staff
■ Ability to work effectively and collaboratively with other service providers (for example, network service providers) that its clients have engaged
Challenges
■ Pursuing information security with the same diligence as IT operations
■ Improving collaboration among and consistency of different countries' and teams' operations
■ Clients reporting occasional outages, and Atos sometimes slow in picking up incidents
BT Global Services
BT is an established name in network and communications services in Europe. It continues to invest globally in research and development. BT has a comprehensive security service portfolio called BT Assure that includes firewalls, network intrusion prevention, UTMs, email gateways, endpoint security and SIEM, as well as log management and some server IPSs.
Its MSS differentiation focuses on security embedded in the network, skilled resources and a global infrastructure. Targeting mainly large enterprises, its key message in 2012 emphasizes the need to "rethink the risk," meaning that organizations should step back and reassess their current security posture — looking in particular at bring your own device, cloud, expanded vendor/platform choice and analytics.
Strengths
■ Presents well its focus on emerging threats and technologies with business relevance
■ A resilient operations infrastructure and BT's responsiveness in incident reporting
■ The quality of its internal operational processes (for example, quality assurance)
■ The skills of its engineers, and the ability to listen, respond and adjust to client requirements
Challenges
■ BT Global Services must be careful not to lose its regional differentiation on its way to becoming a global player.
■ Cost savings in order to keep pricing competitive must not result in staff shortage.
Rating: Positive
Cable&Wireless Worldwide
Cable&Wireless is an international communications company with a strong focus on the U.K./Ireland and a limited number of customers in other European countries. It manages firewalls and some log sources, and a small number of other security devices.
Strengths
■ Ability to leverage existing telecommunications client base for selling MSSs
■ Onshore team's knowledge and expertise, which brings real value to the relationship
Challenges
■ Cable&Wireless rarely appears on shortlists for MSS in Europe.
Rating: Promising
Computacenter
Computacenter is a multivendor provider of IT infrastructure services. It operates primarily in the U.K. and in Germany, and has two SOCs in each of these two countries.
Its MSS strategy emphasizes a holistic approach to security (client, network and data center), integrating MSS into other outsourcing deals and customer intimacy. Its strategy is to do "as much standards as possible, as much individuality as necessary."
Strengths
■ Providing cost-effective services from a local European vendor
■ Acting as a strategic partner, so it can understand infrastructure and business requirements
■ Having the ability to leverage the existing client base for upselling MSSs
Challenges
■ Proving that Computacenter delivers what it promises
■ Improving service consistency and quality
■ Improving knowledge of vertical-industry-specific needs and requirements
Rating: Promising
CSC
CSC is a global provider of IT-enabled business solutions and services, with a global strategy. Its portfolio ranges from consulting, to solution design, through to implementation and management of the solution. Headquartered in the U.S., it provides MSS via SOCs in the U.K., Australia, Malaysia, India and the U.S.
CSC emphasizes a broad service portfolio and industry expertise that leads to business-oriented security service outcomes. This is a message that tends to resonate with European client organizations.
Most customers in Europe use CSC for the management of firewalls, SIEM/log management and endpoint security clients. For cloud-based Web and email, CSC chooses to work with partners.
Strengths
■ Having the capability to embed an information risk manager as a single point of contact in the client's organization
■ Flexible contracts that allow the downscaling and upscaling of consumption
Challenges
■ Be consistently more proactive and efficient in managing daily tasks
■ Portal capabilities that are still lagging behind competition, but are being expanded
■ Improving the ability to leverage security and threat information from its large client base for the benefit of individual clients
Rating: Positive
Dell SecureWorks
Dell strives to expand its Information Security Services in Europe following its acquisition of the U.S.-based company SecureWorks. U.K. Dell SecureWorks manages and/or monitors security devices in several European countries, especially log sources, firewalls, network IDSs/IPSs and endpoint protection systems. Dell SecureWorks Counter Threat Unit provides threat intelligence, malware analysis and analytic support for MSS operations. Customers may buy these services as part of an MSS subscription. Dell SecureWorks provides a comprehensive portal, and also offers support in Spanish and French.
Strengths
■ Its clearly articulated strategy regarding the monitoring of virtualized environments and advanced detection capabilities
■ Its comprehensive portal (including asset information and various correlation capabilities)
Challenges
■ Continuing to establish a brand presence in the European security market and proving success
■ Ensuring consistency of service quality during the acquisition and integration of SecureWorks into Dell
Rating: Positive
HCL Technologies
HCL Technologies is an India-based offshore provider that has already gained some traction in Europe. HCL staff is engaged and enthusiastic, aiming for solutions, rather than merely trying to close the deal. HCL emphasizes end-to-end security services, SLA-based service delivery and flexibility to meet customers' dynamic info-security requirements.
HCL offers the most comprehensive security services portfolio of all European providers. HCL not only is strong in server-based security services (IDS/IPS and log collection) as well as endpoint security client management, but also offers network security. In addition, it offers application security services and identity and access management. It also claims comprehensive portal capabilities. HCL focuses on providing services based on a large pool of skilled resources and can support delivery in a number of European languages.
Strengths
■ Consistent and mature service delivery, with a process-driven approach to security management
■ Ability to optimize the balance between onshore (high-touch) and offshore (low-cost) staff
■ Cost-effectiveness, especially for standard platforms in the HCL support portfolio, and for services that don't deviate from the standard offerings
Challenges
■ Improving management of nonstandard requests, specifically the ability to deal with requests and issues that fall outside the scope of the existing formal processes
■ Improving strategic planning — clients would like to see more forward-thinking and innovative suggestions for dealing with a constantly changing security environment
Rating: Positive
HP
HP has invested billions in building a comprehensive security portfolio that includes services acquired from EDS and Vistorm, and SIEM products from ArcSight.
HP's comprehensive security services portfolio includes endpoint security, firewall and network IPS management, UTMs, and log management. It has five SOCs worldwide, two of which are in Europe (the U.K. and Spain).
Strengths
■ It has experience in integrating security services with complex, large-scale enterprise IT solutions.
■ Account managers take the time to develop a detailed understanding of the technical, commercial and functional aspects of client business operations.
■ HP has a strength in helping organizations design and manage SOCs — including SOC outsourcing.
Challenges
■ Improving HP's visibility as provider of MSSs in Europe, not just as an IT company
Rating: Positive
IBM Security Services
IBM emphasizes its ability to support clients as a trusted advisor by understanding their organizational goals and risk tolerances, and drawing from a global portfolio of asset-based managed and professional services to implement effective programs and controls that enable business growth through the application of security intelligence. IBM's security services portfolio is focused on endpoint, server and network protection. IBM targets larger enterprises and existing customers for its MSS. It emphasizes its reputation, global reach, and depth and breadth of its solution offerings as key differentiators. IBM is the MSS provider that appears most often on customer shortlists in Europe.
Strengths
■ Comprehensive portal and global security view based on large number of customers
■ Supports many European languages and has a presence in all major European countries
■ Addressing European customers' data center concerns
Challenges
■ Providing consistent quality and customer experience, regardless of the delivering SOC
■ Relatively expensive compared with some providers
Rating: Positive
Integralis
Integralis provides IT security and information risk management solutions. It delivers a portfolio of managed security, business infrastructure, consulting and technology integration services — including mobile security, advanced log management, and security intelligence and network profiling. Integralis is an independent subsidiary of NTT Communications, Japan. Integralis focuses on firewall, UTM and network IPS services, complemented by log management and some endpoint security. Integralis grew strongly in 2012 in Europe, in terms of devices, customers, revenue and R&D investments.
Strengths
■ Excellent technical skills of its workforce
■ Operational and commercial flexibility in dealing with clients' security requirements
■ Clients' valuing Integralis' security architecture design capabilities
Challenges
■ Retaining the high-touch approach appreciated by its customers in a growing and highly competitive market
■ Keeping the functionality of its portal competitive
Rating: Positive
Open Systems
Open Systems is a specialized security service provider headquartered in Switzerland, with an additional SOC in Sydney. Its portfolio focuses on multifunction firewall/UTM devices, Web application firewalls and secure Web/email gateways, managed by its Mission Control security service. Open Systems operates a variation of the follow-the-sun model with its two SOCs. Other sites are equipped remotely and serviced remotely.
Open Systems is committed to on-premises delivery due to the need for storing sensitive data locally. It shows the highest proven customer satisfaction.
Strengths
■ Solid security service portfolio with a focus on network-based security
■ Highly skilled, measurably engaged, client-focused, flexible and highly professional staff
■ Commitment to employee development, resulting in low staff fluctuation, stable service quality and high customer satisfaction
Challenges
■ Maintaining the balance between high-growth, high-quality and customized (rather than merely packaged) security services
■ Expanding the service portfolio toward log management, server and endpoint security
■ Improving visibility in the European market for MSSs
Rating: Positive
Orange Business Services
Orange Business Services is a division of the Orange Group, which delivers integrated and managed security solutions with a strong network focus. Offerings include the management of firewalls, network intrusion prevention devices and an above-average number of secure Web gateways. Security services are available independently, but many sales combine aspects of network operations, security services and security consulting. A third-party network allows direct connectivity with Orange-connected business partners.
The company's marketing emphasizes simplicity, flexible delivery models and reduced total cost of ownership (TCO) in its MSS offerings. It runs eight SOCs.
Strengths
■ Clients see Orange as a global player and speak favorably of Orange's large, regional Internet gateways (connectivity, filtering, proxies, remote access and redundancy).
■ It focuses on small and midsize businesses, especially in France/Benelux.
■ Orange offers operational stability and support around the world.
■ Orange leverages existing client relationships for selling security services.
Challenges
■ Improve time to market with new products: When balancing diligence and prudence against innovation, clients would like Orange to lean a bit more toward the latter.
■ Improve efficiency of collaboration between account teams and engineering.
■ Improve visibility in the enterprise security market segment.
Rating: Positive
Symantec
Symantec offers security monitoring, management and message protection capabilities, augmenting in-house security operation capabilities with threat intelligence and security expertise. This portfolio includes server and network IDS/IPS, firewalls, and endpoint security solutions. It has an SOC in the U.K. and three other SOCs worldwide (and one additional one planned in Japan), operates a large network of security information sensors, and employs a sizable global staff of security administrators. Symantec appears often on MSS shortlists in Europe.
Strengths
■ Its global view of the threat environment via its large sensor network and threat intelligence capability
■ Protects and monitors VM's infrastructures
■ The quality of its support and sales resources
Challenge
■ Must continue to prove that European customers value its MSSs
Tata Communications
Tata Communications is an India-based global communications provider. It delivers a portfolio of management and monitoring services to protect customers' information assets from internal and external threats. It offers MSS via several global SOCs, one of which is in Europe. It targets large multinational organizations in various industries.
Its MSS strategy focuses on compliance, customer service, TCO and integration with the rest of its service portfolio.
Strengths
■ Global presence, owning one of the largest fiber networks in the world
■ Invests massively in its security service portfolio
Challenges
■ Prove its presence as an MSSP in the European market
■ Lacks the depth of understanding of regional and local requirements shown by competitors
Rating: Promising
Telefonica
Telefonica is a large, integrated telecommunications provider with international operations and a strong position in Spain. Its portfolio encompasses maintenance, monitoring, support and administration of security devices, as well as vulnerability management, alert services, firewall rule analysis, SIEM, computer security incident response and anti-fraud.
Strengths
■ Flexibility in adapting to client requirements
■ Good number of skilled security staff
■ Ability to foster and maintain strong local relationships
Challenges
■ Improving the quality of service delivery and service management to competitive standards
■ Accelerating service deployments and equipment updates
T-Systems
T-Systems provides a full range of managed information and communication technology services, including a comprehensive portfolio of security services delivered on remotely managed appliances or devices, as well as managed services with appliances and devices installed within a T-Systems data center. Most of its SOCs are located in Germany and comply with national legislation, especially German Data Privacy Law. This makes T-Systems a preferred security services partner for the German public sector and health sector. MSSs are often an integrated part of larger outsourcing deals. Its traditional focus is on the German-speaking parts of Europe, and it's also expanding into the Asia/Pacific region.
Strengths
■ Is focused on customer-specific security requirements for the German market
■ Has a broad solution portfolio, coupling security services with information and communication technology services
■ Large installed base in the German and German-speaking market
Challenges
■ Transparency on pricing model because its prices are perceived to be above the market average
■ Improving MSS portal functionality, in particular regarding the integration of log and vulnerability data
■ Establishing a stronger profile in the European (rather than merely German-speaking) MSS market in terms of visibility and client footprint
Rating: Promising
Verizon
Verizon offers customer support, providing region-specific solutions spanning managed network, MSSs and professional security services to address a wide range of risk, compliance and security needs. It offers premises-based as well as cloud-based MSSs, available stand-alone or bundled. It has a sound road map, introducing new or redefined services, improving customer experience and secure mobility services. Verizon has a solid presence in Europe, and emphasizes its correlation capabilities, security expertise, global reach and risk-based security on global IP networks.
Strengths
■ European Security Operations Centers in Luxembourg, Zurich and (since 2011) Dortmund, with highly skilled security staff
■ Large and knowledgeable sales team
■ Offering threat intelligence correlated from various sources
Challenges
■ Consistent and easy access to highly qualified security staff
■ Continuously proving high customer satisfaction
Rating: Positive
Wipro Technologies
Wipro Technologies provides MSSs to organizations in Europe from a primary control center in India supported by SOCs in Eastern Europe and Germany, which deliver services locally and improve cross-border data privacy compliance. Wipro offers the most comprehensive security services portfolio, and claims to have one of the largest bases of managed security devices in Europe. Consulting and professional services augment MSS offerings, which include co-managed and fully managed services.
Strengths
■ Customer focus, expertise and business understanding
■ Well-distributed sales force in Europe
■ Its ability to upsell security services to existing clients
Challenges
■ Identifying the right staff resources quickly and making them available in Europe
■ Increasing brand visibility in the European security services market
Rating: Positive
Recommended Reading
Some documents may not be available as part of your current Gartner subscription.
"The Global Managed Security Services Provider Landscape"
"Toolkit: Selecting the Right Managed Security Services Provider"
"Magic Quadrant for MSSPs, North America"
"MarketScope for Managed Security Services in Asia/Pacific"
"Magic Quadrants and MarketScopes: How Gartner Evaluates Vendors Within a Market"
"Forecast: Security Service Markets, Worldwide, 2009-2014"
Evidence
For this research, we contacted about 100 MSSPs, of which 19 met the selection criteria. They had to answer a detailed list of questions about their company and their security services. In addition, we collected information on the providers' performance from Gartner clients and provider reference clients through phone interviews and an online survey.
Note 1 Intrusion Detection System and Intrusion Prevention System
For the purposes of this research, we ignore the differences between IDSs and IPSs. Whenever we use "IPS," we mean both.
Note 2 Secure Web and Email Gateway Services
Secure Web and email gateway services refer to the filtering of malware from Web and email traffic at the gateway. This does not include filtering at the endpoint.
Vendors Added or Dropped
We review and adjust our inclusion criteria for Magic Quadrants and MarketScopes as markets change. As a result of these adjustments, the mix of vendors in any Magic Quadrant or MarketScope may change over time. A vendor appearing in a Magic Quadrant or MarketScope one year and not the next does not necessarily indicate that we have changed our opinion of that vendor. This may be a reflection of a change in the market and, therefore, changed evaluation criteria, or a change of focus by a vendor.
Gartner MarketScope Defined
Gartner's MarketScope provides specific guidance for users who are deploying, or have deployed, products or services. A Gartner MarketScope rating does not imply that the vendor meets all, few or none of the evaluation criteria. The Gartner MarketScope evaluation is based on a weighted evaluation of a vendor's products in comparison with the evaluation criteria. Consider Gartner's criteria as they apply to your specific requirements. Contact Gartner to discuss how this evaluation may affect your specific needs.
MarketScope Rating Framework
Strong Positive
Is viewed as a provider of strategic products, services or solutions:
■ Customers: Continue with planned investments.
■ Potential customers: Consider this vendor a strong choice for strategic investments.
Positive
Demonstrates strength in specific areas, but execution in one or more areas may still be developing or inconsistent with other areas of performance:
■ Customers: Continue planned investments.
■ Potential customers: Consider this vendor a viable choice for strategic or tactical investments, while planning for known limitations.
Promising
Shows potential in specific areas; however, execution is inconsistent:
■ Customers: Consider the short- and long-term impact of possible changes in status.
■ Potential customers: Plan for and be aware of issues and opportunities related to the evolution and maturity of this vendor.
Caution
Faces challenges in one or more areas:
■ Customers: Understand challenges in relevant areas, and develop contingency plans based on risk tolerance and possible business impact.
■ Potential customers: Account for the vendor's challenges as part of due diligence.
Strong Negative
Has difficulty responding to problems in multiple areas:
■ Customers: Execute risk mitigation plans and contingency options.
■ Potential customers: Consider this vendor only for tactical investment with
© 2012 Gartner, Inc. and/or its affiliates. All rights reserved.