
Ovum Decision Matrix: Selecting a Managed Security Services Provider, 2016–17


Summary

Catalyst

IT security must be top of mind at every midmarket and large enterprise on the planet. As the tools of the digital economy become pervasive, impacting everything from airlines to zoos, every business and public sector organization has spiraling amounts of data that it needs to protect. Customer data, financial data, intellectual property, and citizen and patient records – they're all at risk from individuals, organized crime, "hacktivists," and nation states that wish to profit from stealing data or disrupting processes. High-profile attacks on well-known brands such as Sony, eBay, Target, Home Depot, and UK network provider TalkTalk have highlighted the cost and brand damage that can be inflicted by a security breach. Government and public sector organizations of all sizes have been subject to similar attacks. If these high-profile names don't have the resources and processes in place to respond quickly and limit the damage, what hope is there for lesser-known brands and organizations?

Systems integrators and IT outsourcers think they have the answers. They certainly have years of experience running IT for some of the largest businesses and government organizations in the world. As organizations face growing security challenges with limited expertise and resources, SIs and IT outsourcers have added managed security as a standalone service line.

Ovum view

This report evaluates six leading SIs and one managed security services (MSS) specialist that are active in the North American, European, and Asia-Pacific (APAC) markets. Unlike previous generations of managed security services providers (MSSPs), these vendors are not primarily interested in selling enterprises one-off network appliance-related services, such as a standalone managed firewall service. They want to sell customers a broader set of integrated services that augment and optimize the customer's existing security resources, deliver the additional benefits of their IP and global threat intelligence capabilities, and outsource some or all of the functions of the customer's security operations center (SOC). The SIs are pitching themselves as "security integrators" offering a complete managed service for the security services "tower."

How they go about delivering such services varies considerably and there's a continuum of approaches to helping a customer keep its IT, end users, and data assets secure. At one end, there's the discrete managed services approach: customers need help to manage their security appliances, optimize and manage their security information and event management (SIEM) software, or monitor endpoint devices and attack surfaces. At the other end of the continuum, there's the traditional IT services "lifecycle" approach to outsourcing the security function: consulting, planning, architecting, engineering, testing, monitoring, and management. We detect that the MSS market is tending towards convergence in the middle. Many customers have invested in expensive software and tools, but IT security is not a core skill. IT service providers have the skills, scale, and resources that


The seven MSSPs under consideration here deliver everything from services that augment the customer's existing security operations to fully outsourced security operations. All but one, Dell SecureWorks, owe their heritage to SI parentage. SecureWorks was a fully formed MSSP that Dell acquired in 2011. IBM has recently taken its Security Services business out of Global Technology Services (GTS) and combined it with Security Systems to form a single unified Security business. However they've positioned security services within their businesses, all seven of the IT MSSPs here deliver a portfolio of services designed to help customers secure and manage the threats to the systems and processes on which their businesses depend. This report complements a previous study focusing on telecoms MSSPs (see Appendix).

Key findings

• Two vendors are rated as overall market leaders in this Ovum Decision Matrix: IBM and Hewlett-Packard Enterprise (HPE). Both earned consistently high scores on all three dimensions of the Ovum Decision Matrix assessment: offering, execution, and market impact.

• They benefit from being able to offer a broad portfolio of MSS offerings, a wide range of service delivery options, a truly global footprint of shared SOCs, deep vertical industry knowledge, and close cooperation with the vendor's security technology divisions.

• While not rated as overall market leaders, because they didn't achieve consistently high scores on all three Ovum Decision Matrix dimensions, two of the market challengers achieved market leader status on one of the dimensions: Dell SecureWorks on the offering assessment and TCS on the execution dimension.

• If you're looking for an MSSP that's at the top of its game in terms of its technical capabilities, its proactive discovery and understanding of the threat landscape, and its ability to keep your protection up-to-date across the IT stack, then Dell SecureWorks is highly rated.

• TCS has considerable merits for those customers looking for an outsourced approach to security. It scores highly on its reputation for service quality, its processes, and its ability to optimize and transform its customers' SOCs through an outsourced approach that leverages offshore skills and resources.

• As one of the participants in this Ovum Decision Matrix put it to us, managed security services providers are on a continuum that runs from providers of discrete single-function services (managed firewall, managed vulnerability scanning, log monitoring, etc.) to systems integrators capable of building and running fully outsourced security operations centers for their customers.

• The IT services providers in this Ovum Decision Matrix are mostly systems integrators or come from the systems integration side of the business, but they're increasingly converging on the middle of the continuum. Customers of all sizes and from all sectors want more modular, easily integrated, and cost-effective managed services.

• Service providers have a view of the threat landscape across industries and geographies that customers will never achieve. The best can deliver intelligence and help customers act on it before threats cause any damage.

Service provider selection

Inclusion criteria

This IT Managed Security Services Decision Matrix considers the managed security services offerings available from seven leading IT service providers. These service providers deliver a wide range of services covering the IT security lifecycle, from consulting to business continuity. However, managed services account for the bulk of the providers' security services revenues and it is here that there is most demand from customers for assistance.

In this Ovum Decision Matrix, we wanted to evaluate service providers that could deliver all of the functions of a typical customer's SOC requirements, either by augmenting or taking over the management of some or all of the functions of the customer's existing on-site SOC(s), or by delivering hosted services from shared multi-tenant SOCs. We have restricted our study to global players, or more specifically vendors that market and deliver their services in North America, Europe, and APAC. For inclusion in the Ovum Decision Matrix, we stipulated the following:

• Vendors were required to complete a comprehensive request for information (RFI) and provide a briefing call and follow-up.

• Only vendors actively marketing and delivering a comprehensive portfolio of managed security services as a distinct service line separate from their other IT outsourcing activities were included.

• Only vendors that could provide evidence of a significant and growing customer base on two or more continents were included.

The following vendors are included in this report:

• CGI

• CSC

• Dell SecureWorks

• Hewlett-Packard Enterprise (HPE)

• IBM

• TCS

• Unisys

Exclusion criteria

• The vendor's failure to complete the Ovum RFI or provide follow-up briefings.

• The vendor's decision to opt out of inclusion in the Ovum Decision Matrix on this occasion.

• The vendor's failure to demonstrate that it has a significant customer base on two or more continents.

Methodology

Ovum Decision Matrices evaluate products and services across three dimensions. For the Managed Security Services Decision Matrix, we have assessed the MSSPs' services on the following dimensions:

• The service offering assessment, aka offering dimension, which assesses the alignment of the vendor's MSS portfolio to current and future demand.

• The execution dimension, which assesses the vendor's ability to deliver effective services in ways that suit a variety of different customer needs and sourcing models.

• The market impact dimension, which measures the vendor's success in reaching its target market and in responding to the needs of that market.

Ovum has split each dimension into multiple assessment criteria. Each of these criteria is explained below. Each assessment criterion was further subdivided into questions designed to generate a compound score that reflected how closely, or otherwise, the vendor's offering or positioning met the assessment criterion. For certain quantifiable assessment criteria, such as revenues, size of customer base, or number and location of security resources, scores were calculated as a percentage of the leading vendor's score. However, in most cases, revenues have been estimated as few vendors publish revenue details for MSS sales or have asked that revenue information is not shared. The scores for each assessment criterion have been weighted according to the importance Ovum attributes to each criterion on its particular dimension. Finally, the three dimensions (offering, execution, and market impact) were weighted according to our understanding of the importance they might have in vendor selection decisions. The weightings are indicated in the charts below.

Figure 1: Overall weightings for Ovum Decision Matrix dimensions


Offering (40% of final weighting)

For this assessment dimension, Ovum assesses the capabilities that differentiate the leading providers in the marketplace. Each criterion is given a weighting as indicated in Figure 2.

Figure 2: Weightings for the offering dimension criteria

Source: Ovum

In addition, there are multiple weighted components to each criterion on each of the Ovum Decision Matrix dimensions. Essentially, these are the questions we asked of the vendors and the assessments we made of their achievements on each criterion:

Vision (15% of offering dimension)

• Does the vendor show evidence of developing IP and services around cutting-edge tools and technology and bringing them to market in its MSS offerings ahead of the competition?

• To what extent has the vendor introduced new services to the MSS portfolio or enhanced existing services that support clients' journeys to the cloud, hybrid IT, and mobility?

• What major strategic investments will the vendor make in the next 12–18 months to grow and enhance its MSS business and how do they accord with Ovum's understanding of developing IT and business needs and their impact on security?

• How strategic are security services to the provider's overall business?

Completeness of offering (20%)

• Does the vendor have a comprehensive portfolio of easily integrated intelligence-driven MSS offerings and capabilities that cover the gamut of end-to-end security operations across the IT landscape, from legacy to cloud and mobile?

• How well does the vendor's offering match operational security requirements across the pillars of infrastructure and endpoint monitoring, threat monitoring and intelligence, identity and access management, incident response and remediation, and cloud security?

• To what extent are the vendor's services focused on helping customers optimize, transform, and manage their existing security operations?

Technical capability (20%)

• Does the vendor have differentiating IP or processes that distinguish its services from its peers' managed security services?

• Does the vendor have access to a wide range of intelligence sources (external, internal, global, open, and closed) or conduct its own hunting or forensics, and does it use these sources, deep vertical-sector knowledge, and expertise to feed back into its MSS and proactively protect against threats?

• Is the vendor able to deploy and optimize next-generation threat detection technologies and analytics, for example, to reduce incident response times and deliver remediation strategies or services in the shortest possible time?

• To what extent are the vendor's services well integrated or how easily can they be integrated with the customer's existing security operations?

Portfolio roadmap (10%)

• What new services does the vendor intend to introduce in the next 12–18 months and how do its plans compare with competitors' roadmaps?

• How is the vendor enhancing and innovating in the delivery of its services?

• Has the vendor made any recent mergers and acquisitions that have implications for its roadmap and strategic direction?

Delivery platform (15%)

• Does the vendor have a modern intelligence-driven SOC platform into which additional functions such as incident response (IR), remediation, and advanced threat intelligence can easily be added and integrated?

• Does it have a standard SOC delivery platform and frameworks for customer integration?

• Can the vendor support a variety of different delivery models for its SOC, including on-site, dedicated hosted, shared, and as-a-service?

Tools and partner relationships (10%)

• Is the vendor "neutral" with regard to the customer technology it monitors and manages, and the providers it partners with to deliver its MSS?

• Does the vendor partner with more than one SIEM provider or is it allied to a proprietary SIEM or "SIEM-less" strategy?

• Can it adapt its processes to manage and optimize the customer's existing SIEM and toolset if they differ from the vendor's own SOC platforms and architecture?

• What status does the service provider have with key technology partners and especially the many small innovative start-ups in the security technology marketplace?

• Does it run joint development and go-to-market programs with key partners?


Maturity of service line/portfolio (10%)

• How long has the vendor been actively marketing MSS as an identifiable, discrete service line and how many customers does it have for its discrete MSS offering?

• Does it have a high percentage of "standalone" MSS contracts or is it delivering MSS mostly as an integral part of larger IT outsourcing and systems integration contracts?

• What percentage of the vendor's MSS sales are "standalone" versus bundled as part of an IT outsourcing contract?

Execution (40% of final weighting)

The weightings attributed to the assessment criteria for the execution dimension of this Decision Matrix are illustrated in Figure 3.

Figure 3: Execution criteria and weightings

Source: Ovum

Again, there are multiple weighted components for each criterion and these are summarized as follows:

Go-to-market strategy (10%)

• How successful has the vendor been in evangelizing its MSS offering to its target markets?

• Does the MSS business have its own dedicated sales team or does it rely on the vendor's general global sales force?

• Does the vendor have a cohesive security services "story" that appeals to the business as well as to the CIO/CISO?

Engagement model (10%)

• How flexible/customizable are the vendor's MSS contracts?

• Is it easy to combine services, including consulting and professional services, incident response (IR), business continuity, and MSS under one contract?

• Does the vendor have flexible pricing models or subscription models that spread the cost of event-driven services (such as IR) or enable credits for unused services to be transferred?

• Does the vendor also have a fixed-price service catalog or portal-based catalog for modular MSS?

Processes and execution (30%)

• Does the vendor have mature security operations processes that adhere to ITIL, COBIT, or other standard methodologies?

• Does the vendor have a proven track record of delivering simplification, well-defined processes, SOC optimization, and operational efficiency?

• Has the vendor developed "security integration" frameworks that provide reference points for the customer's transition from its current-state security operations maturity level to its future desired state?

• Does the vendor have a global footprint of certified security professionals?

• Does it have security professionals with deep understanding of highly regulated and security-sensitive industries such as banking and financial services, central/federal government, insurance, and healthcare?

Service delivery (20%)

• Does the vendor have shared SOCs in multiple regions worldwide?

• Does the vendor have certified onshore and offshore resources capable of delivering on-site or remote MSS support in multiple regions and countries?

• Does the vendor offer a range of different service delivery models, including on-premise SOC, shared SOC, dedicated hosted SOC, staff augmentation, offshore monitoring and management, and as-a-service/cloud-based MSS?

Service governance (20%)

• What level of dedicated or specialist resources does the vendor offer in its SOCs? Dedicated account management is table stakes; desirable attributes include dedicated account teams and support in the vendor's SOC allied to on-site operations (vendor's or customer's own), dedicated customer account analysts in the vendor's SOCs (onshore or offshore), industry compliance specialists, global risk and compliance (GRC) monitoring services, and the ability to manage all elements as "CISO-as-a-service."

• Does the vendor have a track record of delivering well-integrated governance, regular meetings, planning, reporting, and assistance in managed services in general?

Customer success/retention (10%)

• How successful has the vendor been in winning new customers from competing MSS suppliers and retaining existing customers?

• To what extent is the vendor referred to by other MSS suppliers as a competitor?

• How often does it appear on RFP shortlists for large commercial security services contracts?

• How successful has the vendor been in winning large, high-status MSS contracts?

Market impact (20% of final weighting)


Figure 4: Market impact criteria and weightings

Source: Ovum

The weighted components that have been attributed to each criterion on the market impact dimension are summarized as follows:

Market evangelism and market visibility (45%)

• Is the vendor perceived as a leader in the managed security services market, separate from any IP, technology, and products that it also develops?

• Is the vendor seen as a thought leader or leading contributor to security intelligence?

• Can the vendor cite examples of innovation, papers, publications, or threat reports?

Revenue/customer base (10%)

• How big a player is the vendor in the MSS market by revenue?

• How many MSS customers does the vendor have worldwide?

• How many endpoints does the vendor currently protect?

• What percentage of the vendor's MSS contracts is worth more than $5m in total contract value?

Growth (15%)

• What revenue growth did the vendor achieve in its latest fiscal year?

• Is it growing ahead of the market, keeping up with its peers, or lagging behind the market?

Geographical market penetration (15%)

• What geographical penetration has the vendor achieved outside of its home market (where it is headquartered)?

• Does its home market account for more than 80% of its security revenues or customer base?

Vertical market penetration (15%)

• What market penetration has the vendor achieved in commercial markets as opposed to federal government and defense?

Ovum ratings

Market leader: This category represents the service providers that achieved the highest overall scores across all three assessment dimensions. They are a good fit for the broadest range of customers from small to large. A market leader has established a commanding market position with a service portfolio that is comprehensive and matches the broadest range of customer needs, from staff augmentation and security monitoring to fully outsourced security operations. Similarly, the vendor offers the most comprehensive set of delivery options from dedicated on-site services to "as-a-service."

Market challenger: The providers in this category may perform well on one Decision Matrix dimension, but less well on others, or may perform reasonably well on two or more dimensions, but don't make it into the leaders' category. Most of these providers offer a narrower set of services than the market leaders and don't offer all of the service delivery options available from the leaders. Some are focused on a specific type of service delivery, such as a more traditional bespoke outsourcing approach. The market challengers' services are generally tailored to specific types of customer and engagement models. Market challengers may be strong or indeed leaders on specific assessment criteria, so customers should pay attention to the criteria that are most important to them. The market challengers' offerings generally provide competitive capabilities and sound managed security propositions, but customers will select them on the basis of how the providers' strengths align with their specific needs.

Market outlier: Providers in this category typically meet the requirements of customers looking for a more traditional bespoke outsourcing approach to their IT security needs. Market outliers have a narrower target market, often focusing on specific verticals or geographies where their understanding and insights into industry regulation and compliance put them into contention with other suppliers. They know their approach will not suit all customers, but it often appeals to highly regulated industries, the public sector, and MSS engagements embedded within larger IT outsourcing engagements. Market outliers have not attempted to "modularize" their services, preferring to concentrate on custom-engineered solutions and the skills of their analysts rather than discrete services for "out-of-the-box" solutions. Consequently, their services are more expensive to deploy than their competitors'.

Market and service analysis

Ovum Decision Matrix: Managed Security Services, 2016–17

The MSS market has expanded and developed considerably in the last several years from the telecoms-dominated market of five or more years ago to the establishment of security operations as a major IT and business function, whose complexity has led to demand for assistance not only in how to design, build, and run secure enterprise IT, but how to protect the business and reduce risk. The MSS market has developed from one where providers concentrated on managing point solutions and technologies protecting the edge of the enterprise network to one in which providers take a holistic view of protecting the organization's ICT infrastructure, data, and related business processes.


managed service they could bundle and sell with a circuit. This also created the construct of customers protecting the edge separate from the core of ICT infrastructure. More recently, the sophistication of the attackers, universal interconnectivity, mobile devices, and the universality of online and social media as primary front-office channels for businesses and public organizations alike have meant that MSS is no longer just about keeping the bad guys out or protecting the perimeter. Breaches will occur – internal and external attackers will get into places they shouldn't be – so now MSS isn't just about building and maintaining the defenses; it's also about spotting and responding to the breaches, the malware, the advanced persistent threats, and the zero-day attacks.

Systems integrators have been managing security and protecting organizations as part of their IT outsourcing contracts for years. In many cases, they have done this by managing a litany of security point solutions. As demand for managed security increases from organizations across the board, whether or not they've outsourced their IT, the SIs have joined the telecoms vendors in offering a broader set of services designed to augment, assist, manage, or outsource security operations to a greater or lesser degree. However, the SIs and IT service providers have moved the focus to the core ICT infrastructure and applications in contrast to the initial network and perimeter focus of the telco MSSPs. Not surprisingly, the telco MSSPs are following suit.

Figure 5: Ovum Decision Matrix: Managed Security Services, 2016–17


Figure 6: Expanded view of Ovum Decision Matrix: Managed Security Services, 2016–17

Source: Ovum

Table 1: Ovum Decision Matrix: Managed Security Services

Market leaders | Market challengers | Market outlier
IBM            | CSC                | CGI
HPE            | Dell SecureWorks   |
               | TCS                |
               | Unisys             |

Source: Ovum

Market leaders: managed security services

IBM and HPE are the overall MSS market leaders both in terms of their size (annual MSS revenues and global presence) and the comprehensiveness of their service offerings. Both are well-known technology providers and have large systems integration businesses with global reach. This has had an important influence on the way they have developed as MSSPs. They have a heritage of large-scale IT outsourcing, especially to highly regulated industries such as financial services and central/federal government. They have deep industry knowledge and can relate this to business needs. They are also the two vendors with the broadest global footprint, both in terms of SOC locations and in terms of customers and devices under management. This means they have a wide view of the global threat landscape just from their internal customer base alone. In both cases, this is supplemented by both open and closed external sources (i.e., publicly available and confidential intelligence sources).


of technical capability or vision. Those accolades go to Dell SecureWorks. Instead, where IBM and HPE impress most is in the consistency of their scores across a range of criteria and specifically on the execution and market impact dimensions. On the key execution dimension in particular, IBM leads on service delivery and HPE leads on service governance. IBM has all the service delivery options covered, from cloud to on-site, hosted, and fully managed SOCs and can deliver its MSS portfolio at global scale. HPE's "Pod" model in its shared SOCs can provide security analysts dedicated to a large customer or a group of smaller customers, rather than using its SOC resources simply to provide security for a broad range of clients on a "next-in-line" basis.

Market challengers: managed security services

There's very little to divide the scores of the four market challengers: CSC, Dell SecureWorks, TCS, and Unisys. However, the similarities of the overall scores mask key differences in their offerings and service delivery.

CSC comes from a traditional SI heritage and has been a major supplier of security services to the US government for a number of years. It has a very broad portfolio of modular MSS offerings covering everything from data center to endpoint security and identity management, and from cloud to mobility and application security, for those customers looking to augment their security functions with specific services. However, it can also deliver an integrated approach to security operations, governance, and compliance through its Risk Management Center (RMC) SOC strategy. RMCs can be delivered and managed either on-site or from CSC's global shared SOCs. The main challenge for CSC is that it is a company in transition. It has split off its US public sector business into a separate company (CSRA) and is refocusing its remaining commercial sector business away from traditional large-scale ITO contracts to the new world of cloud, big data, and next-generation "IT-as-a-service." Its security resources have also suffered attrition, although CSC is keen to emphasize that cybersecurity is strategic to its future. CSC's immediate challenge will be to survive the delta between the decline in its traditional ITO business and the growth of its next-generation services, one of which is cybersecurity.

With its broad portfolio of discrete modular MSS offerings, Dell SecureWorks comes from the other end of the MSSP spectrum to the SIs featured in this Decision Matrix. Nevertheless, its regular appearance on enterprise customers' MSSP shortlists means that it should be assessed along with its SI competitors. Dell SecureWorks isn't in the business of taking on the on-site management of a customer's existing SOC, though that's something that Dell Services, which often leads with SecureWorks, would undertake. It is consequently marked down on the execution dimension. Its strengths lie in its technical capabilities and especially its threat intelligence, incident response, and threat hunting and forensics capabilities. There are some omissions in its portfolio, notably managed SIEM, which could prove problematic to customers who have made significant investments in SIEM technology and for whom the SIEM is central to their SOC operations. Consequently, SecureWorks is marked down on criteria such as completeness of offering and for its limited execution/service delivery options compared with SIs.


focused on the larger, more comprehensive security services and "embedded" MSS outsourcing engagements, rather than one-off MSS sales. TCS is global in that it has a global ITO customer base and looks after 26 dedicated SOCs worldwide, but its service delivery capability is restricted by its lack of shared SOCs. We understand it will bring new shared SOCs online in the US and UK (its largest markets by geography) in 2016. However, scale and lack of evidence of its ability to access leading-edge technical capabilities and intelligence sources hold it back on the offering dimension.

Unisys focuses its MSS activities primarily around managed SIEM (and more specifically, HPE's ArcSight), although it also has a reasonably comprehensive portfolio of complementary services covering security device management; governance, risk, and compliance (GRC); and identity and access management (IAM). The MSSP's USP for managed SIEM is the event analytics platform that it has built around the HPE ArcSight correlation engine. For ArcSight customers that want to optimize their SIEM, the Unisys Noise Cancellation Advanced Analytics Platform (UNCAAP) is an obvious attraction and one that leads to high scores for Unisys on criteria such as delivery platform and processes and execution. The ArcSight managed SIEM is the focal point for the vendor's integration efforts and its moves to bring more automation into security operations – it has integrated its ArcSight event correlation engine with the central Unisys Customer Ticketing System to speed up incident response and remediation, for example. However, the vendor's main challenges are its relatively limited scores on the market impact dimension. It doesn't have the scale of its main competitors in terms of customer numbers, revenues, and reach, and we think it could do more to evangelize its proposition and expand its focus beyond ArcSight.

Market outliers: managed security services


Market leaders

Market leaders: Offering

Figure 7: Ovum Decision Matrix: Managed Security Services, 2016–17 – Market leaders – Offering

Source: Ovum

The three overall leaders on the offering dimension were Dell SecureWorks, IBM, and HPE. Dell SecureWorks was the outright top scorer on four of the assessment criteria for this dimension:

• vision
• technical capability
• delivery platform
• maturity of service line/portfolio.

It shared top honors with TCS for tools and partner relationships.

Dell SecureWorks exists to deliver IT security services. It has its own budget and P&L. It is an autonomous business unit within Dell and as such is more focused on developing MSS than other MSSPs that are part of a wider systems integration business and have to compete with other business units for budget and resources. SecureWorks has consistently promoted an intelligence-driven, proactive vision of MSS. Its intelligence gathering, hunting, and forensics resources feed back into its managed security services to offer customers advice and help in proactively protecting against threats. It has consistently demonstrated its technical capabilities in its ability to develop new services around innovative new security tools ahead of the competition.

IBM was the top scorer on "completeness of offering" and runner-up on three criteria:

• technical capability
• maturity of service line/portfolio.

IBM's great strength is that as an SI it has been managing IT for some of the largest companies and organizations in highly regulated and risk-averse industries for almost longer than any other vendor. Its security professionals have a deep knowledge of the security needs of customers in these industries and this is reflected in the breadth of its MSS portfolio. Cybersecurity is one of IBM's five strategic imperatives, which is why it decided to bring IBM Security Services and IBM Security Systems together in a new IBM Security business unit. By bringing the two businesses together, the vendor believes it will derive additional synergies in terms of technical capabilities and roadmap. We also believe it drove out some of the complacency that existed when Security Services was part of IBM GTS and success was measured by the size of the strategic outsourcing deals it took part in. IBM Security Services is a growth business keen to develop more consumable services that match the needs of customers embracing cloud computing, mobility, analytics, and social media.

HPE was the top scorer on the "portfolio roadmap" criterion, second placed on "delivery platform" and "completeness of offering," and fourth placed on "technical capability." HPE's Enterprise Security Services business unit is part of the vendor's Enterprise Services division and by mid-2015 had a customer base of at least 1,800 customers with strong representation among Global 1000 customers, as well as with US, UK, and Canadian government customers. The customer base and its moves to embrace what HPE calls the "new style of IT" (cloud, mobility, and analytics) have strongly influenced its portfolio and roadmap, while the fact that HPE can leverage its own ArcSight SIEM technology and Vertica analytics tools has added to the Enterprise Security Services' technical capabilities. HPE has nevertheless maintained a high degree of "neutrality" with regard to the devices it monitors and partners with whom it works.


Market leaders: Execution

Figure 8: Ovum Decision Matrix: Managed Security Services, 2016–17 – Market leaders – Execution

Source: Ovum

IBM, HPE, and TCS are the overall leaders on execution. However, only TCS is a top three scorer on the most important criterion of processes and execution (in fact, TCS is the top scorer). Interestingly, it is two other SIs, Unisys and CGI, that also mark themselves out as having especially good processes and execution. All three SIs have well-defined processes and methodologies for optimizing customers' security operations (often that means outsourcing the SOC to the SI), delivering improved service levels and response times, embedding secure operations within IT and business processes, and architecting security support for cloud, mobility, and the app-based marketing and sales channels that many businesses are keen to deploy.

All the MSSPs in our assessment have very high levels of certifications among their security professionals and attract a high caliber of professional in many of their locations around the world. Security experts like to work with the best in their trade and it is easier for an MSSP to attract skilled individuals than it is for most commercial companies or public sector organizations. Nevertheless, the challenge for MSSPs is retaining high-caliber professionals, when demand for their skills is so high, especially from more successful competitors. Vendors that are in transition and undergoing reorganization are often vulnerable to seeing talent poached by competitors and this may be reflected in the vendor's ability to retain customers and its market impact.


HPE's "Pod" setup in its SOCs provides dedicated account delivery teams with tier-2 and above analyst support for large customers or groups of smaller customers. This and other typical SI attributes, such as local account management and responsibility; involvement in local industry, government, and public sector regulatory processes; and compliance monitoring on large outsourcing contracts, put HPE, CGI, and IBM in the lead positions on service governance.

Market leaders: Market impact

Figure 9: Ovum Decision Matrix: Managed Security Services, 2016–17 – Market leaders – Market impact

Source: Ovum

Overall, we consider market impact to be a less important dimension in our assessments than the offering and execution dimensions. We have consequently given it a lower weighting than the other two dimensions. Nevertheless, we recognize that market positioning, customer base, growth, geographic penetration, and vertical market penetration will all play a part in the due diligence customers undertake when assessing potential suppliers.

IBM is the largest player by revenues, though Dell SecureWorks has more customers: more than 4,000 by mid-2015 compared with more than 3,000 for IBM. At the other end of the spectrum, CGI and Unisys had just 150 MSS customers each. However, both vendors' MSS engagements, not surprisingly, tend to be far more substantial in contract value than Dell's. Typically, the SIs' larger MSS deals tend to be where MSS is a bundled component in a larger ITO or SI contract.

MSS is a double-digit growth market for all seven vendors, but the standout growth rates are for TCS, Dell SecureWorks, and CGI. We estimate TCS at 30% revenue growth and CGI at 25%. Dell


Security, we would expect it to target the midmarket more aggressively with its modular and cloud-delivered MSS offerings. Even CSC and Unisys are considering how they can address the needs of the midmarket with more modular services and services "for the cloud, from the cloud."

Vendor analysis

In this section, we highlight differentiation between the providers to enable organizations to evaluate and compare these providers' capabilities.

CGI (Ovum recommendation: Outlier)

Figure 10: CGI – Market outlier

Source: Ovum

CGI is headquartered in Canada and is a leading systems integrator in North America and Europe, having acquired UK-based SI Logica in 2012. CGI has a large federal or central government customer base in North America (both US and Canada) and the UK. The other main vertical markets on which it focuses include banking and financial services, insurance, oil & gas, utilities, and "commercial," which includes retail, travel and transport, and manufacturing.


ensure compliance with industry regulation, or an SI to design, integrate, and manage their end-to-end security operations, CGI's approach is that of a "security integrator." It offers consulting, engineering, and managed security services from its Global Cyber Security Group, and its MSS engagements typically involve consulting and assessment of the customer's governance, risk, and compliance (GRC) needs, reengineering of its security operations, and service delivery and service governance in accordance with those GRC needs.

CGI isn't in the game of selling discrete security appliance monitoring services from an online service catalog, so customers won't find a portfolio of discrete managed security services to choose from. However, in addition to the "holistic" Protective Monitoring services it delivers from its SOCs, it has recently added the Advanced Threat Investigation (ATI) service. This is intended for customers (commercial and public sector) with sophisticated monitoring requirements, and uses analytics, threat intelligence (from open and closed sources), malware analysis, and advanced sensors to identify and trace advanced attacks. Developed in the UK and now being rolled out in North America in 2016, ATI is again indicative of CGI's strong engineering and integration focus, rather than the more portfolio-based approach of a typical MSSP.

While CGI's Global Cyber Security Group is horizontal in that it supports all CGI's vertical industry practices, its go-to-market focus is closely allied to its verticals. Deep knowledge of industry processes and an ability to understand the business's risk profile allied to an understanding of the industry's propensity to invest in security mean that CGI can tailor its services to the needs of industry verticals. Experience and knowledge of security issues and requirements in one industry are often relevant and transferable to others. Governments, for example, store huge amounts of personal data, while retailers store huge amounts of customer data. The problems and risks facing the two are similar, so experience in one can help in another, even when the customers are in entirely different parts of the world.

The ability to understand the requirements and issues of different verticals and the industry knowledge and skills of its analysts are CGI's chief differentiators: it does a lot of work for the insurance vertical, for example, and this gives the cybersecurity team greater insight into the regulatory environment (it is an advisor to the industry). Similarly, as a global supplier, CGI can pick up on regional variations or learn things in one region that can be applied in another: for example, California was a leader in data protection. Now that there is a big push around data protection in the UK, CGI can look at what happened in California and anticipate requirements elsewhere.

CGI is one of the smaller MSSPs in this Decision Matrix, with a customer base of 150 customers worldwide, but as we have already noted, it is not aiming to be a typical MSSP selling a portfolio of discrete managed security services. It says demand for its brand of security services is growing strongly, which has encouraged it to market managed security as a distinct service line within its overall security offering. It has around 1,400 security professionals worldwide, of which 1,100 are employed in managed services and operations. This may seem high given the size of its customer base, but CGI concentrates on high-value security services engagements as indicated above. Although it claims to be a global supplier, the majority of CGI's customers are located in North


personnel in North America and on-site in most of the countries where it operates. It is a major UK government supplier.

Table 2: CGI's global SOCs

| Center location | Serving | Comments |
|---|---|---|
| Ottawa, Canada | Global government and commercial clients | Supports clients in Canada, US, and Europe. 24x7x365 |
| Manassas, Virginia | Government | This SOC currently monitors CGI Federal's own internal network but can be expanded to provide services to external clients. Also supports Phoenix center. 24x7x365. |
| Phoenix, Arizona | Commercial | The PDC SOC provides services to 95+ Commercial and Federal cloud and non-cloud clients 24x7x365. |
| Bridgend, Wales, UK | Government and commercial clients | There is one SOC in the UK (South Wales). It serves several clients now, some government, some private sector. 24x7x365. The ATI team in Reading is not a SOC but it does support the SOC for complex cases. |
| EPA NOSC/CSIRC | Single government client | This is a US government-owned and -managed SOC supported by CGI. 24x7x365 |
| US Cyber Command J3 | Single government client | Although not a SOC in the traditional sense, US Cyber Command is a tier-1 Computer Network Defense Service Provider (CND-SP) where CGI staffs the J3 Watch Desk. 24x7x365 |

Source: CGI

Ovum SWOT assessment

Strengths

• Holistic approach to managed security needs and strong engineering/integration focus
• Major IT security provider to US, Canadian, and UK governments
• Ability to deliver on-site SOC and other locally based managed security services in its primary geographical markets
• Deep understanding of highly regulated and security-sensitive industries: government, banking and financial services, insurance, energy, and utilities

Weaknesses

• Lacks the global scale of some of its competitors, but seems over-resourced for the number of clients compared with its competitors
• Lacks visibility in certain key markets such as US commercial, continental Europe, and major APAC locations
• Limited shared SOC capability outside of North America
• Vendor neutral, but lacks industrialized "technology solutions" approach and roadmap

Opportunities

• Ability to deliver locally based expertise and understanding of the security risks and needs in key industry sectors
• Potential to industrialize and sell its SOC-based monitoring services and its Advanced Threat Investigation services to a wider commercial audience
• Wider marketing of secure cloud offerings, especially Microsoft-based offerings

Threats

• Global competitors selling a more industrialized, modular catalog of MSS, which they can support with fewer personnel
• Offshore competitors with cost-competitive MSS offerings
• Lack of clarity around its offering and strategy and failure to embrace the wider market opportunity beyond existing regional vertical-industry targets

CSC (Ovum recommendation: Challenger)

Figure 11: CSC – Market challenger

Source: Ovum

CSC is another SI that has developed MSS as a service line separate from its large-scale IT outsourcing activities. While the management of security operations and development of SOCs was always something embedded in its large-scale IT outsourcing engagements, CSC was one of the first SIs to recognize the growing need for MSS and security services as IT service lines in their own right. Having established MSS as a strategic component in its IT services portfolio, CSC set about


framework is known as the CSC Risk Management Center or RMC Framework (see Figure 12), which integrates traditional "passive" managed security operations with threat intelligence, proactive analytics and response, GRC requirements, and various counter-threat activities. The RMCs are essentially CSC's integrated next-generation SOCs.

Figure 12: CSC Risk Management Center Framework

Source: CSC

CSC's MSS portfolio consists of a number of discrete security services under the categories of mobile, app, endpoint, network, cloud, and identity and access management. It has done more than most SIs to create a portfolio of discrete managed security services, similar to those of the pure-play MSSPs and telco MSSPs. However, while CSC has said that it is keen to address some of the more function-specific needs of midmarket and smaller clients and has shown a willingness to go after smaller engagements throughout its IT services business, we don't believe that CSC is doing this to become more of a volume player in a commoditized MSS business. CSC's main targets are still midsized to large enterprises that are finding it difficult to find and retain the skills and resources to integrate, optimize, and run their internal security operations. Its moves to modularize and rationalize the MSS portfolio and define an architectural template for end-to-end risk management, which is what the RMC represents, should be seen in the overall context of the vendor's attempts to improve efficiency in delivering on its engagements. It needed a portfolio of repeatable services that it could implement efficiently without reinventing the wheel every time.


supports over 30 languages through its service desk and offers local language support for onshore security services in the main European languages. CSC has more than 460 customers worldwide, ranging from very large government agencies down to smaller organizations of around 1,000 employees. The customer base is split roughly between 30% government clients and 70% commercial clients.

Like the other SIs in this Decision Matrix, CSC is a government contractor for security services in North America and the UK. However, it recently spun off its US public sector business into a separate publicly traded company, which combined with SRA International in November 2015, and is now known as CSRA. Apart from decreasing the size of CSC's overall revenues, this will also have an impact on CSC's security revenues and investments, as a large proportion of the vendor's security revenues were associated with its US federal government business.

Security services and specifically cybersecurity nevertheless remain strategically important to the slimmed-down CSC, alongside big data and cloud computing. CSC previously set great store by its connection to the US federal government and the insights and investments it was able to gain from being part of the US government intelligence community. The post-spin-off CSC will not have the same access to these resources and both security revenues and personnel will be reduced, affecting our assessment of the vendor's current "market impact." CSC will retain a number of public sector clients in other countries (Canada, the UK, and Australia, for example), but these may not have the same kudos as being a US federal government security contractor. Some of CSC's most talented US-based security analysts will also no doubt transfer to CSRA, and CSC's operations have been subject to some attrition in recent quarters.

Besides government and the public sector, other key markets include healthcare, banking and capital markets, insurance, energy and natural resources, travel and transport, manufacturing, and technology and consumer services.

Ovum SWOT assessment

Strengths

• Mature security services provider with deep government and public sector experience and understanding
• Comprehensive MSS portfolio including cloud, mobility (including apps scanning and mobile email), and IAM
• Global SOCs and service delivery capability, with onshore resources in primary geographical markets
• Very experienced personnel with strong technology focus coming from cloud (ServiceMesh) and analytics (Infochimps) acquisitions

Weaknesses

• Customer perception of an old-school SI – needs to do more to sell its vision of a next-generation service provider and the importance of cybersecurity in its strategy
• Spin-off of the US public sector business implies a reduction in security revenues and resources

Opportunities

• Capitalize on acquired IP and skills in data analytics (Infochimps) and hybrid cloud integration and orchestration (ServiceMesh)
• Build on secure cloud offerings in both hybrid cloud and mobility space
• Build on partnership with HCL to deliver additional consulting and managed security services to complement the vendors' joint application-modernization venture
• Take advantage of increasing global demand for MSS, especially in APAC

Threats

• Increasing competition from offshore providers
• Global competitors upselling MSS to their existing SIEM customers
• Loss of talent
• Inability to maintain investments in the face of declining revenues and earnings

Dell SecureWorks (Ovum recommendation: Challenger)

Figure 13: Dell SecureWorks – Market challenger

Source: Ovum


marketed globally, wherever its parent has a presence, but in reality, most of its 4,000+ customers are based in North America.

Dell SecureWorks' traditional market has been midmarket enterprises, but as demand for MSS has grown, the client base has expanded to encompass everything from SMEs to Global 500 corporations. Unlike the SI providers of MSS, SecureWorks does not have a vertical go-to-market focus – its sales span all verticals. However, other businesses within Dell do focus on particular verticals, notably Dell Services, and the latter often includes SecureWorks offerings in its sales to healthcare, education, government, and the public sector. Perhaps not surprisingly, the vast majority of SecureWorks' business comes from the financial sector.

Dell SecureWorks has five SOCs: three in the US (Atlanta, Chicago, and Providence, Rhode Island), one in Edinburgh, Scotland, and one in Japan. It also has a center of excellence (CoE) based in Romania. The CoE is a facility for the provisioning of "virtual residents" (security experts who work on a dedicated basis for clients) to perform a number of security duties as requested. Dell's SOCs are operational 24x7x365, but do not operate a "follow-the-sun" model.

Dell SecureWorks offers a very comprehensive portfolio of managed security services, but there are some notable omissions. It does not offer managed SIEM services and does not currently provide managed services for IAM, mobile security services (though it does offer advanced endpoint threat detection), or business continuity services (though these are currently available from Dell Services). The service provider explains the lack of managed SIEM on the basis that it doesn't use basic SIEM technology in its own SOCs and doesn't believe it can add value to SIEM products. Instead, its strategy is to add intelligence and apply analytics to its monitoring services wherever it can. If SecureWorks is ever asked to take on the management of a customer's existing SIEM, it generally treats this as an opener for a bigger discussion about the customer's security issues. A more cynical view would suggest that Dell doesn't want to leave any openings for MSS competitors, such as IBM and HP, that have proprietary SIEMs and also want to upsell MSS to those customers.

Dell SecureWorks is mid-table in terms of revenue size compared to other MSSPs. It does fewer full security lifecycle, multiyear contracts than the global SIs and MSSPs, such as HP and IBM. However, the size of SecureWorks' customer base indicates the strength and market impact generated by sales of its discrete MSS portfolio.

Ovum SWOT assessment

Strengths

• Combination of people and technology: strong technology focus, especially in the use of analytics, forensics, and intelligence gathering; well-respected research team – Counter Threat Unit (CTU)
• Clearly defined MSS portfolio, integrated around the SecureWorks Counter Threat Platform (CTP), which forms the backbone for all its MSS
• Able to deliver a range of MSS solutions from basic appliance management and monitoring to complex re-architecting of customers' security operations

Weaknesses

• Limited number of SOCs in continental Europe and APAC
• Lack of managed SIEM offering for those customers who have significant existing investments in the technology
• Current lack of managed IAM services

Opportunities

• Establish additional SOCs in continental Europe and APAC
• Partner with global and local SIs to deliver more complex MSS engagements and on-site SOC support in regions where Dell Services has limited coverage
• Capitalize on increasing demand for MSS from midmarket customers

Threats

• Global competitors upselling MSS to their SIEM customers
• Acquisition of key technology partners by competitors
• Competitors offering a full suite of security lifecycle and SOC transformation services

Hewlett-Packard Enterprise (Ovum recommendation: Leader)

Figure 14: Hewlett-Packard Enterprise – Market leader

Source: Ovum


Services or Dell SecureWorks in terms of customer numbers, we estimate that it is the second largest MSS provider in revenue terms after IBM.

HPE's customers are primarily large enterprises (Global 1000), multinational corporations, and public sector customers in the US, Canada, and the UK. The nature of its client base means that a lot of its engagements are complex end-to-end "security integration" projects. However, HPE also develops and markets the popular ArcSight SIEM (used by many other MSSPs) and is increasingly upselling managed SIEM services to customers that only have a small security operations team and are looking to get the most out of their SIEM investment.

In spite of HPE also being a developer of proprietary SIEM technology, ESS claims to be "vendor neutral" and able to support and manage a wide range of third-party products and software. It has an impressive list of security technology partners. Because of this and the increasingly modular nature of its managed security services, HPE is moving more towards the middle of the MSS continuum than other SIs, with a mix of some commoditized services, as well as dedicated "custom" managed security operations. Not surprisingly, ESS makes use of ArcSight for correlation and log collection purposes, but has designed its own custom analytics engine (based on HPE Vertica) and portal for its SOC platform.

HPE has 10 SOCs worldwide. One of HPE's differentiators is that it has a distributed security platform located in three global SOCs in the US, UK, and Australia, and regional SOCs in Canada, Costa Rica, Germany, Bulgaria, India, and Malaysia (there's a second SOC in the US too). As well as providing global coverage, this enables logs to be collected and stored in-country, where customers have a need to keep data within their home country or region. Its investigation and response platform is also distributed within its three global SOCs.


Figure 15: HPE Enterprise Security Services "Pod" service delivery teams

Source: HPE

Like other SIs, HPE offers the usual service delivery options – on-premise, hosted, shared service – but also cloud-based "as-a-service" delivery. This further points to the way HPE Enterprise Security is expanding its offering to meet the needs of a more diverse set of customers as well as delivering a more industrialized and cost-competitive service even within its most complex customer engagements. HPE's recent announcement that it is partnering with Microsoft Azure as its preferred public cloud will offer new opportunities for ESS to offer cloud-related security services for customers building out their hybrid IT footprint around Azure.


Ovum SWOT assessment

Strengths

• Good global coverage: three global SOCs (Plano, Texas, US; Daresbury, UK; and Sydney, Australia) and six regional SOCs (Canada, Costa Rica, Germany, Bulgaria, India, and Malaysia)
• Ability to meet customer compliance and data sovereignty requirements of international customers via regional SOCs
• Focus on analytics and moving beyond the "hygiene" services
• Dedicated service delivery teams (Pods) foster stronger customer relationships and understanding of customer needs.

Weaknesses

• Needs to do more to industrialize processes and security integration frameworks
• Enterprise Services business is still implementing its turnaround and needs to do more to change customer perceptions
• Appears on MSS shortlists less frequently than some of its competitors

Opportunities

• Enter into more strategic partnerships with key technology partners such as its recent partnership with FireEye
• Build MSS around hybrid IT and Microsoft Azure
• Upsell MSS to its ArcSight customer base
• Sell pre-integrated "SOC-in-a-Box" appliance, coupled with remote monitoring/management services

Threats

• Increasing competition from cost-competitive offshore providers
• Acquisition of key technology partners by competitors
• Reinvigorated and unified IBM Security division combining IBM Security Systems and Security Services


IBM (Ovum recommendation: Leader)

Figure 16: IBM – Market leader

Source: Ovum

IBM Security Services was formerly part of IBM's Global Technology Services business until it was folded into the IBM Security business unit in 2013. The Security Services organization's heritage is in systems integration and delivering security services and consulting for some of the largest IT outsourcing engagements and companies in the world. Its primary focus is on helping its customers optimize and modernize their security operations, processes, and teams. It takes a holistic approach to its people, processes, and technology. Most of its MSS engagements derive from one of three customer requirements:

• Companies are looking at their business holistically from a GRC profile perspective and need help to facilitate and maintain compliance, review their controls and operations center, and understand their risk profile.
• The customer has had an incident or breach, wants it sorted out, and wants to improve its security posture.
• Customers need help to get the most out of their security technology investments – they often lack the people, skills, and processes to optimize and derive the full value from the technology.


multinational businesses across a variety of industries. It is a leading supplier to Global 1000 businesses and by industry its largest numbers of customers are in banking and financial services, government and public sector, insurance, and healthcare, in that order. IBM has the widest geographical coverage of any vendor in this Decision Matrix, monitoring devices and security-related activities in 133 countries. It sells its services in more than 150 countries and offers support in all the major European languages, as well as Japanese and Chinese.

The IBM Security Services portfolio is aligned around six key competencies:

• IBM Security, Strategy, Risk and Compliance
• IBM Security Intelligence and Operations Consulting (SIOC)
• IBM Cyber Security Assessment and Response
• IBM Identity and Access Management Services
• IBM Data and Application Security Services
• IBM Infrastructure and Endpoint Security Services

Its MSS offerings are aligned to these competencies as indicated in Figure 17.

Figure 17: IBM Security Services portfolio

Source: IBM

The MSS portfolio is comprehensive, including cloud identity, managed SIEM, and advanced cyber-threat intelligence. Delivery options include on-site, hosted, and services delivered from the cloud (SIEM-as-a-service). IBM also designs, builds, and operates dedicated SOCs, as well as delivering services from its global shared SOC locations. With its consulting, risk and compliance, and cybersecurity assessment and response teams, IBM is able to offer the full gamut of security services over and above MSS.


Hortolandia, Brazil; Bangalore, India; Brussels, Belgium; Wroclaw, Poland; Tokyo, Japan; and Brisbane, Australia.

The vendor cites its global service delivery capability, investment in technology and threat environment research, geographic monitoring and coverage, SIOC capability, breadth of third-party technology partnerships, and ability to incorporate its QRadar SIEM technology into its MSS platform as key differentiators. IBM's MSS roadmap and future investments will center on proactive threat intelligence gathering, artificial intelligence-based automation (including IBM Watson), cloud, and the "cyber supply chain."

Ovum SWOT assessment

Strengths

• Importance of cybersecurity to IBM's overall business plans: it is one of six "strategic initiatives" IBM is investing in to lead its turnaround
• Geographic coverage, scale, and ability to gather intelligence both within and across industries and geographies
• Level of investment, both organic and inorganic, in security technology and skills
• Global consulting capability and ability to help customers "present the case" for security to the business

Weaknesses

 By combining IBM Security Services and Security Systems in the same business unit, IBM Security leaves itself open to the charge that designing, building, or managing a customer SOC is an opportunity to install its own SIEM technology (QRadar)

 While IBM's services practices as a whole are more willing to address smaller deals that previously would have been left to the channel, there is still the perception that IBM will try to tie customers into a bundled multiyear services engagement

 Less agile than the competition in partnering with innovative third-party technology providers

Opportunities

 Capitalize on the momentum and opportunity to develop its own MSS strategy brought about by the creation of the unified IBM Security business unit

 Sell and upsell its increasingly modular MSS and as-a-service offerings to midmarket and IBM Security technology customers

 Develop Watson and AI technology as a customer-accessible "expert security assistant"

 Acquire advanced threat intelligence, forensics, and incident and response companies

 Capitalize on its relationship with Apple to deliver advanced mobile security and management offerings to the enterprise

Threats

 Increasing competition from cost-competitive offshore providers

 Acquisition of key technology partners by competitors

TCS (Ovum recommendation: Challenger)

Figure 18: TCS – Market challenger

Source: Ovum

TCS established its Enterprise Security and Risk Management (ESRM) service line in fiscal year 2014/15, though it has been securing customers' IT since 1998 as part of its IT services business. TCS is a global IT services provider with a large customer base in North America and Europe. It had approximately 300 ESRM customers by 2015.

TCS is a "full-service" provider that undertakes comprehensive end-to-end design, build, implement, and operate engagements related to security. It lies at the security integrator end of the MSS continuum, so while it has a relatively small number of active MSS engagements, these are comprehensive in scope. Like other SIs, TCS tends to come into a customer to stabilize, re-architect, and transition existing security operations to a new operating model. These are typically multiyear managed services engagements, usually at least three years in length. The high contract values associated with such deals reflect the IT outsourcer's customer base of large multinational corporations and financial services clients, and the complexity of the transformations undertaken for them. The split between standalone "operate my SOC" contracts and end-to-end design/build/run is 45% to 55% in favor of end-to-end and this is where TCS is seeing most growth.

TCS offers the usual list of MSS (see Figure 19) and partners with the usual technology suspects. It is not a security technology provider, so it can be more flexible about whom it works with, especially around the SIEM. However, TCS really differentiates itself with its integration and service delivery capabilities. It operates 26 dedicated SOCs as of 2015 and one shared SOC out of India. It is building two more shared SOCs in the US and the UK, which will become operational in 2016. It works with a variety of technology providers and claims to have acquired and developed the relevant skills to support customers' existing investments in SIEMs, firewalls, endpoint security, advanced threat detection, and so on. It integrates new technology and processes for the customer where there are gaps in the customer's security footprint.

TCS's SOCs and service delivery are underpinned by its Global Network Delivery Model (GNDM), which brings together the global resources, integrated processes, and global infrastructure to support its customers with the appropriate combination of on-site, nearshore, and offshore skills and resources to meet their risk and compliance needs. Offshore resources might not be appropriate for all industry sectors (public sector and healthcare, for example), but where they are, customers can be reassured by the high certification and training levels maintained by TCS.

Figure 19: TCS MSS offerings

Source: TCS

Offshore delivery inevitably plays a major role in TCS's MSS monitoring services, which are typically 90% offshore/10% onshore. Services such as forensics and fraud management are more likely to be split 50:50 onshore/offshore. Inevitably, TCS plays up the cost advantages of its offshoring capabilities, but it is its ability to deliver consistent high-quality processes from its delivery centers that counts more for most customers.

providers, but TCS has built a sound reputation for disciplined processes and efficient implementation, which distinguishes it from many of its competitors. Its client retention levels and customer satisfaction, as reflected in net promoter scores, are particularly high.

Inevitably, as the number of devices, endpoints, the amount of data, and the number of security events increase exponentially, TCS will add more automation and increase its use of analytics in its MSS offerings. While it may not have the in-house assets and resources that, say, HP has with Vertica, CSC with Infochimps, or IBM with Watson, TCS will concentrate on developing IP and skills around third-party tools such as RSA Security and Analytics.

Ovum SWOT assessment

Strengths

• Full-scope managed security offering, from SOC build to run
• Well-defined processes and frameworks
• Flexible service delivery model provided by GNDM
• Strong reputation for delivery excellence

Weaknesses

• Small MSS customer base
• Currently only one shared SOC and it is located in India
• Not as proactive in intelligence gathering as its main competitors
• Perceived as a full-scope applications and IT outsourcer rather than a function-specific managed services provider

Opportunities

• Develop or acquire intelligence-centric skills and IP
• Expand shared SOCs in Europe, where concerns over data privacy/sovereignty agreements are causing hesitancy around North American suppliers
• Publicize ability to secure hybrid IT alongside efforts to publicize TCS's hybrid cloud strategy and successes

Threats

• Acquisition of key technology partners by competitors
• Competition from increasingly "productized" and modular services delivered remotely from shared SOCs and the cloud
