MarketScope for Managed Security Services in Europe

(1)

G00219325

MarketScope for Managed Security Services in

Europe

Published: 24 October 2011

Analyst(s): Carsten Casper

The market for managed security services in Europe is mature and changes

slowly. IT infrastructure and communications service providers dominate,

security specialists fill a niche, and growth continues.

What You Need to Know

This document was revised on 27 October 2011. The document you are viewing is the corrected version. For more information, see the Corrections page on gartner.com.

Managed security services (MSSs) in Europe show all the signs of a mature market, which continues to justify a Gartner MarketScope as the survey methodology.

During the past 12 months, the European MSS market grew as anticipated, and will probably reach $2.5 billion by year-end 2011. We expect growth to continue, with a compound annual growth rate of 14% from 2011 to 2015. IT management is not the largest, but is still the fastest-growing

segment of the security services market.

Vendors Added or Dropped

We review and adjust our inclusion criteria for Magic Quadrants and MarketScopes as markets change. As a result of these adjustments, the mix of vendors in any Magic Quadrant or

MarketScope may change over time. A vendor appearing in a Magic Quadrant or MarketScope one year and not the next does not necessarily indicate that we have changed our opinion of that vendor. This may be a reflection of a change in the market and, therefore, changed evaluation criteria, or a change of focus by a vendor.

Our "MarketScope for Managed Security Services in Europe" in May 2010 surveyed 16 European managed security service providers (MSSPs). For 2011, 17 MSSPs met our inclusion criteria and did not meet our exclusion criteria. Table 1 shows which providers we surveyed during the past four years. In 2011, Telefonica returned, T-Systems was dropped, and Open Systems was added for the first time. Dell acquired SecureWorks, and the company appears at a different position in the list. Apart from these changes, the provider landscape has been fairly stable.

(2)

Table 1. MSSPs Surveyed in MarketScopes 2008-2011

May 2008 September 2009 September 2010 October 2011

AT&T AT&T AT&T AT&T

Atos Origin Atos Origin Atos

BT Global Services BT Global Services BT Global Services BT Global Services Cable & Wireless

Computacenter Computacenter Computacenter

CSC CSC

Dell (SecureWorks) Getronics

HCL Technologies HCL Technologies HCL Technologies HCL Technologies

EDS, an HP Company HP HP

IBM Internet Security Systems (ISS) IBM ISS IBM Global Technology Services IBM Security Services

Integralis Integralis Integralis Integralis

Open Systems

Orange Business Services Orange Business Services Orange Business Services Orange Business Services SecureWorks

(3)

May 2008 September 2009 September 2010 October 2011

Tata Communications Tata Communications

Telefonica Telefonica

T-Systems T-Systems T-Systems

VeriSign VeriSign

Verizon Business Verizon Business Verizon Business Verizon

Wipro Technologies Wipro Technologies Wipro Technologies Wipro Technologies Source: Gartner (October 2011)

(4)

Geographic Scope, Inclusion and Exclusion Criteria

Although the market grew in volume, we did not revise our inclusion criteria regarding the minimum number of managed devices (700 firewalls and intrusion detection system [IDS]/intrusion prevention system [IPS]) and the minimum number of customers in Europe in 2011 (50 external customers; for the complete inclusion criteria, see the Inclusion and Exclusion Criteria section). We did, however, amend the exclusion criteria in order to focus this market analysis on truly regional providers. As a result, Savvis (with a U.S. focus), SSP Europe and T-Systems (with a Germany focus) meet the exclusion criteria and have not been included in this research.

Several other providers have a subregional focus in Europe: Atos in Benelux/France,

Computacenter in the U.K./Germany, Open Systems in Germany/Austria/Switzerland, Orange Business Systems in Benelux/France/U.K., and Telefonica in Southern Europe. They have not been excluded, because they have significantly more than 10% of their business outside their European home countries. They have sales staff in several European countries and can support clients with regional (rather than local) requirements. This MarketScope has a strong focus on European clients, but these clients have operations all over the world. While 100% of them demand coverage in Europe, 40% also ask their provider to manage devices in Asia/Pacific, and 30% want their provider to cover devices in North America.

Overall, we track around 100 MSSPs worldwide, with about one-third of them in Europe. The ones that do not appear operate mostly in one country (for example, S12sec in Spain), provide a very specialized security service (such as Qualys for vulnerability scanning) or do not provide stand-alone security services (for example, Unisys). For example, the following providers were considered, but not included: Boxing Orange, CGI Group, CompuCom, Dimension Data, KPN/Getronics,

Outpost24, Retarus, S21sec, S2 Grupo, Savvis, SecureIT, Sentor, SSP Europe, Telindus, Trustwave, T-Systems, United Service Providers and Unisys.

Landscape of Different Types of Providers Remains Relatively Stable

The market for managed and related security services continues to evolve, but the types of players are still the same. There are few stand-alone security players left in the Pan-European market. Most providers sell security services bundled with infrastructure management and outsourcing (for example, Atos, Computacenter, CSC, Dell, IBM Security Services, HCL Technologies, HP and Wipro Technologies) or bundled with communications services (for example, AT&T, BT Global Services, Orange Business Services, Tata Communications, Telefonica and Verizon). Only a few European providers focus on IT security (for example, Integralis [now part of NTT Communications], Open Systems and Symantec). All providers in this MarketScope offer MSS as a discrete service. European security providers service approximately 6,500 clients in Europe, and operate about 28,000 firewall and unified threat management (UTM) devices, 5,500 network IPS/IDS and 14,000 server IPS/IDS as well as 2,400 secure message and Web gateways. They also manage or monitor hundreds of Web application firewalls and customer-owned security information and event

management (SIEM)/log management products. The large European players serve the U.K. and Ireland; Benelux; Germany, Austria and Switzerland (DACH); France; and Southern and Eastern Europe in fairly equal proportions to the population and gross domestic products of those countries.

(5)

Methodology

We conducted our survey of MSSPs simultaneously in North America, Europe and Asia/Pacific. We contacted about 100 providers of MSS in these regions. Of them, 46 replied to our worldwide scoping questionnaire. They included information about all the regions in which they operate. Based on this information, we selected a subset of providers per region that met our inclusion criteria. These providers had to answer a more detailed questionnaire and provide references. The questionnaire was the same in all regions. In Europe, 17 providers met our European inclusion criteria.

We also contacted reference clients and conducted phone interviews, as well as online surveys. Reference clients were not only asked for information about their providers, but also questioned about other providers on their shortlists.

The assessment in this MarketScope was performed on the basis of survey data collected in May and June 2011, and client reference information collected in June, July and August 2011.

Strategic Planning Assumption

By 2015, 30% of enterprises that use public cloud infrastructure as a service will also use MSSPs for security monitoring.

MarketScope

This survey focuses on these security services (including managed customer premises equipment [CPE]), provider-hosted devices and cloud delivery. They are listed in order of popularity to

European clients. Devices near the top of the list are managed and monitored most often, according to the reference clients contacted during this market analysis:

■ _Firewall

■ _{Network IDS/IPS (see Note 1)} ■ _{Web application firewall}

■ _{Secure Web gateway devices (see Note 2)} ■ _{Vulnerability scan devices}

■ _{Secure message gateway devices (see Note 2)}

■ _{Server/directory/application/database management system log sources} ■ _{Server IDS/IPS}

(6)

■ _{Multifunction firewall/UTM device}

■ _{Customer-owned SIEM/log management products} ■ _{Data loss prevention (DLP) devices}

Firewall management and monitoring are still the most widely consumed security services.

However, the use of Web application firewalls, secure Web and email gateway devices, vulnerability scanning, and log management has increased significantly — now being consumed by roughly 30% to 40% of European clients. On the other hand, fewer organizations rely on network-based IDS/IPS services (only about half of them do, compared with 70% in 2010). Consumption of desktop/ endpoint security and SIEM management has increased only slightly. DLP still closes the list. European clients are not pressured to deploy DLP, and most discussions evolve around policy design and implementation, not the management of DLP devices.

In addition to these infrastructure-based security services, most European providers offer

complementary security services. The ones that are consumed most often are near the top of the list:

■ _{On-site technical support for security products}

■ _{Security consulting (policy, organizations and architecture)} ■ _{Security system integration}

■ _{Threat intelligence information (vulnerability research)} ■ _{Application security (security testing and code review)}

Note: Identity-related services (authentication and token management) are not covered in this research.

Pricing and Service-Level Agreements

Pricing is difficult to compare from provider to provider and from year to year, because each client has different requirements regarding types of services (firewall, IPS, email/Web and so on), volume (from one firewall to several thousand firewalls), delivery model (CPE-based, hosted and cloud), geographic coverage, level of engagement (monitoring/management), integration (with IT infrastructure management or with communication services), service quality, response times, service-level agreements (SLAs) and language support. Price is a key factor in most purchase decisions, but comparisons are difficult outside of a specific RFP.

Our observations on pricing for management and monitoring of virtualized security devices remain unchanged. There is still not best practice. Here are some approaches we encountered in Europe: ■ _{The provider says that it will pass on benefits of virtualized infrastructure to the client, but no}

pricing details are revealed.

■ _{The monitoring price for a virtualized device is the same as the monitoring price for a CPE} device, but the management price for a virtualized device is less than the management price for a CPE device.

(7)

■ _{Pricing for virtualized infrastructure is split into a}_device_{monitoring part (fixed fee) and}_virtual

firewall monitoring part (digressive fee for each virtual firewall). The same applies to

management of virtualized infrastructure.

SLAs have not changed significantly. Most providers offer 15 minutes or 30 minutes as the fastest possible response times (sometimes in the standard, sometimes only in the "premium" package). However, this only relates to the notification of the client. Resolution times vary widely, and

obviously depend on the nature of the issue. A few providers even display an incident immediately on the customer portal, giving customers information in real time.

Some providers make an attempt to innovate with SLAs and pricing. Below are some examples: ■ _{Firewall pricing depends on bandwidth commitments (not consumption).}

■ _{No minimal fixed cost for usage-based pricing (for example, vulnerability scans).} ■ _{Reduced pricing for permission to offshore security operations.}

■ _{Customers who bring new clients can benefit from a discount on the combined service volume.} ■ _{Client satisfaction is measured after each interaction as a key performance indicator.}

■ _{Outsourcer commits to a price decrease per year (such as 5%) rather than an upfront payment.} In general, contracts have become more specific and concrete. Some providers have indicated that they now move from service-level objectives to service-level agreements. Clients that have been disappointed by a previous provider's performance push hard to include penalties in new contracts. Such a penalty typically amounts to a percentage of the monthly charge up to a maximum of one monthly charge of the service cost and is paid as a credit or an immediate payout (potentially with an "earn-back" clause for subsequent SLA compliance).

Types of Services Offered

Delivery models continue to change, and the topics "cloud computing" and "virtualization" dominate many discussions with European clients. However, the change is not massive; rather, it develops at varying speeds, depending on the service in question. Up to 5% of revenue is shifting from CPE to non-CPE delivered services every year, and non-CPE-based delivery is at

approximately 10% for firewalls, UTMs and network IDS/IPS; more than 15% for Web application firewalls; and up to 35% for secure messaging. SIEM management, log sources and server IDS/IPS are still predominantly operated on customer premises. Vulnerability scanning is often executed remotely, but usually with the help of some additional devices installed on customers' premises. Virtualization also plays an increasing role. A concern raised by some clients is that monitoring capabilities for virtualized infrastructure are not as detailed as the ones for on-premises equipment. Moreover, a report might be available only on request, rather than through the portal. This will be acceptable for some clients, but impossible for others. This is similar to different customers' attitudes to determining the security product vendor. While some customers explicitly require that the provider takes over the management of their existing infrastructures (into which they invested

(8)

heavily), others accept whatever product the provider suggests and are also more open to virtualized versions of these products.

Relationships Between Providers and Customers

White-labeling of services (that is, offering security services under the brand name of another provider) seemed a trend in 2010, but did not gain in importance in 2011. The only exception continues to be vulnerability scanning where most European providers collaborate with Qualys (12 out of 17). In the area of threat intelligence and vulnerability notification services, the picture is less consistent, and European MSSPs collaborate with up to seven partners to provide this information. Integration of network/IT services and security services also deserves particular attention. Client satisfaction can go both ways. Some clients said that they only consume the security services of this provider, because it's part of a larger outsourcing deal, and they did not have any choice but to include security. Other clients also criticize such an integrated approach, but in fact, they are happier with the security services than with the main part of the outsourcing deal.

Clients also need to exercise caution regarding new types of security services. Some providers will fill the gap with third-party service offerings — which is certainly acceptable — but contract

management can become an issue if the client is locked into a contract with the third party, rather than its own security provider. Once the incumbent provider starts offering the same service, the client must be allowed to quit the third-party contract and transition back to the legacy providers, which does not always seem to be the case.

Some clients appreciate a clear segregation of duties, but few actually phrase it as a requirement. Overall, there are basically three types of security services:

1. Management of security infrastructure, including hosted or cloud-based security infrastructure. In-house infrastructure is still sometimes managed by an internal team, often by network operations.

2. Monitoring of security infrastructure, including log management, correlation, SIEM and

advanced portal capabilities. Especially in large contracts, there is a tendency to let the MSSP do the monitoring while in-house staff or another partner (such as a telecommunication provider or an IT outsourcer) is managing the infrastructure.

3. Vulnerability scanning services. These are often provided by Qualys, sometimes by other vendors or the MSSP itself, and usually in a combination of all of the previous.

In summary, clients engage up to three different providers for the different tasks. Alternatively, an in-house team takes care of these tasks. This is often the case for infrastructure management,

sometimes for monitoring and rarely for vulnerability scanning.

Operational Concerns

There are some indications that the follow-the-sun approach with which several providers operate is not always the best solution. Clients mentioned the following issues:

(9)

■ _{There is the danger that difficult customer issues are passed from security operations center} (SOC) to SOC like a hot potato. While the local SOC focuses on the immediate needs of local clients, the needs of remote clients receive a lower priority. Clients have explained that their European SOC serves them very well, while the North American SOC does more harm than good.

■ _{Given the increasing need to store data in the country (or at least the region) of origin, clients} are concerned that sensitive data is sent to countries with less protection. This can already be a problem regarding backup data centers in other regions, but it is an immediate issue when data is passed around on a daily basis. Fortunately, this is critical for only very few clients, and while some might bring up this concern during contract negotiations, very few will actually make SOC location an exclusion criterion.

Related to the location of the primary data center is another concern: cultural differences. Staff from other countries or even from other regions of the world may not only speak with a strong accent, but also have a different attitude toward service delivery and customer satisfaction. However, these differences are decreasing year over year. As one reference client expressed it: If you're going offshore, then you should plan for cultural adjustments. You can't expect everybody else to adapt to you — you have to adapt as well.

Decision Criteria

The main drivers to engage an MSSP are still to reduce costs, to reduce capital expenditures, and to supplement or replace in-house expertise and in-house resources. In Europe, regulatory

compliance plays less of a role than in the U.S.

More specifically, we asked our European reference clients for their main reasons for choosing their service provider. Unlike last year, viewing the provider as a strategic partner is not as important a decision factor as in 2010 (28% in 2011 versus 52% in 2010). The enumeration below shows the decision factors in decreasing order of importance:

■ _{Security expertise}

■ _{Pricing (total cost of contracted services)} ■ _{Understanding of business needs}

■ _{Industry experience}

■ _{Quality of response to RFP or presentation of capabilities} ■ _{View as a strategic partner}

■ _{Perceived viability and/or financial strength} ■ _{Positive experience with provider}

■ _{Good feedback from references} ■ _{Project implementation methodology}

(10)

These priorities favor the specialist provider, the one that can show security, business and industry expertise, not the large incumbent provider of IT or network operations who likes to be preselected as a strategic partner. This is emphasized by the fact that the reason quoted most often for rejecting a provider's offer is "did not demonstrate understanding of business needs."

Few providers know how to differentiate themselves from the competition. Many claim to be "trusted advisors" and to have "global coverage." Feedback from reference clients is different. Pricing, service quality and lack of SLAs are often reasons for dissatisfaction. Sometimes, mistakes are covered up, and documentation is bad. Clients often use two or more security providers (one for email security and one for firewall management). They also compare the performance of the

network provider against the performance of the security infrastructure monitoring provider. For example, a firewall and a router, both managed by different providers, are connected. In case of an outage, the client sees and compares the reaction time of both companies. One client said: "Our network provider informed us that the router was down, and our firewall provider did not even notice. It also happened that penetration testing by a different provider has revealed that ports were not monitored." This has surfaced in 2010 and now again in 2011. Several reference clients were not willing to take this any longer and gave "fair" to "poor" ratings, although most clients are still happy with their provider, and one-quarter rated them as "excellent."

Purchasing Behavior

The bulk of the contracts for MSS in the European region are valued from $150,000 to $750,000 per year (67% of contracts), while 11% of contracts are below the range, and 18% are above that range. The number of midsize contracts (versus large or small contracts) has increased compared with 2010.

The typical contract size in Europe is still much greater than in Asia/Pacific, where 60% of the contracts have a value of less than $150,000 per year. On the other hand, the typical contract size in Europe is similar to the typical contract size in the U.S., where 11% of the contracts are more than $1.5 million in annual value.

Only one-quarter of the European reference clients has been customers of their providers for less than one year; three-quarters have had their contracts for more than one year. The typical contract duration is still three years, but occasionally clients do not conduct a full tender with a detailed request for proposal when the contract expires after three years. If there are no major concerns, then they prefer to extend the contract for another three years, after which they would do a full-scale market analysis again.

The question of whether it is a good or a bad thing to outsource security services to non-European providers came up less often in discussions with reference clients than last year. Gartner's clients are increasingly looking for advice on how to secure and control such offshoring, not whether this is the right option at all.

Security Marketing

The marketing message of a European MSSP often reflects the providers' attitude to service delivery. Some providers focus on technical details, insights about the changing threat landscape

(11)

and security product innovations that cater to the needs of "lean in" customers — that is,

customers who want to get the maximum out of the security services for which they believe they pay a premium. Other providers market to the needs of the "lean back" customer — that is, a customer who has very different core competencies (that is, not IT security) and simply wants the assurance that security has been taken care of. Such a provider emphasizes simplicity, cost-effectiveness, global operations with local adjustments and integration (of networks and security or IT operations and security). Enterprise clients need to look beyond these marketing messages, because some providers cater to both types of audiences. Although there is no right or wrong, it is important that client expectations and provider capabilities match.

Outlook

The market for MSS is changing in various ways, including cloud delivery and virtualization. In 2012, the market for MSS in Europe will continue to grow significantly in volume and also in terms of breadth of features and services. New or enhanced services will include distributed denial of service (DDoS) detection and mitigation, malware/botnet detection, fraud detection, DLP selection and implementation, reputation-based services, tokenization, and mobile security. These services will continue to be complemented on occasion with various identity and access management (IAM) services (role management, authentication and privileged user monitoring), VPN services and more powerful log management services. Management of customer premises security devices will still be the dominant delivery model, but the percentage of hosted, security-as-a-service (SecaaS) and in-the-cloud security services will increase steadily.

There is still no widely accepted standard for the pricing of monitoring and the management of virtualized security infrastructure, and given the variety of options, it may never come. However, clients should ask for a significant advantage over premises-based services and should keep

pushing for lower price points. Pricing for the hardware and pricing for the logical service have to be separated and priced individually, whether or not management and monitoring are addressed together.

The split of the MSS market into IT outsourcers that offer security services, network providers that offer security services, and security specialists has stabilized, and the market will continue this way in 2012. Pure-play security providers will continue to have their place and new players (for example, from Europe or India) will increase in size and reach, and enter the regional European market, trying to differentiate themselves with innovative technology and a flexible portfolio of supported products.

Market/Market Segment Description

For the purposes of this research, Gartner defines "managed security services" as the remote management or monitoring of IT security functions delivered via remote security operations centers, not through personnel on-site. MSS does not, therefore, include staff augmentation or any

consulting, development and integration services. MSS includes:

(12)

■ _{Monitored or managed IPSs} ■ _{DDoS protection}

■ _{Managed secure messaging gateway} ■ _{Managed secure Web gateway} ■ _{Security information management} ■ _{Security event management}

■ _{Managed vulnerability scanning of networks, servers, databases or applications} ■ _{Security vulnerability or threat notification services}

■ _{Log management and analysis}

■ _{Reporting associated with monitored/managed devices and incident response}

This MarketScope evaluates service providers that offer monitored/managed firewall and intrusion detection/prevention functions, rather than those whose main focus is on other elements of the services listed.

Inclusion and Exclusion Criteria

Inclusion Criteria

To be included in this MarketScope, an MSSP must have these qualifications:

■ _{The ability to remotely monitor and/or manage firewalls and intrusion detection/prevention (IDP)} devices from multiple vendors via discrete service offerings

■ _{At least 700 firewall/IDP devices under remote management or monitoring for external} customers in Europe

■ _{At least 50 external customers in Europe with those devices under management or monitoring} ■ _{Reference accounts in Europe relevant to Gartner customers}

Exclusion Criteria

Providers were excluded from this MarketScope of regional providers if they:

■ _{Have more than 90% of their European customers and more than 90% of their devices installed} in Europe in only one country

■ _{Offer MSS only to end users that buy other, non-MSS services}

■ _{Offer services that monitor or manage only the service provider's own technology}

For example, vendors that have only MSS offerings, such as DDoS protection or vulnerability scanning, but not device monitoring and management, are not included. Providers of primarily Web

(13)

and email hygiene and trust services (for example, certificate authorities) are not included. Other vendors offer MSS primarily to hosting customers, with limited offerings to others. As these providers expand the scope of their MSS offerings, they may be included in future MarketScopes.

Rating for Overall Market/Market Segment

Overall Market Rating: Positive

With a portfolio of mature basic services and an array of innovative options, the MSS market in Europe is mature, with a solid growth perspective, despite — or to some extent because of — a continuously difficult global economic climate. Secure infrastructure management is a prerequisite for businesses that have to cut costs and operate under regulatory scrutiny and tight competition. Outsourcing of security to nearshore or offshore countries has become a normal business option for most organizations. Where security concerns remain, physical operations in Europe are an option for most providers in this MarketScope. MSS customers usually extend their outsourcing contracts and occasionally change providers, but they rarely move services back in-house, which is still considered the more costly option.

These factors have resulted in the MSS market in Europe being forecast to grow at a 14% compound annual growth rate from 2011 to 2015 (with the market size for 2011 forecast at $2.5 billion), which means it is still one of the growth sectors in the IT industry.

(14)

Evaluation Criteria

Table 2. Evaluation Criteria

Evaluation Criteria Comment Weighting

Overall Viability (Business Unit, Financial, Strategy, Organization)

Viability includes an assessment of the provider's financial health, the financial and practical success of the MSS unit, and the likelihood that the MSS unit will continue investing in managed security services, and researching and developing innovative security services. Additional areas assessed include management experience, the number of customers in Europe, investment in R&D, and understanding of business and technology trends.

High

Geographic Strategy

This includes the provider's strategy to direct resources, skills and offerings to meet the specific needs of regions outside the native area, directly or through partners, channels and subsidiaries, as appropriate for the region and market. We considered the vendor's ability to articulate the differences between the U.S. and European MSS markets, as well as differences within Europe.

Standard

Product/ Service This is the provider's approach to service development and delivery, which emphasizes differentiation, functionality, methodology and feature sets as they map to current and future requirements. We considered the number of target platforms vendors can manage.

Standard

Marketing Strategy This is a clear, differentiated set of messages, consistently

communicated throughout the organization and externalized through the website, advertising, customer programs and positioning

statements. In addition, we considered how providers measure the effectiveness of marketing programs.

High

Customer Experience

This includes the ways customers receive technical and account support. These can include ancillary tools, customer support

programs (and the quality thereof) and the availability of user groups, SLAs and so on. We also assessed providers' implementation processes and system integration and consulting capabilities. Reference client feedback was particularly important in the rating for this criterion.

High

Innovation This takes into account capital and human resource investments, and the development of new services as displayed in the security service strategy and the road map.

Standard

Market

Responsiveness and Track Record

Ability to understand business and security technology trends and assess competitors. This includes the ability to respond, change direction, be flexible and achieve competitive success as new opportunities develop, competitors act, customer needs evolve and market dynamics change.

Standard

(15)

Figure 1. MarketScope for Managed Security Services in Europe RATING

Strong

Negative Caution Promising Positive

Strong Positive AT&T x Atos x BT Global Services x Computacenter x CSC x Dell (SecureWorks) x HCL Technologies x HP x

IBM Security Services x

Integralis x

Open Systems x

Orange Business Services x

Symantec x Tata Communications x Telefonica x Verizon x Wipro Technologies x As of 26 October 2011

Source: Gartner (October 2011)

Vendor Product/Service Analysis

AT&T

AT&T is a venerable network service provider that tends to emphasize its global approach (it is present in more than 200 countries), rather than regional differentiation. It offers MSS to European multinational companies via SOCs in the U.S. and India, and plans to open another SOC in Eastern Europe.

Its MSS strategy focuses on providing integrated network-based security to European-based customers that possess a global footprint, utilizing services such as virtualized firewall, intrusion prevention, Web filtering, DDoS and premises-based solutions. It is aggressively moving into cloud and software-as-a-service-based security services.

Strengths

(16)

■ _{Its ability to leverage existing communications clients for upselling MSS}

■ _{Its tight bundling of security services with network services and capabilities in cloud security}

Challenges

■ _{Variable response to customer service requests remains an issue}

■ _{Despite global brand and presence, rarely appears on MSS shortlists in Europe, and needs to} improve its visibility as a security provider to extend beyond the multinational company market

Rating: Promising

Atos

Atos (formerly Atos Origin) is an international IT services company with four primary service lines: business consulting, system integration, managed operations and transactional services. In July 2011, Atos completed its acquisition of the IT Solutions and Services subsidiary of Siemens. This analysis reflects the preacquisition situation.

Its security services strategy focuses on Atos High Performance Security, an integrated SecaaS platform. The security portfolio includes endpoint security, server security, network security and IAM. Other focus areas are governance/risk/compliance and cloud security. Most of its MSSP contracts are part of larger IT outsourcing relationships. It targets the public sector, financial services (card payments) and healthcare sectors.

Strengths

■ _{Experience in integrating security services with complex, large-scale IT programs (its IT security} services for the Olympics are an example)

■ _{Ability to work effectively and collaboratively with other service providers (for example, network} service providers) that its clients have engaged

■ _{Knowledge and skills of some of its technical MSS staff}

Challenges

■ _{Pursuing information security with the same diligence as IT operations}

■ _{Improving collaboration among and consistency of different countries' and teams' operations} ■ _{Becoming more cost-efficient, reducing the tendency to overengineer security solutions}

Rating: Positive

BT Global Services

BT is an established name in network and communications services in Europe. Because of ongoing R&D investments and marketing that exhibits regional insights, BT also managed to shape a decent

(17)

security service profile. Customer feedback in Europe has also been more positive over the past year. BT has an extensive security service portfolio with a focus on multifunction firewall/UTM devices and secure message gateways.

Its MSS differentiation focuses on security embedded in the network, skilled resources and a global infrastructure. Targeting mainly large enterprises, its key messages emphasize the basics —

simplicity, cost reduction, compliance and asset protection.

Strengths

■ _{A resilient operations infrastructure and BT's responsiveness in incident reporting} ■ _{The quality of its internal operational processes (for example, quality assurance)}

■ _{The skills of its engineers and the ability to listen, respond and adjust to client requirements}

Challenges

■ _{Sharing information more openly and making it available in real time, rather than on request} ■ _{Cost savings in order to keep pricing competitive must not result in staff shortage}

Rating: Strong Positive

Computacenter

Computacenter is a European provider of outsourcing, outtasking, consulting and support services. It operates primarily in the U.K. and in Germany, and has two SOCs in each of these two countries. Its MSS strategy emphasizes a holistic approach to security (client, network and data center), integrating MSS into other outsourcing deals and customer intimacy. It differentiates on agility, value for money and customer relationships. Its customer growth in 2010 was above average. Computacenter has had recent success in the automotive, pharmaceutical and finance industries.

Strengths

■ _{Providing cost-effective services from a European vendor}

■ _{Acting as a strategic partner, is able to understand infrastructure and business requirements} ■ _{Having the ability to leverage the existing client base for upselling managed security services}

Challenges

■ _{Reducing the perceived gap between promise and performance} ■ _{Improving service consistency and quality}

(18)

■ _{Improving knowledge of industry-specific needs and requirements}

Rating: Positive

CSC

CSC is a global provider of IT-enabled business solutions and services. This ranges from consulting, to solution design through to implementation and management of the solution. Headquartered in the U.S., it provides MSS via security operations centers in the U.K., Australia, Malaysia and the U.S.

It emphasizes the need to address security from a business risk perspective, not just a technology perspective. This is a message that tends to resonate with European client organizations. In Europe, its traditional customers are from within its outsourcing base, although more recently, it has

targeted the public sector and financial services for its MSS.

Most customers in Europe use CSC for the management of firewalls, customer-owned SIEM/log management and endpoint security clients. For cloud-based Web and email, CSC chooses to work with partners.

Strengths

■ _{Having the capability to embed an information risk manager as a single point of contact in the} client's organization

■ _{Being able to work with partners to complete the security service portfolio} ■ _{Being able to leverage its existing client base for upselling MSS}

Challenges

■ _{Being more flexible (and less commercially rigorous) in its response to changing client} requirements

■ _{Aligning communications between security and other operational teams}

■ _{Improving the ability to leverage security and threat information from its large client base for the} benefit of individual clients and delivering enhanced portal capabilities

Rating: Positive

Dell (SecureWorks)

Dell SecureWorks Information Security Services is the result of Dell's acquisition of SecureWorks (U.S.). With this acquisition, Dell benefits from SecureWorks' previous acquisitions of VeriSign's MSS operations and dns (U.K.) in 2009 through 2011. Dell SecureWorks manages and/or monitors security devices all over Europe, predominantly in the U.K., especially log sources, firewalls, network IDS/IPSs and data loss prevention systems. Dell SecureWorks operates two SOCs in Europe, provides a comprehensive portal, and also offers support in Spanish and French.

(19)

Strengths

■ _{Its clearly articulated strategy in Europe, its understanding of the market and its increasing} investments in R&D

■ _{Its ability and willingness to adapt to the changing needs of large clients}

■ _{Its advanced portal (including asset information and various correlation capabilities)}

Challenges

■ _{Mitigating the perception that a large vendor cannot provide customer intimacy} ■ _{Continuing to establish a brand presence in the European security market} ■ _{Ensuring consistency of service quality during acquisition integration}

Rating: Positive

HCL Technologies

HCL Technologies is an India-based offshore provider that has already gained some traction in Europe. HCL continues to show significant revenue growth in Europe.

HCL is strong in server-based security services (IDS/IPS and log collection) as well as endpoint security client management. In addition, it offers application security services and IAM. It also claims comprehensive portal capabilities. HCL focuses on providing flexible services based on a large pool of skilled, experienced resources and can support delivery in a large number of European languages.

Strengths

■ _{Consistent and mature service delivery, including a methodological, process-driven approach to} security management

■ _{Human resource management — expertise of staff and relatively low staffing turnover rate} ■ _{Ability to pull in expertise, on demand, from a large resource pool}

■ _{Cost-effectiveness, especially for standard platforms in the HCL support portfolio, and for} services that don't deviate from the standard offerings

Challenges

■ _{Improving management of nonstandard requests, specifically the ability to deal with requests} and issues that fall outside the scope of the existing formal processes

■ _{Improving strategic planning — clients would like to see more forward-thinking and innovative} suggestions for dealing with a constantly changing security environment

(20)

Rating: Positive

HP

HP offers enterprise security products and enterprise security services. Its managed security services represent the capabilities of HP, EDS (acquired by HP in August 2008) and Vistorm

(acquired by EDS in April 2008). Vistorm was an established security services and consulting vendor based in the U.K. With ArcSight, HP also owns one of the more widely deployed SIEM technologies. In Europe, HP targets enterprise accounts in various industries, including the public sector, financial services and utilities sectors, as well as organizations in the high-end small and midsize business scale. Its European security customer base is stable.

HP's security service portfolio includes endpoint security, and firewall and network IPS

management. HP recently announced enterprise cloud services: vulnerability scanning, vulnerability intelligence and endpoint threat management. It has five SOCs worldwide, two of which are in Europe (the U.K. and Spain).

Strengths

■ _{Its experience in integrating security services with complex, large-scale enterprise IT solutions} ■ _{It takes the time to develop a detailed understanding of the technical, commercial and}

functional aspects of client business operations

■ _{Willingness to reduce service pricing if customer accepts management handled in another} country

Challenges

■ _{Improving the features and functionality of its MSS portal (which is currently available only in} English)

■ _{Ensuring that Vistorm's strengths are not lost in the HP enterprise}

■ _{Improving HP's visibility as a security player in the broader European MSS market}

Rating: Positive

IBM Security Services

IBM's security capabilities include managed security services and cloud-based security offerings complemented by a portfolio of professional security services with a slight emphasis on server and endpoint security (versus network security). IBM Security Services targets larger enterprises and existing customers for its MSS. It emphasizes its reputation, global reach, and depth and breadth of its solution offerings as key differentiators. IBM is the MSS provider that appears most often on customer shortlists in Europe.

(21)

Strengths

■ _{Global security view based on large number of customers}

■ _{Supports many European languages and has a presence in all major European countries} ■ _{Experience with various security products (such as IBM and Cisco)}

Challenges

■ _{Addressing client reports of inconsistencies in service delivery standards}

■ _{Improving the flexibility of IBM processes and procedures to cater to changing customer} requirements

■ _{Realizing that cost is still often quoted as a major reason for not selecting IBM during} competitive bidding

Rating: Positive

Integralis

Integralis is a provider of security services originally based in Europe that has grown steadily over the years and is now present in Europe, the U.S. and Southeast Asia with a total of nine SOCs. This includes operations of Secode, a Scandinavian MSSP that was acquired in 2010 — like Integralis in 2009 — by NTT Communications, Japan. Integralis remains an independent subsidiary of NTT Communications. Integralis provides a broad portfolio of network and server-based security services, including data center, CPE and cloud-based services.

Strengths

■ _{Excellent technical skills of its workforce}

■ _{Flexibility in dealing with clients' security requirements}

■ _{Clients especially value Integralis' security architecture design capabilities}

Challenges

■ _{Retaining its price competitiveness versus the offshore providers} ■ _{Making sure that administrative back-end processes don't slip} ■ _{Keeping the functionality of its portal competitive}

(22)

Open Systems

Open Systems is a specialized security service provider headquartered in Switzerland, with an additional security operations center in Sydney. Its portfolio focuses on multifunction firewall/UTM devices, Web application firewalls, secure Web/email gateways and traditional firewall/network IPS. Open Systems operates a variation of the follow-the-sun model with its two SOCs. All Sydney employees are recruited under Swiss law. They are trained in the headquarters and then sent to Sydney three to four months in rotation. Open Systems is conscious of the demand for on-premises delivery due to the need for storing sensitive data locally, and hence, it evaluates cloud delivery options with caution.

Strengths

■ _{Comprehensive service portfolio with a focus on network-based security}

■ _{Commitment to employee development resulting in low staff fluctuation, stable service quality} and high customer satisfaction

■ _{Customers' appreciation that the staff is client-focused, flexible and highly professional}

Challenges

■ _{Maintain the balance between high growth, high quality and customized (rather than merely} packaged) security services

■ _{Expand the standard portfolio to include log management if clients demand it} ■ _{Improve visibility in the European market for managed security services}

Rating: Positive

Orange Business Services

Orange Business Services is the brand name under which France Telecom offers most of its

managed security services. The company is a sizable player in the MSS space in Europe because of its large base of network and communications clients. Offerings include the management of

firewalls, network intrusion prevention devices and an above-average number of secure Web gateways. Security services are available independently, but many sales combine aspects of network operations, security services and security consulting.

The company's marketing emphasizes simplicity, flexible delivery models and reduced total cost of ownership (TCO) in its MSS offerings. It has 10 SOCs globally, seven of which are in Europe.

Strengths

■ _{Focus on small and midsize businesses, especially in France/Benelux, but also active in all} other European regions

(23)

■ _{Its moving from device-based to hosted and cloud security services}

Challenges

■ _{Express more clearly how it intends to stay abreast of threat and technological developments} ■ _{Implement the road map for security services and articulate where R&D investments will be}

made

■ _{Improve visibility in the enterprise security market segment}

Rating: Promising

Symantec

Symantec is a vendor with a broad portfolio of security products and services. Managed services include server and network IDS/IPS, firewalls, and endpoint security solutions. It has four SOCs worldwide, operates a large network of security information sensors and employs a sizable staff of security administrators. It offers a comprehensive security portal, has developed a technology- and customer-oriented road map, and has detailed awareness of its regional competition.

Strengths

■ _{Its global view of the threat environment via its threat intelligence capability} ■ _{Its responsiveness to client requests, and its flexibility}

■ _{The quality of its support and sales resources}

Challenges

■ _{Monitoring quality of support services provided by local partners}

■ _{Realizing that, despite its massive brand presence in the security product market, Symantec still} has a comparatively low profile as an MSS player in Europe

Rating: Strong Positive

Tata Communications

Tata Communications is an India-based global communications provider. It provides MSS via five global SOCs, one of which is in Europe. It targets large multinational organizations in the retail, pharmaceutical, oil and gas, and financial services industries.

Its MSS strategy focuses on compliance, customer service, TCO and integration with the rest of its service portfolio. While its European revenue base is still small, it showed the strongest customer growth of all European MSSPs surveyed in 2010.

(24)

While Tata Communications meets the inclusion criteria in terms of device and customer numbers in Europe, we could not verify the provider's portfolio and performance claims independently.

Strengths

■ _{Being able to leverage existing clients for upselling MSS} ■ _{Supporting a broad range of security products}

■ _{Understanding global market trends, and being able to present an insightful road map, having} obtained relevant certifications for its security services

Challenges

■ _{Establishing a measurable presence in the European market} ■ _{Proving their understanding of regional and local requirements}

Rating: Caution

Telefonica

Telefonica is a large, integrated telecommunications provider with international operations and a strong position in Spain, also with a relevant customer base in most other European regions. It provides management of Web application firewalls, network firewalls and IPSs. It also manages endpoint security clients and operates some DLP devices.

Strengths

■ _{Flexibility in adapting to client requirements}

■ _{Ability to foster and maintain strong local relationships} ■ _{Sound knowledge of technology and client requirements}

Challenges

■ _{Improving the quality of service delivery and service management to competitive standards, in} particular where subcontractors are involved

■ _{Accelerating service deployments and equipment updates}

Rating: Positive

Verizon

Verizon is a major mainstream MSS provider with good coverage in Europe. It has an elaborate road map and invests in reputational intelligence and secure mobility services. Verizon tends to integrate security services into other networking and IT services. It has a solid presence in Europe, and

(25)

emphasizes its correlation capabilities, security expertise, global reach and risk-based security on global IP networks. While not inexpensive, its prices are generally considered acceptable.

Strengths

■ _{Having global reach and expertise}

■ _{The knowledge and skills of its European staff}

■ _{Offering threat intelligence correlated from various sources}

Challenges

■ _{Providing European clients with consistently high service quality from U.S. operations} ■ _{Improving the quality of communications among staff in different teams managing different}

services (for example, firewall administration versus antivirus versus IDS/IPS) ■ _{Avoiding becoming more bureaucratic, especially in back-office processes}

Rating: Positive

Wipro Technologies

Wipro Technologies is an offshore IT service and system integration company based in India. It provides managed security services to organizations in Europe from a primary control center in India supported by five regional SOCs in Europe, which deliver services locally and improve cross-border data privacy compliance. Wipro offers various delivery models, including a dedicated SOC, an SOC at customer premises, cloud-based operations or hosted services. Its staff works as part of the customer organization, co-managed and in a fully outsourced model. The majority of its

European MSS clients are also clients of other Wipro IT services.

Strengths

■ _{Its flexibility and willingness to help customers, even on short notice} ■ _{The quantity and quality of its skilled staff}

■ _{Its ability to upsell security services to existing clients}

Challenges

■ _{Finding the right balance between tolerating some staff fluctuation in order to support very} competitive pricing and deploying experienced staff to provide the best service experience ■ _{Increasing brand visibility in the European security services market}

(26)

Vendors Added or Dropped

We review and adjust our inclusion criteria for Magic Quadrants and MarketScopes as markets change. As a result of these adjustments, the mix of vendors in any Magic Quadrant or MarketScope may change over time. A vendor appearing in a Magic Quadrant or MarketScope one year and not the next does not necessarily indicate that we have changed our opinion of that vendor. This may be a reflection of a change in the market and, therefore, changed evaluation criteria, or a change of focus by a vendor.

Gartner MarketScope Defined

Gartner's MarketScope provides specific guidance for users who are deploying, or have deployed, products or services. A Gartner MarketScope rating does not imply that the vendor meets all, few or none of the evaluation criteria. The Gartner MarketScope evaluation is based on a weighted evaluation of a vendor's products in comparison with

(27)

the evaluation criteria. Consider Gartner's criteria as they apply to your specific requirements. Contact Gartner to discuss how this evaluation may affect your specific needs.

MarketScope Rating Framework

Strong Positive

Is viewed as a provider of strategic products, services or solutions: ■ _{Customers: Continue with planned investments.}

■ _{Potential customers: Consider this vendor a strong choice for strategic} investments.

Positive

Demonstrates strength in specific areas, but execution in one or more areas may still be developing or inconsistent with other areas of performance:

■ _{Customers: Continue planned investments.}

■ _{Potential customers: Consider this vendor a viable choice for strategic or tactical} investments, while planning for known limitations.

Promising

Shows potential in specific areas; however, execution is inconsistent:

■ _{Customers: Consider the short- and long-term impact of possible changes in} status.

■ _{Potential customers: Plan for and be aware of issues and opportunities related to} the evolution and maturity of this vendor.

Caution

Faces challenges in one or more areas:

■ _{Customers: Understand challenges in relevant areas, and develop contingency} plans based on risk tolerance and possible business impact.

■ _{Potential customers: Account for the vendor's challenges as part of due diligence.}

Strong Negative

Has difficulty responding to problems in multiple areas:

■ _{Customers: Execute risk mitigation plans and contingency options.}

■ _{Potential customers: Consider this vendor only for tactical investment with} short-term, rapid payback.

(28)

Regional Headquarters

Corporate Headquarters

56 Top Gallant Road Stamford, CT 06902-7700 USA +1 203 964 0096 Japan Headquarters Gartner Japan Ltd. Aobadai Hills, 6F 7-7, Aobadai, 4-chome Meguro-ku, Tokyo 153-0042 JAPAN +81 3 3481 3670 European Headquarters Tamesis The Glanty Egham Surrey, TW20 9AW UNITED KINGDOM +44 1784 431611

Latin America Headquarters

Gartner do Brazil

Av. das Nações Unidas, 12551 9° andar—World Trade Center 04578-903—São Paulo SP BRAZIL

+55 11 3443 1509

Asia/Pacific Headquarters

Gartner Australasia Pty. Ltd. Level 9, 141 Walker Street North Sydney

New South Wales 2060 AUSTRALIA

+61 2 9459 4600

© 2011 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. or its affiliates. This publication may not be reproduced or distributed in any form without Gartner’s prior written permission. The information contained in this publication has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information and shall have no liability for errors, omissions or inadequacies in such information. This publication consists of the opinions of Gartner’s research organization and should not be construed as statements of fact. The opinions expressed herein are subject to change without notice. Although Gartner research may include a discussion of related legal issues, Gartner does not provide legal advice or services and its research should not be construed or used as such. Gartner is a public company, and its

shareholders may include firms and funds that have financial interests in entities covered in Gartner research. Gartner’s Board of Directors may include senior managers of these firms or funds. Gartner research is produced independently by its research organization without input or influence from these firms, funds or their managers. For further information on the independence and integrity of Gartner research, see “Guiding Principles on Independence and Objectivity” on its website, http://www.gartner.com/technology/about/

MarketScope for Managed Security Services in Europe