March 10, 2010

Market Overview: Managed Security Services

by Khalid Kark for Security & Risk Professionals

Making Leaders Successful Every Day

For Security & Risk Professionals

Market Overview: Managed Security Services

look beyond cost Savings and 24x7 Support to Select an MSSP
by Khalid Kark with Jonathan Penn, Robert Whiteley, and lindsey coit

March 10, 2010

ExEcut i v E S u M Ma Ry
The managed security services market is growing at a healthy clip due to a confluence of several factors, most notably staffing and skill pressures, an ever-evolving threat landscape, and an increasing compliance burden. As a result, not only are we seeing a significant change in the services offered, but the demands from the customers are also changing and shaping some of those changes. Its safe to assume that using a managed security services provider (MSSP) today is a lot more than just a cheap alternative to doing the same work in-house. MSSPs are not just managing devices; they also provide insightful analysis that can help with business decisions.

tabl E O F cO n tE ntS
2 The MSS Market Is Growing During The Economic Downturn Steady Growth and vendor consolidation Point to a Maturing Market changing Market Dynamics bring in new customers and Market Opportunities 5 Organizations Turn To MSSPs More For Competency Than For Cost changing business Expectations are Defining new Service Offerings 9 Managed Security Services Come In Different Flavors 11 Key Factors That Will Influence Your Decision todays Decision criteria are Focused On tactical and Operational capabilities Future Decision criteria Will Focus On the value and Risk Management vendor Overview
REcOMMEnDatiOnS

n Ot E S & RE S O u RcE S
in developing this report, Forrester drew from a wealth of analyst experience, insight, and research through advisory and inquiry discussions with end users, vendors, and regulators across industry sectors.

Related Research Documents the Forrester Wave: content Security Suites, Q2 2009 april 16, 2009
case Study: Standard chartered bank uses an MSSP to Optimize its Security Monitoring September 29, 2008 the Forrester Wave: Managed Security Services, Q4 2007 October 4, 2007

16 How To Choose The Right Managed Security Services Provider For You

2010, Forrester Research, Inc. All rights reserved. Unauthorized reproduction is strictly prohibited. Information is based on best available resources. Opinions reflect judgment at the time and are subject to change. Forrester, Technographics, Forrester Wave, RoleView, TechRadar, and Total Economic Impact are trademarks of Forrester Research, Inc. All other trademarks are the property of their respective companies. To purchase reprints of this document, please email clientsupport@forrester.com. For additional information, go to www.forrester.com.

Market Overview: Managed Security Services

For Security & Risk Professionals

THE MSS MaRKET IS GROWInG DuRInG THE ECOnOMIC DOWnTuRn A few years back as companies grappled with IT outsourcing it was safe to assume that the IT security organization was exempt because, as many chief information security officers (CISOs) told us, We would never outsource security. Guess what? Today, one in four now outsource their email filtering, and another 12% are very interested in doing so in the next 12 months. Another 13% already outsource their vulnerability management a treasure trove for potential hackers and an additional 19% say they are very interested in doing so in the next 12 months. Although security spending stayed flat for the most part in 2009, Forrester estimates that the managed services market grew by roughly 8%.1 Today, managed security services (MSS) offerings exist in various forms, from pure system management to more sophisticated log analysis using a number of delivery mechanisms, from software-as-a-service (SaaS) and cloud services to on-premises device monitoring and management (see Figure 1). Steady Growth and Vendor Consolidation Point To a Maturing Market Not only has the market been growing steadily over the past few years, but the service provider and market dynamics have also changed due to a series of mergers, acquisitions, partnerships, and reprioritization of MSS portfolios. After a tumultuous 2009, we have seen:

The MSSP market size eclipse $4 billion. Forrester estimates the global size of the managed

security services market to be $4.5 billion, which includes outsourced and SaaS security services as well as other annualized security operations.2 Although the market is still consolidating, the top 20 vendors already command close to 80% of the market share (see Figure 2).3

Mergers and acquisitions enhance current capabilities. The recent acquisition of VeriSign

MSS by SecureWorks and the previous acquisitions of Counterpane, Cybertrust, and ISS have all been fairly successful at not just growing the MSSP market share for the acquirers but also at providing the financial wherewithal to invest in areas such as threat intelligence and to build new and enhanced services.

Partnerships expand international presence. Another trend is companies expanding beyond

the traditional geographic boundaries to serve an increasingly global client base. Recent announcements of Solutionary partnering with e-Cop in Singapore and SecureWorks acquiring DNS point to this trend.

March 10, 2010

2010, Forrester Research, inc. Reproduction Prohibited

Market Overview: Managed Security Services

For Security & Risk Professionals

Figure 1 common Managed Security Services and Forresters Estimate Of Market Penetration
Forresters estimated market penetration 15%-20% 10%-15%

Domain Security event monitoring Managed endpoints

Types of services Log monitoring, event correlation, and analysis DDoS protection Managed desktop antimalware Managed desktop data security Managed desktop change/conguration control Managed server HIDS Managed server change/conguration control Log collection, retention, integrity/chain of custody, access/review auditing, and reporting Threat/malware/vulnerability intelligence and alert services Internal and external vulnerability scans Patching, upgrades, conguration enforcement, and change control Internal and external vulnerability scans Patching, upgrades, conguration enforcement, and change control Application penetration testing and vulnerability scans Code analysis and review Managed application rewalls Incident planning and response Forensics and investigations Email monitoring and ltering Email encryption Email archiving Web monitoring and ltering Regulatory compliance assessments Policy compliance assessments Third-party assessments Security benchmarking

Log management Threat intelligence

5%-10% 15%-20%

Vulnerability management Application security services

10%-15%

5%-10%

Incident response services Content security

0%-5% 25%-30%

Policy/compliance

15%-20%

Managed devices (i.e., Managed/hosted network perimeter services hosted and managed Managed/hosted application rewalls CPE security devices Managed/hosted SIEM not just the logs of those devices) Identity and access management Access administration Two-factor authN Federation Credential services

10%-15%

5%-10%

56068

Source: Forrester Research, Inc.

2010, Forrester Research, inc. Reproduction Prohibited

March 10, 2010

Market Overview: Managed Security Services

For Security & Risk Professionals

Figure 2 Market Share Of top Managed Security Services Providers

IBM 10% Other 23% Symantec 9% BT 7% CGI 2% Bell Canada 2% Wipro 3% T-Systems 3% SecureWorks 3% Northrop Grumman 3% AT&T 4% CSC 4% Lockheed Martin 3% Source: Forrester estimate based on information provided by managed security service providers
56068 Source: Forrester Research, Inc.

Getronics Raytheon 2% 2%

HP 7%

Verizon Business 7% Fujitsu 6%

Changing Market Dynamics Bring In new Customers and Market Opportunities Not only are the internal and external threat paradigms changing rapidly, but the changing business conditions are also affecting the types of services that customers request. In todays MSS market we see that:

Both supply and demand of MSS are on the rise. Companies are willing to outsource more

of their environment than ever before. Traditionally, outsourcing was only used for day-to-day security functions such as network firewall monitoring and email filtering areas discrete and unintegrated from the rest of IT such as email security and Web filtering. While these are still among the most prevalent services, increasingly more companies are turning to an MSSP to manage additional security functions that are highly operationalized (event monitoring) and integrated (log management ) within the IT environment.

Security services are being bundled with larger IT outsourcing deals. In recent years weve seen
a vast number of service providers marketing and selling security services as part of a larger IT and telecom services bundle. While this is a growing trend, there are still some large outsourcing companies, such as IBM and Wipro Technologies, that primarily sell security as a standalone offering, so expect this trend to only continue as all companies move to integrated offerings.

March 10, 2010

2010, Forrester Research, inc. Reproduction Prohibited

Market Overview: Managed Security Services

For Security & Risk Professionals

Professional services capabilities are improving. Many companies are looking for both an

outsourcer and a strategic partner to help them transform their security capabilities. In fact, one CISO we spoke to uses the term co-sourcing rather than outsourcing, to emphasize just how vital the MSSP-customer relationship is. While many MSSPs have started to respond to this need by offering consulting services, not all providers are equally proficient. Expect MSSPs to further invest in professional services capabilities to provide appropriate integration and consulting to run your environment efficiently.

Cloud services are ushering in a new set of customers and requirements . . . Over the past

few months, Forrester has received several inquiries on telcos offering cloud services such as distributed denial of service (DDoS) protection and clean pipe services. Traditional MSSPs are only starting to take this area on, and a number of them are building infrastructure and offerings in this space. Network service providers that own the pipe have an inherent advantage in this area because they can look across their backbones and detect and prevent potential attacks earlier than most of the other service providers. Forrester is also seeing specialized cloud service providers such as MessageLabs (now Symantec Hosted Services), Postini (now part of Google), and Zscaler successfully offering focused cloud security services.

. . . but some service providers may just be transferring the infrastructure to their data

centers. Customers get the benefit of infrastructure being shifted away from their own real estate, but they are not getting the same economic advantage that a true, multitenant cloud architect provides. Telcos can offer a true multitenant architecture that is closer to the client from a network perspective. Other cloud services are also being offered by purpose-built service providers such as MessageLabs, Postini, and Zscaler.

ORGanIzaTIOnS TuRn TO MSSPs MORE FOR COMPETEnCY THan FOR COST Initially, lower cost was the primary driver for moving to a managed services provider, but cost only ranks fourth in decision criteria today. There are a number of other drivers pushing companies to use MSSPs (see Figure 3). CISOs tell us that they turn to MSSPs to:

Improve the quality of protection. The security resources in many organizations are stretched

too thin already, leading to increased workload, more stress, and the potential for more mistakes. Some organizations simply dont have the desired security expertise in certain areas or cant afford it, leading to large gaps in the security portfolio. Rather than invest internally, an MSSP can help fill the gaps and reduce the workload from existing resources.

Gain 24x7 support. The threat landscape has become too complex and too sophisticated to rely
on a 9 to 5 security support model. Internal resources would require two additional shifts along with the costs and manpower associated with them, while an outsourcing provider can do it for a fraction of the cost and in many cases may even provide local on-site support.

2010, Forrester Research, inc. Reproduction Prohibited

March 10, 2010

Market Overview: Managed Security Services

For Security & Risk Professionals

Get better skill sets and competencies. One CISO of a large entertainment company that

uses extensive MSS recently told us, It is important to understand the fact that your staff will not be competent in all aspects of security its better to outsource certain areas and let the real professionals handle those issues. Security analysts at managed security companies have more depth, breadth, and experience because they deal with a wide variety of clients and environments.

Reduce costs. Continued economic pressures have forced many security organizations to

significantly scale back either in the form of budget cuts, head count reduction, or in some cases, both. Faced with fewer resources, many security organizations have been forced to employ MSS to meet their obligations. Interestingly, many of these companies plan on continuing with this model even when times get better.

Decrease complexity. Over time, large enterprises amass an impressive array of security

technologies and processes that churn out a tremendous amount of data. As a result, its not surprising that one of the most common challenges cited by security managers is sifting through this data and bringing it all together to create a comprehensive view of their information security. Having someone else do the sifting and presenting a neat dashboard to review is certainly an appealing concept for many CISOs.

Figure 3 Drivers For Employing MSS Have changed Significantly From the Past
How important were the following in your rms decision to adopt managed security services? (respondents that answered very important) Gain 24x7 coverage Improve quality of protection Greater competency Reduced cost Improve regulatory compliance Reduced complexity Decrease liability concerns Because the rest of the IT environment is outsourced 4% 21% 20% 18% 28% 27% 34% 34%

Base: 1,214 North American and European IT security decision-makers interested in managed security services Source: Enterprise And SMB Security Survey, North America And Europe, Q3 2009
56068 Source: Forrester Research, Inc.

March 10, 2010

2010, Forrester Research, inc. Reproduction Prohibited

Market Overview: Managed Security Services

For Security & Risk Professionals

Changing Business Expectations are Defining new Service Offerings Over time, the expectations and role of the information security group have changed significantly. Today, security managers are expected to run the operations as well as provide value-added services in support of business objectives such as enhancing privacy, achieving compliance, and protecting intellectual property (see Figure 4). Security managers are now demanding additional services from MSSPs, which in return are responding by transforming their traditional services from:

Operational metrics to return on investment (ROI) and efficiency metrics. Organizations

are not necessarily looking to cut their security costs; they are more interested in spending the money on the right priorities. To get there, they need to be armed with the right operational metrics. Many MSSPs are addressing this need by providing comprehensive dashboards and drilldown capabilities to give the right level of visibility to their clients. Some are even quantifying the risks in dollars and providing ROI and efficiency metrics for management consumption.

Infrastructure protection to application security. MSSPs today offer a lot more than device

monitoring and email filtering. Log aggregation is no longer enough. A majority of attacks today focus not on the infrastructure but on the applications residing on this infrastructure.4 Service providers are offering managed application firewalls, application security scanning, and penetration testing to make the applications more secure. These services will continue to grow as more people realize the significance of application security and as regulatory requirements such as PCI highlight this as a potential area of concern.

Regulatory compliance to risk management. As a consequence of the maturing managed

services market, expectations around regulatory compliance have also changed. CISOs are not just asking the MSSPs to help them comply with particular regulations but to advise on future investments and focus areas. Many MSSPs are being asked to perform basic security and risk assessments based on a standard or framework not a regulation. The goal is to address the core risks rather than putting on a Band-Aid solution to appease an auditors regulatory check.

Monitoring and alerting to analysis and intelligence. The sophistication and targeted nature of
attacks are becoming too much for small security staffs to handle. As a result, many are turning to MSSPs, which in turn are offering more than the run-of-the-mill monitoring and alerting service and are now providing intelligence capabilities that are specific to the environment of the organization. Service providers are classifying data and applications, maintaining device inventory, and applying the vulnerability and threat intelligence they get to this information so that they can provide relevant and contextual information to their clients.

2010, Forrester Research, inc. Reproduction Prohibited

March 10, 2010

Market Overview: Managed Security Services

For Security & Risk Professionals

Figure 4 MSSP Focus areas and Operations centers

Vendor AT&T

No op . of er se at cu io rit ns y ce nt er s

SOC location Virginia, North Carolina, New Jersey

Top three industries Healthcare, government (state and federal), and nancial companies Government, nancial, and health Public sector, nance & insurance, and retail & manufacturing Government, nance, and leisure & entertainment Manufacturing, healthcare, and energy Financial services (banking & insurance), government, and manufacturing Financial, healthcare, and public (education & federal) Government, healthcare, and nance Financial services, distribution, and public sector

Bell Canada BT Boxing Orange CentraComm CGI

3 9 2 2 5

Montreal, Ottawa, Vancouver Los Angeles; Chantilly, Va.; Princeton, N.J.; London; Edinburgh, UK; Paris; Milan; Sao Paulo Leeds, UK; Sunderland, UK Bluton, Ohio; Findlay, Ohio Ottawa; Gatineau, Canada; Phoenix; Basingstoke, UK Solihull, UK; Tatebayashi, Japan; Maarssen, Netherlands; Kazan, Russia; Sunnyvale, Calif.; Dallas; Montreal; Quebec Plano, Texas; Zaragoza, Spain; Kuala Lumpur, Malaysia; Daresbury, UK Atlanta; Southeld, Mich.; Boulder; Colo.; Toronto, Canada; Brisbane, Australia; Brussels; Hortolandia, Brazil; Tokyo; Bangalore, India

Fujitsu

HP IBM

4 9

Integralis ITC Infotech

7 1

Financial services & retail, Aliso Viejo, Calif.; Hartford, Conn.; Theale, UK; Ismaning, Germany; Paris; Stockholm; Singapore government, and healthcare Bangalore, India Consumer packaged goods, manufacturing, and nancial services Public sector; industry, distribution & transport (IDT); and energy & utilities

Logica

Sweden

NIIT Technologies SecureWorks

56068

3 5

Stuttgart, Germany; Gurgaon and Mumbai, India Insurance, travel, and banking Atlanta; Chicago; Myrtle Beach; Providence; UK Financial, utilities, and retail
Source: Forrester Research, Inc.

March 10, 2010

2010, Forrester Research, inc. Reproduction Prohibited

Market Overview: Managed Security Services

For Security & Risk Professionals

Figure 4 MSSP Focus areas and Operations centers (cont.)

Vendor

No op . of er se at cu io rit ns y ce nt er s

SOC location

Top three industries Retail, nancial services, and healthcare Financial services, healthcare, and retail Financial services, manufacturing, and government

Secure Designs Solutionary

2 10*

North Carolina Omaha, Neb.; Pittsburgh; Singapore; Malaysia; Hong Kong; Germany; Beijing; Taiwan; Bangkok, Thailand; Japan Alexandria, Va.; Sydney; Green Park, UK; Pune, India

Symantec Tata Communications Telefonica

4 4 3

Chennai, India; Singapore; Herndon, Va.; London Finance, manufacturing, and technology Madrid, Spain; Lima, Peru; Miami Financial institutions, national security administrations, and industrial services Financial institutions, retail, and hospitality & food service Auto, telco, and public Financial services, federal government, and retail Financial services, government, and healthcare BFM, retail, and energy & utility

Trustwave T-Systems Unisys Verizon Wipro

3 3 5 5 7

Chicago; Madison, Wis.; Warsaw, Poland Germany, Czech Republic, Hungary Amsterdam; Wellington, New Zealand; Salt Lake City; Reston, Va.; Bangalore, India Leuven, Belgium; Luxembourg; Ashburn, Va.; Cary, N.C.; Canberra; Australia Arizona; New York; Denver; Reading, UK; India; Romania; Toulouse, France

*This includes three Solutionary SOCs and seven SOCs through partnership with e-Cop.
56068 Source: Forrester Research, Inc.

ManaGED SECuRITY SERVICES COME In DIFFEREnT FlaVORS We anticipate that MSS growth will accelerate if the economy remains soft. As it is, the market for MSS is currently growing faster than any other segment in the security budget. The MSS landscape is currently divided into five segments:

Telecommunications providers. This segment of the market has really come forward as

the most dominant. It has the potential to fundamentally change market dynamics, and we expect it to take over MSS in the coming years. Telecommunications providers already have a substantial existing customer base that they can reach out to and offer additional security

2010, Forrester Research, inc. Reproduction Prohibited

March 10, 2010

10

Market Overview: Managed Security Services

For Security & Risk Professionals

services. Primarily infrastructure-focused, the telcos look to add value by bundling security services with their telecom services. This segment of the market will also change the cost dynamics for two reasons: 1) economy of scale resulting from already having a high volume of customers, and 2) heavy investment in cloud computing where a network-based cloud delivery offers a multitenant, low-cost alternative. The telco segment is also starting to offer reasonable consulting capabilities; while theyre not yet equivalent to the leading consulting players, theyre growing in maturity and capability. Major players in this space include AT&T, BT Group, T-Systems International, Tata Communications, and Verizon.

IT outsourcing companies. IT outsourcers offer a higher value-add as well as an onshore/

offshore mixed model. These service providers are focused first and foremost on reducing cost, which they do by targeting certain areas of your environment to outsource. While they currently have a reasonable cost margin, it will get harder to compete with the telco providers if they are able to offer lower-cost cloud alternatives. With the IT outsourcers, managed security services are often bundled within a larger IT infrastructure outsourcing deal. Major players in this space include Accenture, Computer Sciences Corporation (CSC), Fujitsu, Hewlett-Packard (HP) (combined with the former EDS), IBM, and Wipro Technologies.

Value-added resellers (VARs) and system integrators (SIs). Growing rapidly, this market

segment primarily provides services to the government and SMBs. They typically focus on integration and ease of use. Cost is usually a significant factor, and they try to get to the lowest cost by selling multiple services. While many of these players are best known or most invested in government and SMB sectors, they are starting to focus on other segments as well. The VARs and SIs have developed specialized solutions for point problems and excel at delivering them with efficiency and accuracy. Major players in this space include Northrop Grumman and Unisys.

Specialized managed security service providers. The number of specialized MSSPs has

declined, but there are still some very strong service providers. SecureWorks is the largest of the group but has only recently started to move outside of North America while customers frequently mention Solutionary and FishNet Security as other viable options primarily in the North American market. Integralis often comes up as an option in the EMEA market. Specialized providers take great pride that they have the right competencies and capabilities they only focus on managed security services. While they have plans to grow, these providers tend to be smaller and geographically limited. They typically have very intimate relationships with their clients, are usually easier to deal with, and are more likely to work with you to find a custom solution. Start with specialized providers if youre only looking to outsource security and arent concerned about having a larger IT offering.

March 10, 2010

2010, Forrester Research, inc. Reproduction Prohibited

Market Overview: Managed Security Services

For Security & Risk Professionals

11

Major players in this space include FishNet, Integralis, SecureWorks, Solutionary, and Trustwave.5

Security product vendors. This market segment doesnt fit the typical MSSP profile. Of these

vendors, only Symantec really has a formal managed security services portfolio. However, the other vendors within this group do offer certain annuity projects that mimic other MSS offerings. As youd expect, product vendors typically have a security-centric perspective. They have a good understanding of security threats and are good at integrating security hardware and software, but theyre often limited in the services they can offer outside of their own products. These vendors have very few professional services and tend to rely on VARs and SIs to maintain the products and services that they offer. Major players in this space include McAfee, Symantec, and VeriSign.

KEY FaCTORS THaT WIll InFluEnCE YOuR DECISIOn Traditionally, MSSPs focused on taking over some of the mundane operational responsibilities from organizations; therefore, the decision criteria was fairly simple. Companies were satisfied as long as the service provider offered the service at a reasonable cost and had bigger and better tools. But managed services will need to deliver a lot more as the complexity of your environment increases, the threat landscape changes, and the business requirements keep evolving. Todays Decision Criteria are Focused On Tactical and Operational Capabilities Today, many companies employ managed security services because of a tactical need such as help with compliance, threat management, or 24x7 support. The service provider landscape has done a reasonable job of addressing these needs, so for the most part the services are commoditized. To select a provider, make sure it has the following baseline capabilities:

Level of trust. Turn to trusted vendors, telcos, or security service providers for managed

security services. This is one of the reasons that telcos with a large customer base are doing well in the current market. Similarly, large outsourcing companies get a lot of their business through existing clients. Its important to work with someone who understands your environment and with whom you have established a certain level of trust. Many Forrester clients cite this as a primary reason for selecting a particular service provider.

Pricing. Pricing has always been an important element in picking the managed services

provider. The recent economic downturn and the commoditization of this space have put a lot of downward pressure on pricing. Many companies that entered into multi-year deals with managed services providers are regretting those decisions because prices have come down much more than what was provisioned in the original contract.

2010, Forrester Research, inc. Reproduction Prohibited

March 10, 2010

12

Market Overview: Managed Security Services

For Security & Risk Professionals

Global footprint and coverage. The increasing number of regulations around the flow of data

to and from various geographies (e.g., the European Union) and across various industries (e.g., financial services) has become an important element in selecting a managed services provider. Although the primary concern is to keep data localized, managed security services providers are increasingly expected to serve international organizations with local/regional resources (people and data centers).

Availability of specialized resources and skilled analysts. Another reason for international

presence is the quality of interaction with the client. Its hard to get high-quality security operation center (SOC) analysts to work the graveyard shift, so MSSPs need to be in multiple regions so that analysts in Australia can work their 9 to 5 and support US clients during US off-hours. Its important to know where your MSSPs security operations centers are and that alone may not be sufficient. For example, some MSSPs may claim they have an SOC in a particular geography, but they may still be hauling data back to another geography for additional monitoring and analysis.

Dashboards for reporting and compliance. Over the years, this capability has become a key

differentiation for a mature service provider: to be able to provide not just the operational status but to also give a full picture of areas such as regulatory compliance, tracking service-level agreements (SLAs), and managing incidents. But beware: Some of the existing reporting and dashboards available through service providers need a complete overhaul to be able to provide intuitive and useful information to their clients.

Integration with existing infrastructure. Although this may not be the top decision criterion,

it ends up creating the most headaches later on. Some service providers use technologies in the back end that may not integrate well with your environment. Many have preferred solutions due to partnerships that force you to accept those solutions without much choice. Having learned from previous fiascos, savvy companies are now asking probing questions around partnerships and underlying technologies. You should look under the hood to determine integration scenarios.

Future Decision Criteria Will Focus On The Value and Risk Management We believe the dynamics in the market will begin to rapidly mature MSSP offerings. Thus, its important to focus on forward-looking capabilities. To truly differentiate MSSPs, you should focus your selection criteria on:

Consulting. In the past 12 to 15 months, Forrester has received a number of inquiries from

organizations that were looking not for a managed services provider but for a strategic partner that could offer the whole spectrum of security services, including consulting and integration services. This has become especially important in todays environment where the lines are being blurred between managed, consulting, integration, and auditing services. Look for

March 10, 2010

2010, Forrester Research, inc. Reproduction Prohibited

Market Overview: Managed Security Services

For Security & Risk Professionals

13

security service providers that present their security services portfolio as an integrated suite. If the managed services providers havent enhanced their capabilities across consulting and integration, then push for strong partnerships.

Quality of interaction. The quality of the interactions with your provider is very subjective

and varies from organization to organization. For example, many customers are currently dissatisfied with interactions such as staff iteration, competency of the analysts, or inconsistent support levels.

Flexibility and scalability. Scalability will also be a huge factor in delivering quality service. If a
service provider only operates in North America, it will not meet the requirements of a globally spread-out organization. Similarly, some service providers are constrained by the existing platforms that they built years ago. As a result, they cant offer the same flexibility as some new entrants that have the advantage to create new, robust delivery platforms for delivering services that are dynamic and addressing the rapidly changing market conditions.

Application security. A vast majority of attacks today are at the application layer. Look

for MSSPs that are building capabilities such as Web application scanning to identify the vulnerabilities, as well as capabilities around data classification, discovery, and remediation to protect sensitive corporate data.

Threat correlation and intelligence. MSSPs have been offering threat intelligence services

to their clients for a number of years. A handful of the MSSPs have great research teams that produce great threat reports but are still missing contextualization of these reports for a particular company. Look for better asset information and correlation capabilities, which provide context-specific threat information.

SaaS and cloud offerings. Although security-in-the-cloud services such as DDoS protection

and SaaS offerings such as email and Web filtering are slightly different from traditional managed security services, these will play an increasingly important role in determining the MSSP vendor. Forrester has received a sharp increase in inquiries on cloud and SaaS services in the past few months as companies look to reduce their operational and infrastructure management costs. Many network service providers (telcos) have an edge in this capability because they own the pipes to the client, and adequate bandwidth is a prerequisite to application, platform, and infrastructure services.

Vendor Overview The good news is that the market is consolidating and maturing very quickly, but the bad news is that MSSPs are a little behind on meeting these market changes. While there are hundreds of vendors offering managed security services in various forms, there are a few worth noting (see Figure 5).

2010, Forrester Research, inc. Reproduction Prohibited

March 10, 2010

14

Market Overview: Managed Security Services

For Security & Risk Professionals

Figure 5 Managed Security Services breadth Of Services Deployed Globally

Comprehensive services Broad services Targeted services Limited services Minimal services Breadth of services Description Market leader in customer satisfaction and innovation. A balanced set of oerings focused on customer needs augmented with experienced and competent sta and good execution. Excellent penetration specically in UK and generally in Europe. A number of acquisitions recently in the US. Good integration of consulting services with managed services. Largest MSSP in terms of market share. Great brand and reputation. No competition in the breadth and depth of service oerings all in one place. Getting better at coordination among various IBM teams involved. One of the stronger European services providers, with reasonable presence in North America, that has great experience and a good security services portfolio. Focused primarily on infrastructure protection and device monitoring. Focused on system integration and managed hardware solutions. It is an evolving practice that has good potential. Largest specialized player with strong growth and growing international presence. Balanced portfolio and excellent customer service and retention. Has grown rapidly by providing excellent customer service and good vision. A specialized MSSP with a well-balanced portfolio primarily focused on the North American market. Large customer base, broad set of oerings, great at endpoint security, log management, and has its own SIM and threat intelligence. Excellent choice for Symantec shops. Overall managed services portfolio not as mature as some other global telcos, but addition of recent services such as threat intelligence and application security balance out its portfolio. AT&T has extensive experience in network management and strong consulting capabilities, especially with recent acquisition of VeriSign consulting practice. An IT outsourcing provider that has traditionally delivered security services as a component of large outsource deals. General capability provided in a distributed geographic model through local partnerships with key specialist services such as Check Point, Symantec, RSA, and others. IT services company focused on delivering security consulting, systems integration consulting, and managed security services to its clients. One of the new entrants in the space with a relatively small number of customers but a great brand and excellent product vision. Using the telco heritage to its advantage and also oering white-labeled services to smaller regional providers.
Source: Forrester Research, Inc.

Company Verizon

BT

IBM

Integralis

HP SecureWorks Solutionary

Symantec

AT&T

Fujitsu

Logica Tata Communications

56068

March 10, 2010

2010, Forrester Research, inc. Reproduction Prohibited

Market Overview: Managed Security Services

For Security & Risk Professionals

15

Figure 5 Managed Security Services breadth Of Services Deployed Globally (cont.)

Comprehensive services Broad services Targeted services Limited services Minimal services Breadth of services Description Trustwave started o as a service provider primarily oering PCI compliance related services a few years back but has since expanded organically as well as through acquisitions. On the services side it has maintained its hold on the PCI market by oering innovative and timely solutions that meet and exceed customer expectations. Great technical capabilities, focused primarily on infrastructure projects and deals. Good experience working on large projects (especially in government sector) where security services need to be integrated with other IT infrastructure. Excellent penetration, specically in Germany. A good portion of the revenue comes from the government sector, not as visible in the commercial sector but has a balanced portfolio, good experience working on large infrastructure projects, and oers some value add analytics services. Only Indian oshore provider with a standalone security practice. Majority of work was initially focused on identity and access management but over the years has diversied its practice and oers a viable alternative to onshore providers.

Company

Trustwave

T-Systems

Unisys

Wipro

Bell Canada

Focused only on the Canadian market but has been willing to work with other providers to augment capabilities. The clients are primarily on the rewall and infrastructure management side, and more than half of its revenue comes from the government sector. A relatively small UK MSS provider that specializes in value-added service areas such as security information and event management. A telecommunications provider oering managed security services primarily focused on the North American market
IT services company oering business consulting, systems integration, and IT & business process outsourcing services

Boxing Orange CentraComm CGI NIIT Technologies

An Indian player in the remote infrastructure and management and managed security services specializing in areas of incident and event management
Designs, monitors, and manages network perimeter defense plans for the micro/entry SMB segment (<100 users on the network at each location); also oers systems design consulting compliance and outsourced security advisory services.

Secure Designs

Telefonica ITC Infotech

56068

Largest telco in Spain that has a security portfolio focused on device monitoring and infrastructure protection. Starting to build threat management and correlation capabilities.
One of the other IT services company from India oering an oshore option to clients
Source: Forrester Research, Inc.

2010, Forrester Research, inc. Reproduction Prohibited

March 10, 2010

16

Market Overview: Managed Security Services

For Security & Risk Professionals

R E c O M M E n D at i O n S

HOW TO CHOOSE THE RIGHT ManaGED SECuRITY SERVICES PROVIDER FOR YOu
youre faced with many choices when selecting an MSSP. How do you know which one is best for you? When choosing a service provider:

Perform your due diligence, and focus on culture. When it comes to offerings and
competencies, understand the service providers strengths and weaknesses select a provider that excels in the area youre looking to outsource. its also extremely important to look at the culture of the provider. culture is probably the most important factor that determines whether a relationship is going to succeed. Get comfortable with your provider by talking to some of their customer references.

look into onshore versus offshore. if you have a lot of experience with offshoring, then an
offshore model can add a lot of value. but if you dont, then you might hit a bit of a bumpy road early on. if youre interested in an offshore model, be sure to explore any possible compliance regulations, service disruptions, and geo-political risks that can accompany offshoring.

Consider the question of cloud. Many organizations are skeptical of cloud services. but you
need to focus beyond your immediate architecture. Do you see your company embracing cloud computing over the next couple of years? if so, then consider telecom providers, which typically offer the best choice and are currently investing a lot in this area. cloud services go much beyond the traditional managed SOc and include SaaS and specialized point services such as email and Web filtering.

Evaluate your need for consulting capabilities. Examine the service providers consulting
capabilities. this will help you with integrating the managed services into your environment and also shorten the ramp-up time. the client can get a lot more value if the consulting and managed services are coherent and coordinated.

Retain key decision-making responsibilities. an MSSP can provide you with the bare
minimum, but you still need to understand your environment and what it requires. a messy environment will remain a messy environment outsourcing wont magically resolve this. Make sure you have the right governance structures and it processes in place before you look to outsource parts of your environment. as you build up the relationship, make sure you always retain authority over setting policy and other strategic functions.

March 10, 2010

2010, Forrester Research, inc. Reproduction Prohibited

Market Overview: Managed Security Services

For Security & Risk Professionals

17

EnDnOTES
1 2

Source: Enterprise And SMB Security Survey, North America And Europe, Q3 2009. The big news for the IT security market in 2009 is that it will fare relatively well. Cost and justification pressures are exerting themselves, but through increasing business-level visibility led by data-breach headlines, security spend continues to rise and take a growing share of overall IT spend. Security initiatives will focus on four things: protecting data, streamlining costly or manually intensive tasks, providing security for an evolving IT infrastructure, and both understanding and properly managing IT risks within a more comprehensive enterprise framework. The focus on efficiently delivering security to support business and IT initiatives will drive organizations to shift their purchasing behaviors. While the largest standalone security vendors remain strong within the threat-management market categories and small vendors continue to proliferate, we will see a new breed of security guerrillas delivering business and IT services and solutions for which security is imbedded. As such, the most successful vendors will expand their capabilities directly or through partnerships and most effectively blur the lines between security product, managed security service (MSS), and consulting. See the April 22, 2009, Market Overview: IT Security In 2009 report. Some service providers are merely transferring the customer infrastructure in their data centers and calling this service a cloud offering. The customers in this case are not getting the same economic advantage that a true, multitenant cloud architecture provides. Source: Symantec Global Internet Security Threat Report: Trends for 2009 (http://eval.symantec.com/ mktginfo/enterprise/white_papers/b-whitepaper_internet_security_threat_report_xiv_04-2009.en-us.pdf). NTT Communications acquired Integralis on June 30, 2009. Source: NTT Communications announces agreed takeover offer in cash for Integralis AG, Integralis press release, June 30, 2009 (http://www.integralis. co.uk/about-integralis/press/BusinessCombinationAgreementsigned.html).

2010, Forrester Research, inc. Reproduction Prohibited

March 10, 2010

Making leaders Successful Every Day

Headquarters Forrester Research, Inc. 400 Technology Square Cambridge, MA 02139 USA Tel: +1 617.613.6000 Fax: +1 617.613.5000 Email: forrester@forrester.com Nasdaq symbol: FORR www.forrester.com For a complete list of worldwide locations visit www.forrester.com/about. Research and Sales Offices Forrester has research centers and sales offices in more than 27 cities internationally, including Amsterdam; Cambridge, Mass.; Dallas; Dubai; Foster City, Calif.; Frankfurt; London; Madrid; Sydney; Tel Aviv; and Toronto.

For information on hard-copy or electronic reprints, please contact Client Support at +1 866.367.7378, +1 617.613.5730, or clientsupport@forrester.com. We offer quantity discounts and special pricing for academic and nonprofit institutions.

Forrester Research, Inc. (Nasdaq: FORR) is an independent research company that provides pragmatic and forwardthinking advice to global leaders in business and technology. Forrester works with professionals in 20 key roles at major companies providing proprietary research, customer insight, consulting, events, and peer-to-peer executive programs. For more than 26 years, Forrester has been making IT, marketing, and technology industry leaders successful every day. For more information, visit www.forrester.com.

56068