future of mssp-an overview

Making Leaders Successful Every Day

March 10, 2010

Market Overview: Managed Security Servicesby Khalid Karkfor Security & Risk Professionals

www.forrester.com

© 2010, Forrester Research, Inc. All rights reserved. Unauthorized reproduction is strictly prohibited. Information is based on best available resources. Opinions reflect judgment at the time and are subject to change. Forrester®, Technographics®, Forrester Wave, RoleView, TechRadar, and Total Economic Impact are trademarks of Forrester Research, Inc. All other trademarks are the property of their respective companies. To purchase reprints of this document, please email [email protected]. For additional information, go to www.forrester.com.

For Security & Risk Professionals

ExEcutivE SuMMaRyThe managed security services market is growing at a healthy clip due to a confluence of several factors, most notably staffing and skill pressures, an ever-evolving threat landscape, and an increasing compliance burden. As a result, not only are we seeing a significant change in the services offered, but the demands from the customers are also changing and shaping some of those changes. It’s safe to assume that using a managed security services provider (MSSP) today is a lot more than just a cheap alternative to doing the same work in-house. MSSPs are not just managing devices; they also provide insightful analysis that can help with business decisions.

tablE OF cOntEntSThe MSS Market Is Growing During The Economic Downturn

Steady Growth and vendor consolidation Point to a Maturing Market

changing Market Dynamics bring in new customers and Market Opportunities

Organizations Turn To MSSPs More For Competency Than For Cost

changing business Expectations are Defining new Service Offerings

Managed Security Services Come In Different Flavors

Key Factors That Will Influence Your Decision

today’s Decision criteria are Focused On tactical and Operational capabilities

Future Decision criteria Will Focus On the value and Risk Management

vendor Overview

REcOMMEnDatiOnS

How To Choose The Right Managed Security Services Provider For You

nOtES & RESOuRcESin developing this report, Forrester drew from a wealth of analyst experience, insight, and research through advisory and inquiry discussions with end users, vendors, and regulators across industry sectors.

Related Research Documents“the Forrester Wave™: content Security Suites, Q2 2009”april 16, 2009

“case Study: Standard chartered bank uses an MSSP to Optimize its Security Monitoring”September 29, 2008

“the Forrester Wave™: Managed Security Services, Q4 2007”October 4, 2007

March 10, 2010

Market Overview: Managed Security Services look beyond cost Savings and 24x7 Support to Select an MSSP by Khalid Karkwith Jonathan Penn, Robert Whiteley, and lindsey coit

2

5

9

11

16

mailto:[email protected]

www.forrester.com

www.forrester.com

http://www.forrester.com/go?docid=45528&src=56068pdf






© 2010, Forrester Research, inc. Reproduction ProhibitedMarch 10, 2010

Market Overview: Managed Security Services For Security & Risk Professionals

2

THE MSS MaRKET IS GROWInG DuRInG THE ECOnOMIC DOWnTuRn

A few years back — as companies grappled with IT outsourcing — it was safe to assume that the IT security organization was exempt because, as many chief information security officers (CISOs) told us, “We would never outsource security.” Guess what? Today, one in four now outsource their email filtering, and another 12% are very interested in doing so in the next 12 months. Another 13% already outsource their vulnerability management — a treasure trove for potential hackers — and an additional 19% say they are “very interested” in doing so in the next 12 months. Although security spending stayed flat for the most part in 2009, Forrester estimates that the managed services market grew by roughly 8%.1

Today, managed security services (MSS) offerings exist in various forms, from pure system management to more sophisticated log analysis using a number of delivery mechanisms, from software-as-a-service (SaaS) and cloud services to on-premises device monitoring and management (see Figure 1).

Steady Growth and Vendor Consolidation Point To a Maturing Market

Not only has the market been growing steadily over the past few years, but the service provider and market dynamics have also changed due to a series of mergers, acquisitions, partnerships, and reprioritization of MSS portfolios. After a tumultuous 2009, we have seen:

· The MSSP market size eclipse $4 billion. Forrester estimates the global size of the managed security services market to be $4.5 billion, which includes outsourced and SaaS security services as well as other annualized security operations.2 Although the market is still consolidating, the top 20 vendors already command close to 80% of the market share (see Figure 2).3

· Mergers and acquisitions enhance current capabilities. The recent acquisition of VeriSign MSS by SecureWorks and the previous acquisitions of Counterpane, Cybertrust, and ISS have all been fairly successful at not just growing the MSSP market share for the acquirers but also at providing the financial wherewithal to invest in areas such as threat intelligence and to build new and enhanced services.

· Partnerships expand international presence. Another trend is companies expanding beyond the traditional geographic boundaries to serve an increasingly global client base. Recent announcements of Solutionary partnering with e-Cop in Singapore and SecureWorks acquiring DNS point to this trend.

© 2010, Forrester Research, inc. Reproduction Prohibited March 10, 2010


3

Figure 1 common Managed Security Services and Forrester’s Estimate Of Market Penetration

Source: Forrester Research, Inc.56068

Domain

Security event monitoring

Managed endpoints

Log management

Threat intelligence

Vulnerability management

Application security services

Incident response services

Content security

Policy/compliance

Identity and access management

Types of services

• Log monitoring, event correlation, and analysis• DDoS protection

• Managed desktop antimalware• Managed desktop data security • Managed desktop change/configuration control• Managed server HIDS• Managed server change/configuration control

• Log collection, retention, integrity/chain of custody, access/review auditing, and reporting

• Threat/malware/vulnerability intelligence and alert services

• Internal and external vulnerability scans• Patching, upgrades, configuration enforcement,

and change control

• Application penetration testing and vulnerability scans

• Code analysis and review• Managed application firewalls

• Incident planning and response• Forensics and investigations

• Email monitoring and filtering• Email encryption• Email archiving• Web monitoring and filtering

• Regulatory compliance assessments• Policy compliance assessments• Third-party assessments• Security benchmarking

• Managed/hosted network perimeter services• Managed/hosted application firewalls• Managed/hosted SIEM

• Access administration• Two-factor authN• Federation• Credential services

Forrester’s estimatedmarket penetration

• Internal and external vulnerability scans• Patching, upgrades, configuration enforcement,

and change control

15%-20%

10%-15%

5%-10%

25%-30%

0%-5%

5%-10%

10%-15%

5%-10%

15%-20%

Managed devices (i.e., hosted and managed CPE security devices not just the logs of those devices)

15%-20%

10%-15%



4

Figure 2 Market Share Of top Managed Security Services Providers

Changing Market Dynamics Bring In new Customers and Market Opportunities

Not only are the internal and external threat paradigms changing rapidly, but the changing business conditions are also affecting the types of services that customers request. In today’s MSS market we see that:

· Both supply and demand of MSS are on the rise. Companies are willing to outsource more of their environment than ever before. Traditionally, outsourcing was only used for day-to-day security functions such as network firewall monitoring and email filtering — areas discrete and unintegrated from the rest of IT such as email security and Web filtering. While these are still among the most prevalent services, increasingly more companies are turning to an MSSP to manage additional security functions that are highly operationalized (event monitoring) and integrated (log management ) within the IT environment.

· Security services are being bundled with larger IT outsourcing deals. In recent years we’ve seen a vast number of service providers marketing and selling security services as part of a larger IT and telecom services bundle. While this is a growing trend, there are still some large outsourcing companies, such as IBM and Wipro Technologies, that primarily sell security as a standalone offering, so expect this trend to only continue as all companies move to integrated offerings.


Source: Forrester estimate based on information provided by managed security service providers

IBM10%

Symantec9%

BT7%

Verizon Business7%

Fujitsu6%

CSC4%

Wipro3%

Other23%

Bell Canada2%

Getronics2%

T-Systems3%

HP7%

Northrop Grumman3%

Lockheed Martin3%

AT&T4%

SecureWorks3%

2%Raytheon

CGI2%



5

· Professional services capabilities are improving. Many companies are looking for both an outsourcer and a strategic partner to help them transform their security capabilities. In fact, one CISO we spoke to uses the term “co-sourcing” rather than “outsourcing,” to emphasize just how vital the MSSP-customer relationship is. While many MSSPs have started to respond to this need by offering consulting services, not all providers are equally proficient. Expect MSSPs to further invest in professional services capabilities to provide appropriate integration and consulting to run your environment efficiently.

· Cloud services are ushering in a new set of customers and requirements . . . Over the past few months, Forrester has received several inquiries on telcos offering cloud services such as distributed denial of service (DDoS) protection and “clean pipe” services. Traditional MSSPs are only starting to take this area on, and a number of them are building infrastructure and offerings in this space. Network service providers that own the pipe have an inherent advantage in this area because they can look across their backbones and detect and prevent potential attacks earlier than most of the other service providers. Forrester is also seeing specialized cloud service providers such as MessageLabs (now Symantec Hosted Services), Postini (now part of Google), and Zscaler successfully offering focused cloud security services.

· . . . but some service providers may just be transferring the infrastructure to their data centers. Customers get the benefit of infrastructure being shifted away from their own real estate, but they are not getting the same economic advantage that a true, multitenant cloud architect provides. Telcos can offer a true multitenant architecture that is closer to the client from a network perspective. Other cloud services are also being offered by purpose-built service providers such as MessageLabs, Postini, and Zscaler.

ORGanIzaTIOnS TuRn TO MSSPs MORE FOR COMPETEnCY THan FOR COST

Initially, lower cost was the primary driver for moving to a managed services provider, but cost only ranks fourth in decision criteria today. There are a number of other drivers pushing companies to use MSSPs (see Figure 3). CISOs tell us that they turn to MSSPs to:

· Improve the quality of protection. The security resources in many organizations are stretched too thin already, leading to increased workload, more stress, and the potential for more mistakes. Some organizations simply don’t have the desired security expertise in certain areas or can’t afford it, leading to large gaps in the security portfolio. Rather than invest internally, an MSSP can help fill the gaps and reduce the workload from existing resources.

· Gain 24x7 support. The threat landscape has become too complex and too sophisticated to rely on a 9 to 5 security support model. Internal resources would require two additional shifts along with the costs and manpower associated with them, while an outsourcing provider can do it for a fraction of the cost — and in many cases may even provide local on-site support.



6

· Get better skill sets and competencies. One CISO of a large entertainment company that uses extensive MSS recently told us, “It is important to understand the fact that your staff will not be competent in all aspects of security — it’s better to outsource certain areas and let the real professionals handle those issues.” Security analysts at managed security companies have more depth, breadth, and experience because they deal with a wide variety of clients and environments.

· Reduce costs. Continued economic pressures have forced many security organizations to significantly scale back — either in the form of budget cuts, head count reduction, or in some cases, both. Faced with fewer resources, many security organizations have been forced to employ MSS to meet their obligations. Interestingly, many of these companies plan on continuing with this model even when times get better.

· Decrease complexity. Over time, large enterprises amass an impressive array of security technologies and processes that churn out a tremendous amount of data. As a result, it’s not surprising that one of the most common challenges cited by security managers is sifting through this data and bringing it all together to create a comprehensive view of their information security. Having someone else do the sifting and presenting a neat dashboard to review is certainly an appealing concept for many CISOs.

Figure 3 Drivers For Employing MSS Have changed Significantly From the Past


Gain 24x7 coverage

Improve quality of protection

Greater competency

Reduced cost

Improve regulatory compliance

Reduced complexity

Decrease liability concerns

Because the rest of the ITenvironment is outsourced

34%

34%

28%

27%

21%

20%

18%

4%

“How important were the following in your firm’s decision to adopt managed security services?” (respondents that answered “very important”)

Base: 1,214 North American and European IT security decision-makers interested in managed security servicesSource: Enterprise And SMB Security Survey, North America And Europe, Q3 2009



7

Changing Business Expectations are Defining new Service Offerings

Over time, the expectations and role of the information security group have changed significantly. Today, security managers are expected to run the operations as well as provide value-added services in support of business objectives such as enhancing privacy, achieving compliance, and protecting intellectual property (see Figure 4). Security managers are now demanding additional services from MSSPs, which in return are responding by transforming their traditional services from:

· Operational metrics to return on investment (ROI) and efficiency metrics. Organizations are not necessarily looking to cut their security costs; they are more interested in spending the money on the right priorities. To get there, they need to be armed with the right operational metrics. Many MSSPs are addressing this need by providing comprehensive dashboards and drilldown capabilities to give the right level of visibility to their clients. Some are even quantifying the risks in dollars and providing ROI and efficiency metrics for management consumption.

· Infrastructure protection to application security. MSSPs today offer a lot more than device monitoring and email filtering. Log aggregation is no longer enough. A majority of attacks today focus not on the infrastructure but on the applications residing on this infrastructure.4 Service providers are offering managed application firewalls, application security scanning, and penetration testing to make the applications more secure. These services will continue to grow as more people realize the significance of application security and as regulatory requirements such as PCI highlight this as a potential area of concern.

· Regulatory compliance to risk management. As a consequence of the maturing managed services market, expectations around regulatory compliance have also changed. CISOs are not just asking the MSSPs to help them comply with particular regulations but to advise on future investments and focus areas. Many MSSPs are being asked to perform basic security and risk assessments based on a standard or framework — not a regulation. The goal is to address the core risks rather than putting on a Band-Aid solution to appease an auditor’s regulatory check.

· Monitoring and alerting to analysis and intelligence. The sophistication and targeted nature of attacks are becoming too much for small security staffs to handle. As a result, many are turning to MSSPs, which in turn are offering more than the run-of-the-mill monitoring and alerting service and are now providing “intelligence” capabilities that are specific to the environment of the organization. Service providers are classifying data and applications, maintaining device inventory, and applying the vulnerability and threat intelligence they get to this information so that they can provide relevant and contextual information to their clients.



8

Figure 4 MSSP Focus areas and Operations centers


Integralis

AT&T

Bell Canada 3

BT

Boxing Orange

CentraComm 2

CGI

Fujitsu

IBM 9

ITC Infotech

Healthcare, government (state and federal), and financial companies

Government, financial, and health

Government, finance, and leisure & entertainment

Manufacturing, healthcare, and energy

Financial, healthcare, and public (education & federal)

Financial services, distribution, and public sector

Consumer packaged goods, manufacturing, and financial services

Government, healthcare, and finance

HP

Montreal, Ottawa, Vancouver

Bluffton, Ohio; Findlay, Ohio

7

Logica

NIIT Technologies

Public sector; industry, distribution & transport (IDT); and energy & utilities

Insurance, travel, and banking

Bangalore, India

Financial services & retail, government, and healthcare

9 Public sector, finance & insurance,and retail & manufacturing

SOC locationVendor

3

SecureWorks 5 Atlanta; Chicago; Myrtle Beach; Providence; UK Financial, utilities, and retail

Leeds, UK; Sunderland, UK2

1 Sweden

Atlanta; Southfield, Mich.; Boulder; Colo.; Toronto, Canada; Brisbane, Australia; Brussels; Hortolandia, Brazil; Tokyo; Bangalore, India

Ottawa; Gatineau, Canada; Phoenix; Basingstoke, UK

5

4

Solihull, UK; Tatebayashi, Japan; Maarssen, Netherlands; Kazan, Russia; Sunnyvale, Calif.; Dallas; Montreal; Quebec

7

Top three industries

Los Angeles; Chantilly, Va.; Princeton, N.J.;London; Edinburgh, UK; Paris; Milan; Sao Paulo

Financial services (banking & insurance), government, and manufacturing

Virginia, North Carolina, New Jersey

1

Plano, Texas; Zaragoza, Spain;Kuala Lumpur, Malaysia; Daresbury, UK

Stuttgart, Germany; Gurgaon and Mumbai, India

Aliso Viejo, Calif.; Hartford, Conn.; Theale, UK; Ismaning, Germany; Paris; Stockholm; Singapore

3

No. of s

ecurity

operatio

ns centers



9

Figure 4 MSSP Focus areas and Operations centers (cont.)

ManaGED SECuRITY SERVICES COME In DIFFEREnT FlaVORS

We anticipate that MSS growth will accelerate if the economy remains soft. As it is, the market for MSS is currently growing faster than any other segment in the security budget. The MSS landscape is currently divided into five segments:

· Telecommunications providers. This segment of the market has really come forward as the most dominant. It has the potential to fundamentally change market dynamics, and we expect it to take over MSS in the coming years. Telecommunications providers already have a substantial existing customer base that they can reach out to and offer additional security


Verizon

Secure Designs

Solutionary

Symantec 4

TataCommunications

Telefonica

T-Systems

Unisys

Wipro

Retail, financial services, and healthcare

Financial services, healthcare, and retail

Financial services, manufacturing, and government

Finance, manufacturing, andtechnology

Financial institutions, national security administrations, and industrial services

Auto, telco, and public

Financial services, government, and healthcare

BFM, retail, and energy & utility

Alexandria, Va.; Sydney; Green Park, UK;Pune, India

Amsterdam; Wellington, New Zealand; Salt Lake City; Reston, Va.; Bangalore, India

4

3

5 Leuven, Belgium; Luxembourg; Ashburn, Va.; Cary, N.C.; Canberra; Australia

SOC locationVendor No. of s

ecurity

operatio

ns centers

2 North Carolina

Germany, Czech Republic, Hungary3

10*

Trustwave 3 Chicago; Madison, Wis.; Warsaw, Poland Financial institutions, retail, and hospitality & food service

7

Financial services, federal government, and retail

Top three industries

Chennai, India; Singapore; Herndon, Va.; London

Omaha, Neb.; Pittsburgh; Singapore; Malaysia; Hong Kong; Germany; Beijing; Taiwan;Bangkok, Thailand; Japan

Arizona; New York; Denver; Reading, UK; India; Romania; Toulouse, France

*This includes three Solutionary SOCs and seven SOCs through partnership with e-Cop.

Madrid, Spain; Lima, Peru; Miami

5



10

services. Primarily infrastructure-focused, the telcos look to add value by bundling security services with their telecom services. This segment of the market will also change the cost dynamics for two reasons: 1) economy of scale resulting from already having a high volume of customers, and 2) heavy investment in cloud computing where a network-based cloud delivery offers a multitenant, low-cost alternative. The telco segment is also starting to offer reasonable consulting capabilities; while they’re not yet equivalent to the leading consulting players, they’re growing in maturity and capability.

Major players in this space include AT&T, BT Group, T-Systems International, Tata Communications, and Verizon.

· IT outsourcing companies. IT outsourcers offer a higher value-add as well as an onshore/offshore mixed model. These service providers are focused first and foremost on reducing cost, which they do by targeting certain areas of your environment to outsource. While they currently have a reasonable cost margin, it will get harder to compete with the telco providers if they are able to offer lower-cost cloud alternatives. With the IT outsourcers, managed security services are often bundled within a larger IT infrastructure outsourcing deal.

Major players in this space include Accenture, Computer Sciences Corporation (CSC), Fujitsu, Hewlett-Packard (HP) (combined with the former EDS), IBM, and Wipro Technologies.

· Value-added resellers (VARs) and system integrators (SIs). Growing rapidly, this market segment primarily provides services to the government and SMBs. They typically focus on integration and ease of use. Cost is usually a significant factor, and they try to get to the lowest cost by selling multiple services. While many of these players are best known or most invested in government and SMB sectors, they are starting to focus on other segments as well. The VARs and SIs have developed specialized solutions for point problems and excel at delivering them with efficiency and accuracy.

Major players in this space include Northrop Grumman and Unisys.

· Specialized managed security service providers. The number of specialized MSSPs has declined, but there are still some very strong service providers. SecureWorks is the largest of the group — but has only recently started to move outside of North America — while customers frequently mention Solutionary and FishNet Security as other viable options primarily in the North American market. Integralis often comes up as an option in the EMEA market. Specialized providers take great pride that they have the right competencies and capabilities — they only focus on managed security services. While they have plans to grow, these providers tend to be smaller and geographically limited. They typically have very intimate relationships with their clients, are usually easier to deal with, and are more likely to work with you to find a custom solution. Start with specialized providers if you’re only looking to outsource security and aren’t concerned about having a larger IT offering.



11

Major players in this space include FishNet, Integralis, SecureWorks, Solutionary, and Trustwave.5

· Security product vendors. This market segment doesn’t fit the typical MSSP profile. Of these vendors, only Symantec really has a formal managed security services portfolio. However, the other vendors within this group do offer certain annuity projects that mimic other MSS offerings. As you’d expect, product vendors typically have a security-centric perspective. They have a good understanding of security threats and are good at integrating security hardware and software, but they’re often limited in the services they can offer outside of their own products. These vendors have very few professional services and tend to rely on VARs and SIs to maintain the products and services that they offer.

Major players in this space include McAfee, Symantec, and VeriSign.

KEY FaCTORS THaT WIll InFluEnCE YOuR DECISIOn

Traditionally, MSSPs focused on taking over some of the mundane operational responsibilities from organizations; therefore, the decision criteria was fairly simple. Companies were satisfied as long as the service provider offered the service at a reasonable cost and had bigger and better tools. But managed services will need to deliver a lot more as the complexity of your environment increases, the threat landscape changes, and the business requirements keep evolving.

Today’s Decision Criteria are Focused On Tactical and Operational Capabilities

Today, many companies employ managed security services because of a tactical need such as help with compliance, threat management, or 24x7 support. The service provider landscape has done a reasonable job of addressing these needs, so for the most part the services are commoditized. To select a provider, make sure it has the following baseline capabilities:

· Level of trust. Turn to trusted vendors, telcos, or security service providers for managed security services. This is one of the reasons that telcos — with a large customer base — are doing well in the current market. Similarly, large outsourcing companies get a lot of their business through existing clients. It’s important to work with someone who understands your environment and with whom you have established a certain level of trust. Many Forrester clients cite this as a primary reason for selecting a particular service provider.

· Pricing. Pricing has always been an important element in picking the managed services provider. The recent economic downturn and the commoditization of this space have put a lot of downward pressure on pricing. Many companies that entered into multi-year deals with managed services providers are regretting those decisions because prices have come down much more than what was provisioned in the original contract.



12

· Global footprint and coverage. The increasing number of regulations around the flow of data to and from various geographies (e.g., the European Union) and across various industries (e.g., financial services) has become an important element in selecting a managed services provider. Although the primary concern is to keep data localized, managed security services providers are increasingly expected to serve international organizations with local/regional resources (people and data centers).

· Availability of specialized resources and skilled analysts. Another reason for international presence is the quality of interaction with the client. It’s hard to get high-quality security operation center (SOC) analysts to work the graveyard shift, so MSSPs need to be in multiple regions so that analysts in Australia can work their 9 to 5 and support US clients during US off-hours. It’s important to know where your MSSP’s security operations centers are — and that alone may not be sufficient. For example, some MSSPs may claim they have an SOC in a particular geography, but they may still be hauling data back to another geography for additional monitoring and analysis.

· Dashboards for reporting and compliance. Over the years, this capability has become a key differentiation for a mature service provider: to be able to provide not just the operational status but to also give a full picture of areas such as regulatory compliance, tracking service-level agreements (SLAs), and managing incidents. But beware: Some of the existing reporting and dashboards available through service providers need a complete overhaul to be able to provide intuitive and useful information to their clients.

· Integration with existing infrastructure. Although this may not be the top decision criterion, it ends up creating the most headaches later on. Some service providers use technologies in the back end that may not integrate well with your environment. Many have “preferred solutions” due to partnerships that force you to accept those solutions without much choice. Having learned from previous fiascos, savvy companies are now asking probing questions around partnerships and underlying technologies. You should look under the hood to determine integration scenarios.

Future Decision Criteria Will Focus On The Value and Risk Management

We believe the dynamics in the market will begin to rapidly mature MSSP offerings. Thus, it’s important to focus on forward-looking capabilities. To truly differentiate MSSPs, you should focus your selection criteria on:

· Consulting. In the past 12 to 15 months, Forrester has received a number of inquiries from organizations that were looking not for a managed services provider but for a strategic partner that could offer the whole spectrum of security services, including consulting and integration services. This has become especially important in today’s environment where the lines are being blurred between managed, consulting, integration, and auditing services. Look for



13

security service providers that present their security services portfolio as an integrated suite. If the managed services providers haven’t enhanced their capabilities across consulting and integration, then push for strong partnerships.

· Quality of interaction. The quality of the interactions with your provider is very subjective and varies from organization to organization. For example, many customers are currently dissatisfied with interactions such as staff iteration, competency of the analysts, or inconsistent support levels.

· Flexibility and scalability. Scalability will also be a huge factor in delivering quality service. If a service provider only operates in North America, it will not meet the requirements of a globally spread-out organization. Similarly, some service providers are constrained by the existing platforms that they built years ago. As a result, they can’t offer the same flexibility as some new entrants that have the advantage to create new, robust delivery platforms for delivering services that are dynamic and addressing the rapidly changing market conditions.

· Application security. A vast majority of attacks today are at the application layer. Look for MSSPs that are building capabilities such as Web application scanning to identify the vulnerabilities, as well as capabilities around data classification, discovery, and remediation to protect sensitive corporate data.

· Threat correlation and intelligence. MSSPs have been offering threat intelligence services to their clients for a number of years. A handful of the MSSPs have great research teams that produce great threat reports but are still missing contextualization of these reports for a particular company. Look for better asset information and correlation capabilities, which provide context-specific threat information.

· SaaS and cloud offerings. Although security-in-the-cloud services such as DDoS protection and SaaS offerings such as email and Web filtering are slightly different from traditional managed security services, these will play an increasingly important role in determining the MSSP vendor. Forrester has received a sharp increase in inquiries on cloud and SaaS services in the past few months as companies look to reduce their operational and infrastructure management costs. Many network service providers (telcos) have an edge in this capability because they own the pipes to the client, and adequate bandwidth is a prerequisite to application, platform, and infrastructure services.

Vendor Overview

The good news is that the market is consolidating and maturing very quickly, but the bad news is that MSSPs are a little behind on meeting these market changes. While there are hundreds of vendors offering managed security services in various forms, there are a few worth noting (see Figure 5).



14

Figure 5 Managed Security Services — breadth Of Services Deployed Globally


Company

VerizonMarket leader in customer satisfaction and innovation. A balanced set of offerings focused on customer needs augmented withexperienced and competent staff and good execution.

IBM

Excellent penetration specifically in UK and generally in Europe. A number of acquisitions recently in the US. Good integration of consulting services with managed services.

BT

Largest MSSP in terms of market share. Great brand and reputation. No competition in the breadth and depth of service offerings all in one place. Getting better at coordination among various IBM teamsinvolved.

SolutionaryHas grown rapidly by providing excellent customer service and good vision. A specialized MSSP with a well-balanced portfolio primarily focusedon the North American market.

SymantecLarge customer base, broad set of offerings, great at endpoint security, log management, and has its own SIM and threat intelligence. Excellent choice for Symantec shops.

DescriptionBreadth of

services

SecureWorksLargest specialized player with strong growth and growing international presence. Balanced portfolio and excellent customer service and retention.

Focused on system integration and managed hardware solutions. It isan evolving practice that has good potential.HP

AT&T

Overall managed services portfolio not as mature as some otherglobal telcos, but addition of recent services such as threatintelligence and application security balance out its portfolio. AT&T has extensive experience in network management and strong consulting capabilities, especially with recent acquisition of VeriSign consulting practice.

Integralis

One of the stronger European services providers, with reasonable presence in North America, that has great experience and a good security services portfolio. Focused primarily on infrastructure protection and device monitoring.

Fujitsu

Logica

Comprehensive services Broad services Targeted servicesLimited services Minimal services

IT services company focused on delivering security consulting, systemsintegration consulting, and managed security services to its clients.

An IT outsourcing provider that has traditionally delivered security servicesas a component of large outsource deals. General capability provided in adistributed geographic model through local partnerships with key specialistservices such as Check Point, Symantec, RSA, and others.

Tata Communications

One of the new entrants in the space with a relatively small number ofcustomers but a great brand and excellent product vision. Using the telco heritage to its advantage and also offering white-labeled services to smaller regional providers.



15

Figure 5 Managed Security Services — breadth Of Services Deployed Globally (cont.)


Bell Canada

Focused only on the Canadian market but has been willing to work with other providers to augment capabilities. The clients are primarily on the firewall and infrastructure management side, and more than half of its revenue comes from the government sector.

Secure Designs

CGI

CentraComm A telecommunications provider offering managed securityservices primarily focused on the North American market

ITC Infotech

A relatively small UK MSS provider that specializes in value-addedservice areas such as security information and event management.Boxing Orange

NIITTechnologies

An Indian player in the remote infrastructure and management andmanaged security services specializing in areas of incident and event management

Wipro

Only Indian offshore provider with a standalone security practice. Majority of work was initially focused on identity and access management but over the years has diversifiedits practice and offers a viable alternative to onshore providers.

Unisys

A good portion of the revenue comes from the government sector, not as visible in the commercial sector but has a balanced portfolio, good experience working on large infrastructure projects, and offers some value add analytics services.

TelefonicaLargest telco in Spain that has a security portfolio focused on devicemonitoring and infrastructure protection. Starting to build threatmanagement and correlation capabilities.

IT services company offering business consulting, systems integration,and IT & business process outsourcing services

Designs, monitors, and manages network perimeter defense plans for the micro/entry SMB segment (<100 users on the network at each location); also offers systems design consulting compliance and outsourced security advisory services.

Company DescriptionBreadth of

services

Comprehensive services Broad services Targeted servicesLimited services Minimal services

T-Systems

Great technical capabilities, focused primarily on infrastructure projectsand deals. Good experience working on large projects (especially in government sector) where security services need to be integrated withother IT infrastructure. Excellent penetration, specifically in Germany.

One of the other IT services company from India offering an offshore option to clients

Trustwave started off as a service provider primarily offering PCI compliancerelated services a few years back but has since expanded organically as well as through acquisitions. On the services side it has maintained its hold onthe PCI market by offering innovative and timely solutions that meet andexceed customer expectations.

Trustwave



16

R E c O M M E n D a t i O n S

HOW TO CHOOSE THE RIGHT ManaGED SECuRITY SERVICES PROVIDER FOR YOu

you’re faced with many choices when selecting an MSSP. How do you know which one is best for you? When choosing a service provider:

· Perform your due diligence, and focus on culture. When it comes to offerings and competencies, understand the service provider’s strengths and weaknesses — select a provider that excels in the area you’re looking to outsource. it’s also extremely important to look at the culture of the provider. culture is probably the most important factor that determines whether a relationship is going to succeed. Get comfortable with your provider by talking to some of their customer references.

· look into onshore versus offshore. if you have a lot of experience with offshoring, then an offshore model can add a lot of value. but if you don’t, then you might hit a bit of a bumpy road early on. if you’re interested in an offshore model, be sure to explore any possible compliance regulations, service disruptions, and geo-political risks that can accompany offshoring.

· Consider the question of cloud. Many organizations are skeptical of cloud services. but you need to focus beyond your immediate architecture. Do you see your company embracing cloud computing over the next couple of years? if so, then consider telecom providers, which typically offer the best choice and are currently investing a lot in this area. cloud services go much beyond the traditional managed SOc and include SaaS and specialized point services such as email and Web filtering.

· Evaluate your need for consulting capabilities. Examine the service provider’s consulting capabilities. this will help you with integrating the managed services into your environment and also shorten the ramp-up time. the client can get a lot more value if the consulting and managed services are coherent and coordinated.

· Retain key decision-making responsibilities. an MSSP can provide you with the bare minimum, but you still need to understand your environment and what it requires. a messy environment will remain a messy environment — outsourcing won’t magically resolve this. Make sure you have the right governance structures and it processes in place before you look to outsource parts of your environment. as you build up the relationship, make sure you always retain authority over setting policy and other strategic functions.



17

EnDnOTES1 Source: Enterprise And SMB Security Survey, North America And Europe, Q3 2009.

2 The big news for the IT security market in 2009 is that it will fare relatively well. Cost and justification pressures are exerting themselves, but through increasing business-level visibility led by data-breach headlines, security spend continues to rise and take a growing share of overall IT spend. Security initiatives will focus on four things: protecting data, streamlining costly or manually intensive tasks, providing security for an evolving IT infrastructure, and both understanding and properly managing IT risks within a more comprehensive enterprise framework. The focus on efficiently delivering security to support business and IT initiatives will drive organizations to shift their purchasing behaviors. While the largest standalone security vendors remain strong within the threat-management market categories and small vendors continue to proliferate, we will see a new breed of security guerrillas delivering business and IT services and solutions for which security is imbedded. As such, the most successful vendors will expand their capabilities — directly or through partnerships — and most effectively blur the lines between security product, managed security service (MSS), and consulting. See the April 22, 2009, “Market Overview: IT Security In 2009” report.

3 Some service providers are merely transferring the customer infrastructure in their data centers and calling this service a cloud offering. The customers in this case are not getting the same economic advantage that a true, multitenant cloud architecture provides.

4 Source: Symantec Global Internet Security Threat Report: Trends for 2009 (http://eval.symantec.com/mktginfo/enterprise/white_papers/b-whitepaper_internet_security_threat_report_xiv_04-2009.en-us.pdf).

5 NTT Communications acquired Integralis on June 30, 2009. Source: “NTT Communications announces agreed takeover offer in cash for Integralis AG,” Integralis press release, June 30, 2009 (http://www.integralis.co.uk/about-integralis/press/BusinessCombinationAgreementsigned.html).



Forrester Research, Inc. (Nasdaq: FORR)

is an independent research company

that provides pragmatic and forward-

thinking advice to global leaders in

business and technology. Forrester

works with professionals in 20 key roles

at major companies providing

proprietary research, customer insight,

consulting, events, and peer-to-peer

executive programs. For more than 26

years, Forrester has been making IT,

marketing, and technology industry

leaders successful every day. For more

information, visit www.forrester.com.

Headquarters

Forrester Research, Inc.

400 Technology Square

Cambridge, MA 02139 USA

Tel: +1 617.613.6000

Fax: +1 617.613.5000

Email: [email protected]

Nasdaq symbol: FORR

www.forrester.com

M a k i n g l e a d e r s S u c c e s s f u l E v e r y D a y

56068

For information on hard-copy or electronic reprints, please contact Client Support

at +1 866.367.7378, +1 617.613.5730, or [email protected].

We offer quantity discounts and special pricing for academic and nonprofit institutions.

For a complete list of worldwide locationsvisit www.forrester.com/about.

Research and Sales Offices

Forrester has research centers and sales offices in more than 27 cities

internationally, including Amsterdam; Cambridge, Mass.; Dallas; Dubai;

Foster City, Calif.; Frankfurt; London; Madrid; Sydney; Tel Aviv; and Toronto.

www.forrester.com

mailto:[email protected]