ISG Provider Lens™ Cyber Security - Solutions & Services - U.S. 2020 - Managed Security Services
General Trends
Most business processes, which involve storing, processing and communicating information including valuable assets, personal information and corporate intellectual property (IP), have gone digital. With the growing frequency and sophistication of cyberattacks on enterprise infrastructures, security has become a crucial need for all firms. For public companies, board directors must now be educated or trained in cyber security as they are now instrumental in the cyber risk management process. Cyber security continues to be a challenge due to several factors such as new regulatory requirements, stricter penalties for non-compliance, migration of many business components to the cloud, new application development, and merger and acquisition (M&A) activities. Consequently, it now involves hardened security controls such as data encryption, multifactor authentication (MFA), arduous breach notification protocols, and the active use of data loss/leakage prevention (DLP) tools.
The confidentiality, integrity and availability (CIA) of data remain central to cyber security. Data protection has become increasingly important. Security control suites such as access to data and egress monitoring are both included in this report as identity and access management (IAM) and DLP respectively. Other security measures such as the effective encryption of all personal data at rest (DAR) are equally important. Three types of security service offerings are increasing in importance to enterprises pursuing the principles of CIA.
These are strategic security services, technical security services and managed security services. Strategic security services cover security assessment, gap analysis, security strategy development, mitigative selection, procurement support and the risk-based allocation of resources. Technical security services include deployment, setup and maintenance for procured security tooling. Managed security services represent a solution for the partial or complete outsourcing of security as a service. All three are growing practice areas as security continues to converge and software providers partner with service providers to broaden their access to the market. Providers of all three of these service types are evaluated in this report, and each type of security service has its own leadership quadrant.
From an organizational perspective, a combination of regulatory requirements and best practices has led to the creation of new executive positions such as CISO, chief risk officer (CRO) and chief compliance officer (CCO). Enterprise risk management (ERM) has emerged, integrating many corporate risk functions and providing a two-way communication channel to the board of directors via a governing risk committee. Cyber security and risk management are becoming increasingly integrated as a result. Revised security and risk management frameworks together with regulatory practices push enterprises to become more proactive in their security processes rather than simply relying on perimeter defense. This drives the need for better monitoring of suspicious cyber activity through internal and external sources of intelligence. Machine learning (ML) and artificial intelligence (AI) are enabling better analytic processes to prioritize and alert enterprise security officers to potentially dangerous events. High-priority alerts need to be acted on quickly and effectively. As a result, critical event response teams (CERTs), automated escalation protocols and technical response teams have emerged to undertake the mitigation, containment and recovery from damaging events and potential attacks. In essence, digital security has evolved to become cyber risk management and resiliency as some degree of attacks and data loss is expected. Also, from an organizational perspective, the selection of a security solution provider is expected to be a more rigorous procedure involving a broader range of influencers due to the risk management aspect discussed above.
The cyber security industry has been estimated to be worth $125 billion. Overall, it was growing around 8 percent per year until the rise of the COVID-19 pandemic and is now forecast to grow 2 to 3 percent in 2020. However, the different security domains within the overall industry are growing at different rates. Cloud services are forecast to grow closer to 30 percent in 2020, and IAM, DLP and security services are estimated to grow slightly faster than the larger security industry, thus raising their relative importance as part of an overall cyber security solution. It is anticipated that managed service providers will continue to take market share from legacy on-premise security service providers in the future as security solutions become more complicated and challenging to self-implement and third-party cloud-based solutions become increasingly cost effective. Technical partnerships between the two types of providers have enabled this.
The recent pandemic has led to a significant increase in the number of people working from home. This has put further pressure on enterprises to ensure that PC and mobile device endpoints as well as local (routers) and IoT connectivity are secure. Work-from-home (WFH) security practices also need to be integrated with screen locking, access protection (such as multi-factor authentication/MFA) and physical security (cable locks, locked filing cabinet for storage, etc.). In the event of loss or theft, hard drive encryption can provide additional security along with the data owner’s ability to remotely wipe sensitive data and applications on devices. It is likely that the proportion of employees connecting to enterprise systems remotely will remain at a higher level even after the pandemic has passed, and these additional security controls and compliance with WFH policies will prevail.
IAM Software Market Trends
Enterprise IT systems are transforming rapidly to adapt to the growing threat and regulatory environments. The evolution of cyberattacks has had a significant impact on IAM providers and their customers. Legacy IT systems relied on in-house, on-premise software solutions such as lightweight directory access protocol (LDAP) and Microsoft AD. Many enterprises still have these systems today. The migration of services to the cloud has elevated the need for a different approach to IAM. With the rapid increase in external cyberattacks and internal threats (intentional and unintentional), the need for reliable, user-friendly IAM has grown to an unprecedented, new level. This has been fueled by newer, more restrictive privacy regulations such as CCPA, DFS 23 NYCRR 500 and GDPR, with new and additional requirements and substantially higher fines in the event of breaches. These factors have driven the IAM market to continue evolving in both the product feature portfolio and the go-to-market strategies of service providers.
IAM is comprised of two functionally differentiated areas: identity governance and administration (IGA) and access control (AC). IGA is concerned with who has access to what and is primarily focused on governance and risk management. AC is primarily concerned with identity authentication and access provision, subject to the access rules and constraints of IGA. AC also controls what authorized users can do with data in the system. The two functional areas typically have different vendors providing solutions, though there are a few such as IBM that offer leading solutions in both areas. The frontrunners in each specialization are not necessarily the same as those vendors offering a strong combined functionality of both IGA and AC.
Cloud computing is driving two important trends in the changing, competitive IAM landscape. Many vendors are moving IAM from on-premise to the cloud or are building solutions that accommodate both. More customers are also demanding pay-as-you-go models or IAM-as-a-service (IDaaS). These trends have a major impact on established vendors on two different fronts. Porting products that are designed for on-premise usage to run in the cloud requires significant investment by the vendor but offers little in the way of product differentiation as the functionality mostly stays the same. In addition, shifting from a traditional licensing model that involves paying upfront plus a monthly fee significantly affects the provider’s cash flow and, potentially, its ability to invest in R&D.
As a result, many established providers are witnessing a rapid growth of cloud-native IAM products at competitive pricing through an as-a-service business model.
There are many benefits to cloud-based IAM. The service provides single sign-on (SSO) to SaaS solutions such as Microsoft 365, Google G-Suite, Salesforce and other SaaS-based enterprise resource planning (ERP) and human capital management (HCM) options. Cloud-based federated SSO provides secure identification for authorized data access in one place while serving as a proxy to all other applications. IAM solutions can eliminate the sprawl of privacy data to multiple applications and thereby reduce the risk of data breaches.
MFA is a legal requirement in some jurisdictions and is a best practice in IAM. Two-factor authentication (2FA) is generally the default method where MFA is required. Customer IAM (CIAM) is also a growing trend, primarily driven by compliance requirements. Social authentication, which involves an end user signing in through Google, LinkedIn, or another social network ID, is typically not used for authentication into corporate environments.
Competitive positioning is changing significantly along with changes to IAM features being offered. It is likely that this will continue along both fronts into the foreseeable future. Legacy IAM software providers are adding cloud-based services or partnering with managed service providers to be a part of a cloud-based solution. IAM is converging and integrating with other security tool areas such as data protection and data encryption to present as a single, complete solution. Managed security service providers are the vehicles by which much of this is taking place.
In the future, IAM will be different than it is today. Managed service providers (MSPs) will increase their share in the IAM market. More authentication features, such as three-factor and even four-factor authentication, will become commonplace for some use cases. It is early to say whether multi-tenant IAM will prevail as a service, but some providers believe it will. By enabling scalable multi-tenant, cloud-hosted IDaaS, they envision becoming global providers of identity services that would allow everyone to have a single digital identity rather than multiple ones for different enterprise platforms and systems. Blockchain IAM is also being tested by some providers, but no systems in production have yet been identified. For these reasons, IAM has emerged as a highly dynamic security solution both now and for the foreseeable future.
DLP Software Market Trends
Enterprise IT systems, together with today’s threat and regulatory environments, are undergoing rapid change. DLP providers are being forced to respond quickly to keep up. These combined changes have significant consequences for almost all enterprise information security programs. With the increasing threats from both external cyberattacks and internal threats (intentional and unintentional), the need for reliable, user-friendly DLP is gaining importance. New privacy regulations, such as the California Consumer Privacy Act (CCPA) and others, are much more restrictive than in the past and come with substantially higher fines for non-compliance in the event of breaches. This has ensured DLP a place at the top of the list in data protection. DLP has become a required security control, according to some regulations and regulatory bodies. DLP is also an essential component of security frameworks (ISO, NIST, COBIT, etc.) and an important input to user and entity behavioral analysis (UEBA). Consequently, most enterprises consider DLP an essential element of their data protection programs. The DLP market continues to change not only from a product feature perspective but also in the way the protective solution is being acquired by customers and, therefore, in the go-to-market strategies pursued by DLP providers.
The delivery landscape for DLP cloud computing is also changing. Firstly, many DLP providers must continue to offer solutions for legacy, on-premise systems. Secondly and simultaneously, they need to provide a separate solution for applications and services provided through the cloud. In some cases, this means a cloud-based DLP service or the use of cloud access security brokers (CASBs). DLP can be provided through a single cloud-based service depending on the enterprise’s needs and risk tolerance. For this, enterprises are demanding pay-as-you-go (PAYG) models (DLP as a service) as opposed to annual licensing commitments. This is significantly impacting providers from two sides. Making products that are designed for on-premise usage run in the cloud demands considerable investment by the provider while the functionality essentially stays the same. In addition, shifting from a traditional licensing model that involves pre-payment to a pay-per-month model affects the provider’s cash flow and potentially affects its ability to invest in product development. As a result, many established providers are witnessing a rapid growth of cloud-native DLP products offered as-a-service with competitive pricing. DLP software providers are increasingly partnering with managed security service providers (MSSPs) as an essential part of their go-to-market (GTM) strategies to cover a wider market for their products.
DLP tools undertake three primary tasks: discovery, processing and action-taking. For a complete solution, these must be applied to data-in-use (DIU), data-in-motion (DIM), data-at-rest (DAR), and to data used or stored in cloud applications. Different challenges are presented for structured and unstructured data and each must be addressed. Unstructured data is by far the most difficult as it requires capabilities to discover or identify potentially confidential data in numerous formats (Microsoft Excel, Adobe PDF, JPEG, etc.). This creates many different data situations where the possibilities are multiplied together, and DLP tools differ substantially in their abilities to reliably undertake content inspection under all these conditions.
CIOs or CISOs typically make the final decision for DLP solution purchases. However, information security committees or councils are also regularly involved in selecting a solution, as well as in the policies and standards guiding the overall DLP program. Their guidance is important to balance security and risk tolerance with the potential negative effects on the business when automated reporting or transaction blocking is implemented. These governance entities often have a broad membership with representatives from many corporate departments. The CTO, CRO, CCO and CFO may all be involved in, or at least influence, the selection decision. Representatives from HR, Legal and the businesses are also often considered critical contributors. Finally, data owners typically have a significant voice as to how the DLP solution will be used.
Those selecting DLP solutions for their enterprises should view their needs from a wide perspective. Many factors determine the DLP solution or suite of solutions that is optimal for each enterprise. Such factors include the sensitivity of the data being protected, the velocity with which it changes, the need for a visibly compliant solution, tolerance for risk, investigative resource requirements and the net effect on productivity. Appetite for outsourcing, the need for vendor support, partner network, and a product development roadmap that looks to keep solutions current with the changing data security landscape should also be considered.
Strategic Services Trends
The U.S. strategic security services market is driven by companies looking to improve their cyber security programs. Evaluation of current enterprise programs typically generates a gap analysis that can be used as the foundation from which a new security strategy can be developed or an existing one be modified. Many consulting firms offer strategic security consulting in the form of program or security domain (for example, IAM) assessments, compliancy audits, and gap analyses for optimizing resource allocation. Assessments can also measure compliance by scoring a client’s program and capabilities against specific regulations (for example, CCPA, NYDFS, and GDPR), or frameworks and industry standards (for example, CMMI, NIST CSF, and FFIEC CAT). Consultants may employ other methodologies to quantify program and function efficacy or efficiency. Compliancy audits compare the client’s security program’s structure, governance, processes and security and risk management controls against regulatory requirements that apply to the enterprise. These are often consulting firms with their roots in accounting and audit. Their abilities to provide more technical security services for security tool deployment, configuration and maintenance differ considerably.
Some, but not all, technology and managed security services providers offer strategic consulting services, and of those offering security strategy, not all have a robust consulting capability. Some traditional technology outsourcing companies have developed or are buying strategic consulting practices to evaluate programs and identify sales opportunities with existing or new potential clients. Some strategy consulting firms that have the expertise to assess security program maturity, find gaps and make recommendations are buying and building the technical capability to deliver further on their recommendations. In short, there is a lot of acquisition and expansionist activity taking place in the security services arena. Such activities include hiring specialists, entering new partnerships, opening cyber security labs for training, sandboxing experimentation, learning centers and other new service offerings.
As part of program improvement initiatives, U.S. companies are evaluating which skills should remain in-house and whether it is possible to hire and retain qualified personnel to do cyber security work. Strategy consultants help customers answer common questions such as how much security should be outsourced to a managed security provider and what pieces should remain in-house. Strategic security consultants are also helping clients answer more difficult, less technical, questions such as what the enterprise’s risk tolerance for adverse cyber events is. Now that boards of directors must both attest to their knowledge of risks the business faces and provide direction as to how risks should be managed, the role of strategic security consulting has expanded further. Their direct lead-in to the development of security and risk solutions for identified gaps against internal and external requirements includes supporting vendor selection and management and ensures their importance to software vendors and technical and managed security service providers alike. Small and medium-size businesses with less in-house capacity find an attractive overall solution in security providers that offer all three security services as a one-stop cohesive opportunity.
Cyberattacks, phishing campaigns and ransomware are also on the rise and driving the demand for strategic security services. Companies understand that manipulation of financial markets, social media or elections is cyber warfare with the goal of nation-states gaining economic advantage, and none wants to have their reputation damaged by being associated with such criminal activity. Despite their goals and objectives, clients still need to look for risk-balanced security solutions to satisfy their shareholders.
As a result of all these pressures, maturity and compliance assessments have become regular occurrences as companies endeavor to document readiness, demonstrate security program improvement and ensure regulatory compliance with ever more demanding privacy laws. A more mature security program can be a positive business differentiator and provide an attractive selling point for companies when they negotiate with prospective customers of their core business. A third-party verification is preferable to an unvalidated self-assessment, and consequently, threat intelligence is used to inform security decisions. Also, systems failing vulnerability tests require technical patches, upgrades or replacements. Strategic security services are increasingly valuable for clients to satisfy their customers, regulators and shareholders.
Technical Services Trends
Many security solutions and technical security service providers compete in the U.S. market covering all aspects of IT and business. It falls to technical security service providers to determine how best to integrate all these vendor solutions with customer systems and business processes. Despite the considerable number of technical service providers in the U.S. market, gaps still exist. Leading service providers are developing proprietary platforms and interfaces to integrate the varied vendor solutions and plug security gaps.
The U.S. market is fragmented with hundreds of security providers offering services for integration, system stress-testing and training. However, most do not have adequate expertise or delivery capacity for enterprise-level engagements. Some may operate only in a specific region of the country; others may focus on certain sectors, tools or systems. These local players are recognized referral resources for software solution vendors. They take a local slice of business where there is a targeted, ad hoc or small and somewhat regular engagement with the end customer. Consequently, these smaller, niche players are not included in ISG’s Provider Lens Report because they do not handle enterprise-wide implementations.
Service partnerships have developed into the leading sales channel for vendors. They support client relationships and are trusted to estimate system capacity, write requirements and train customer staff. Security products require high-performing appliances and intricate cloud and network configurations. Technical security consultants also match requirements to appliance models and software and design the implementation architecture and project plan.
When considering a new security solution, knowledgeable customers recognize that the skillset of the technical security service provider who will actually engineer, architect and integrate the solution is of equal importance to the functionality of the tool itself. Furthermore, customers are looking to bundle software, hardware and long-term service support for increased savings opportunities. Diversity of security tools and partnerships with vendors ensures that U.S. customers are given the best security solution advice and configuration from service providers.
Managed Security Services Trends
Managed security services are changing from traditional monitor and react models to a more proactive one that includes both defensive and offensive capabilities. Managed detection and response (MDR) includes components of the traditional model where a service provider monitors for anomalies in networks, servers, firewalls, log activity, web traffic, etc., and generates alerts when conditions are outside of expectations. Increasingly, customers are engaging providers to coordinate the incident response team. Cyber security and fusion centers have emerged, not to replace SOCs, but to expand and extend security operations. These centers leverage advanced technologies such as artificial intelligence (AI), machine learning (ML), edge computing, blockchain and other tools that can ingest large volumes of data and produce smart analytics, deliver layered security, push back criminals and open lines of business communication and collaboration, while giving insights into how threats morph, move and multiply.
New security services are critical as configurations change how day-to-day business is conducted across all permutations of LAN, WAN, cloud and web. Many applications that were traditionally in-house and on-premises are now hosted, managed or used as-a-service. Portfolio offerings such as managed (digital) identity (IDaaS), threat hunting, counter-intelligence and cloud security for private, public and hybrid designs are increasingly available. Bundled service packages are now common add-ons, for example, managed detection and response (MDR), endpoint detection and response (EDR), and security and compliance packages, or generalized security hygiene packages. Specialized SOC services exist for industries such as automotive or financial services, as well as for other concentrations such as operational technologies and connected devices (IoT, IIoT and ICS/SCADA).
Customers engage service providers in several different ways. Customers may fully outsource security operations, ceding control and decision-making to service providers and their automated response protocols tied to customized risk tolerances. Other customers will use a subscription or license agreement scenario for a SIEM platform so they can maintain control over operations. Quite a few customers engage MSSPs on a hybrid basis to supplement some existing in-house capacity or skillset with services that fill the gaps or enhance vigilance.
Finally, customers in the U.S. are seeking innovative performance-based contracts where older-style response-time SLAs are irrelevant to a ransomware attack. They seek to share the risk with security service providers when a breach or attack is not prevented. Focus might be placed on functionality and availability of the tool or platform, ensuring analysts act promptly when anomalies occur, and successfully automating actions wherever possible.