The managed security service (MSS) market is fragmented across the Asia/Pacific region, with marked differences in customer expectations and the sophistication of vendor offerings. In this first Gartner MarketScope for Managed Security Services in the Asia/Pacific Region, 12 vendors met the inclusion criteria, while several strong local providers, such as Network Box and Dimension Data, weren't included due to their lack of geographic spread. Multinational providers dominate markets in many Asia/Pacific countries, and they consist of three general groups:

• Telecommunications/WAN providers (BT Global Services, Orange Business Services and Verizon Business)
• Integrators with strong outsourcing operations (Unisys)
• Pure-play security providers with diversified service portfolios (IBM Internet Security Systems, Symantec and VeriSign)

Asia/Pacific providers are growing in number and revenue. This growth is based on a general expansion of the market, and on customer preferences for domestic or regional vendors (DMZGlobal, Earthwave and Paladion). A few Asia/Pacific providers are active in markets outside the region (Seccom Networks and Wipro Technologies). Expansion into Europe and the Americas is a common ambition among many Asia/Pacific providers that have successfully built markets in multiple countries in that region.

Although most providers focus their services on managing and monitoring traditional infrastructure protection mechanisms (such as perimeter firewalls, intrusion detection systems and intrusion prevention systems), some local providers focus on unified threat management (UTM) appliances. Local providers have found that services focused on small and midsize businesses (SMBs) are an effective method for entering the MSS market. Larger, multinational providers tend to focus predominantly on larger enterprises, and are just beginning to package their offerings for the SMB market. Given the smaller size of most Asia/Pacific customers (compared with U.S. organizations), services tailored for SMB budgets and functional requirements are a good fit for many Asia/Pacific clients.

Clients indicated that two issues formed the key criteria for vendor selection:

• Capability of the MSS provider (MSSP) to understand and integrate with client infrastructures and processes
• Clarity and predictability of costs

The first issue has influenced many clients to prefer incumbent service providers. Established system integrators and IT outsourcers have taken advantage of this issue by building security services into their offerings, and by leveraging knowledge of and experience with customer infrastructures and processes (Dimension Data, IBM Internet Security Systems and Unisys). As the MSS market in Asia/Pacific matures, MSSP offerings will become more standardized, which may diminish the advantage enjoyed by incumbent outsourcers and integrators.

Clients mentioned language and cultural dissimilarities as issues that influenced their selection of MSSPs. The Asia/Pacific region encompasses many languages and cultures (MSSPs that participated in this research included organizations with activities in Australia, Hong Kong, India, Indonesia, Malaysia, New Zealand, People's Republic of China, Philippines, Singapore, South Korea, Taiwan, Thailand and Vietnam). MSSP investments in local facilities and staff were a common characteristic among MSSPs that achieved market penetration in multiple countries. Some MSSPs have overcome language and cultural barriers by partnering with local firms for service delivery — particularly for on-site integration and support activities.

Multiple reference customers complained of a lack of clarity in the definition of services, costs and service-level agreements (SLA) in MSSP proposals, contracts and billing. Although price variations are evident in MSS offerings, the lack of a standardized service description introduces complexity into the pricing model and the customer's assessment of service value. Pricing depends on multiple factors, including the scope of the contract, maturity of customer infrastructure architecture, anticipated levels of interaction between the client and the MSSP staff, size of provider and quality of service.

Price sensitivity varies across the Asia/Pacific region. Multiple providers and clients indicated that MSS pricing must be based on local economic factors, rather than a global pricing standard. Although some of the large, multinational MSSPs provide variable pricing based on the service delivery location, the smaller, locally based MSSPs generally are more aggressive with pricing services to suit the local market. Price is only one variable in the evaluation of costs and benefits associated with provider services. In several cases, reference clients using the same MSSP reported divergent assessments of the "value for money" of the service. Reference clients in Australia, New Zealand, India and Singapore indicated a strong understanding of the potential cost and performance benefits of MSS, while reference clients in Hong Kong, Malaysia and Indonesia weren't convinced that the MSS benefits outweighed the costs.

As part of this research, Gartner contacted MSSP clients across the Asia/Pacific region. Most of them were based in Australia or India, while several others were located in Singapore and Hong Kong. Reference clients included end-user companies, government agencies and service resellers. Several client companies were unwilling to discuss their MSS arrangements, which prevented their MSSPs from participating in this study, despite the MSSP's apparent success in the market.

Although MSS has gained a solid footing in several countries in the Asia/Pacific region, the regional market is fragmented, with little penetration into various geographies and industries. Continued market maturation depends on several factors:

• Increased transparency into service pricing and definitions — in local languages and currencies
• Pricing models tuned to local economic factors
• Increased investments in security operations centers (SOCs — see Note 1) in countries other than Australia and India
• Support personnel who speak local languages/dialects

Reference clients provided by the MSSPs consistently rated MSSPs as Good or Excellent, with a few clients indicating that they were unsure about the quality or value of the service they were receiving. These basic ratings enabled most providers to attain a Positive rating, with a few achieving a Strong Positive rating on the basis of their continued investments in innovation and facilities in multiple countries. Three vendors were ranked as Promising, based on innovative approaches to service delivery tempered by limits on the client base and regional presence, and on the availability of reference accounts in the Asia/Pacific region. As indicated in the evaluation criteria below, this MarketScope emphasizes overall viability, geographic orientation and the quality of the customer experience.

All vendors provide management portals for interactions between MSSPs and the client staff. The specific information provided through these portals, and the communication mechanisms employed to augment portal information services, vary widely across providers, with the larger, multinational corporations (MNCs) providing more-comprehensive portfolios of communication methods and information transfers. Portal content and interactions are primarily determined by the provider and don't reflect customer-defined terminology, processes, assets or vulnerabilities. This MSSP-centric approach is reflected in SLAs, which are predominantly focused on internal metrics established by the MSSP. Although the SLAs are reinforced by penalty clauses, customers are unable to consistently identify the relevance of SLAs to critical internal processes and assets.

Providers distinguished themselves by their investments in service improvements and additions, such as:

• Managed services for identity management, authentication management or access management
• Data leak prevention
• Managed security information and event management (SIEM), including log management
• Virtual SOCs (VSOCs — see Note 2)
• Support for customer-managed SOCs

Providers with the capability to guide and support client efforts to demonstrate compliance with local and international regulatory requirements were more successful in all Asia/Pacific countries. Customer premises equipment (CPE) is the most-common MSS deployment model; however, in-the-cloud (ITC) services are growing and are mostly provided by MNCs with a telecommunications or WAN management emphasis (such as Orange Business Services and Verizon Business). Only a few companies offer UTM services (such as Network Box), but they're enjoying considerable success with SMB clients across the Asia/Pacific region.

This MarketScope assessment was performed on the basis of survey data collected in February and March 2008, and on client reference information collected in April and May 2008.

MSS includes remote, subscription-based monitoring and/or management of firewalls, intrusion detection and intrusion prevention functions via customer-premises-based or network-based devices.

To be included in this MarketScope, an MSSP must:

• Have more than 200 customer devices under management or monitoring in the Asia/Pacific region
• Provide the following, via discrete managed services, directly (not resold) to Asia/Pacific user organizations:
  • Managed administration of security infrastructure components
  • Managed remote security incident monitoring and response services
• Be headquartered in the Asia/Pacific region, or have a substantial regional head office in the Asia/Pacific region
• Have a direct or formal channel presence in at least two of the following Asia/Pacific regions:
  • Australia/New Zealand
  • China/Hong Kong
  • Singapore/Malaysia
  • India
• Reference accounts relevant to Gartner customers in the Asia/Pacific region

Not included in this MarketScope are:

• Vendors that have MSS offerings, such as distributed denial-of-service protection or vulnerability scanning, but not device monitoring and management
• Providers of primarily Web/e-mail hygiene services, and trust services (such as certification authorities)

Other providers offer MSS primarily to hosting customers, with limited offerings to others. As these providers expand the scope of their MSS offerings, they may be included in future MarketScopes.

MSS markets are maturing rapidly in the more-prosperous Asia/Pacific countries. Clients' heightened awareness of security risk management and regulatory (industry and legislative) concerns has resulted in steady growth in MSS demand across SMB and enterprise organizations. The diverse nature of Asia/Pacific countries has supported the development of multiple local providers that focus on domestic security concerns. Multinational providers have invested in market development across the region, and have raised customer expectations for and understanding of MSS offerings. As Asia/Pacific countries grow and become more visible in the global economy, the need for demonstrably effective security performance will expand and create a demand for well-defined MSS. Clients' preference for providers with SOCs stimulates investments from local and MNC providers in local facilities, and stimulates staff development, creating a solid base for future expansion of local and remote MSS.

Gartner has forecast a 12% compound annual growth rate for Asia/Pacific MSS from 2006 to 2011. The market forecast for 2008 is $219 million (see "Forecast: IT Security Services, Worldwide, 2006-2011").

Although BT has been active as a telecommunications and network provider in the Asia/Pacific region for several decades, it only entered the MSSP market during the past three years. The purchases of Counterpane Internet Security, Infonet and INS (International Network Services) enabled BT's market entry, and supported BT in providing a broad portfolio of services to the region. BT's Asia/Pacific clients receive MSS through a combination of local BT staff and VSOCs in India and Japan, because BT hasn't established a dedicated SOC facility in the region. BT's recent purchase of Frontline Technologies greatly expanded its professional IT management services in the region, and provided it with access to the iASPire network operations center (NOC) in Singapore. Integration with customer infrastructure has been managed well, with a blend of CPE, ITC and UTM product and service offerings deployed; however, customers are complaining about a lack of clarity in SLAs and service proposals, which may hamper BT's efforts to accurately represent its capabilities. Continued success in the region will depend on BT's capability to leverage Frontline customer management to expand security services.

Strengths: BT's investment in Frontline indicates a strong commitment to the region, and customers consistently give BT good marks for service and responsiveness.

Challenges: As an MNC, BT must continue to develop service portfolios and pricing models that are fine-tuned to the needs of customers in each country. The integration of Frontline's professional service staff and offerings will have a major impact on customer confidence.

Optimal-Use Case: Organizations that require a common approach to security implemented globally

Rating: Strong Positive

Established in 2001 as an MSSP in New Zealand, DMZGlobal is now owned by TelstraClear, the New Zealand subsidiary of Telstra Corporation, which is the primary telecommunications company for Australia. Although DMZGlobal provides MSS through Telstra, it also maintains direct service delivery and sales. DMZGlobal is a small provider that just barely meets the inclusion criteria for this MarketScope, but it has strong potential as a supplier of white-label security services to be resold by IT services and telecommunications organizations in the region. Provisioning quality services at competitive prices has strengthened DMZGlobal's position in its local market, but portal enhancements are required to maintain a competitive advantage as other providers move into DMZGlobal's traditional client base. DMZGlobal's geographic coverage is limited, and future expansion may be constrained by limits set by Telstra. Continued success in the region will depend on DMZGlobal's capability to expand its sales channels and service delivery channels through partnerships and investments in additional SOCs.

Strengths: DMZGlobal's SOC facilities and staff receive high customer ratings for skill, flexibility and understanding clients' business drivers.

Challenges: Telstra maintains relationships with other MSSPs for internal and external applications. DMZGlobal's continued growth requires a clear strategy that's demonstrably supported by Telstra for the expansion of services and target markets across the region.

Optimal-Use Case: Organizations in New Zealand or Australia that require a strong local provider, but don't require services outside these countries

Rating: Promising

Earthwave provides a large MSS portfolio supported by multiple SOCs located in Australia. Earthwave delivers all services through local partners/resellers. This approach has enabled it to focus investments on the development of service capabilities, while leveraging local expertise provided by partners. Although ITC services are available from Earthwave, the bulk of its services is based on a combination of CPE and ITC services. Strong partnerships with equipment manufacturers enable Earthwave to maintain a technology lead over many competitors, and to strengthen customer relationships through the introduction of innovative solutions. Earthwave has demonstrated its capability to package services and pricing to meet local expectations and budgets in multiple countries. Earthwave's continued success depends on its management of the sales/service channel, and its capability to increase support for customers outside Australia. Customers consistently rate Earthwave's performance as Excellent, and indicate that the transparency of Earthwave's SLAs, business models and offerings is a strong factor in customers' selection of the vendor.

Strengths: By focusing exclusively on an MSSP business model, Earthwave has created an effective service portfolio at an aggressive price. Its extensive partnership network and tight integration with local providers gives good support to widely distributed clients.

Challenges: Expansion of markets outside Australia will require Earthwave to invest in SOC capabilities outside the country.

Optimal-Use Case: Asia/Pacific organizations that require well-defined MSS that's delivered regionally

Rating: Positive

IBM has successfully leveraged its purchase of Internet Security Systems into a broad portfolio of security services delivered globally. IBM's extensive presence throughout the Asia/Pacific region provides a nearly ubiquitous sales/service entry point for Internet Security Systems' remote and local (Tokyo) SOCs. The integration of Internet Security Systems' customer management into IBM's two-tier partnership model has enabled the rapid expansion of security services into customer relationships, but also has led to customer complaints of inappropriate sales pressures, rather than optimization of services. Internal separation of service portfolios doesn't mirror the customer's viewpoint, and has produced delays in security incident escalation and response, as well as discrepancies in the knowledge of customer infrastructures between local and remote support teams. Despite these issues, IBM Internet Security Systems has consistently performed well in customer assessments. Success in the Asia/Pacific region depends on IBM Internet Security Systems maintaining strong performance for IT and security service customers, and resolving performance issues related to internal organizational boundaries.

Strengths: Tight integration with other IBM services, and a clear record of innovation and performance in Internet Security Systems services, provides strong support for client requirements.

Challenges: Critical to improving customers' experiences with IBM Internet Security Systems will be streamlining internal procedures for incident management and reporting, to remove communications and process gaps.

Optimal-Use Case: MNCs that require a global provider with strong vulnerability management capabilities

Rating: Strong Positive

Orange Business Services has effectively expanded the Asia/Pacific security service coverage that was established by Equant, prior to its merger with France Telecom. Orange's global WAN capabilities have enabled the provisioning of comprehensive WAN security for multinational clients, based on the remote management of CPE. Recent investments in Indian facilities and staff have added an SOC in India, compared with the established SOCs in Australia, the U.S. and Europe. Orange has targeted its efforts at MNCs and large corporations requiring secure WAN services. This approach limits its market potential, but enables the global optimization of services and pricing for target customers. Orange's investment in internal service and staff development is evident in many corporate and individual security certifications, but local companies' uptake of services remains low. Innovation hasn't been a strong feature of Orange's development path, or of the established portal services, but its recent UTM offering was an early worldwide rollout of this service. The Positive rating is sustained by consistent performance regarding customer requirements.

Strengths: Building on the experience of Equant, Orange has extensive knowledge and a proven track record in managing networks in every Asia/Pacific country.

Challenges: Emphasis on Orange's networking services as the backbone of security service provisioning restricts Orange's market for MSS; however, Orange has developed relationships that enable security service provisioning via other networks. MSS growth is closely aligned with the expansion of Orange's network services.

Optimal-Use Case: Organizations that already use Orange's WAN services, and MNCs that require a common security service provided globally in nearly every country

Rating: Positive

Paladion provides MSS as an extension of a strong professional service practice focused on security risk assessment and management. This "high touch" service enables Paladion to develop customer solutions that are customized to specific environments and performance requirements. Paladion works exclusively with CPE and offers remote management and monitoring, as well as a cosourced approach, with Paladion staff stationed at customer sites, working in concert with customer staff. Although this approach enables high levels of customization and close integration, it also severely limits Paladion's capability to expand services into remote locations without first establishing professional services there. Pricing is very aggressive and customer satisfaction is high, although customers have noted Paladion's staffing levels as an issue affecting service growth. Paladion gains a Promising rating due to its innovative, cosourced service delivery model and application security services. Paladion's continued success in MSS depends on its capability to build and maintain staff numbers, and skill levels, in target markets.

Strengths: Paladion's professional service staff is highly skilled and provides excellent support for customers making the transition to MSS.

Challenges: Paladion's expansion in the region will require significant investments in staff and facilities, if Paladion maintains strict adherence to its engagement model.

Optimal-Use Case: Asia/Pacific-based organizations that require strong professional service support for the design, implementation and management of security infrastructures and processes

Rating: Promising

Seccom Networks operates an NOC and an SOC in Australia, and provides CPE-based MSS throughout the Asia/Pacific region and ITC services for Australian clients. Seccom's core offering is based on the Fortinet product family. Customers can provide their own Level 1 and Level 2 change control for Seccom equipment, if they choose to, or Seccom can provide complete service management. Seccom uses local sales partners to establish a local presence, and has succeeded in establishing productive partner relationships in most Asia/Pacific countries. Seccom offers comprehensive support for Fortinet systems and can expand support relationships into MSS relationships. Seccom has suffered from insufficient staff resources, but recent growth appears to be satisfying most customers. Expansion into the U.S. market was recently announced, with the appointment of a senior U.S. executive to lead the service expansion. Seccom's continued success depends on its capability to successfully manage a large partner network, to maintain sufficient facilities and staff to satisfy customer requirements, and to support geographic expansion.

Strengths: Seccom's deep knowledge of the Fortinet product line enables it to provide strong support for Fortinet deployments and management.

Challenges: Expansion into more-remote markets inside and outside the Asia/Pacific region will require investments in additional facilities, staff and service capabilities to meet local market requirements for functionality and service quality. Seccom's exclusive focus on Fortinet products restricts its market to organizations that are prepared to commit to Fortinet's capabilities.

Optimal-Use Case: Organizations requiring support for Fortinet deployments, and organizations that are infrastructure-neutral and require a regional MSS provider

Rating: Positive

Symantec has established a solid presence throughout the Asia/Pacific region and has effectively leveraged its reputation in malware control to build a successful MSS. SOCs in Australia and India support service delivery in the region, including a robust portal environment that supports management and technical reporting. Symantec develops professional services in the region to support customer needs for security consulting and service "onboarding." Symantec's global approach to service definition and delivery provides a good fit with MNCs and large enterprises, but lacks the flexibility sought by SMB clients. Symantec merits a Strong Positive rating based on its extensive customer service channel, global intelligence capability and extensive partner network.

Strengths: Symantec's exclusive focus on security has enabled the construction of a deep portfolio of security services, products, intelligence and delivery channels.

Challenges: Local expansion of Symantec's MSS market will require effective professional services in multiple countries, as well as increased flexibility in service and pricing models.

Optimal-Use Case: Enterprises (local, regional and multinational) that require MSS with strong malware management, intelligence and prevention capabilities

Rating: Strong Positive

Unisys provides MSS as an extension of its IT management, business process outsourcing and system integration service portfolios. As a result, the client base for security services is limited to established clients for these other services. Unisys offers security services that extend into the core of customer infrastructure and include direct management of desktop endpoint protection systems, as well as traditional perimeter controls. Customers have praised Unisys' services, despite occasional lapses in quality related to internal organizational changes. Continued success for Unisys will depend on its capability to define MSS as a core offering that can be marketed directly to clients that aren't already using other Unisys services.

Strengths: Unisys has well-established IT management capabilities, which provide strong support for complex integration and infrastructure management projects. Unisys can augment MSS with ancillary services, including identity management, identity verification and surveillance systems.

Challenges: Expansion of Unisys' MSS client base is limited to its established client base for other IT services. Marketing MSS as a stand-alone service will require investments in marketing and internal processes.

Optimal-Use Case: Organizations that use Unisys for nonsecurity IT services

Rating: Positive

VeriSign's portfolio of security services is based on capabilities gained from its acquisition of Guardent. VeriSign relies on channel alliances and managed service partners for sales and customer support in most Asia/Pacific countries. Partners deliver VeriSign services through the TeraGuard platform, which requires significant upfront investment from the partner. VeriSign is attempting to sell its MSS division, including the iDefense Labs intelligence services, which customers view as high-value services. Although clients report high levels of satisfaction with service delivery, VeriSign's global service model results in services that are viewed as U.S.-centric, with modifications required to fit local requirements. VeriSign attains a Positive ranking based on its consistent performance for clients, but Gartner clients should closely monitor VeriSign's progress during the sell-off of its MSS division to minimize the impact of potential service disruptions (see "Wait for More Detailed VeriSign Enterprise Security Plans").

Strengths: The TeraGuard platform offers a well-defined set of services that provides transparency into SLAs and proposals.

Challenges: The potential sale of VeriSign's MSS capabilities places the longevity of its functionality and delivery models in question. Resolving this issue is critical to the long-term development of VeriSign's MSS in the region.

Optimal-Use Case: Organizations that have local access to a VeriSign partner, and providers that have sufficient local demand to support investing in TeraGuard for local deployments

Rating: Positive

Verizon Business is a global telecommunications provider that has diversified into security services via acquisition of Cybertrust (previously Baltimore Technologies, SecureNet, TruSecure and Ubizen). It operates SOCs in Australia (Canberra) and supports customer SOCs in other Asia/Pacific countries. Regional MSS is primarily based on CPE, but Verizon Business also provides a large, managed gateway service for the Australian federal government. Verizon Business maintains a direct sales and customer support staff in multiple countries, including a professional service staff that offers a variety of security consulting services. Although firewall management services meet customer needs, Verizon Business' incident escalation and reporting processes could be improved in some areas.

Strengths: The acquisition of Cybertrust provides Verizon Business with a diverse set of security assets that enables the provisioning of robust services backed up by strong security intelligence.

Challenges: The effective integration of Cybertrust capabilities with Verizon Business' sales and service channels will determine its rate of growth in the region.

Optimal-Use Case: MNCs requiring globally deployed security services, and major enterprises requiring managed gateways and support for local SOC development

Rating: Strong Positive

Wipro is based in India and provides outsourced IT management and system integration services. The primary focus of Wipro's offshore security service efforts have been in the Middle East and Europe, but investments in Malaysia, Indonesia and South Korea are supporting market development efforts in the Asia/Pacific region. Wipro's professional service offering has been well-received throughout the region, and has enhanced the visibility of Wipro security services; however, MSS uptake has been limited outside India. Wipro's security services are well-structured, comprehensive and strongly supported by skilled staff. We've rated Wipro as Promising because customer references are unavailable in the region. Gartner clients should exercise caution and obtain multiple customer references as part of assessing Wipro's MSS offerings in the Asia/Pacific region.

Strengths: Wipro's professional service staff provides a strong knowledge base for designing and managing security infrastructure integration projects. Wipro has demonstrated a capability to provide flexible, aggressive pricing without sacrificing quality of service.

Challenges: Wipro's emphasis on expansion into the Middle East and Europe hasn't been matched by activities in the Asia/Pacific region. Wipro must increase marketing and service delivery investments in Singapore, China and Australia to expand its market into the Asia/Pacific region.

Optimal-Use Case: Organizations that rely on Wipro for professional services, and enterprises based in India or Malaysia

Rating: Promising