Market Share Analysis: Security Consulting, Worldwide, 2012
The security consulting service market grew 5.8% from 2011 to 2012, driven largely by advanced attacks, incident response and mobile security demands.
- The top 10 consulting providers accounted for 51% of the total security consulting service market.
- Security-specific system integration providers like FishNet Security and Accuvant, which focus their efforts on security alone rather than supporting a broader portfolio of general IT services offerings, have seen strong growth during the last year.
- The Greater China region posted the strongest year-over-year growth, at 27%, fueled by the expansion of regional regulatory mandates and by efforts to address data security concerns arising from China's increasing integration into the worldwide economy and supply chains.
- As more global organizations increase interactions with third-party entities based in China, the organizations are incorporating security requirements that these entities must fulfill, which increases local demand for security consulting.
Table of Contents
- Market Share Data
- Overall Market Segment Performance Analysis
- Top Vendors Analyzed
- Other Notable Vendors
- Mergers and Acquisitions
In Table 1, Gartner estimates the market share of major service providers in the worldwide security consulting service market.
Source: Gartner (May 2013)
The security consulting service market grew 5.8% from 2011 to 2012. In 2012, the top 10 security consulting firms accounted for 51% of the market. Security-specific system integrators, such as FishNet and Accuvant, had significant revenue growth on a percentage basis. Audit firms accounted for the largest overall revenue growth in the marketplace from 2011 to 2012 since they command the greatest overall portion of revenue in the market.
Gartner believes many organizations continue to seek security-specific specialists and guidance to address the heightened risks seen in the IT landscape. Based on Gartner's IT key metrics data (see "IT Key Metrics Data 2013: Key Information Security Measures: by Industry"), the most spending in the security marketplace has been in industries like software publishing, Internet services, government, professional services and insurance. These organizations represent the biggest opportunities for consulting providers in the security consulting market.
Many organizations are looking to cope with compliance or security-related risks and to address advanced techniques used by hackers in recent well-publicized and successful data breaches and denial-of-service attacks. These high-profile events elevate market demand by increasing the visibility of security risks globally, and they serve as an inflection point, signaling that some organizations are losing the battle against attackers that target companies and networks globally. Many of the top 10 security consulting providers have adjusted their go-to-market strategy by offering incident response services, advanced threat protection and assessment services, as well as other extended security services to address additional risks introduced by newly deployed mobile devices and applications.
Security consulting market participants face a challenging landscape of regional dynamics and competitors that must be continually factored into the development of each participant's offerings. Such continuous adjustment is necessary in service markets to ensure that service companies stay connected to clients' changing consulting demands. Organizations worldwide continue to roll out virtualization technologies and cloud infrastructure, and therefore need consultants to evaluate the security ramifications of these rollouts. Additionally, organizations continue to drive cost efficiencies by utilizing third parties for commoditized business operational functions and manufacturing. Use of third-party entities expands security risks, which results in demand for extensive risk assessment engagements that require additional resources and security consulting.
When organizations span regions, clients often demand low travel costs, consultants who speak their own language(s) and customized offerings that adhere to the latest regulatory and risk landscape changes. These competitive dynamics are especially important in highly competitive deals at larger clients. Many large organizations are mandated by their management to seek competitive shortlists and bids from multiple participants, and providers that meet these demands strengthen their competitive position within the security consulting client base.
Regulations and other legal mandates, as well as geopolitical hacking concerns, are often specific to the country where a particular organization is located or where a client organization is doing business. This means that security consulting providers must continually maintain a significant knowledge base relevant to each country or geography where they do business. Providers must customize their solutions appropriately and regularly educate their security consultants, as well as update relevant security assessment programs to keep pace with changing consulting needs (which is not always an easy proposition). Each of these factors adds to the complexity of competition, especially for market participants desiring to expand into other countries or specific regions where they have no expertise. For more information on regional regulatory mandates worldwide, see "Competitive Landscape: Professional Security Consulting Services, Worldwide, 2013."
Greater China has the strongest growth rate, at 27% (see Table 2), followed by the emerging Asia/Pacific region, with 17.7% growth. These significant growth numbers are attributed to regional regulatory expansion and to increased demand within the retail and financial services sectors to address the Payment Card Industry Data Security Standard (PCI DSS).
Source: Gartner (May 2013)
In Table 3, we examine the distribution of security consulting revenue versus the distribution of consulting revenue in our IT services market share. The distribution is fairly even when comparing the two markets; however, there are some regional differences, with higher proportions of security consulting in particular regions. The dominating factor in these dynamics is that some organizations lag behind those in more mature economies, and therefore are only now addressing regulatory and security demands as the market (which is largely dominated by North America, with 43.8% of the distribution) expands across the globe.
Source: Gartner (May 2013)
Figure 1 shows the differences regionally on a percentage basis. It is easy to see that some areas of the globe are likely to expand their security consulting needs dramatically during the next several years as they further address their own data center and security demands and as regulatory requirements evolve to address systemic risks. Gartner believes the largest opportunities for global security service providers continue to originate in the emerging Asia/Pacific and Greater China regions, with relatively strong forecast growth through 2016 (see "Forecast: Information Security, Worldwide, 2010-2016, 4Q12 Update").
One of the many reasons security consulting market revenue is so large in North America is that the United States has more data centers than any other country in the world. Gartner estimates that the total number of midsize, enterprise and large data centers in the United States will top 5,447 (see "Forecast: Data Centers, Worldwide, 2010-2016, 4Q12 Update"). This means that this region has the most significant amount of infrastructure that must address security risks and regulatory requirements. This large infrastructural footprint, combined with growing regulatory pressures during the last few years (especially for data privacy and data breach notification), has significantly increased demand for security consulting to address organizational concerns.
Source: Gartner (May 2013)
In Figure 2, Gartner found the largest revenue growth in the security consulting market came from the Greater China region, with a growth rate of 27% from 2011 to 2012. Organizations in Greater China continue to increase their security expenditures to address security risks and regulatory pressures both inside and outside of the country. As more external organizations increase interactions with organizations based in China, these new partnerships often incorporate security-specific mandates. Further, the desire of the external partners to engage local security consultants to evaluate Chinese companies creates heightened regional demand. Regional growth in Greater China is also being affected by China's interest in engaging in business with organizations in the emerging Asia/Pacific region, where legal mandates for data protection have emerged recently (for example, Singapore's data protection laws).
Gartner revenue estimates for emerging Asia/Pacific place this region with the second-highest growth rate of 17.7%. This regional growth is driven largely by data protection regulatory demands, as well as security assessment and compliance consulting to perform PCI DSS preassessments. During vendor interviews, Gartner observed that several regional banks were in the process of focusing on compliance with the PCI standards, and that the PCI standards council and the card networks were pressuring regional organizations to comply.
Source: Gartner (May 2013)
In Table 4, clients can examine the top five security consulting providers by region and revenue in each region. In Western Europe, PwC continues to dominate by competing heavily in deals against KPMG, Deloitte, Ernst & Young and Accenture. In Sub-Saharan Africa, the top provider is Ernst & Young, focusing its marketing efforts on IT risk and assurance services in the region. In North America, Deloitte dominates in the No. 1 position, above Ernst & Young, Booz Allen Hamilton, PwC and IBM. Deloitte offers an extensive lineup of security consulting offerings, including enterprise application integrity, identity and access management, and it is well-known for risk management and privacy consulting practices. In Asia/Pacific and Greater China, organizations tend to shortlist the more technically focused consulting firms over audit and accounting firms.
Source: Gartner (May 2013)
Based on Gartner estimates, Deloitte is the world's largest IT consulting firm, as well as the largest security consulting services firm (see "Market Share: IT Services, 2012" for Gartner's IT consulting estimates). The company grew 14%, with its IT consulting revenue growing from $878 million to just more than $1 billion in 2012. Deloitte offers a comprehensive array of security consulting services as part of its Audit and Enterprise Risk Services, which include risk assessment, compliance assessment, security framework development and many other security-related consulting offerings. During the last several years, Deloitte has focused quite a bit on growing its security practice. The company has established solid branding around its Center for Security & Privacy Solutions, which helps it engage and brand itself with corporate clients. The company has seen some recent activity with government clients by directly marketing to the concerns of government clients for its cybersecurity service offerings. The company recently released survey results from its "tech trends" Dbriefs webcast survey of 1,749 business professionals, which indicated that one in four respondents reported at least one cyberattack during the past year, which provided it with a strong marketing message for its security practice globally. One reason Deloitte succeeds against the four other top firms is that its global delivery network is the largest and most mature compared with those firms.
Ernst & Young is estimated as the world's second-largest security consulting company. Its security consulting revenue grew from $826 million in 2011 to $966 million in 2012, a 16.9% growth rate. The company offers both risk and assurance services in which it focuses on developing risk management capabilities within its clients. The company offers threat and vulnerability assessment services, which include traditional infrastructure assessments, social engineering assessments, application assessments, data loss prevention assessments, as well as application security training, ongoing enablement services and cloud security assessments. The company has recently oriented its marketing toward assessment of advanced threats, also called "advanced persistent threats," to take advantage of revenue demand in this area of client concern. The company also published a privacy trends 2013 report that helps market its privacy development and data protection consulting engagement capabilities. Significant services that support its strong growth rate against competitors include its disaster recovery and business continuity, regulatory compliance and investigation services for fraud and incident response, which are in high demand with many customers worldwide.
PwC is the third-largest technology service provider in the security consulting market, growing from $671 million in 2011 to $807 million in 2012, with a strong growth rate of 20.3%. The company has an extensive IT security, privacy and risk practice that is focused on reduction in cybercrime risks, effective spending for security, risk management that extends to third parties, brand integrity protection, improved asset management and reduction in the cost of security-related compliance. The company offers traditional data center and infrastructure consulting, as well as cloud-specific security, as do many of the other top firms in the security consulting market. The company also provides digital forensics for incident response and legal e-discovery client needs as organizations continue to respond to advanced attacks and targeted malware.
IBM is the fourth-largest security consulting service provider in the security consulting service marketplace, with an estimated $721 million revenue in 2011 that declined 1.5% in 2012 to $710 million. Although IBM is a significant security software provider, it also has a significant security consulting practice designed to provide clients with security consulting services for security governance, infrastructure security assessment, application security assessment, data security assessment, identity and access management program development, and physical security consulting engagements. The company also offers extensive incident response, legal e-discovery and forensic analysis services as security consulting offerings. The company has done well in the Greater China region, where customers continue to see the company as a significant business partner and brand.
KPMG is estimated to be the world's fifth-largest security consulting company. The company grew its revenue from an estimated $478 million in 2011 to $514 million in 2012. As part of KPMG's risk consulting practice, it offers IT advisory services that contain practice areas to support client goals like information protection, business resilience, and IT governance, risk and compliance consulting. In the company's management consulting practice area, it offers IT governance consulting. The company's latest marketing efforts focus on transforming risks into business opportunities for growing its clients' profits. The company also offers digital forensic and e-discovery consulting services, which help clients address digital discovery for legal cases and incident response and investigate potential data breaches.
Booz Allen Hamilton was estimated by Gartner as the sixth-largest security consulting service provider globally. Its estimated security consulting revenue of $430 million in 2011 grew to $454 million in 2012, with a 5.6% growth rate. Although the company has an extensive array of service offerings for the commercial sector, Booz Allen Hamilton had its greatest success with government-related security consulting efforts as it has a long history as a government contractor in the United States. This long history makes it easier to gain revenue from these entities as a trusted provider in extensive engagements that require "top secret" and "secret" security clearance. Many of its engagements involve consulting with federal entities, such as the National Security Agency and Department of Homeland Security, as well as other relationships with Department of Defense agencies. It also continues to be a significant provider for many other sensitive government-related security consulting engagements. The company specializes in incident response, pre-emptive response, integrated remediation and cybersecurity intelligence solutions, utilizing advanced cyberanalytics and its extensive computer network defense security operations center capabilities to enhance its security consulting offerings.
Accenture is a global management consulting and technology service company. Its extensive portfolio of consulting services includes security risk management and assessment services. Accenture's revenue in the security consulting market grew by 4.4%, from an estimated $385 million in 2011 to $402 million in 2012. Although Accenture is most well-known for its implementation services, it also offers a broad array of security consulting services that include application security assessment, security strategy development, risk management, security governance, business continuity and disaster recovery planning, data protection consulting, privacy consulting, and security transformation. The company also offers compliance preassessment and remediation consulting for PCI DSS. Accenture focuses much of its growth efforts on the healthcare vertical, but also services many other verticals with its portfolio of offerings, which allows it to execute well in these areas of its business.
HP, one of the largest comprehensive software and service portfolio companies, had estimated revenue of $336 million in 2011 that grew to $347 million in 2012, with a growth rate of 3.4%. Although the company continues to move through several disruptive events, including an accounting scandal and its recent Autonomy purchase, HP continues to grow, despite growth rates lower than the overall market. To combat this situation, it has enhanced its security consulting offerings during the last year. For example, the company expanded its consulting services to include security operations center planning and development, extending its current offerings for vulnerability management program development, digital investigation services, security metrics and reporting consulting, and security risk and control assessment. The company takes a life cycle approach to information security with its ATOM (assess, transform, optimize and manage) security life cycle. Organizations seeking to optimize their information security operations favor this approach and often select HP as their preferred security consulting provider because of this focus area.
SAIC is the ninth-largest security consulting service organization globally, with estimated 2011 revenue of $163 million, growing by 8.6% to $177 million in 2012. With an extensive government contracting background, SAIC offers security consulting services to both government and commercial entities. The company's offerings help these clients assess their security programs and current security risk posture, as well as educate client organizations on best practices for systems and application security. The company recently joined the Microsoft Security Development Lifecycle Pro Network to support its rollout of application security review and testing services. SAIC also specializes in PCI DSS preaudit assessments, security program development, digital forensics, e-discovery, security incident response, and disaster recovery and business continuity consulting. Notably, the company also focuses on security consulting for supply chain security risks, which has been top of mind for many government entities, especially given the recent passage of a U.S. congressional spending bill restricting federal entities' purchases of Chinese-made electronics. During the last year, Gartner has also seen increased demand from organizations seeking ways to evaluate the security controls of third-party supplier organizations, which also benefits SAIC's security consulting practice.
The RSA security division of EMC is the world's 10th-largest security consulting service company. RSA's estimated security consulting revenue of $149 million in 2011 grew to $167 million in 2012, with a growth rate of 11.7%. The company has extensive security experience, with a broad portfolio of product offerings to complement its security consulting services. In the security consulting landscape, RSA provides extensive services to help customers with assured availability, business continuity, fraud and identity management, governance, risk and compliance, information governance, mobile device security and trusted cloud. The company focuses on advanced threats, and helping organizations build security operations centers is a key ingredient of its growth within the security market.
The following security consulting providers have been selected either because they have had significant growth in the security consulting market or they are often included in Gartner clients' shortlists.
Accuvant has the strongest overall revenue growth in the security service market, with an estimated 25% gain in overall security service revenue. Gartner believes this growth is attributed largely to its purely security-focused market participation. The company offers security program strategy and program development, security research and intelligence consulting services, risk assessment and penetration testing services, as well as application security consulting and malware analysis services. The company also specializes in performing smart meter security assessments for the energy sector.
FishNet has grown its security consulting practice through a number of acquisitions across the United States. With most of the company's overall revenue coming from security technology resale activities and adjunct implementation services, the company continues to have a significant and growing security consulting service practice. In 2011, the company earned an estimated $81 million in the security consulting market and grew its security consulting revenue by an estimated 16% to $94 million. In January 2013, Investcorp acquired a majority stake in FishNet.
Table 5 shows the notable mergers and acquisitions in 2011.
Source: Gartner (May 2013)
To arrive at the security consulting estimates for each provider in this market share, Gartner used a percentage allocation model applied to the market estimates in "Market Share: IT Services, 2012," examining the "consulting" subsegment.
Security consulting services are security-specific advisory services that help companies analyze and improve the efficiency of their business operations and technology strategies for security. Security consulting services include security-related business and IT consulting and security assurance, but exclude security audit work that results in attestation of security controls for audit purposes. Our security consulting service definition also does not include product or service implementation consulting efforts, nonsecurity-related consulting or managed services.
Examples of security consulting activities include:
- Assessments of compliance against security mandates (excluding efforts that include a final attestation for audit purposes)
- Business and IT security risk assessments
- Application code security review
- Strategic security program review
- Security program development activities
- Security program maturity assessments
- Other security-related consulting efforts