Market Share Analysis: Security Consulting, Worldwide, 2012

16 May 2013 | ID: G00245586
Analyst(s): Lawrence Pingree

The security consulting service market grew 5.8% from 2011 to 2012, driven largely by advanced attacks, incident response and mobile security demands.

Overview

Key Findings

  • The top 10 consulting providers accounted for 51% of the total security consulting service market.
  • Security-specific system integration providers like FishNet Security and Accuvant, which focus solely on security rather than supporting a broader portfolio of general IT services offerings, have seen strong growth during the last year.
  • The Greater China region posted the strongest year-over-year growth, at 27%, fueled by the expansion of regional regulatory mandates and by data security concerns arising from China's increasing economic and supply chain integration worldwide.
  • As more global organizations increase interactions with third-party entities based in China, the organizations are incorporating security requirements that these entities must fulfill, which increases local demand for security consulting.

Market Share Data

In Table 1, Gartner estimates the market share of major service providers in the worldwide security consulting service market.

Table 1. Top 10 Security Consulting Providers' Worldwide Market Share, 2011-2012 (Millions of Dollars)

2011 Rank | 2012 Rank | Rank Change | Company                     | 2011 Revenue | 2012 Revenue | Annual Growth Rate (%) | 2012 Market Share (%)
1         | 1         | -           | Deloitte                    | 878          | 1,001        | 14.0                   | 9.3
2         | 2         | -           | Ernst & Young               | 826          | 966          | 16.9                   | 8.9
4         | 3         | +1          | PwC                         | 671          | 807          | 20.3                   | 7.5
3         | 4         | -1          | IBM                         | 721          | 710          | -1.5                   | 6.6
5         | 5         | -           | KPMG                        | 478          | 514          | 7.5                    | 4.8
6         | 6         | -           | Booz Allen Hamilton         | 430          | 454          | 5.6                    | 4.2
7         | 7         | -           | Accenture                   | 385          | 402          | 4.4                    | 3.7
8         | 8         | -           | HP                          | 336          | 347          | 3.4                    | 3.2
9         | 9         | -           | SAIC                        | 163          | 177          | 8.6                    | 1.6
12        | 10        | +2          | EMC (RSA Security Division) | 149          | 167          | 11.7                   | 1.5

Source: Gartner (May 2013)

Overall Market Segment Performance Analysis

The security consulting service market grew 5.8% from 2011 to 2012. In 2012, the top 10 security consulting firms accounted for 51% of the market. Security-specific system integrators, such as FishNet and Accuvant, had significant revenue growth on a percentage basis. Audit firms accounted for the largest overall revenue growth in the marketplace from 2011 to 2012 since they command the greatest overall portion of revenue in the market.

Gartner believes many organizations continue to seek security-specific specialists and guidance to address the heightened risks seen in the IT landscape. Based on Gartner's IT key metrics data (see "IT Key Metrics Data 2013: Key Information Security Measures: by Industry"), the most spending in the security marketplace has been in industries like software publishing, Internet services, government, professional services and insurance. These organizations represent the biggest opportunities for consulting providers in the security consulting market.

Many organizations are looking to cope with compliance or security-related risks and to address the advanced techniques used by hackers in recent well-publicized and successful data breaches and denial-of-service attacks. These high-profile events elevate market demand by increasing the visibility of security risks globally, and they signal that some organizations are losing the battle against attackers that target companies and networks worldwide. Many of the top 10 security consulting providers have adjusted their go-to-market strategy by offering incident response services, advanced threat protection and assessment services, as well as other extended security services to address the additional risks introduced by newly deployed mobile devices and applications.

Regional Markets

Security consulting market participants face a challenging landscape of regional dynamics and competitors that must be continually factored into the development of each participant's offerings. These continuous changes are necessary in service markets to ensure service companies continuously connect to clients' changing consulting demands. Organizations worldwide continue to roll out virtualization technologies and cloud infrastructure, and therefore, need consultants to evaluate the security ramifications of these rollouts. Additionally, organizations continue to drive cost-efficiencies by utilizing third parties for commoditized business operational functions and manufacturing. Use of third-party entities drives an expansion of security risks, which results in demand for extensive risk assessment engagements that require additional resources and security consulting.

When organizations span regions, clients often demand low travel costs, consultants who speak their own language(s) and customized offerings that adhere to the latest regulatory and risk landscape changes. These competitive dynamics are especially important in highly competitive deals at larger clients. Many large organizations are mandated by their management to seek competitive shortlists and bids from multiple participants, and providers that address these factors strengthen their competitive position within the security consulting client base.

Regulations and other legal mandates, as well as geopolitical hacking concerns, are often specific to the country where a particular organization is located or where a client organization is doing business. This means that security consulting providers must continually maintain a significant knowledge base relevant to each country or geography where they do business. Providers must customize their solutions appropriately and regularly educate their security consultants, as well as update relevant security assessment programs to keep pace with changing consulting needs (which is not always an easy proposition). Each of these factors adds to the complexity of competition, especially for market participants seeking to expand into other countries or specific regions where they have no expertise. For more information on regional regulatory mandates worldwide, see "Competitive Landscape: Professional Security Consulting Services, Worldwide, 2013."

Greater China has the strongest growth rate, at 27% (see Table 2), followed by the emerging Asia/Pacific region, with 17.7% growth. These significant growth numbers are attributed to regional regulatory expansion and increased demand within the retail and financial services sectors to address the Payment Card Industry Data Security Standard (PCI DSS).

Table 2. Annual Revenue by Region: Security Consulting Services, Worldwide, 2011-2012 (Millions of Dollars)

Region                       | 2011 Revenue | 2012 Revenue | 2012 Market Share (%) | 2011-2012 Growth (%)
Eastern Europe               | 97           | 102          | 0.9                   | 5.5
Emerging Asia/Pacific        | 231          | 271          | 2.5                   | 17.7
Eurasia                      | 68           | 77           | 0.7                   | 12.3
Greater China                | 284          | 361          | 3.3                   | 27.0
Latin America                | 354          | 397          | 3.7                   | 12.2
Mature Asia/Pacific          | 1,206        | 1,277        | 11.8                  | 5.9
Middle East and North Africa | 123          | 135          | 1.2                   | 9.5
North America                | 4,530        | 4,724        | 43.8                  | 4.3
Sub-Saharan Africa           | 107          | 118          | 1.1                   | 10.3
Western Europe               | 3,207        | 3,333        | 30.9                  | 3.9
Total                        | 10,207       | 10,795       | 100.0                 | 5.8

Source: Gartner (May 2013)

In Table 3, we examine the regional distribution of security consulting revenue versus the distribution of consulting revenue in our IT services market share. The distribution is fairly even when comparing the two markets; however, there are some regional differences, with higher proportions of security consulting in particular regions. The dominating factor in these dynamics is that organizations in some regions lag those in more mature economies, and therefore are only now addressing regulatory and security demands as the market (which is largely dominated by North America, with 43.8% of the distribution) expands across the globe.

Table 3. Distribution of Security Consulting Versus IT Services Consulting by Region, 2011-2012

Region                       | 2011 Security Consulting (%) | 2012 Security Consulting (%) | 2011 IT Services Consulting (%) | 2012 IT Services Consulting (%)
Eastern Europe               | 0.9                          | 0.9                          | 1.4                             | 1.3
Emerging Asia/Pacific        | 2.3                          | 2.5                          | 2.4                             | 2.7
Eurasia                      | 0.7                          | 0.7                          | 0.8                             | 0.8
Greater China                | 2.8                          | 3.3                          | 2.9                             | 3.5
Latin America                | 3.5                          | 3.7                          | 3.8                             | 3.9
Mature Asia/Pacific          | 11.8                         | 11.8                         | 14.3                            | 14.7
Middle East and North Africa | 1.2                          | 1.2                          | 1.5                             | 1.5
North America                | 44.4                         | 43.8                         | 36.0                            | 37.0
Sub-Saharan Africa           | 1.0                          | 1.1                          | 1.2                             | 1.2
Western Europe               | 31.4                         | 30.9                         | 35.8                            | 33.5
Total                        | 100.0                        | 100.0                        | 100.0                           | 100.0

Source: Gartner (May 2013)

Figure 1 shows the differences regionally on a percentage basis. It is easy to see that some areas of the globe are likely to expand their security consulting needs dramatically during the next several years as they further address their own data center and security demands and as regulatory requirements evolve to address systemic risks. Gartner believes the largest opportunities for global security service providers continue to originate in the emerging Asia/Pacific and Greater China regions, with relatively strong forecast growth through 2016 (see "Forecast: Information Security, Worldwide, 2010-2016, 4Q12 Update").

One of the many reasons security consulting market revenue is so large in North America is that the United States has more data centers than any other country in the world. Gartner estimates that the total number of midsize, enterprise and large data centers in the United States will top 5,447 (see "Forecast: Data Centers, Worldwide, 2010-2016, 4Q12 Update"). This means that this region has the largest amount of infrastructure that must address security risks and regulatory requirements. This large infrastructure footprint, combined with growing regulatory pressures during the last few years (especially for data privacy and data breach notification), has significantly increased demand for security consulting.

Figure 1. Security Consulting Service Market Share, Worldwide, Percentage by Region, 2012

Source: Gartner (May 2013)

In Figure 2, Gartner found the largest revenue growth in the security consulting market came from the Greater China region, with a growth rate of 27% from 2011 to 2012. Organizations in Greater China continue to increase their security expenditures to address security risks and regulatory pressures both inside and outside of the country. As more external organizations increase interactions with organizations based in China, these new partnerships often incorporate security-specific mandates. Further, the desire of the external partners to engage local security consultants to evaluate Chinese companies creates heightened regional demand. Regional growth in Greater China is also being affected by China's interest in engaging in business with organizations in the emerging Asia/Pacific region, where legal mandates for data protection have emerged recently (for example, Singapore's data protection laws).

Gartner revenue estimates for emerging Asia/Pacific place this region second, with a growth rate of 17.7%. This regional growth is driven largely by data protection regulatory demands, as well as by security assessment and compliance consulting to perform PCI DSS preassessments. During vendor interviews, Gartner observed that several regional banks were in the process of focusing on compliance with the PCI standards, and that the PCI Security Standards Council and the card networks were pressuring regional organizations to comply.

Figure 2. Annual Security Consulting Revenue Growth by Region, 2011-2012

Source: Gartner (May 2013)

In Table 4, clients can examine the top five security consulting providers by region and revenue in each region. In Western Europe, PwC continues to dominate by competing heavily in deals against KPMG, Deloitte, Ernst & Young and Accenture. In Sub-Saharan Africa, the top provider is Ernst & Young, focusing its marketing efforts on IT risk and assurance services in the region. In North America, Deloitte dominates in the No. 1 position, above Ernst & Young, Booz Allen Hamilton, PwC and IBM. Deloitte offers an extensive lineup of security consulting offerings, including enterprise application integrity, identity and access management, and it is well-known for risk management and privacy consulting practices. In Asia/Pacific and Greater China, organizations tend to shortlist the more technically focused consulting firms over audit and accounting firms.

Table 4. Top Five Security Consulting Providers by Region and by Revenue (Millions of Dollars)

Region                       | Provider            | 2012 | 2011
Western Europe               | PwC                 | 254  | 216
                             | KPMG International  | 245  | 234
                             | Deloitte            | 222  | 196
                             | Ernst & Young       | 202  | 173
                             | Accenture           | 174  | 176
Sub-Saharan Africa           | Ernst & Young       | 24   | 20
                             | KPMG International  | 11   | 10
                             | PwC                 | 10   | 10
                             | Accenture           | 2    | 2
                             | Deloitte            | 1    | 1
North America                | Deloitte            | 596  | 534
                             | Ernst & Young       | 521  | 446
                             | Booz Allen Hamilton | 445  | 421
                             | PwC                 | 374  | 304
                             | IBM                 | 201  | 212
Middle East and North Africa | Ernst & Young       | 19   | 16
                             | Booz Allen Hamilton | 9    | 8
                             | Deloitte            | 7    | 6
                             | KPMG International  | 7    | 6
                             | PwC                 | 5    | 5
Mature Asia/Pacific          | IBM                 | 213  | 213
                             | Ernst & Young       | 87   | 74
                             | PwC                 | 81   | 66
                             | Deloitte            | 77   | 59
                             | KPMG International  | 65   | 57
Latin America                | Ernst & Young       | 48   | 41
                             | IBM                 | 46   | 49
                             | PwC                 | 39   | 35
                             | Deloitte            | 29   | 26
                             | Accenture           | 28   | 26
Greater China                | IBM                 | 53   | 54
                             | Deloitte            | 25   | 19
                             | KPMG International  | 25   | 21
                             | Ernst & Young       | 24   | 21
                             | PwC                 | 18   | 15
Eurasia                      | Ernst & Young       | 10   | 8
                             | KPMG International  | 9    | 8
                             | Deloitte            | 5    | 5
                             | IBM                 | 5    | 5
                             | BearingPoint        | 3    | 3
Emerging Asia/Pacific        | IBM                 | 40   | 33
                             | Deloitte            | 32   | 26
                             | Ernst & Young       | 19   | 16
                             | PwC                 | 17   | 15
                             | Accenture           | 17   | 15
Eastern Europe               | Ernst & Young       | 10   | 8
                             | KPMG International  | 7    | 6
                             | Deloitte            | 6    | 6
                             | PwC                 | 6    | 5
                             | Accenture           | 3    | 4

Source: Gartner (May 2013)

Top Vendors Analyzed

Deloitte

Based on Gartner estimates, Deloitte is the world's largest IT consulting firm, as well as the largest security consulting services firm (see "Market Share: IT Services, 2012" for Gartner's IT consulting estimates). The company grew 14% in this market, with its revenue growing from $878 million to just more than $1 billion in 2012. Deloitte offers a comprehensive array of security consulting services as part of its Audit and Enterprise Risk Services, which include risk assessment, compliance assessment, security framework development and many other security-related consulting offerings. During the last several years, Deloitte has focused heavily on growing its security practice. The company has established solid branding around its Center for Security & Privacy Solutions, which helps it engage and brand itself with corporate clients. The company has seen some recent activity with government clients by marketing its cybersecurity service offerings directly to the concerns of those clients. The company recently released survey results from its "tech trends" Dbriefs webcast survey of 1,749 business professionals, which indicated that one in four respondents reported at least one cyberattack during the past year; this provided it with a strong marketing message for its security practice globally. One reason Deloitte succeeds against the four other top firms is that its global delivery network is the largest and most mature of the five.

Ernst & Young

Ernst & Young is estimated to be the world's second-largest security consulting company. Its security consulting revenue grew from $826 million in 2011 to $966 million in 2012, a 16.9% growth rate. The company offers both risk and assurance services, through which it focuses on developing risk management capabilities within its clients. The company offers threat and vulnerability assessment services, which include traditional infrastructure assessments, social engineering assessments, application assessments and data loss prevention assessments, as well as application security training, ongoing enablement services and cloud security assessments. The company has recently oriented its marketing toward assessment of advanced threats, also called "advanced persistent threats," to take advantage of revenue demand in this area of client concern. The company also published a privacy trends 2013 report that helps market its privacy development and data protection consulting engagement capabilities. Significant services that support its strong growth rate against competitors include its disaster recovery and business continuity, regulatory compliance, and fraud investigation and incident response services, which are in high demand with many customers worldwide.

PwC

PwC is the third-largest technology service provider in the security consulting market, growing from $671 million in 2011 to $807 million in 2012, with a strong growth rate of 20.3%. The company has an extensive IT security, privacy and risk practice that is focused on reduction in cybercrime risks, effective spending for security, risk management that extends to third parties, brand integrity protection, improved asset management and reduction in the cost of security-related compliance. The company offers traditional data center and infrastructure consulting, as well as cloud-specific security, as do many of the other top firms in the security consulting market. The company also provides digital forensics for incident response and legal e-discovery client needs as organizations continue to respond to advanced attacks and targeted malware.

IBM

IBM is the fourth-largest security consulting service provider in the security consulting service marketplace, with an estimated $721 million revenue in 2011 that declined 1.5% in 2012 to $710 million. Although IBM is a significant security software provider, it also has a significant security consulting practice designed to provide clients with security consulting services for security governance, infrastructure security assessment, application security assessment, data security assessment, identity and access management program development, and physical security consulting engagements. The company also offers extensive incident response, legal e-discovery and forensic analysis services as security consulting offerings. The company has done well in the Greater China region, where customers continue to see the company as a significant business partner and brand.

KPMG

KPMG is estimated to be the world's fifth-largest security consulting company. The company grew its revenue from an estimated $478 million in 2011 to $514 million in 2012. As part of KPMG's risk consulting practice, it offers IT advisory services with practice areas that support client goals like information protection, business resilience, and IT governance, risk and compliance consulting. In the company's management consulting practice area, it offers IT governance consulting. The company's latest marketing efforts focus on transforming risks into business opportunities that grow its clients' profits. The company also offers digital forensic and e-discovery consulting services, which help clients address digital discovery for legal cases and incident response, and investigate potential data breaches.

Booz Allen Hamilton

Booz Allen Hamilton was estimated by Gartner as the sixth-largest security consulting service provider globally. Its estimated security consulting revenue of $430 million in 2011 grew to $454 million in 2012, with a 5.6% growth rate. Although the company has an extensive array of service offerings for the commercial sector, Booz Allen Hamilton had its greatest success with government-related security consulting efforts as it has a long history as a government contractor in the United States. This long history makes it easier to gain revenue from these entities as a trusted provider in extensive engagements that require "top secret" and "secret" security clearance. Many of its engagements involve consulting with federal entities, such as the National Security Agency and Department of Homeland Security, as well as other relationships with Department of Defense agencies. It also continues to be a significant provider for many other sensitive government-related security consulting engagements. The company specializes in incident response, pre-emptive response, integrated remediation and cybersecurity intelligence solutions, utilizing advanced cyberanalytics and its extensive computer network defense security operations center capabilities to enhance its security consulting offerings.

Accenture

Accenture is a global management consulting and technology service company. Its extensive portfolio of consulting services includes security risk management and assessment services. Accenture's revenue in the security consulting market grew by 4.4%, from an estimated $385 million in 2011 to $402 million in 2012. Although Accenture is best known for its implementation services, it also offers a broad array of security consulting services that include application security assessment, security strategy development, risk management, security governance, business continuity and disaster recovery planning, data protection consulting, privacy consulting, and security transformation. The company also offers compliance preassessment and remediation consulting for PCI DSS. Accenture focuses much of its growth efforts on the healthcare vertical, but also serves many other verticals with its portfolio of offerings, which allows it to execute well in these areas of its business.

HP

HP, one of the largest comprehensive software and service portfolio companies, had estimated revenue of $336 million in 2011 that grew to $347 million in 2012, a growth rate of 3.4%. Although the company continues to move through several disruptive events, including an accounting scandal and its recent Autonomy purchase, HP continues to grow, despite growth rates lower than the overall market. To address this situation, it has enhanced its security consulting offerings during the last year. For example, the company expanded its consulting services to include security operations center planning and development, extending its current offerings for vulnerability management program development, digital investigation services, security metrics and reporting consulting, and security risk and control assessment. The company takes a life cycle approach to information security with its ATOM (assess, transform, optimize and manage) security life cycle. Organizations seeking to optimize their information security operations value this approach and often select HP as their preferred security consulting provider because of this focus area.

SAIC

SAIC is the ninth-largest security consulting service organization globally, with estimated 2011 revenue of $163 million, growing by 8.6% to $177 million in 2012. With an extensive government contracting background, SAIC offers security consulting services to both government and commercial entities. The company's offerings help these clients assess their security programs and current security risk posture, as well as educate client organizations on best practices for systems and application security. The company recently joined the Microsoft Security Development Lifecycle Pro Network to support its rollout of application security review and testing services. SAIC also specializes in PCI DSS preaudit assessments, security program development, digital forensics, e-discovery, security incident response, and disaster recovery and business continuity consulting. Notably, the company also focuses on security consulting for supply chain security risks, which has been top of mind for many government entities, especially given the recent passage of a U.S. congressional spending bill restricting federal entities' purchases of Chinese-made electronics. During the last year, Gartner has also seen increased demand from organizations seeking ways to evaluate the security controls of third-party supplier organizations, which also benefits SAIC's security consulting practice.

EMC (RSA Security Division)

The RSA security division of EMC is the world's 10th-largest security consulting service company. RSA's estimated security consulting revenue of $149 million in 2011 grew to $167 million in 2012, a growth rate of 11.7%. The company has extensive security experience, with a broad portfolio of product offerings that complement its security consulting services. In the security consulting landscape, RSA provides extensive services to help customers with assured availability, business continuity, fraud and identity management, governance, risk and compliance, information governance, mobile device security and trusted cloud. The company focuses on advanced threats, and helping organizations build security operations centers is a key ingredient of its growth within the security market.

Other Notable Vendors

The following security consulting providers have been selected either because they have had significant growth in the security consulting market or they are often included in Gartner clients' shortlists.

Accuvant

Accuvant has the strongest overall revenue growth in the security service market, with an estimated 25% gain in overall security service revenue. Gartner believes this growth is attributed largely to its purely security-focused market participation. The company offers security program strategy and program development, security research and intelligence consulting services, risk assessment and penetration testing services, as well as application security consulting and malware analysis services. The company also specializes in performing smart meter security assessments for the energy sector.

FishNet Security

FishNet has grown its security consulting practice through a number of acquisitions across the United States. Although most of the company's overall revenue comes from security technology resale activities and adjunct implementation services, the company continues to have a significant and growing security consulting service practice. In 2011, the company earned an estimated $81 million in the security consulting market, and it grew that revenue by an estimated 16% to $94 million in 2012. In January 2013, Investcorp acquired a majority stake in FishNet.

Mergers and Acquisitions

Table 5 shows the notable mergers and acquisitions in 2011.

Table 5. Notable Mergers and Acquisitions, Security Consulting Market, 2011

Acquirer      | Acquired  | Acquisition Date | Details
Ernst & Young | Hacktics  | January          | Added to its Web application security testing and consulting
Ernst & Young | Cataphora | September        | Acquired the assets for e-discovery
PwC           | Ascure    | August           | IT security and business continuity consulting

Source: Gartner (May 2013)

Evidence

Gartner used a percentage allocation model applied to the market estimates in "Market Share: IT Services, 2012," examining the "consulting" subsegment, to arrive at its estimate of each provider's security consulting revenue for this market share report.

Note 1
Market Definition

Security consulting services are security-specific advisory services that help companies analyze and improve the efficiency of their business operations and technology strategies for security. Security consulting services include security-related business and IT consulting and security assurance, but exclude security audit work that results in attestation of security controls for audit purposes. Also, our security consulting service definition does not include product or service implementation consulting efforts, nonsecurity-related consulting or managed services.

Examples of security consulting activities include:

  • Assessments of compliance against security mandates (excluding efforts that include a final attestation for audit purposes)
  • Business and IT security risk assessments
  • Application code security review
  • Strategic security program review
  • Security program development activities
  • Security program maturity assessments
  • Other security-related consulting efforts