VIEW SUMMARY
The security consulting service market grew 5.8% from 2011 to 2012, driven largely by advanced
attacks, incident response and mobile security demands.
EVIDENCE
Gartner used a percentage allocation model from market estimates in "Market Share: IT Services,
2012" and examined the "consulting" subsegment to arrive at our estimates for security consulting
for each provider in this market share for the security consulting service market.
Overview
Key Findings
The top 10 consulting providers accounted for 51% of the total security consulting service
market.
Security-specific system integration providers like FishNet Security and Accuvant that focus
efforts on just security rather than support a broader portfolio with general IT services
offerings have seen strong growth during the last year.
The Greater China region posted the strongest year-over-year growth, at 27%, fueled by the
expansion of regional regulatory mandates and the addressing of data security concerns from
the increasing Chinese economic and supply chain integration worldwide.
As more global organizations increase interactions with third-party entities based in China, the
organizations are incorporating security requirements that these entities must fulfill, which
increase local demand for security consulting.
TABLE OF CONTENTS
Market Share Data
Overall Market Segment Performance Analysis
Regional Markets
Top Vendors Analyzed
Deloitte
Ernst & Young
PwC
IBM
KPMG
Booz Allen Hamilton
Accenture
HP
SAIC
EMC (RSA Security Division)
Other Notable Vendors
Accuvant
FishNet Security
Mergers and Acquisitions
NOTE 1
MARKET DEFINITION
Security consulting services are security-specific advisory services to help companies analyze and
improve efficiency of business operations and technology strategies for security. Security
consulting services include security-related business and IT consulting, and security assurance,
but exclude security audit work that results in attestation of security controls for audit
purposes. Also, our security consulting service definition does not include product or service
implementation consulting efforts or nonsecurity-related consulting or managed services.
Examples of security consulting activities include:
Assessments of compliance against security mandates (excluding efforts that include a final
attestation for audit purposes)
Business and IT security risk assessments
Application code security review
Strategic security program review
Security program development activities
Security program maturity assessments
Other security-related consulting efforts
TABLES
Table 4. Top Five Security Consulting Providers by Region and by Revenue (Millions of Dollars)
www.gartner.com/technology/reprints.do?id=1-1FQZ117&ct=130522&st=sb
1/9
12/12/13
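Table 1. Top 10 Security Consulting Providers' Worldwide Market Share, 2011-2012 (Millions of Dollars)

| Company | 2011 Rank | 2012 Rank | Rank Change | 2011 Revenue | 2012 Revenue | Annual Growth Rate (%) | 2012 Market Share (%) |
|---|---|---|---|---|---|---|---|
| Deloitte | | | | 878 | 1,001 | 14.0 | 9.3 |
| Ernst & Young | | | | 826 | 966 | 16.9 | 8.9 |
| PwC | | | +1 | 671 | 807 | 20.3 | 7.5 |
| IBM | | | -1 | 721 | 710 | -1.5 | 6.6 |
| KPMG | | | | 478 | 514 | 7.5 | 4.8 |
| Booz Allen Hamilton | | | | 430 | 454 | 5.6 | 4.2 |
| Accenture | | | | 385 | 402 | 4.4 | 3.7 |
| HP | | | | 336 | 347 | 3.4 | 3.2 |
| SAIC | | | | 163 | 177 | 8.6 | 1.6 |
| EMC (RSA Security Division) | 12 | 10 | +2 | 149 | 167 | 11.7 | 1.5 |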
Regional Markets
Security consulting market participants face a challenging landscape of regional dynamics and
competitors that must be continually factored into the development of each participant's offerings.
These continuous changes are necessary in service markets to ensure service companies
continuously connect to clients' changing consulting demands. Organizations worldwide continue to
roll out virtualization technologies and cloud infrastructure, and therefore, need consultants to
evaluate the security ramifications of these rollouts. Additionally, organizations continue to drive
cost-efficiencies by utilizing third parties for commoditized business operational functions and
manufacturing. Use of third-party entities drives an expansion of security risks, which results in
demand for extensive risk assessment engagements that require additional resources and security
consulting.
When organizations span across regions, clients often demand low travel costs, consultants who
speak their own language(s) and customized offerings that adhere to the latest regulatory and risk
landscape changes. These competitive dynamics are especially important for highly competitive
deals at larger clients. Many large organizations are mandated by their management to seek
competitive shortlists and bids from multiple participants, and these factors help their competitive
position within the security consulting client base.
Regulations and other legal mandates, as well as geopolitical hacking concerns, are often specific to
the country where a particular organization is located or where a client organization is doing
business. This means that security consulting providers must continually maintain a significant
knowledgebase relevant to each country or geography where they do business. Providers must
customize their solutions appropriately and regularly educate their security consultants, as well as
update relevant security assessment programs to compensate for the changing consulting needs
(which is not always an easy proposition). Each of these factors adds to the complexity of
competition, especially for market participants desiring to expand into other countries or specific
regions where they have no expertise. For more information on regional regulatory mandates
worldwide, see "Competitive Landscape: Professional Security Consulting Services, Worldwide,
2013."
Greater China has the strongest growth rate, at 27% (see Table 2), followed by the emerging
Asia/Pacific region, with 17.7% growth. These significant growth numbers are attributed to regional
regulatory expansion and increased demand within retail and financial services sectors to address
Payment Card Industry Data Security Standards (PCI DSS).
Table 2.

| Region | 2011 Revenue | 2012 Revenue | 2012 Market Share (%) | Growth Rate (%) |
|---|---|---|---|---|
| Eastern Europe | 97 | 102 | 0.9 | 5.5 |
| Emerging Asia/Pacific | 231 | 271 | 2.5 | 17.7 |
| Eurasia | 68 | 77 | 0.7 | 12.3 |
| Greater China | 284 | 361 | 3.3 | 27.0 |
| Latin America | 354 | 397 | 3.7 | 12.2 |
| Mature Asia/Pacific | 1,206 | 1,277 | 11.8 | 5.9 |
| Middle East and North Africa | 123 | 135 | 1.2 | 9.5 |
| North America | 4,530 | 4,724 | 43.8 | 4.3 |
| Sub-Saharan Africa | 107 | 118 | 1.1 | 10.3 |
| Western Europe | 3,207 | 3,333 | 30.9 | 3.9 |
| Total | 10,207 | 10,795 | 100.0 | 5.8 |
In Table 3, we examine the distribution of security consulting revenue versus the distribution of
consulting revenue in our IT services market share. The distribution is fairly even when comparing
the two markets; however, there are some regional differences, with higher proportions of security
consulting in particular regions. The dominating factor in these dynamics is that some organizations
are behind others in more mature economies, and therefore, are addressing regulatory and
security demands as the market (which is largely dominated by North America, with 43.8% of the
distribution) expands across the globe.
Table 3.

| Region | 2011 Security Consulting (%) | 2012 Security Consulting (%) | 2011 IT Services Consulting (%) | 2012 IT Services Consulting (%) |
|---|---|---|---|---|
| Eastern Europe | 0.9 | 0.9 | 1.4 | 1.3 |
| Emerging Asia/Pacific | 2.3 | 2.5 | 2.4 | 2.7 |
| Eurasia | 0.7 | 0.7 | 0.8 | 0.8 |
| Greater China | 2.8 | 3.3 | 2.9 | 3.5 |
| Latin America | 3.5 | 3.7 | 3.8 | 3.9 |
| Mature Asia/Pacific | 11.8 | 11.8 | 14.3 | 14.7 |
| Middle East and North Africa | 1.2 | 1.2 | 1.5 | 1.5 |
| North America | 44.4 | 43.8 | 36.0 | 37.0 |
| Sub-Saharan Africa | 1.0 | 1.1 | 1.2 | 1.2 |
| Western Europe | 31.4 | 30.9 | 35.8 | 33.5 |
| Total | 100.0 | 100.0 | 100.0 | 100.0 |
Figure 1 shows the differences regionally on a percentage basis. It is easy to see that some areas
of the globe are likely to expand their security consulting needs dramatically during the next several
years as they further address their own data center and security demands and as regulatory
requirements evolve to address systemic risks. Gartner believes the largest opportunities for global
security service providers continue to originate in the emerging Asia/Pacific and Greater China
regions, with relatively strong forecast growth through 2016 (see "Forecast: Information Security,
Worldwide, 2010-2016, 4Q12 Update").
One of the many reasons security consulting market revenue is so large in North America is that the
United States has more data centers than any other country in the world. Gartner estimates that
the total number of midsize, enterprise and large data centers in the United States will top 5,447
(see "Forecast: Data Centers, Worldwide, 2010-2016, 4Q12 Update"). This means that this region
has the most significant amount of infrastructure that must address security risks and regulatory
requirements. This large infrastructural aspect, combined with growing regulatory pressures during
the last few years (especially for data privacy and data breach notification), has significantly
increased consulting demand to address organizational concerns about security consulting efforts.
Figure 1. Security Consulting Service Market Share, Worldwide, Percentage by Region, 2012
In Figure 2, Gartner found the largest revenue growth in the security consulting market came from
the Greater China region, with a growth rate of 27% from 2011 to 2012. Organizations in Greater
China continue to increase their security expenditures to address security risks and regulatory
pressures both inside and outside of the country. As more external organizations increase
interactions with organizations based in China, these new partnerships often incorporate
security-specific mandates. Further, the desire of the external partners to engage local security consultants
to evaluate Chinese companies creates heightened regional demand. Regional growth in Greater
China is also being affected by China's interest in engaging in business with organizations in the
emerging Asia/Pacific region, where legal mandates for data protection have emerged recently (for
example, Singapore's data protection laws).
Gartner revenue estimates for emerging Asia/Pacific place this region with the second-highest
growth rate of 17.7%. This regional growth is driven largely by data protection regulatory demands,
as well as security assessment and compliance consulting to perform PCI DSS preassessments.
During vendor interviews, Gartner observed that several regional banks were in the process of
focusing on compliance with the PCI standards, and that the PCI standards council and the card
networks were pressuring regional organizations to comply.
In Table 4, clients can examine the top five security consulting providers by region and revenue in
each region. In Western Europe, PwC continues to dominate by competing heavily in deals against
KPMG, Deloitte, Ernst & Young and Accenture. In Sub-Saharan Africa, the top provider is Ernst &
Young, focusing its marketing efforts on IT risk and assurance services in the region. In North
America, Deloitte dominates in the No. 1 position, above Ernst & Young, Booz Allen Hamilton, PwC
and IBM. Deloitte offers an extensive lineup of security consulting offerings, including enterprise
application integrity, identity and access management, and it is well-known for risk management
and privacy consulting practices. In Asia/Pacific and Greater China, organizations tend to shortlist
the more technically focused consulting firms over audit and accounting firms.
2012
2011
PwC
254
216
KPMG International
245
234
Deloitte
222
196
202
173
Accenture
174
176
24
20
KPMG International
11
10
PwC
10
10
Accenture
Deloitte
Deloitte
596
534
521
446
445
421
PwC
374
304
IBM
201
212
19
16
Deloitte
Western Europe
Sub-Saharan Africa
North America
KPMG International
PwC
213
213
87
74
PwC
81
66
Deloitte
77
59
KPMG International
65
57
48
41
IBM
46
49
PwC
39
35
Deloitte
29
26
Accenture
28
26
IBM
53
54
Deloitte
25
19
KPMG International
25
21
24
21
PwC
18
15
Mature Asia/Pacific
IBM
Latin America
Greater China
Eurasia
10
KPMG International
Deloitte
IBM
BearingPoint
IBM
40
33
Deloitte
32
26
19
16
PwC
17
15
Accenture
17
15
Emerging Asia/Pacific
Eastern Europe
10
KPMG International
Deloitte
PwC
Accenture
just more than $1 billion in 2012. Deloitte offers a comprehensive array of security consulting
services as part of its Audit and Enterprise Risk Services, which include risk assessment, compliance
assessment, security framework development and many other security-related consulting offerings.
During the last several years, Deloitte has focused quite a bit on growing its security practice. The
company has established solid branding around its Center for Security & Privacy Solutions, which
helps it engage and brand itself with corporate clients. The company has seen some recent activity
with government clients by directly marketing to the concerns of government clients for its
cybersecurity service offerings. The company recently released survey results from its "tech trends"
Dbriefs webcast survey of 1,749 business professionals, which indicated that one in four
respondents reported at least one cyberattack during the past year, which provided it with a
strong marketing message for its security practice globally. One reason Deloitte succeeds against
the four other top firms is that its global delivery network is the largest and most mature compared
with those firms.
PwC
PwC is the third-largest technology service provider in the security consulting market, growing from
$671 million in 2011 to $807 million in 2012, with a strong growth rate of 20.3%. The company has
an extensive IT security, privacy and risk practice that is focused on reduction in cybercrime risks,
effective spending for security, risk management that extends to third parties, brand integrity
protection, improved asset management and reduction in the cost of security-related compliance.
The company offers traditional data center and infrastructure consulting, as well as cloud-specific
security, as do many of the other top firms in the security consulting market. The company also
provides digital forensics for incident response and legal e-discovery client needs as organizations
continue to respond to advanced attacks and targeted malware.
IBM
IBM is the fourth-largest security consulting service provider in the security consulting service
marketplace, with an estimated $721 million revenue in 2011 that declined 1.5% in 2012 to $710
million. Although IBM is a significant security software provider, it also has a significant security
consulting practice designed to provide clients with security consulting services for security
governance, infrastructure security assessment, application security assessment, data security
assessment, identity and access management program development, and physical security
consulting engagements. The company also offers extensive incident response, legal e-discovery
and forensic analysis services as security consulting offerings. The company has done well in the
Greater China region, where customers continue to see the company as a significant business
partner and brand.
KPMG
KPMG is estimated to be the world's fifth-largest security consulting company. The company grew its
revenue from an estimated $478 million in 2011 to $514 million in 2012. As part of KPMG's risk
consulting practice, it offers IT advisory services that contain practice areas to support client goals
like information protection, business resilience, IT governance risk and compliance consulting. In the
company's management consulting practice area, it offers IT governance consulting. The company's
latest marketing efforts focus on transforming risks into business opportunities for growing their
clients' profits. The company also offers digital forensic and e-discovery consulting services, which
help clients address digital discovery for legal cases and incident responses and to investigate a
potential data breach.
provider globally. Its estimated security consulting revenue of $430 million in 2011 grew to $454
million in 2012, with a 5.6% growth rate. Although the company has an extensive array of service
offerings for the commercial sector, Booz Allen Hamilton had its greatest success with
government-related security consulting efforts as it has a long history as a government contractor in the United
States. This long history makes it easier to gain revenue from these entities as a trusted provider in
extensive engagements that require "top secret" and "secret" security clearance. Many of its
engagements involve consulting with federal entities, such as the National Security Agency and
Department of Homeland Security, as well as other relationships with Department of Defense
agencies. It also continues to be a significant provider for many other sensitive government-related
security consulting engagements. The company specializes in incident response, pre-emptive
response, integrated remediation and cybersecurity intelligence solutions, utilizing advanced
cyberanalytics and its extensive computer network defense security operations center capabilities
to enhance its security consulting offerings.
Accenture
Accenture is a global management consulting and technology service company. Its extensive
portfolio of consulting services includes security risk management and assessment services.
Accenture's revenue in the security consulting market grew by 4.4%, from an estimated $385 million
in 2011 to $402 million in 2012. Although Accenture is most well-known for its implementation
services, it also offers a broad array of security consulting services that include application security
assessment, security strategy development, risk management, security governance, business
continuity and disaster recovery planning, data protection consulting, privacy consulting, and
security transformation. The company also offers compliance preassessment and remediation
consulting for PCI DSS. Accenture focuses much of its growth efforts on the healthcare vertical, but
also services many other verticals with its portfolio of offerings, which allows it to execute well in
these areas of its business.
HP
HP, one of the largest comprehensive software and service portfolio companies, had estimated
revenue of $336 million in 2011 that grew to $347 million in 2012, with a growth rate of 3.4%.
Although the company continues to move through several disruptive events, including an
accounting scandal and its recent Autonomy purchase, HP continues to grow, despite growth rates
lower than the overall market. To combat this situation, it has enhanced its security consulting
offerings during the last year. For example, the company expanded its consulting services to include
security operations center planning and development to extend its current offerings for vulnerability
management program development, digital investigation services, security metrics and reporting
consulting, security risk, and control assessment. The company takes a life cycle approach to
information security with its ATOM (also referred to as assess, transform, optimize and manage)
security life cycle. Organizations seeking to optimize their information security operations enjoy this
innovative approach and often select HP as their preferred security consulting provider due to this
focus area.
SAIC
SAIC is the ninth-largest security consulting service organization globally, with estimated 2011
revenue of $163 million, growing by 8.6% to $177 million in 2012. With an extensive government
contracting background, SAIC offers security consulting services to both government and
commercial entities. The company's offerings help these clients assess their security programs and
current security risk posture, as well as help educate client organizations on best practices for
systems and application security. The company recently joined the Microsoft Security Development
Lifecycle Pro Network to support its rollout of application security review and testing services. SAIC
also specializes in PCI DSS preaudit assessments, security program development, digital forensics,
e-discovery, security incident response, and disaster recovery and business continuity consulting.
Notably, the company also focuses on security consulting for supply chain security risks, which has
been top of mind for many government entities, especially given recent passage of a U.S.
congressional spending bill restricting federal entities' purchases of Chinese-made electronics.
Gartner has also seen during the last year increased demand of organizations seeking ways to
evaluate the security controls of third-party supplier organizations, which also benefits SAIC's
security consulting practice.
Accuvant
Accuvant has the strongest overall revenue growth in the security service market, with an
estimated 25% gain in overall security service revenue. Gartner believes this growth is attributed
largely to its purely security-focused market participation. The company offers security program
strategy and program development, security research and intelligence consulting services, risk
assessment and penetration testing services, as well as application security consulting and
malware analysis services. The company also specializes in performing smart meter security
assessments for the energy sector.
FishNet Security
FishNet has grown its security consulting practice through a number of acquisitions across the
United States. With most of the company's overall revenue coming from security technology resale
activities and adjunct implementation services, the company continues to have a significant and
growing security consulting service practice. In 2011, the company earned an estimated $81 million
in the security consulting market and grew its security consulting revenue by an estimated 16% to
$94 million. In January 2013, Investcorp acquired a majority stake in FishNet.
| Acquirer | Acquired | Acquisition Date | Details |
|---|---|---|---|
| Ernst & Young | Hacktics | January | |
| Ernst & Young | Cataphora | September | |
| PwC | Ascure | August | |
© 2013 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. or its affiliates. This publication may not be
reproduced or distributed in any form without Gartner's prior written permission. If you are authorized to access this publication, your use of it is subject to the
Usage Guidelines for Gartner Services posted on gartner.com. The information contained in this publication has been obtained from sources believed to be reliable.
Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information and shall have no liability for errors, omissions or inadequacies
in such information. This publication consists of the opinions of Gartner's research organization and should not be construed as statements of fact. The opinions
expressed herein are subject to change without notice. Although Gartner research may include a discussion of related legal issues, Gartner does not provide legal
advice or services and its research should not be construed or used as such. Gartner is a public company, and its shareholders may include firms and funds that
have financial interests in entities covered in Gartner research. Gartner's Board of Directors may include senior managers of these firms or funds. Gartner research
is produced independently by its research organization without input or influence from these firms, funds or their managers. For further information on the
independence and integrity of Gartner research, see Guiding Principles on Independence and Objectivity.