forrester wave dlp suites q4 2010

Making Leaders Successful Every Day

October 12, 2010 | Updated: October 14, 2010

The Forrester Wave™: Data Leak Prevention Suites, Q4 2010by Andrew Jaquithfor Security & Risk Professionals

www.forrester.com

© 2010, Forrester Research, Inc. All rights reserved. Unauthorized reproduction is strictly prohibited. Information is based on best available resources. Opinions reflect judgment at the time and are subject to change. Forrester®, Technographics®, Forrester Wave, RoleView, TechRadar, and Total Economic Impact are trademarks of Forrester Research, Inc. All other trademarks are the property of their respective companies. To purchase reprints of this document, please email [email protected]. For additional information, go to www.forrester.com.

For Security & Risk Professionals

ExEcUTivE SUmmARyIn Forrester’s 94-criteria evaluation of data leak prevention (DLP) vendors, we found that Symantec and Websense led the pack. Both have comprehensive DLP suites with high levels of refinement, ease of use, and a deep bench of technology partners they can integrate with. McAfee, RSA, and CA Technologies were very close behind: All bring strong technology and significant technical breadth and depth to their DLP suites. All five of these products give enterprise security managers sophisticated tools for detecting and preventing the dissemination of sensitive corporate information. Verdasys has done an admirable job “skimming off the cream” of the high-end DLP market, focusing on knowledge-intensive intellectual property opportunities. Fidelis Security Systems, in turn, gives network security managers the tools to control leaks inside an enterprise’s network. Trend Micro has a lot of work to do before it is competitive with the Leaders.

TAbLE OF cOnTEnTSEnterprises Need to Protect Their Sensitive Information

DLP Suites Have become complex And Highly customizable

Data Leak Prevention Suite Evaluation Overview

We Used Three Dimensions To Evaluate vendors

Evaluated vendors Have Extensive capabilities And Experience

DLP Products Have Evolved Into Feature-Packed Suites

Vendor Profiles

Leaders: Symantec, Websense, mcAfee, RSA, And cA Provide broad And Deep Features

Strong Performers: verdasys And Fidelis Offer Specialized client And network Solutions

contender: Trend micro Lags behind Other vendors

More DLP Options Exist

Supplemental Material

nOTES & RESOURcESForrester conducted DLP product evaluations in the spring and summer of 2010 and interviewed eight DLP vendors: cA Technologies, Fidelis Security Systems, mcAfee, RSA, Symantec, Trend micro, verdasys, and Websense. We also spoke with 11 of these vendors’ enterprise customers.

Related Research Documents“Data Leak Prevention: Scenarios For Testing vendor Products”June 15, 2010

“market Overview: Enterprise Rights management”June 3, 2010

“Own nothing. control Everything.”January 22, 2010

“Data Security Predictions For 2010”December 2, 2009

October 12, 2010 | Updated: October 14, 2010

The Forrester Wave™: Data Leak Prevention Suites, Q4 2010Symantec And Websense Lead, With mcAfee, RSA, And cA close behindby Andrew Jaquithwith Stephanie balaouras and Alex crumb

2

4

6

9

12

12

mailto:[email protected]

www.forrester.com

www.forrester.com

http://www.forrester.com/go?docid=57211&src=54974pdf






© 2010, Forrester Research, inc. Reproduction ProhibitedOctober 12, 2010 | Updated: October 14, 2010

The Forrester Wave™: Data Leak Prevention Suites, Q4 2010 For Security & Risk Professionals

2

ENTERPRISES NEED TO PROTEcT THEIR SENSITIVE INFORMATION

Data security has moved to the top of the priorities list for chief information security officers (CISOs) in 2010 — even in a subdued economy. In a recent Forrester survey of enterprise IT decision-makers, nearly 15% of respondents said that they have already deployed DLP (see Figure 1). Another 12% are planning to implement it in 2010, and a further 36% don’t have firm plans but are interested.1 Data security trumped disaster recovery, identity and access management, and regulatory compliance. Unlike tangible assets such as bricks, mortar, and wheelbarrows, digital information is fungible, duplicates itself with zero marginal cost, and can move in the blink of an eye. Although enterprise CISOs are charged with protecting all of the information the enterprise produces, they tell Forrester that four types of data concern them the most:

· Financial information. CISOs worry about cardholder data, bank details, insurance information, and any other account data that could be used for financial fraud. In the United States, 48 state data breach disclosure statutes legally oblige enterprises to protect consumer financial information. Financial institutions are also subject to other mandates, such as the US Federal Trade Commission’s Red Flags Rules.2 Payment Card Industry Data Security Standard (PCI DSS) is a key driver, too: Although PCI-DSS is not a statute per se, it’s a contractual agreement that many enterprises are subject to.3

· Nonpublic personal information. Government identifiers, passport numbers, Social Security Numbers, and public pension numbers are of great concern. These identifiers are attractive to identity thieves because governments and corporations have widely used them in the past to uniquely identify citizens, consumers, and employees. Various regulations and statutes, including the state data breach disclosure laws, require businesses and governments to protect nonpublic personal information.

· Personal health information (PHI). Of concern are insurance account numbers, treatment details, and medical records. In the US, the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH) of the 2009 American Recovery and Reinvestment Act (ARRA) compel healthcare-covered entities and their business associates to protect nonpublic protected health information.4

· Intellectual property. CISOs worry about a broad class of information from which the enterprise derives long-term competitive advantage, such as earnings forecasts, product plans, trade secrets, legal documents, and other confidential data. Although the term “intellectual property” is commonly used to refer to copyrights, patents, and trade secrets — all three of which have different legal distinctions — most enterprises seek to protect all of these types equally.

The elevation in importance of data security has, in turn, spurred interest in several security product categories, notably DLP. The uptick in adoption is impressive considering the overall state of the security market: flat or slightly up. That makes DLP one of the few budget line items to grow

© 2010, Forrester Research, inc. Reproduction Prohibited October 12, 2010 | Updated: October 14, 2010


3

significantly this year. Based on this data and conversations with customers, Forrester believes that the technology adoption cycle for DLP has moved from the survival phase to the growth phase. Mainstream customers are now kicking the tires and exploring their options.

Figure 1 Enterprises Plan To Adopt DLP Suites To Protect Their Sensitive information

Source: Forrester Research, Inc.54974

Planning to implement in the next 12 months

Implemented

Interested but no plans 36%

15%

12%

“What are your firm’s plans to adopt DLP?”

Base: 1,031 enterprise IT decision-makers

Source: Forrsights Security Survey, Q3 2010

DLP Suites Have Become complex And Highly customizable

It would be easy to protect sensitive information if every enterprise’s information-handling policies were the same. But no two enterprises have the same standards for risk management, information classification, or sensitive data handling. Moreover, every enterprise has a unique risk profile and is subject to a unique set of data protection rules, statutes, and contractual obligations. Because the challenges associated with protecting sensitive enterprise information are complex, solutions on the market for detecting and preventing data leaks are equally complex. The simple, email-focused data leak tools of yesteryear have evolved into highly customizable platforms that allow enterprises to build sophisticated policies that reflect the complexities of their own risk profiles. Forrester views the DLP market as follows:

· DLP suites detect and prevent unwanted dissemination of sensitive information. DLP suites include those that detect and optionally prevent violations to corporate policies regarding the use, storage, and transmission of sensitive information. By “sensitive information,” we mean the four core information types enterprises care about most: financial information, nonpublic personal information, nonpublic protected health information, and intellectual property.

· DLP suites inspect information intercepted over multiple channels. This includes channels such as email, HTTP, FTP, file shares, printers, USB/portable media, databases, instant messaging, and endpoint hard disks. Once the content is intercepted and analyzed, policy enforcement points at the gateway, server, or endpoint allow the operation to continue, block it, or protect the content as required by policy. Enforcement decisions are made dynamically based on whether the inspected content violates handling policies.



4

· Not all products used to stop data leaks qualify as DLP. DLP products must be content-aware rather than merely an authorization tool that grants or denies access to information based on identity, role, or other rule. For example, device control technologies that block access to USB ports or CD/ROM are not DLP products. Neither are full-disk or file-based encryption products.

DATA LEAk PREVENTION SuITE EVALuATION OVERVIEw

To assess the state of the DLP market and see how the vendors stack up against each other, Forrester evaluated the strengths and weaknesses of eight DLP vendors.

we used Three Dimensions To Evaluate Vendors

After examining past research, user need assessments, and service provider and expert interviews, Forrester developed a comprehensive set of evaluation criteria. We evaluated eight DLP vendors against 94 criteria, which we grouped into three high-level buckets:

· Current offering. We evaluated core capabilities for protecting information processed by managed and unmanaged endpoints, information management, incident management, productivity enhancement, channels, and feature support. We also spoke with customer references to validate vendor strategies and capabilities.

· Strategy. We evaluated how each service provider described its DLP suite and its differentiators, along with its go-to-market strategy, future vision, key technology partners, and growth plans.

· Market presence. We evaluated the installed base of DLP deployments each vendor has, along with vendor revenues, sales and team sizes, reseller engagement, and system integrator partnerships.

Evaluated Vendors Have Extensive capabilities And Experience

Forrester included eight vendors in the assessment: CA, Fidelis, McAfee, RSA, Symantec, Trend Micro, Verdasys, and Websense. We evaluated vendor offerings that were generally available and shipping as of June 1, 2010. Each of the firms evaluated has (see Figure 2):

· A DLP suite that addresses key requirements for data in motion, in use, and/or at rest. While not all of the vendors in this Forrester Wave call their products “data leak prevention” products, all have core features to inspect content and channel traffic, detect violations to corporate data-handling policies, and provide various options for remediating incidents.

· At least 50 customers. As with the above criteria, we used this limitation to ensure that the largest Forrester clients could have confidence that these providers had experience with the challenges that enterprises of this size face today.



5

Figure 2 Evaluated vendors: Product information And Selection criteria

Source: Forrester Research, Inc.

Vendor

CA Technologies

Symantec

Fidelis Security Systems

McAfee

RSA

Trend Micro

Verdasys

Websense

Product(s) evaluated

DLP

Data Loss Prevention

XPS

DLP

DLP

LeakProof

Digital Guardian

Data Security Suite

Product versionevaluated

R12

10.5

6.0

9.0

7.6

5.0

5.2.2

7.5.3

Version release date

October 2009

April 2010

October 2009

March 2010

Q4 2009

N/A (rolling versions)

June 2010

Vendor selection criteria

A DLP suite that addresses key requirements for data in motion, in use, and/or at rest. While not all of the vendors in this Forrester Wave call their products “data leak prevention” products, all have core features to inspect content and channel traffic, detect violations to corporate data-handling policies, and provide various options for remediating incidents.

At least 50 customers. As with the above criteria, we used this limitation to ensure that the largest Forrester clients could have confidence that these providers had experience with the challenges that enterprises of this size face today.

Substantial vendor market presence. Because enterprises tend to shun vendors that lack financial stability or a proven track record of sales success, Forrester limited the vendors we evaluated to those that had estimated annual revenues of $20 million or more (for pure-play DLP vendors) or consolidated revenues of $200 million or more (for those with broader security portfolios than just DLP).

Both strategy and implementation competencies. All of the evaluated firms have the ability to advise on DLP deployment road maps, standardization best practices, and the mapping of DLP policies to the data security requirements. Most of the vendors also employ or partner with training and certified implementation experts across a wide range of DLP practices and specific technologies.

The product version has been released and is generally available prior to June 1, 2010.



6

· Substantial vendor market presence. Because enterprises tend to shun vendors that lack financial stability or a proven track record of sales success, Forrester limited the vendors we evaluated to those that had estimated annual revenues of $20 million or more (for pure-play DLP vendors) or consolidated revenues of $200 million or more (for those with broader security portfolios than just DLP).

· Both strategy and implementation competencies. All of the evaluated firms have the ability to advise on DLP deployment road maps, standardization best practices, and the mapping of DLP policies to the data security requirements. Most of the vendors also employ or partner with training and certified implementation experts across a wide range of DLP practices and specific technologies.

DLP PRODucTS HAVE EVOLVED INTO FEATuRE-PAckED SuITES

Forrester’s evaluation uncovered a market in which DLP suite feature sets have largely converged. We observed considerable similarity in the uniformity of features between the products, unsurprising for a market that has moved past the survival stage of adoption and moved into growth. Of the eight vendors we evaluated, five scored well enough to be considered Leaders (see Figure 3):

· Symantec and Websense lead the pack. Both Symantec and Websense have comprehensive DLP suites with high levels of refinement, ease of use, and a deep bench of technology partners that they can integrate with. Neither vendor has any substantial weaknesses in its respective offerings, and both have strong revenue streams from their respective DLP products. That said, these two vendors’ go-to-market strategies could not be more different. Symantec, the dominant vendor in the market, relies on its own DLP “capability maturity model” and its consulting partners to guide its deployment and selling processes. This strategy relies on selling DLP as a methodology on par with ERP or CRM. Websense, by contrast, views DLP as an adjunct to its Web content security businesses. It sells its Data Security Suite (DSS) to customers who want fast, effective security leak prevention without a lot of hassle. Customer feedback on both companies was consistently strong.

· McAfee, RSA, and CA offer highly competitive options. Although not as highly rated across the board as Symantec and Websense, McAfee, RSA, and CA all bring strong technology and significant technical breadth and depth to their products. McAfee offers a DLP technology platform that we rated as effective as Symantec’s. Customers cited RSA for its accuracy and low rate of false positives. For its part, CA’s dramatic product enhancements have enabled it to considerably grow its sales to emerge as a Leader.



7

· Verdasys and Fidelis offer competitive solutions for specialized DLP needs. Verdasys and Fidelis are the “yin and yang” of DLP: One offers a very competitive but complex endpoint DLP product, while the other provides sophisticated network-based DLP. Verdasys has done an admirable job skimming the cream off the high-end DLP market, focusing on knowledge-intensive intellectual property opportunities. Fidelis, in turn, gives network security managers the tools to control leaks inside an enterprise’s network. These two companies, frankly, should merge.

· Trend Micro contends for sales in less-sophisticated enterprises. Like the Verdasys DLP product, Trend Micro’s LeakProof is an endpoint-only product. Forrester found that it trailed the Leaders’ products in most areas, with shallower features and less sophistication.

This evaluation of the DLP market is intended to be a starting point only. Readers are encouraged to view detailed product evaluations and adapt the criteria weightings to fit their individual needs through the Forrester Wave Excel-based service provider comparison tool.



8

Figure 3 Forrester Wave™: Data Leak Prevention Suites, Q4 ’10


Go online to download

the Forrester Wave tool

for more detailed product

evaluations, feature

comparisons, and

customizable rankings.

Risky Bets Contenders Leaders

Strong Performers

Strategy Weak Strong

Currentoffering

Weak

Strong

Market presence

CA

Symantec

Websense

Fidelis

RSA

McAfee

Trend Micro

Verdasys



9

Figure 3 Forrester Wave™: Data Leak Prevention Suites, Q4 ’10 (cont.)


CURRENT OFFERING Protection for managed endpoints Protection for unmanaged endpoints Information management Incident management Productivity Features Customer references

STRATEGY Product strategy Cost

MARKET PRESENCE Installed base Revenue Execution

Forr

este

r’sW

eigh

ting

50%20%20%20%15%10%15%

0%

50%100%

0%

0%30%40%30%

CA

3.663.633.324.003.603.304.000.00

4.004.000.00

3.243.153.702.70

Fide

lis

2.761.593.522.204.002.303.150.00

3.403.400.00

2.412.452.901.70

McA

fee

4.034.053.994.103.805.003.550.00

4.004.000.00

3.633.753.703.40

RSA

3.703.474.153.504.003.703.400.00

4.004.000.00

3.383.103.803.10

Sym

ante

c

4.033.704.074.004.604.403.650.00

4.754.750.00

3.983.204.703.80

Tren

d M

icro

2.222.691.232.401.802.702.750.00

2.452.450.00

2.323.002.501.40

Verd

asys

2.973.741.232.803.603.003.850.00

3.053.050.00

2.963.003.502.20

Web

sens

e

3.983.794.713.604.203.703.750.00

4.604.600.00

3.473.753.303.40

All scores are based on a scale of 0 (weak) to 5 (strong).

VENDOR PROFILES

Leaders: Symantec, websense, McAfee, RSA, And cA Provide Broad And Deep Features

· Symantec. Three years ago, Symantec bought the then-market leader, Vontu. Fast forward to 2010, and it is still the leader by a country mile. Symantec’s DLP revenues are more than double those of its closest competitor — evidence, perhaps, that Symantec has finally found a way to not mess up its acquisitions. From the product standpoint, Symantec’s DLP suite is an all-around strong performer with few weaknesses, with high levels of refinement and feature depth throughout. We also like Symantec’s longer-term vision for integrating DLP into adjacent information management processes like eDiscovery, archiving, and entitlement management. Going forward, Symantec’s biggest challenge is complacency. To help make DLP a billion-dollar market, Symantec must find the courage to commoditize its own products by offering a cheaper, stripped-down “DLP express” version that every enterprise, not just those with money and large IT staffs, can deploy. Those caveats aside, Symantec should be seen as a strong candidate for any enterprise’s shortlist.

· Websense. Best known for its Web-content-filtering products, Websense has quietly built the second-largest DLP product company in the industry. Websense’s Data Security Suite (DSS) matches Symantec nearly feature-for-feature at a much lower price. Its DLP features for



10

protecting against leaks on unmanaged endpoints are excellent. Its clean and simple interface is geared toward fast installations and time-to-value. Standout features include its “DLP for Download” test drive program, installation wizards, and built-in features that normally cost extra with other vendors, such as USB encryption. Of all the vendors in this Forrester Wave, Websense is the vendor best positioned to cross the chasm into the mass market. These are the types of enterprises that want “DLP express” products to help solve regulatory and toxic data problems without complex integration challenges or high prices. Websense’s primary challenge is one of visibility: Because it doesn’t have a desktop foothold like McAfee or Symantec, it has to fight harder to get into the CISO’s office. Based on the strength of its current offering, that should no longer be a hard sell.

· McAfee. Since our last DLP Forrester Wave, McAfee has been busy integrating its network DLP product (the well-regarded Reconnex product) and its client DLP product (Israeli startup Onigma). McAfee’s hard work has paid off. In the past two years, it has closed its primary feature gaps, such as fingerprinting, and integrated its suite into ePolicy Orchestrator (ePO), the security management technology it is well-known for. McAfee DLP scored the highest for endpoint DLP features. It combines Verdasys-style tagging of information sources with the standard DLP features found in the other suites. The DLP suite also includes multiple features designed to reduce the overall hassle factor: tuning tools to quickly make exceptions to rules, its unique “capture database,” and features for employee self-release and bypass. McAfee DLP’s strong feature set should appeal to most enterprises, especially those with existing installations of the company’s ePO, ToPS, or Endpoint Encryption products.

· RSA. RSA’s DLP product strategy is the most interesting of all of the vendors we surveyed. In addition to its direct model for selling its DLP suite, RSA has also aggressively embedded a subset of its suite into products from partners like Cisco (with its IronPort email appliance) and Microsoft (into ForeFront Online Protection for Exchange and its File Classification Infrastructure). RSA’s two-pronged strategy is working: Hundreds of customers have sought to step up from Cisco’s embedded DLP feature to RSA’s full suite. From a product perspective, RSA’s DLP suite scored very well overall, with strong network DLP features for protecting information processed on unmanaged endpoints. Its classification rule sets are well-regarded by customers and competitors alike for their accuracy and relatively low rate of false positives. Considering that storage vendor EMC owns RSA, Forrester was surprised to see that RSA’s information life-cycle strategy is relatively weak compared with, for example, Symantec. Its integration with third-party enterprise rights management (ERM) tools is similarly underdeveloped, and in our view, has an over-reliance on its partnership with Microsoft’s RMS technology. Those concerns aside, RSA’s DLP suite is a good choice for large enterprises, particularly those with heavy investments in Microsoft technologies like SharePoint.

· CA. From its traditional stronghold in financial services, CA’s DLP product has expanded from its endpoint heritage (the former Orchestria product) to a full-fledged suite, including



11

network DLP. CA has added features such as fingerprinting, information inventory (data-at-rest), and scanning tools. These and other additions have brought its DLP suite closer to parity with Symantec and Websense. CA offers best-in-class email filtering and integrates well with information life-cycle technologies such as archiving and eDiscovery. Its USB features, with built-in encryption, negate the need to purchase a third-party product. Perhaps as a result of all the improvements in the newest version of the product (r12), CA’s DLP suite sales are growing faster than any other vendor’s, and a best-in-class 60% of its customers have already upgraded.

Strong Performers: Verdasys And Fidelis Offer Specialized client And Network Solutions

· Verdasys. Based in Waltham, Massachusetts, brash endpoint-only vendor Verdasys has carved out an enviable niche for itself. Verdasys specializes in providing complex solutions to enterprises with complex intellectual property challenges, such as electronics manufacturers, carmakers, and pharmaceutical companies. Verdasys Digital Guardian provides rich, detailed controls for managing the spread of toxic data and secrets emanating from managed endpoints. Its controls for Webmail, email, Web, and USB controls are very strong. Its “Enterprise Information Protection” vision is, in essence, a template for deeply integrating data security controls into business processes and enforcing them through its deeply embedded endpoint agent, which Verdasys gleefully describes as a “rootkit.” As a result, Verdasys’ deal sizes are much larger than those of its peers: millions of dollars rather than the low hundreds of thousands. Verdasys provides desktop agents for Windows and Linux but does not provide network-based DLP features, making it a poor choice for customers worried about leaks from unmanaged endpoints. However, Verdasys resells Fidelis XPS network DLP and can process alerts and incidents forwarded from that product.. Verdasys is poorly positioned to supply “DLP express” solutions for mass-market customers. But the vendor should be on the shortlists of companies that have significant industrial secrets or intellectual property assets to protect — and checkbooks and stamina to make it happen.

· Fidelis. Network DLP specialist Fidelis XPS helps security or network operations managers to detect leaks on large company networks. Its innovative “heads-up” Information Flow Map shows DLP violations in real time. Fidelis XPS has good support for filtering Web traffic and emails and for fingerprinting secrets such as company plans and trade documents. It also has several highly distinctive key features, such as the ability to detect and block peer-to-peer traffic, rogue network channels, botnets, or malicious insiders. As a network-only DLP vendor, Fidelis doesn’t have its own capabilities for monitoring endpoint activities, although it can forward events to Verdasys. It also lacks the feature depth of the leading DLP vendors’ suites. For example, Fidelis does not have a “named data” feature that matches toxic data elements against specific database rows/columns, its fingerprinting controls are relatively weak, and its management dashboard is workmanlike but not refined enough for CISOs. That said, Fidelis is appropriate for enterprises that want to take a network-centric, monitoring-based approach to preventing data leaks.



12

contender: Trend Micro Lags Behind Other Vendors

· Trend Micro. Trend Micro’s 2007 purchase of endpoint-only DLP vendor Provilla gave the company an entry into the DLP market with LeakProof. The product provides best-in-class USB and removable media protection and very good controls for filtering clipboard paste operations on the client. However, LeakProof provided merely adequate features in most of the other areas Forrester evaluated. Its overall features set seems more appropriate for small and midsize enterprises than for large enterprises, which require features like advanced named-data filtering features that match against database rows and columns, and network-based DLP for unmanaged endpoints — things that LeakProof doesn’t have. Trend Micro has a lot of work to do before its LeakProof product is competitive with those of the Leaders. LeakProof should fit well into smaller enterprises that have fleets of homogeneous Windows PC and nothing else. But enterprises with more demanding needs should look elsewhere.

MORE DLP OPTIONS ExIST

In addition to these eight vendors, which we chose because of their large-enterprise focus, financial stability, and market presence, enterprises should know that many other capable DLP vendors exist. These serve smaller market segments than were covered in this Forrester Wave, are less established in the market, or have other areas of focus beyond just DLP. Some of these vendors include:

· Code Green Networks. Code Green is a vendor with a balanced DLP suite that serves the small enterprise segment.

· GTB Technologies. GTB Technologies takes a granular, rules-based approach to DLP that includes endpoint, network, and inventory scanning.

· Palisade Systems. Palisade Systems’ midmarket DLP appliance and SaaS offerings exemplify the “set and forget” simplicity that harried SMB staffs require.

· NextLabs. NextLabs’ product includes both DLP and built-in ERM technology for encrypting sensitive enterprise documents.

SuPPLEMENTAL MATERIAL

Online Resource

The online version of Figure 3 is an Excel-based service provider comparison tool that provides detailed product evaluations and customizable rankings.



13

Data Sources used In This Forrester wave

Forrester used two data sources to assess the strengths and weaknesses of each solution:

· Service provider surveys. Forrester surveyed service providers on their capabilities as they relate to the evaluation criteria. Once we analyzed the completed service provider surveys, we conducted service provider calls to gather additional details and validate service provider qualifications.

· Customer reference calls. To validate product and service provider qualifications, Forrester also conducted reference calls with three of each service provider’s current customers.

The Forrester wave Methodology

We conduct primary research to develop a list of service providers that meet our criteria to be evaluated in this market. From that initial pool of service providers, we then narrow our final list. We choose these service providers based on: 1) product fit; 2) customer success; and 3) Forrester client demand. We eliminate service providers that have limited customer references and products that don’t fit the scope of our evaluation.

After examining past research, user need assessments, and service provider and expert interviews, we develop the initial evaluation criteria. To evaluate the service providers and their products against our set of criteria, we gather details of product qualifications through a combination of lab evaluations, questionnaires, demos, and/or discussions with client references. We send evaluations to the service providers for their review, and we adjust the evaluations to provide the most accurate view of service provider offerings and strategies.

We set default weightings to reflect our analysis of the needs of large user companies — and/or other scenarios as outlined in the Forrester Wave document — and then score the service providers based on a clearly defined scale. These default weightings are intended only as a starting point, and readers are encouraged to adapt the weightings to fit their individual needs through the Excel-based tool. The final scores generate the graphical depiction of the market based on current offering, strategy, and market presence. Forrester intends to update service provider evaluations regularly as product capabilities and service provider strategies evolve.

ENDNOTES1 Source: Forrsights Security Survey, Q3 2010.

2 “The Federal Trade Commission (FTC), the federal bank regulatory agencies, and the National Credit Union Administration (NCUA) have issued regulations (the Red Flags Rules) requiring financial institutions and creditors to develop and implement written identity theft prevention programs, as part of the Fair and Accurate Credit Transactions (FACT) Act of 2003.” Source: “FTC Business Alert,” Federal Trade Commission, June 2008 (http://www.ftc.gov/bcp/edu/pubs/business/alerts/alt050.shtm).



14

3 Staffing the traditional security operations center (SOC) is expensive. Forrester anticipates that the SOC will become virtualized in the future, in a next-generation transformation that we call “SOC 2.0.” See the April 20, 2010, “SOC 2.0: Virtualizing Security Operations” report.

4 “The Office for Civil Rights enforces the HIPAA Privacy Rule, which protects the privacy of individually identifiable health information; the HIPAA Security Rule, which sets national standards for the security of electronic protected health information; and the confidentiality provisions of the Patient Safety Rule, which protect identifiable information being used to analyze patient safety events and improve patient safety.” Source: US Department of Health and Human Services (http://www.hhs.gov/ocr/privacy/).


Forrester Research, Inc. (Nasdaq: FORR)

is an independent research company

that provides pragmatic and forward-

thinking advice to global leaders in

business and technology. Forrester

works with professionals in 19 key roles

at major companies providing

proprietary research, customer insight,

consulting, events, and peer-to-peer

executive programs. For more than 27

years, Forrester has been making IT,

marketing, and technology industry

leaders successful every day. For more

information, visit www.forrester.com.

Headquarters

Forrester Research, Inc.

400 Technology Square

Cambridge, MA 02139 USA

Tel: +1 617.613.6000

Fax: +1 617.613.5000

Email: [email protected]

Nasdaq symbol: FORR

www.forrester.com

m a k i n g L e a d e r s S u c c e s s f u l E v e r y D a y

54974

For information on hard-copy or electronic reprints, please contact Client Support

at +1 866.367.7378, +1 617.613.5730, or [email protected].

We offer quantity discounts and special pricing for academic and nonprofit institutions.

For a complete list of worldwide locationsvisit www.forrester.com/about.

Research and Sales Offices

Forrester has research centers and sales offices in more than 27 cities

internationally, including Amsterdam; Cambridge, Mass.; Dallas; Dubai;

Foster City, Calif.; Frankfurt; London; Madrid; Sydney; Tel Aviv; and Toronto.

www.forrester.com

mailto:[email protected]