Deloitte Acquires Vigilant – Harbinger of a Push By Consultancies Into The MSSP World

This week Deloitte announced the acquisition of Vigilant. This is important news for several reasons. With over 14,000 consultants that specialize in information security, Deloitte is the largest and broadest of any security consultancy globally. Deloitte provides customized security solutions across a broad number of vertical industries, including financial services, aerospace, defense, retail, manufacturing, technology, communications, energy and pharmaceuticals. The company's offerings include[i]:

• Application security — secure coding practices, code review
• Business continuity/disaster recovery planning
• Consumerization — iOS, Android, Endpoint Security
• Regulatory compliance certification, assessment, and audit services (excluding penetration and vulnerability testing)
• Information security certification, compliance assessment, and audit services (excludes vulnerability and penetration testing, includes SOC 2, and ISO 27001 certification)
• Data loss prevention
• Fraud investigation
• Governance — strategy, design, and implementation
• Identity and access management
• Computer emergency response team (CERT) services
• Information security architecture — strategy, design, and implementation
• Network security — strategy, design, and implementation
• Penetration testing (includes cloud, infrastructure, mobile, SCADA, social engineering, and/or wireless)
• Physical security — strategy, design, and implementation
• Privacy — strategy, design, and implementation
• Risk identification and management
• Security awareness — strategy, design, and implementation
• Security organization management — strategy, design, and implementation
• Threat and vulnerability assessment (cloud, network, mobile, physical, social engineering, wireless)

Deloitte with the purchase of Vigilant now broadens Deloitte’s capabilities even further by adding continuous monitoring and threat intelligence to its service offerings. Vigilant is an interesting acquisition for Deloitte because Deloitte has not actively participated in the continuous monitoring services market prior to this event. This is a bold move and shows Deloitte’s interest to provide a more complete security portfolio – that will now span from security advisory to security operations. The new brand for the combined company will be Vigilant by Deloitte®. 

Vigilant is an interesting company and was one of the companies we covered in our March 2013 emerging managed security services wave.[ii] Vigilant’s suite of cyber threat management services complements Deloitte’s security consulting practice. Vigilant's Fusion Service for SIEM offers modules for SIEM systems management. The modules include event / threat use case development, threat intelligence, and incident response. Vigilant combines these into customized services for SIEM program management.  

Vigilant's business model prior to Deloitte’s acquisition is to provide support for Fortune 500 clients and their on-premises-based SIEMs. This co-sourcing model leaves the equipment, security software, and data in the customer's data center. Vigilant manages the client technologies from its SOC, leaving the equipment, security software, and data in the customer's data center. The company also has very good threat intelligence capabilities, and as noted in other research, this is a significant differentiator for MSSPs. Forrester does not see this changing, because the continuous monitoring and threat intelligence capabilities the Vigilant provides bring another important capability to Deloitte’s already substantial client base, and also because Vigilant’s service model uses the client’s on-premises-based SIEM as opposed to investing in its own SIEM infrastructure. This provides Vigilant’s clients more control of their SIEM environment. Continuing this model in the new combined company represents strong adjacency to Deloitte’s current consulting service delivery model.

This is the beginning of a trend where traditional advisory service consultancies will dive into the managed security services business. The MSSP business is attractive to these companies for a variety of reasons, including broader client footprint, annuity based contracts, more consistent and predictable cash flow and improved service margins that quality MSSPs typically enjoy.