2013 Infonetics Mobile Security Ent Survey 02-04-13

Mobile Security Strategies and Vendor Leadership:
North American Enterprise Survey

February 4, 2013
TABLE OF CONTENTS
TOP TAKEAWAYS.................................................................................................................................. 1
INTRODUCTION ..................................................................................................................................... 2
Market Background......................................................................................................................................2
Methodology and Demographics Overview.....................................................................................................2
DRIVERS AND BARRIERS ....................................................................................................................... 3

MOBILE DEVICE SECURITY DEPLOYMENT STRATEGIES ............................................................................ 7
MOBILE SECURITY INCIDENTS ............................................................................................................... 11
CLOUD AND SAAS FOR MOBILE DEVICE SECURITY................................................................................... 14
PURCHASING AND EXPENDITURES......................................................................................................... 16
SOLUTION SUPPLIERS INSTALLED AND UNDER EVALUATION ................................................................... 20
TOP MOBILE SECURITY SOLUTION SUPPLIERSRESPONDENT PERCEPTION ............................................ 21
MOBILE DEVICE SECURITY SOLUTION SUPPLIER LEADERSHIP ................................................................. 23
BOTTOM LINE ....................................................................................................................................... 25
METHODOLOGY AND DEMOGRAPHICS..................................................................................................... 26
This is a paid service intended for the recipient organization only; reproduction and sharing with third parties is prohibited.
Copyright 2013 by Infonetics Research, Inc. All rights reserved.
i
MOBILE SECURITY STRATEGIES AND VENDOR LEADERSHIP: NORTH AMERICAN ENTERPRISE SURVEY
LIST OF EXHIBITS
EXHIBIT 1
MOBILE DEVICE SECURITY DEPLOYMENT DRIVERS............................................................ 4
EXHIBIT 2
MOBILE DEVICE SECURITY DEPLOYMENT BARRIERS.......................................................... 5
EXHIBIT 3
COMPANY-OWNED DEVICES............................................................................................. 7
EXHIBIT 4
EMPLOYEE-OWNED DEVICES............................................................................................ 8
EXHIBIT 5
SECURITY PRODUCTS FOR MOBILE DEVICES ..................................................................... 9
EXHIBIT 6
KEY SECURITY TECHNOLOGIES FOR MOBILE CLIENTS ........................................................ 11
EXHIBIT 7
MOBILE SECURITY INCIDENTS ......................................................................................... 12
EXHIBIT 8
THREATS AFFECTING RESPONDENTS MOBILE DEVICE USERS ............................................ 13
EXHIBIT 9
USING CLOUD OR HYBRID-CLOUD SOLUTIONS ................................................................... 14
EXHIBIT 10
DRIVERS FOR DEPLOYING HOSTED/SAAS MOBILE SECURITY SOLUTIONS ............................ 15
EXHIBIT 11
SECURING BUDGET AHEAD OF THREAT EVENTS ................................................................ 16
EXHIBIT 12
PREFERRED SOLUTION PROVIDER TYPES .......................................................................... 18
EXHIBIT 13
MOBILE DEVICE SECURITY EXPENDITURES ....................................................................... 19
EXHIBIT 14
MOBILE SECURITY SOLUTION SUPPLIERS INSTALLED AND UNDER EVALUATION.................. 20
EXHIBIT 15
TOP MOBILE SECURITY SOLUTION SUPPLIERS: RESPONDENT PERCEPTION ........................ 21
EXHIBIT 16
SUPPLIER FAMILIARITY ................................................................................................... 22
EXHIBIT 17
MOBILE DEVICE SECURITY SOLUTION SUPPLIER LEADERSHIP............................................ 24
EXHIBIT 18
RESPONDENTS INFLUENCE PURCHASE DECISIONS............................................................ 26
EXHIBIT 19
RESPONDENT ORGANIZATION SIZE ................................................................................... 27
ii
TOP TAKEAWAYS
Nearly every enterprise in North America is a target for mobile security solutions as theyre either
managing mobile devices that they own, rolling out a structured BYOD program, or getting control of
rogue employee-owned mobile devices that have been connected to the network over the last 2 years.
Employees are replacing desktop and laptop usage with smartphones and tablets, and those devices
need to be connected and protected just like desktops and laptops. Success selling security solutions in
this space is really about 2 things: letting IT become a mobility enabler and helping them secure all types
of mobile devices with the same level of protection as desktops and laptops.
Given the number and diversity of mobile security solutions, what do vendors need to do to make their
solution stand out? Based on the data in this survey we believe:
Vendors need to solve the whole mobile connectivity and security problem; its not just about
structured BYOD but also company-owned mobile devices and rogue employee-owned devices.
Companies are looking to lock down mobile devices and control which applications they can use.
Any comprehensive mobile device security solution should provide an app management and
control capability.
As many respondents have concerns about the completeness of protection in existing mobile
security platforms, vendors must develop products and services that can be updated in place and
include the ability to add entirely new threat detection mechanisms without disrupting existing
deployments.
SSL VPN clients will be widely used for company-wide mobile device security rollouts; theyre
free and available for users to download right from their devices application marketplace. We
believe that moving forward, SSL VPNs will be a cornerstone of many companies mobile device
security strategy because they solve an immediate connection security requirement, are familiar
and easy to use, are often free (at first at least), and will likely all support additional
security/control functions.
Looking at respondent technology and vendor plans, we believe the lions share of the
mainstream mobile device security revenue opportunity will go to established client and network
security vendors like Symantec, McAfee, Kaspersky, Microsoft, Cisco, Juniper, and Check Point.
We wont be surprised in the least to see several acquisitions in 2013 (like the Citrix/Zenprise
deal in December 2012) as more big companies try to develop an end-to-end mobile device
management and security solution.
1
INTRODUCTION
Market Background
Like it or not, a new wave of mobile devices is being connected to corporate networks, and many
companies are connecting mobile devices to enterprise networks to decrease capital cost and increase
productivity. Infonetics forecasts billions of new mobile devices (smartphones and tablets) shipping
between 2012 and 2016, and these devices are truly changing the way people work and blurring the lines
between personal and corporate assets.
For many IT organizations around the globe, theres an immediate need to do something about the mobile
device security problem. Mobile devices offer the functionality of business devices but are often mixed
between personal and business use, connect to multiple wireless networks and technologies with different
security requirements, can be easily lost or stolen, and offer a tantalizing new piece of information for
hackers (location, since most are GPS-enabled); they are already being targeted by focused and broad
attacks.
Methodology and Demographics Overview

Using a panel of qualified IT decision-makers, we conducted a web survey in January 2013 with 103
medium and large organizations (more than 100 employees) that have security solutions for mobile
devices in place now.
To qualify, respondents had to have detailed knowledge of the mobile security solutions used by their
organizations and have influence over purchase decisions for those products. All respondents are either
primary decision-makers or have a lot of influence.
Please see Methodology and Demographics for details on the sample.
2
DRIVERS AND BARRIERS

The top drivers for deploying mobile security closely mirror drivers for overall security deployments;
companies need to protect themselves from accidental or malicious loss of data. Our respondents echo
this sentiment: the top deployment drivers are theft prevention and accidental data leakage prevention.
Every day, theres a new story about data loss in the media, from bank account information to patient
records, and most companies have valuable electronic assets to protect, are subject to regulation, or
both. Respondents are also looking to get control of rogue mobile devices that savvy employees connect
on their own.
Respondents rated the importance of various drivers in the decision to purchase security solutions for
mobile devices on a scale of 1 to 7, where 1 means not a driver, 4 means somewhat of a driver, and 7
means definitely a driver. The next chart shows the percentage of respondents rating each feature a 6 or
7, or a driver.
Though only 57% of respondents indicate that rolling out a structured BYOD program is driving the
deployment of mobile device security, the 72% that are trying to gain control of rogue user-connected
devices are essentially tackling the unstructured BYOD problem.
Companies are looking to lock down mobile devices and control which applications they can use. The
application purchase and deployment model is very different in the mobile world than in the world of
desktops and laptops; users feel free to visit app stores and make daily purchases for their devices. The
fact that many mobile devices are also mixed personal/business use devices (a key driver for 67% of
respondents) compounds the problem of application control, and though we see app control as a big
driver in the network security market (spawning a new class of firewalls called next gen firewalls), the
real need for app control is in the mobile device space. Any comprehensive mobile device security
solution should provide an app management and control capability.
3
Exhibit 1
Mobile Device Security Deployment Drivers

n=103
Protect against theft of data/financial loss
73%
Manage and secure rogue devices

connected by users
72%
Prevent accidental leakage of

confidential data/intellectual property
72%
Control use of unauthorized applications
71%
Drivers
Enable secure remote

access for mobile devices
69%
Secure employee mobile devices used for

personal and business purposes
67%
Regulatory/compliance requirement
66%
Enforce web/e-mail usage

policies on mobile devices
66%
Protect against threats

aimed at Android devices
64%
Addition of corporate-owned
tablets to the network
62%
Protect against threats

aimed at iOS devices
59%
Rolling out structured BYOD

solutions for employees
57%
0%
20%
40%
60%
80%
Percent of Respondents Rating 6 or 7
Regulatory/compliance requirements are a key driver for 66% of respondents. Nearly everyone
recognizes the inherent need for security, but the added pressure of having to meet regulatory
requirements drives significant security spending. Additionally, much of this spending hasnt halted during
the recession like more discretionary security spending has because auditors and regulators dont stop
coming around just because the economy is bad. Mobile devices represent uncharted territory for many
regulated industries, and BYOD programs in regulated environments complicate compliance from Capitol
Hill to Wall Street; a complete mobile device security technology and product solution should be able to
address needs at a variety of regulated environments, and vendors should share case studies that
demonstrate successful deployments. Though most of the well-covered regulations that involve IT
security (FIPS, PCI, SOX, etc.) dont have specific provisions or requirements for mobile devices yet,
theyre included by default as they act as standard mail and web clients for many users.
4
All respondents have invested (time, money, or both) in mobile security, but theres always more to
spend, more devices to protect, and new products and technologies available, so we asked respondents
about barriers to new investments in mobile device security solutions. They rated the impact of various
barriers in the decision to purchase additional mobile device security solutions on a scale of 1 to 7, where
1 means not a barrier, 4 means somewhat of a barrier, and 7 means definitely a barrier. The chart below
shows the percentage of respondents rating each feature a 6 or 7, or a barrier.
Overall, responses to this question are low, or lower than the drivers for new purchases, which is typical. The
cost of solutions and issues with completeness of protection are tied for first, each rated a barrier by half of
respondents. Cost will come down over time, and vendors are always adding new protection technologies to
their solutions, so these barriers will fade as products mature. However, keeping solutions updated (rated a
strong barrier by 40%) is even harder in the mobile device world than the desktop/laptop world because so
many of these devices are employee owned and may never be seen or touched by IT staff.
Barriers
Exhibit 2
Mobile Device Security Deployment Barriers

n=103
Completeness of protection
46%
Cost
46%
Keeping solutions
patched/updated
40%
Management difficulty
40%
User complaints/system
performance impact
36%
Difficult to deploy
33%
Current risk doesn't justify impact
27%
0%
10%
20%
30%
40%
50%
5
Digging in to completeness of protection a bit more, we believe that it will always be difficult for a single
security product, whether its client-based, server-based, or network-based, to provide 100% protection.
Threats always lead threat protection; how far ahead varies, but theyre always ahead, which gives
buyers the notion that their security solutions never provide complete protection. This is hard to combat
from a messaging standpoint; the most important thing vendors can do is develop products and services
that can be updated in place to add additional forms of protection as new threats emerge. This is more
than simply updating threat signaturesits providing the ability to add entirely new threat detection
mechanisms without having to disrupt existing deployments.
Cloud-based solutions, which well talk about later, focus on the problems with protection completeness,
patching/updating, complaints about system performance, cost, and deployment difficulty. Theyre not a
panacea, but offering a mix of cloud, client, and network-based solutions will likely be a requirement for
100% coverage of mobile devices.
6
MOBILE DEVICE SECURITY DEPLOYMENT STRATEGIES

We asked respondents which company-owned devices they have deployed mobile security solutions for,
and which company-owned devices for which they plan to make additional purchases in the future. iOS
for iPhone is currently in the lead (48% already deployed, 28% planning future purchases), followed
closely by Android and BlackBerry. The mix of devices that require security solutions is one of the most
trying aspects of selecting and deploying a mobile device security solution, and that's not going to change
soon. Windows phone 8 and iPad lead the list for future purchases; though Windows phone 8 hasnt been
a terribly strong performer in the consumer market, this question deals with company-owned devices, a
market that the Windows mobile platform has always performed well in relative to their own consumer
performance in the past-and this looks to continue, especially considering that Windows Phone 8 is by far
the strongest smartphone offering from Microsoft to date.
Exhibit 3
Company-Owned Devices
n=103, 103
28%
iPhone
48%
31%
Android smartphones
46%
19%
BlackBerry
46%
35%
Devices
iPad
40%
18%
Windows Phone 5/6/7
37%
31%
Android tablets
34%
37%
Windows Phone 8
27%
15%
Kindle or other eReader
17%
New investments
Already invested
15%
Symbian
13%
0%
10%
20%
30%
40%
50%
Percent of Respondents
7
Clearly, a comprehensive solution will offer security and management capability for all the platforms listed
below and more, but the problem is more complicated than that; Android, for example, is not really a
single platform. There are many versions of the OS in use (multiple releases of the OS itself, and
specialized or tweaked versions rolled out by specific carriers), and it is often tricky to get a piece of
security software to work properly across all versions of the OS in use. This is part of the reason, today at
least, that comprehensive solutions are still quite expensive; there is significant manpower required to
code all of the versions necessary to provide complete coverage.
Having consistent protection for all devices is generally a driver for network- and cloud-based solutions, and
the rapid ramp of mobile device use and BYOD rollouts are forcing companies to look at them immediately;
in many cases, the smartphone and tablet security problem cant be solved with a client software purchase.
We also asked respondents which employee-owned devices are allowed on their networks now, and the
strong consumer platforms (iPhone, iPad, Android smartphones/tablets) are all allowed at over 30% of
respondent companies. Many respondents have already made investments in client solutions for these
platforms from company-owned devices, and its often fairly transparent to offer the same clients for user
devices.
Exhibit 4
Employee-Owned Devices
n=103
iPhone
48%
User-Owned Devices
Android tablets
46%
iPad
40%
Kindle or other eReader
40%
BlackBerry
37%
Windows Phone 8
37%
Android smartphones
32%
Windows Phone 5/6/7
27%
Symbian
13%
0%
10%
20%
30%
40%
50%
8
We then asked respondents to tell us what kind of security products they use for company-owned and
employee-owned devices. In both cases, AV clients lead the list (though theyre only truly available for
Android, BlackBerry, and Windows Phone), followed by network-based security solutions (many firewalls
offer some ability to secure/control data and application traffic originating from mobile devices).
SSL VPN clients come in third on the list; in many cases SSL VPN clients for mobile devices are free and
available for users to download right from their devices application marketplace. We believe that SSL
VPNs will be a cornerstone of many companies mobile device security strategy moving forward because
they solve an immediate connection security requirement, are familiar and easy to use, are often free (at
first, at least), and will likely all support additional security/control functions.
Exhibit 5
Security Products for Mobile Devices

n=103, 103
67%
Anti-virus client
49%
54%
Network-based security
Security Products
47%
42%
Integrated client (SSL

VPN/MDM/AV)
34%
42%
SSL VPN client

38%
38%
Integrated client (MDM/AV)
34%
Company-owned
34%
MDM client
User-owned
28%
0%
20%
40%
60%
80%
9
We asked respondents to name the most important technologies for their mobile security solutions to
support, and there are 2 standouts: anti-malware and firewall. There are 2 basic lineages for mobile
security products: device management/MDM and traditional client security (AV/firewall). Our respondents
are responsible for managing security, so their perspective is skewed toward traditional security functions,
but theres a definite blurring of the lines between mobile device management and mobile security.
Remote locate and remote wipe, for example, are definitely security functions, but theyre most commonly
available in MDM products. As many of the technology companies with a vested interest in mobile device
security have spent the last 3 years building or acquiring technology for mobile security, there are now
many blended offerings (like Junipers Pulse client) that are hard to categorize as MDM or pure mobile
security.
Education about what mobile security solutions really offer is needed, but we wanted to ask respondents
what they believe are key features for mobile security client platforms. All these features (and more) will
likely be part of most mobile security client offerings, though theyll have to be stitched together in
different ways depending on the platform. Consumer and enterprise solutions for mobile devices will
tackle these features on a per-device basis, so where enterprise products will really distinguish
themselves is in their ability to stitch together a unified picture of all mobile devices at a given company;
this starts with having broad platform coverage and then moves to the ability to set and apply policy
across different device platforms from a single management console. The industry is not there yet, but
well need to be there within the next 2 years to really solve enterprise mobile device security problems.
Though its difficult to provide protection for data in motion (firewall, anti-malware) on some of the closed
mobile device platforms, vendors need to clearly explain what pure security features are available per
platform so that buyers understand what the tradeoffs are and how they may want to adjust policies
based on the operating system and the real level of protection theyre able to offer.
10
Exhibit 6
Key Security Technologies for Mobile Clients

n=103
Anti-virus
60%
Firewall
50%
Web filtering/security
28%
Security Technologies
VPN
20%
DLP
18%
Control of installed
applications
17%
Disk/file/SD card
encryption
16%
Device location
15%
Remote wipe
15%
Control OS version and

configuration
14%
Remote configuration
12%
Provisioning
10%
0%
20%
40%
60%
80%
MOBILE SECURITY INCIDENTS

We asked respondents if their company had already experienced a significant mobile device security
incident that established a need to invest in security solutions or accelerated the deployment of solutions,
and 38% said that they had already. The number of mobile threats in the wild has been on an incredibly
rapid ramp over the last 3 years; looking at threat analysis from a variety of mobile security platform
vendors, it appears that in 2013 there will be roughly 1 million malicious or high-risk Android apps alone.
We expect that 2 years from now nearly 100% of respondents will experience significant mobile device
security incidents.
11
Exhibit 7
Mobile Security Incidents

n=103
No
61%
Yes
38%
Don't know
1%
12
We then asked respondents which mobile device threats they experienced. One-third of respondents had
experienced web- or e-mail-borne malware, and one-third have dealt with a lost or stolen device with
sensitive or proprietary data. On the lost/stolen device front, its interesting to note that only 16% of
respondents (or less) think that remote wipe, device location, or disk/file/SD card encryption are key
technologies for their mobile security solution. These are the security measures used to protect a
company from loss due to a stolen or lost device, so clearly theres significant education needed in the
market regarding how to protect data at rest on devices and data in motion and how to blend the 2 types
of protection.
Nearly a quarter of respondents reported malicious apps from official app stores, and a quarter also
reported malicious apps from other locations (web sites and unofficial app stores). Over the next 2 years,
this will likely become the primary mobile-device-specific threat vector, and we wouldnt be surprised to
see this pass up lost/stolen devices and web/e-mail malware infections as the top actual threat
encountered by enterprises.
Exhibit 8
Threats Affecting Respondents Mobile Device Users

n=103
Trojan/worm/virus/spyware
delivered to mobile device
from Web or e-mail
33%
Lost/stolen device with

sensitive or proprietary
data
33%
31%
Threats
WiFi snooping
Malicious SMS/MMS
28%
Malicious application
downloaded from third
party or unofficial
application store
23%
Malicious application
downloaded from official
application store
23%
0%
10%
20%
30%
40%
13
CLOUD AND SAAS FOR MOBILE DEVICE SECURITY

We asked respondents specifically if they plan to roll out cloud-based security (or hybrid cloud/client
security) for mobile devices. 77% have purchased a cloud-based or hybrid cloud/client-based solution to
replace traditional security clients or will consider doing so for mobile devices.
Weve discussed many of the drivers for moving to the cloud, but for mobile device security it quite simply
boils down to this: there are too many different types of devices connecting from too many different
locations for the average IT security department to effectively deploy clients and expect consistent and
complete coverage. Mobile devices may push many IT departments over the edge when evaluating
cloud-based security solutions in general because theyre charged with supporting operating systems for
which they cant get clients, there are many users connecting with smartphones IT departments dont
even know about, and the wide variety of device types and frequency of device turnover (relative to
laptops and desktops) means constantly re-deploying security client software.
There are many companies that like the idea of the cloud in theory but will end up staying with their client
solutions, and the 77% here includes those that will follow a hybrid path, using the cloud and clients. In
addition, many of the most visible cloud-based solutions are offered by well-known client vendors; theyve
recognized the shift and gotten ahead of the curve by developing cloud solutions. The move to the cloud
may be slow, or it may be fast, but either way it wont upset the fundamental financial dynamics of the
mobile security market from a supplier standpoint because most vendors will offer both types of solutions
(and hybrids).
Exhibit 9
Using Cloud or Hybrid-Cloud Solutions

n=103
Yes
77%
No
11%
Don't know
12%
14
Respondents looking at the cloud (the 77% who responded yes to the previous question) do so for a
variety of reasons, from saving money to solving the patching problem. Respondents rated the
importance of various drivers in the decision to purchase cloud-based or SaaS solutions for mobile device
security on a scale of 1 to 7, where 1 means not a driver, 4 means somewhat of a driver, and 7 means
definitely a driver. The next chart shows the percentage of respondents rating each feature a 6 or 7, or a
driver.
All of the drivers we asked about are important to at least a third of respondents, and theyre all the ones
we expect to really move customers toward cloud/SaaS solutions for mobile device security over the next
2 years; vendors who arent building out or enabling cloud solutions with their technology will miss the
boat for the mass enterprise mobile device security market in 2014 and beyond.
Exhibit 10
Drivers for Deploying Hosted/SaaS Mobile Security Solutions

n=80
Cost
60%
Need a solution that protects

user-owned devices
54%
Drivers
Need to reduce time to deploy

security for mobile devices
53%
SaaS/cloud-based solutions
don't impact device performance
49%
Need to reduce or eliminate time

spent patching and updating signatures
48%
No single-vendor client software

solution covers all my devices
43%
Don't have enough staff to roll

out software for mobile devices
35%
0%
20%
40%
60%
Percent of Cloud Services Respondents Rating 6 or 7
15
PURCHASING AND EXPENDITURES

We asked respondents if they would be able to secure budget specifically for mobile device security
solutions before a significant threat event affected their company, and the answer was a resounding yes.
Theyve invested in mobile security solutions already, and many now have a dedicated budget for it. Its
important to remember that respondents are security buyers looking to solve a mobile device security
problem, but just as IPSec VPNs forced security and networking departments to work together and drove
security into the mainstream as a connectivity technology, the use of security to ensure proper
connectivity for mobile devices will blur the lines between device management and security. This means
that many security buyers suddenly found themselves with new budget (and a big evaluation task) as they
were told from above that they need to roll out a comprehensive mobile device connection initiative.
Looking at threat protection specifically, investing in security for smartphones is a tough decision; theres
already a shortage of money, so unless a regulator is breathing down their necks or they are forwardthinking IT security departments, some buyers will wait for something to happen before they jump to
invest in smartphone security. Threats aimed at iPhones, SMS and MMS threats, and the wild-wild-West
known as the Android marketplace have caused many companies to take a hard look at mobile device
security.
Exhibit 11
Securing Budget Ahead of Threat Events

n=64
Yes
84%
Don't know
11%
No
5%
16
Security vendors looking to sell comprehensive mobile device security solutions ahead of the mainstream
curve need to explain why these solutions are needed today-that means explaining what new threats a
company opens itself up to when it rolls out a broad mobile device connection plan. For most enterprises,
this means protecting data at rest (encrypting key files), controlling use of storage and removable storage,
and providing the capability to lock down or remotely wipe smartphones if theyre lost or stolen, then
adding protection from malicious apps, malware, and other data in motion threats down the road by
updating the client or allowing users to activate additional features by purchasing new license keys.
The blurring between mobile device management and pure security for mobile devices is already
appearing in the budgeting process, and pure mobile device security vendors need to be aware that the
money for their products is likely to be earmarked for connectivity, not security.
We asked respondents from whom they would purchase their mobile device security solution, and for now
at least, many companies plan to go to their existing network security vendor (the same vendor theyre
likely getting SSL VPN clients for mobile devices from). It has long been speculated that when it comes
time to ramp up mobile security deployments, the established client vendors will be the winners, but this
data conflicts with that. Going with the same vendor they buy desktop clients from seems the logical
choice for customers hampered by incomplete coverage, difficulty of patching/managing their deployment,
and a general desire to have a consistent security deployment. Unfortunately for companies like
Symantec and McAfee, growing dissatisfaction with desktop security clients and the ease of deploying
SSL VPNs and tuning firewalls to provide some level of security are driving customers towards
companies like Cisco, Juniper, Dell SonicWALL, F5, and others.
Overall, the lions share of the mainstream opportunity will go to established client and network security
vendors like Symantec, McAfee, Kaspersky, Microsoft, Cisco, Juniper, and Check Point, but there are still
a few MDM-focused vendors forging their own path. We wont be surprised in the least to see several
acquisitions in 2013 (like the Citrix/Zenprise deal in December 2012) as more big companies try to
develop an end-to-end mobile device management and security solution. Likely acquirers include big
device companies like Samsung, HTC, and Apple, the OS vendors, large service providers looking to
differentiate their services, and large IT infrastructure companies with their eye on mobile devices (last
year we predicted Citrix in this very report; this year it could be someone like HP or IBM). Remaining
standalone MDM vendors like MobileIron are other likely acquisition targets in 2013.
17
Exhibit 12
Preferred Solution Provider Types

n=103
Network security vendor
48%
Purchase Source
Service provider or
solutions provider
38%
Mobile security specialist

product vendor
33%
Mobile device
management
specialist product vendor
32%
VAR/solutions provider
28%
Desktop client security

vendor
27%
0%
10%
20%
30%
40%
50%
18
Respondents indicated their 2012 mobile device security expenditures for 3 categories (software for
devices, network solutions, and hosted/cloud services), and we asked them to project 2013 spending as
well. Respondents average spending was $573K in 2012, growing 36% to $788K in 2013, with all
categories showing growth.
Exhibit 13
Mobile Device Security Expenditures

n=103, 103, 103
$800
$202
Expenditures (US$K)
$600
$237
$127
$400
$173
$349
$273
$200
$0
2012
2013
Calendar Year
Hosted/cloud-based services for mobile security
Network-based security solutions for mobile devices
Client security software for smartphones/tablets
19
SOLUTION SUPPLIERS INSTALLED AND UNDER EVALUATION

In an open-ended question, we asked respondents whose mobile device security solutions they use now and
whose they are evaluating for use by 2014.
Symantec, McAfee, Microsoft, and Cisco lead the list, but the numbers for all suppliers are low for now
and 2014. The market really is wide open right now as many buyers are just starting to sketch out what
kind of long-term solution they need and come to grips with who will supply it.
Exhibit 14
Mobile Security Solution Suppliers Installed and Under Evaluation

n=103, 103
25%
Symantec/Norton
28%
15%
McAfee
17%
9%
Suppliers
Microsoft
12%
6%
Cisco
8%
5%
Apple
5%
4%
Kaspersky
4%
Under evaluation
3%
Avast
Installed
4%
0%
10%
20%
30%
20
TOP MOBILE SECURITY SOLUTION SUPPLIERSRESPONDENT PERCEPTION

In an open-ended question, we asked respondents who they consider to be the top 3 mobile device
security suppliers, a measure called unaided brand awareness, which provides a good view of overall
brand strength. Typically, the larger the vendor (e.g., broad product portfolio) and the more visible their
brand (e.g., TV commercials, product placement), the better they fare in this question. The top 7 vendors
in this chart are all more-or-less household names. If youre not one of these vendors and youre trying to
sell mobile device security solutions, you need a revolutionary technology that makes you a tasty
acquisition target, or you need a laser focus on a small niche market or solution that doesnt require you
to have broad brand awareness. Juniper is a good example of a company that has attacked this market
with laser focus and has built a great customer base and significant partner relationships (with IBM in
particular), and though they dont have the kind of household name value that some of the companies in
this list have, theyre building a strong mobile device security business in the early stages of the market.
Exhibit 15
Top Mobile Security Solution Suppliers: Respondent Perception

n=103
Symantec/Norton
35%
Microsoft
22%
Suppliers
McAfee
21%
IBM
20%
Cisco
16%
Kaspersky
8%
Apple
8%
0%
10%
20%
30%
40%
21
ENTERPRISE FAMILIARITY WITH MOBILE SECURITY SOLUTION SUPPLIERS

Though familiarity with a suppliers offering does not necessarily translate into contract wins, vendors need
buyer awareness to be evaluated as potential suppliers. Without a degree of familiarity, suppliers dont even get
invited to the table. Respondents rated their familiarity with each of a list of mobile device security solution
suppliers on a scale of 1 to 7, where 1 is not familiar and 7 is definitely familiar, a measure called aided
awareness.
The percentage of respondents rating each supplier a 6 or a 7, or familiar, is shown in the next chart.
Exhibit 16
Supplier Familiarity
n=103
71%
McAfee
70%
Microsoft
68%
Suppliers
Cisco
Apple
65%
Symantec/Norton
65%
IBM
61%
RIM (BlackBerry)
52%
Kaspersky
45%
Trend Micro
43%
Juniper/Smobile
40%
0%
20%
40%
60%
80%
McAfee, Microsoft, Cisco, Apple, and Symantec lead in aided awareness. Respondents are familiar with a
wide range of players, even if they dont consider many of those players to be market leaders. Its
interesting to see that Juniper, who has a fairly progressive multi-function mobile client, has increased
awareness significantly since last years report.
22
Apple is fairly well positioned as well, aided by the release of iOS 4 (which included a reasonably solid set
of enterprise features) and the fact that almost every enterprise has to deal with Apple users and devices
whether they want to or not.
MOBILE DEVICE SECURITY SOLUTION SUPPLIER LEADERSHIP

We asked respondents to name the top 3 vendors for each of 8 important buying criteria (this is a
prompted questionrespondents could only pick from a provided list of 10 vendors). The next chart
shows the percentage of respondents who consider each vendor to be among the top 3 for each criterion.
The clear leaders are Cisco, Symantec, and McAfee; these vendors hold the top 3 spots for every
criterion except technology innovation and pricing, trading the lead in some cases. Cisco had one of the
first IPSec clients available on Apples AppStore (along with Juniper) but bests Juniper in overall brand
awareness, which is what really pushes them over the edge here. Symantec and McAfee are simply the 2
largest security client players, and the weight they carry in that market is carrying over to the mobile
device security market (the weight of the brand at least, as these figures arent at all comparable to
revenue or market share in this space).
Kaspersky, Trend Micro, and Juniper make up the middle tier; Kaspersky and Trend are the #3 and #4 AV
players worldwide in terms of revenue market share, and Juniper is like Cisco, a network security player
and trusted enterprise vendor with a mobile device security offering. The bottom tier of vendors are MDMfocused vendors, who suffer largely because our respondents are security managers, and Check Point, a
network security company with lower overall brand visibility than Cisco and Juniper.
What this chart really represents is which companies are expected by buyers to be leading players long
term, meaning it should be easier for the vendors at the top to get customers assuming their solutions are
comparable feature-wise. The suppliers lower in the chart have a tougher road to hoe, but as Juniper is
showing, sold products, good execution, and great partners can drive revenue even if customers dont
look to you by default.
23
Exhibit 17
Mobile Device Security Solution Supplier Leadership

n=103
60%
40%
20%
0%
Technology
innovation
Security Management Price-toperformance

ratio
AirWatch
Kaspersky
Symantec/Norton
Pricing
Cisco
McAfee
Trend Micro
Financial Service and Product

stability
support
roadmap
Juniper
MobileIron
Zenprise/Citrix
24
BOTTOM LINE
The mobile device security market is a large market crowded with a long list of players, and brand
mindshare is dominated household brands like Symantec, Apple, and Cisco. Companies looking to exploit
new opportunities in mobile device security should focus their energy and attention on helping companies
discover which devices are already connected to the network, developing polices for those devices, and
delivering the technology needed to put those policies in motion. A great way to start is to identify a
connectivity problem and then turn that customer into a connectivity AND security customer. SSL VPN
vendors have a leg-up here, and their advantage is starting to show in actual user plans.
Making progress in this market (generating brand awareness, driving revenue, and gaining market share)
will only be possible if vendors solve these real customer problems:
Many IT departments dont know how many (or which) mobile devices are on the network already
Client protection is not available for all their devices and OSs
Its hard to ensure theyre getting the same functionality and level of protection on all devices
Users complain about performance and find ways to get around security measures
Deployments are large, expensive, and unwieldy
Even with security solutions in place, devices are lost, stolen, infected, and compromised
25
METHODOLOGY AND DEMOGRAPHICS

Using a panel of qualified IT decision-makers, we conducted a web survey in January 2013 with 103
organizations that have security solutions for mobile devices in place now.
To qualify, respondents had to have detailed knowledge of the mobile security solutions used by their
organizations and have influence over purchase decisions for those products. All respondents are either
primary decision-makers or have a lot of influence. This is a key part of the screening process to ensure that we
receive responses from people who are knowledgeable decision-makers who influence the buying process.
Exhibit 18
Respondents Influence Purchase Decisions

n=103
A lot of
influence
36%
Primary
decisionmaker
56%
Some
influence
8%
26
56% of respondents are from medium companies (100-999 employees), and the remainder are from large
companies (1,000 employees or more). Though mobile device use is ubiquitous, medium and large
companies are much more likely than small companies to invest in security infrastructure for mobile
devices and are the target customers for most companies developing enterprise class mobile security
products and services.
Exhibit 19
Respondent Organization Size

n=103
101-1,000
56%
Over 1,000
44%
As always, I invite your comments.

Jeff Wilson
Principal Analyst, Security
+1 (408) 583.3337
jeff@infonetics.com
27

2013 Infonetics Mobile Security Ent Survey 02-04-13

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

2013 Infonetics Mobile Security Ent Survey 02-04-13

Uploaded by

Copyright:

Available Formats

Mobile Security Strategies and Vendor Leadership:

North American Enterprise Survey

DRIVERS AND BARRIERS ....................................................................................................................... 3

MOBILE DEVICE SECURITY DEPLOYMENT DRIVERS............................................................ 4

MOBILE DEVICE SECURITY DEPLOYMENT BARRIERS.......................................................... 5

SECURITY PRODUCTS FOR MOBILE DEVICES ..................................................................... 9

KEY SECURITY TECHNOLOGIES FOR MOBILE CLIENTS ........................................................ 11

MOBILE SECURITY INCIDENTS ......................................................................................... 12

THREATS AFFECTING RESPONDENTS MOBILE DEVICE USERS ............................................ 13

USING CLOUD OR HYBRID-CLOUD SOLUTIONS ................................................................... 14

DRIVERS FOR DEPLOYING HOSTED/SAAS MOBILE SECURITY SOLUTIONS ............................ 15

SECURING BUDGET AHEAD OF THREAT EVENTS ................................................................ 16

PREFERRED SOLUTION PROVIDER TYPES .......................................................................... 18

MOBILE DEVICE SECURITY EXPENDITURES ....................................................................... 19

MOBILE SECURITY SOLUTION SUPPLIERS INSTALLED AND UNDER EVALUATION.................. 20

TOP MOBILE SECURITY SOLUTION SUPPLIERS: RESPONDENT PERCEPTION ........................ 21

SUPPLIER FAMILIARITY ................................................................................................... 22

MOBILE DEVICE SECURITY SOLUTION SUPPLIER LEADERSHIP............................................ 24

RESPONDENTS INFLUENCE PURCHASE DECISIONS............................................................ 26

RESPONDENT ORGANIZATION SIZE ................................................................................... 27

Methodology and Demographics Overview

DRIVERS AND BARRIERS

Mobile Device Security Deployment Drivers

Manage and secure rogue devices

Prevent accidental leakage of

Control use of unauthorized applications

Enable secure remote

Secure employee mobile devices used for

Enforce web/e-mail usage

Protect against threats

Protect against threats

Rolling out structured BYOD

Percent of Respondents Rating 6 or 7

Mobile Device Security Deployment Barriers

Current risk doesn't justify impact

Percent of Respondents Rating 6 or 7

MOBILE DEVICE SECURITY DEPLOYMENT STRATEGIES

Windows Phone 5/6/7

Kindle or other eReader

Kindle or other eReader

Windows Phone 5/6/7

Security Products for Mobile Devices

Integrated client (SSL

SSL VPN client

Key Security Technologies for Mobile Clients

Control OS version and

MOBILE SECURITY INCIDENTS

Mobile Security Incidents

Threats Affecting Respondents Mobile Device Users

Lost/stolen device with

CLOUD AND SAAS FOR MOBILE DEVICE SECURITY

Using Cloud or Hybrid-Cloud Solutions

Drivers for Deploying Hosted/SaaS Mobile Security Solutions

Need a solution that protects

Need to reduce time to deploy

Need to reduce or eliminate time

No single-vendor client software

Don't have enough staff to roll

Percent of Cloud Services Respondents Rating 6 or 7

PURCHASING AND EXPENDITURES

Securing Budget Ahead of Threat Events

Preferred Solution Provider Types

Network security vendor

Mobile security specialist