
Cybersecurity Beyond
Technology
Introducing Business Threat Intelligence

Authors:

Nikolaos Tsouroulas
Head of Cybersecurity Product Management, Telefonica

Igor Garcia-Tapia
Cybersecurity Expert Analyst, Telefonica

Julio Gomez Ortega
Cybersecurity Expert Analyst, Telefonica

Gartner Research:

Rob McMillan
Research Director, Gartner, Inc.

In this issue

Executive Summary 3
The Implications of Digital Transformation 4
Cybersecurity Both as a Business Risk and Business Enabler 5
The Limitations of Current Threat Intelligence Approaches 6
Infoxication 6
Over-reliance on Hindsight 8
Business Contextualization 8
Cybersecurity Risk Beyond Malware 10
The Importance of Data Science 11
Educating People and Organizations 12
Conclusion 13
Research From Gartner: How Gartner Defines Threat Intelligence 14
About Telefonica Business Solutions 18

Executive Summary

As companies embrace digital technologies, the importance of cybersecurity is ever more paramount. While traditional IT security primarily focused on protecting networks, devices and servers from viruses, malware and other similar threats, in this digital world cybersecurity needs to go beyond the boundaries of technology and become a permanent shield for business assets.

Many security teams continue to work in silos, isolated from other business units and unable to effectively understand the impact of cyber threats on the business itself. In addition, many business units and executives still do not have the required expertise and experience to adequately identify and manage such risks. Organizational trends, such as the rise of the Digital Risk Officer, are showing the way forward, but they are unlikely to achieve their goals without the right tools.

Security practices and solutions need to adapt to this new reality. Current security products and services focus on threats to technology and infrastructures rather than their impact on the business as a whole, and rely heavily on offering protection against known threats rather than unknown business risks.

Threat Intelligence is a key area in this emerging landscape. It is a capability that is now recognized as an invaluable tool in any CISO's arsenal. However, we believe that it is yet to reach its full potential, because it is still restricted by traditional thinking and has not broken free of its roots in traditional, pure IT security.

In this newsletter we will introduce a new concept, Business Threat Intelligence, that builds on top of the experience of Threat Intelligence, bringing it closer to the business, increasing its detection and analysis of unknown threats, and elevating it from a CISO tool to a tool for the whole C-Level of any organization.

Source: Telefonica

The Implications of Digital Transformation

The spread of digital technologies from IT departments to business areas has presented companies with unprecedented benefits and opportunities. New sales channels such as e-commerce have been created, marketing campaigns have expanded their reach and personalization, companies can listen and interact with their clients through social networks, and the creation of global supply chains increases productivity and reduces costs.

This spread has also meant that most administrative and business units now share dependencies and responsibilities with their IT department. In many cases these closer relationships have also resulted in a blurring of departmental borders, with digital technologies enabling the successful achievement of the objectives of most departments.

This intensification of cooperation and support has also resulted in a corresponding growth of Information Security departments as the protectors of the assets and data that result from the expansion of digital capabilities. The importance of these Information Security departments highlights the critical role that technology plays in the smooth functioning of a business. If the legal department or the sales unit stops working for 24 hours, for example, the rest of the organisation can generally continue working, but if the IT infrastructure fails, it is near-impossible for the business to function.
As a consequence, both IT and Information Security chiefs are experiencing increased pressures and responsibilities as the enablers of practically all business activities, as well as being the repositories of the organization's technological knowhow. This last point is particularly true for Information Security departments, where the struggle to protect the organization from constantly evolving threats requires analysts to be agile and creative thinkers with a broader understanding of digital technologies to keep one step ahead.

These new relationships are also forcing CISOs to develop new skills that go beyond technology. Modern CISOs need to be experts in big data and its associated implications. They need to understand the legal and regulatory issues associated with the exploitation of customer information. They need to understand the physical security aspects that are related to their technologies, and they need to understand how to analyse their supply chain security. Similarly, they need to be aware of the impact security breaches have on digital marketing, public relations and brand reputation. They also need to be able to translate all of these differing issues into coherent risk management strategies. Gartner coined the term Digital Risk Officer (DRO)1 to describe this evolved CISO role.

Cybersecurity Both as a Business Risk and Business Enabler

The growth in the number and severity of security attacks, as well as the reputational damage caused by leaks and incidents in the last few years, has forced companies to assign greater strategic importance to the security of their organizations.

As an example, imagine a company has its customer database stolen and published on the Internet. The Information Security department, assuming it has Threat Intelligence capabilities, will probably identify the leak first and sound the alarm. The incident would need to be reported to the highest levels, where a point person or department would be assigned to coordinate a response. The Legal Counsel will have to participate because they need to analyse the legal implications of the incident. The Marketing and Communication areas may have to make an official announcement and face intense media scrutiny. The Customer Service teams will need to prepare for an avalanche of complaints by affected customers, and the list goes on and on. The CISO will be the person that each department will go to for answers. How bad is it? Who did this? How? Why? What should we tell affected customers? What can we do to avoid it occurring again?

Incidents like this are ever-present and can severely damage the reputation of a business. Unfortunately, prevention and security plans will never be completely infallible and budgets will always be limited.

For this reason, security must be handled the same way as other business risks. Security strategies must shift their focus away from the virtually impossible task of protecting all the assets of the organization against all known and future threats, and instead move to identifying and assessing all the potential risks and threats the company faces and subsequently preparing strategies to manage those identified risks.

Most importantly of all, security risks, like the risks of other business areas, must be analysed in the context of the business as a whole, and not as a separate silo. Threat Intelligence services need to evolve and adopt new approaches in order to meet this emerging reality.

Source: Telefonica

1 Gartner, "Create a Digital Risk Officer Role in Your Organization", Paul E. Proctor, May 2016

The Limitations of Current Threat Intelligence Approaches

Traditional Threat Intelligence approaches generally follow one of two models: they focus either on detecting and notifying as many suspicious assets as possible, or on researching and publishing technical reports describing the most current techniques that attackers are using.

The first model improves the detection capabilities of an organization, so its value is based on the amount and the relevance of the published information (hashes, IP addresses, domains). The second model dedicates research capabilities to each publication, so its value lies in the quality of those publications.

It should be noted that in both cases the focus is on publishing relevant information that can help in the detection of current threats, but the responsibility for resolving any potential risk derived from this information falls only on the consumer. Furthermore, both approaches are often accompanied by a number of limitations, such as infoxication and a lack of business context.

Infoxication

It is sometimes difficult for humans to see the forest for the trees. This is true in the sense of being so focussed on details that they miss the big picture, as well as in the sense of becoming so overwhelmed by the ever increasing data that surrounds them (the trees) that it obscures the view of the context (the forest). While this state of "infoxication", a combination of the words information and intoxication, can apply to all facets of human activity, it is especially prevalent when dealing with complex problems.
In the realm of traditional threat intelligence, a Security Manager may, for example, overly emphasize drilling down on the details related to the what, where, when and who aspects of what they are seeing, rather than focussing their efforts on answering the why. This distinction is important, as strategic decisions and risk assessments depend heavily on the latter.

Similarly, organizations with concerns about their security tend to acquire huge amounts of data in an attempt to cover as many threats as possible. While this practice is initially useful, soon the amount of data makes it difficult to understand what to do with it. Some authors describe this moment with a curve called the Capability Chasm2.

Part of the cause of this chasm is the fact that the prevention approach does not differentiate between incidents that can be ignored, or whose processing can be delayed, and others that actually matter in terms of impact on the business. Data is not necessarily equivalent to useful information, nor does it necessarily provide any kind of useful insight. In other words, when hundreds of malware hashes are being received through a Threat Intelligence feed, how do you determine which one is the most dangerous for your business and therefore the one that most urgently requires your attention?

[Figure: "Crossing the Capability Chasm", by @JohnLaTwC. A curve of Defensive Effectiveness (vertical axis) against Effort (horizontal axis), annotated with the traps along the way: "Drown in too much data and be surrounded by data which isn't relevant"; "Fall into the trap of spending budget on appliances and not quality analysts"; "Lost in the haze of minor incidents because your prevention approach doesn't give you the whitespace to find the data that matters"; "Stuck on the ledge without executive support"; "Failing to scale the Cliffs of Discovery because the investments to make the detection breakthroughs were never made, perpetuating the status quo". Source: @JohnLaTwC]

2 https://twitter.com/johnlatwc/status/597466313280225280

The reality is that most organizations are only capable of digesting a limited amount of data and converting it into actionable information. As an ever increasing amount of data becomes available, investments have to be made not only in big data technologies for the gathering, processing and visualizing of the data, but also in data science knowhow, to extract insights based on potential business impact.

This is extremely important, as there is always a finite amount of capacity available. Making every last inch of an organization secure while not affecting productivity and collaboration is of course a noble goal, but the reality is that limited resources require priorities to be set, and productivity should always come first.

Over-reliance on Hindsight

Another limitation is that traditional Threat Intelligence, and security services in general, report incidents and threats that are already catalogued in their libraries. They evolve by incorporating new threats only after an incident has occurred somewhere and a post-incident analysis has been conducted. In other words, they operate by looking to the past and do not dedicate sufficient effort to proactively identifying new threats before they actually cause harm.

Analysing these types of incidents can provide useful insight about the threats facing an organization, allowing policy to evolve with the tactical situation and providing data for the formulation of new strategies. However, focussing on past events in this way presents a risk in itself, as security chiefs may fall into the trap of preparing to fight the last war.

These capabilities that look to the past should still be considered a necessary part of a defence strategy, and it is true that they cover known threats that can cause significant damage to systems, reputation and income. But they generally do little to prepare organizations against risks lurking in blind spots that could be key to gaining a competitive advantage, or to detecting new potential threats such as black swan events.

New data science techniques can change the paradigm by incorporating more future-looking analysis to identify abnormal patterns and risks. Threat Intelligence should be able to warn about new and unknown threats. For example, abnormal traffic patterns can be indicative of a new type of attack, and increased chatter on the dark web might alert about a new fraud mechanism or other weakness in some part of the company, or about a new threat actor to take into account.

We have identified situations where monitoring information that in theory is not related to cybersecurity, for example customer sentiment and events that affect the image of a company, can be an indicator of what a CISO should prepare for in terms of campaigns against the company's infrastructure. We have seen how banks, retailers, governments and many other organizations have been victims of different types of attacks (DDoS, defacements, attacks on VIPs, breaches, etc.) as a result of public discontent. This discontent can be monitored online and used in order to understand the why behind future attacks and therefore anticipate the likely who, how and when.

Business Contextualization

This highlights another typical shortcoming of existing Threat Intelligence approaches. Security teams tend to focus too much on data that helps describe a certain threat from a purely technological and security perspective, providing limited business context. In this sense, the term business context means linking a threat directly to the core business and not just to the technology.

Threat Intelligence services that focus more on research and less on producing feeds don't usually provide context that is specific to the customer. A Threat Intelligence service may provide excellent threat analyses every month, none of which are relevant to a customer, because they either do not affect their sector, technology or geographic area, or the link is not explored or understood. Furthermore, in many cases an assumption is made that what affects an electricity company in Asia, for example, must also affect the entire sector worldwide. While this may be the case, it is in no way a certainty, nor should the risk be assumed to be the same. When this is the case, an explanation that goes beyond shared technology is not provided.

Source: Telefonica
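The question raised under Infoxication (which of the hundreds of hashes arriving through a feed matters most to this business) and the Business Contextualization shortcoming (a threat never linked to the customer's sector, geography or technology) are, at bottom, the same scoring problem. The following Python is an added example, not code from the newsletter or from any Telefonica or ElevenPaths service; it ranks a feed by business relevance and by what has actually been seen on the organization's own assets rather than by feed order. The business profile, the feed entries, the internal sightings, the 90-day decay and every weight are constructed assumptions.

```python
"""Business-contextualised triage of a threat-intelligence feed.

Added example, not code from the newsletter or from any Telefonica/ElevenPaths
product. Everything below (the feed entries, the business profile, the
internal sightings and the weights) is constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Indicator:
    ioc_type: str         # "sha256", "domain" or "ipv4"
    value: str
    family: str           # malware family or campaign name given by the feed
    sectors: frozenset    # sectors the feed reports as targeted (empty = unknown)
    geos: frozenset       # country codes the feed reports as targeted
    techs: frozenset      # technologies the threat needs in order to work
    confidence: int       # 0..100 as reported by the feed
    last_seen: date


@dataclass(frozen=True)
class BusinessContext:
    sector: str
    countries: frozenset
    tech_stack: frozenset
    assets: dict          # asset name -> criticality weight (1.0 = crown jewel)


def _match(reported: frozenset, ours: frozenset, explicit=0.4, unknown=0.2) -> float:
    """Explicit overlap with our profile scores highest; a feed that does not
    say who is targeted still gets partial credit (opportunistic threats)."""
    if not reported:
        return unknown
    return explicit if reported & ours else 0.0


def relevance(ioc: Indicator, ctx: BusinessContext) -> float:
    """0..1: does this threat plausibly apply to *our* business? A threat that
    needs a technology we do not run is irrelevant however loud the feed is."""
    if ioc.techs and not (ioc.techs & ctx.tech_stack):
        return 0.0
    return min(1.0, 0.2 + _match(ioc.sectors, frozenset({ctx.sector}))
                        + _match(ioc.geos, ctx.countries))


def recency(ioc: Indicator, today: date, horizon_days: int = 90) -> float:
    """Linear decay to zero over the horizon, so stale indicators sink."""
    age = (today - ioc.last_seen).days
    return max(0.0, 1.0 - age / horizon_days)


def priority(ioc: Indicator, ctx: BusinessContext, sightings: dict, today: date):
    """Return (score, asset). An indicator actually seen on our own
    infrastructure always outranks one that is merely relevant: unsighted
    scores are bounded by 1.0, sighted ones start at 1.0 plus the asset weight."""
    asset = sightings.get(ioc.value)
    if asset is not None:
        return 1.0 + ctx.assets.get(asset, 0.5), asset
    return relevance(ioc, ctx) * (ioc.confidence / 100) * recency(ioc, today), None


def triage(feed, ctx: BusinessContext, sightings: dict, today: date):
    """Rank the whole feed; returns (score, value, family, sighted_on) tuples."""
    ranked = []
    for ioc in feed:
        score, asset = priority(ioc, ctx, sightings, today)
        ranked.append((round(score, 3), ioc.value, ioc.family, asset))
    ranked.sort(key=lambda r: r[0], reverse=True)
    return ranked


# Constructed business profile: a Spanish bank with a Brazilian subsidiary.
CTX = BusinessContext(
    sector="finance",
    countries=frozenset({"ES", "BR"}),
    tech_stack=frozenset({"windows", "linux", "oracle"}),
    assets={"customer-db-proxy": 1.0, "marketing-cms": 0.3},
)
TODAY = date(2017, 3, 1)  # fixed so the example is deterministic

# Constructed feed excerpt (hashes and names are placeholders).
FEED = [
    Indicator("sha256", "a1" * 32, "Dridex", frozenset({"finance", "retail"}),
              frozenset({"ES", "GB"}), frozenset({"windows"}), 90, date(2017, 2, 26)),
    Indicator("domain", "update-check.example", "Emotet", frozenset(), frozenset(),
              frozenset({"windows"}), 80, date(2017, 1, 30)),
    Indicator("ipv4", "203.0.113.7", "Mirai", frozenset(), frozenset(),
              frozenset({"iot-camera"}), 95, date(2017, 2, 28)),
    Indicator("sha256", "d4" * 32, "TrickBot", frozenset({"healthcare"}),
              frozenset({"US"}), frozenset({"windows"}), 85, date(2017, 2, 19)),
    Indicator("domain", "old-c2.example", "Dridex", frozenset({"finance"}),
              frozenset({"ES"}), frozenset({"windows"}), 100, date(2016, 11, 1)),
]

# Constructed internal telemetry: one feed domain was resolved by a crown-jewel host.
SIGHTINGS = {"update-check.example": "customer-db-proxy"}


if __name__ == "__main__":
    for score, value, family, asset in triage(FEED, CTX, SIGHTINGS, TODAY):
        where = f"  seen on {asset}" if asset else ""
        print(f"{score:5.3f}  {family:9s} {value[:24]}{where}")
```

Run as-is, the feed's highest-confidence, freshest entry (the Mirai address) drops to the bottom because the business runs no IoT cameras, a four-month-old Dridex domain decays to zero, and an unremarkable Emotet domain goes straight to the top because a crown-jewel host was seen resolving it. The point is the ordering of the inputs: sightings on own assets first, then business fit, and only then the feed's own confidence.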

Cybersecurity Risk Beyond Malware

While Threat Intelligence is frequently associated with malware and APT detection and prevention, there are many other associated digital threats linked to other business areas. These include the digital monitoring of physical security threats to VIPs and installations, the protection of brand reputation and the management of public relations crises, or the support of core business activities such as fraud protection and supply chain risk management. It is also paramount to leverage cybersecurity knowhow and capabilities as part of competitive intelligence activities to support strategic decision-making.

Currently, many organizations either ignore the added value that Threat Intelligence capabilities can bring to these business areas, or they require additional services to cover each one of them. In most cases, the responsibility for all of these risk areas falls under different departments and is rarely shared. As such, there is little possibility of correlating data or of detecting behavioural patterns that cross multiple areas.

As an example, in one case we identified a correlation between the exposure a client had in the press and social media and the number of attacks on its technical assets. In other words, when people were talking about the company more than usual on social channels (regardless of what the conversation was about), the number of attacks on the websites and the rest of the public infrastructure also increased.

The Importance of Data Science

Modern organizations that have invested in digital technologies and the Internet as integral parts of doing business are exposed to a large and increasing number of risks. They generate massive amounts of data internally and are both exposed to and affected by what is going on across the Internet as a whole.

Blocking a known malware strain or monitoring a mature hacktivist group is not that difficult. Identifying Twitter chatter that can be a precursor to a campaign against our company is much more difficult, but also perhaps more valuable. Focusing on our own IT infrastructure makes things more manageable, but what if our business is disrupted or our IP stolen by means of a vulnerability or an attack against a small vendor hidden somewhere in our supply chain?

There is a lot of data and information out there today that allows us to detect such unknown risks. A distinction has to be made, however, between being in possession of the data and being able to access it. Effort has to be invested in the identification and cataloguing of all of the data being generated or received, as well as in its normalization and processing.

Externally, the massive amount of information available in open sources should also be targeted. Social media, press, specialist forums, blogs and others can be correlated with internal sources and provide much needed context. Consumers complaining on social networks about product defects may be related to unexpected design flaws. Elections are an example of the beginning of uncertain changes; understanding the electoral promises and party platforms of political candidates allows organizations to plan for each probable outcome, limiting any negative effects on their balance sheets.

However, a haphazard attempt to try and crawl the entire Internet will generally result in failure, as efforts become too widely stretched. A clear understanding of the strategic uncertainties that decision-makers are facing allows for a methodical and prioritized approach to data collection, focussing on information relevant to the known uncertainties, referred to as known-unknowns.

Strategic vision requires context. Data is generally useless at the strategic level, where information and intelligence are required to support the decision-making process. Data science is essential for this transformation of data into information, but it is the ability to transform information into actionable intelligence that is the real game changer.

The discovery of new risks and threats requires greater effort than cataloguing known threats, and the returns take longer to manifest themselves. The rewards, however, can provide businesses with a competitive advantage over their peers, as well as a reduced risk of being surprised by new strategic risks and threats. A properly functioning intelligence system should, therefore, also dedicate efforts to persistently discovering blind spots where unknown risks, threats and opportunities may be lurking. These unknown-unknowns can, for instance, take the form of black swan events for which, once passed and with hindsight, the warning signs become clear; so why not make an effort to try and detect those signs before the event?

In many cases, the data necessary to uncover these unknown risks is either already present in an organization's databases or is readily available through open sources. The problem is the human tendency to recognize known patterns, and group-think. These effects can be mitigated through the use of Data Mining and Knowledge Discovery processes, as well as through the use of working dynamics such as the devil's advocate, competing hypotheses, differential analysis and similar.
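The correlation between online exposure and attack volume reported under Cybersecurity Risk Beyond Malware, and the transformation of raw data into an actionable warning described in this section, can be made concrete with a small amount of data science. The following Python is an added example rather than anything from the newsletter or from Telefonica: it measures how strongly daily mention counts predict attack counts at each lag, flags abnormal mention days against a trailing baseline, and turns each flag into a dated warning for the SOC. Both daily series, the seven-day baseline window, the lag range and the two-sigma threshold are constructed assumptions.

```python
"""Lagged correlation between public exposure and attacks on public infrastructure.

Added example, not code from the newsletter or from any Telefonica/ElevenPaths
product. Both daily series below are constructed to illustrate the observation
in the text: a surge in online mentions followed, a day later, by a surge in
attacks. The window, lag range and z-threshold are arbitrary choices.
"""
from math import sqrt
from statistics import mean, pstdev


def pearson(xs, ys):
    """Pearson correlation coefficient of two equal-length series."""
    if len(xs) != len(ys) or len(xs) < 2:
        raise ValueError("need two series of equal length >= 2")
    mx, my = mean(xs), mean(ys)
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    if vx == 0 or vy == 0:
        return 0.0
    return cov / sqrt(vx * vy)


def lagged_correlation(mentions, attacks, max_lag=3):
    """Correlation of mentions on day t with attacks on day t+lag, for each lag.
    A peak at lag > 0 is what makes the non-security signal an early warning."""
    result = {}
    for lag in range(max_lag + 1):
        xs = mentions[:len(mentions) - lag] if lag else mentions
        ys = attacks[lag:]
        result[lag] = pearson(xs, ys)
    return result


def best_lag(mentions, attacks, max_lag=3):
    corr = lagged_correlation(mentions, attacks, max_lag)
    return max(corr, key=corr.get)


def anomalies(series, window=7, z=2.0):
    """Days whose value exceeds mean + z*std of the preceding `window` days.
    A trailing window keeps a spike from inflating its own baseline."""
    flagged = []
    for t in range(window, len(series)):
        base = series[t - window:t]
        if series[t] > mean(base) + z * pstdev(base):
            flagged.append(t)
    return flagged


def early_warnings(mentions, attacks, window=7, z=2.0, max_lag=3):
    """For each mention spike, predict the attack day from the best lag and
    report whether attacks on that day were themselves anomalous."""
    lag = best_lag(mentions, attacks, max_lag)
    attack_spikes = set(anomalies(attacks, window, z))
    warnings = []
    for day in anomalies(mentions, window, z):
        expected = day + lag
        warnings.append({
            "mention_spike_day": day,
            "expected_attack_day": expected,
            "confirmed": expected in attack_spikes,
        })
    return lag, warnings


# Constructed 28-day series. Baselines carry small deterministic jitter;
# mentions spike on days 10 and 20, attacks on days 11 and 21.
MENTIONS = [100 + (i * 7 % 11) - 5 for i in range(28)]
MENTIONS[10], MENTIONS[20] = 600, 450
ATTACKS = [20 + (i * 5 % 7) - 3 for i in range(28)]
ATTACKS[11], ATTACKS[21] = 90, 70


if __name__ == "__main__":
    for lag, r in lagged_correlation(MENTIONS, ATTACKS).items():
        print(f"lag {lag}: r = {r:+.3f}")
    lag, warnings = early_warnings(MENTIONS, ATTACKS)
    print(f"best lag: {lag} day(s)")
    for w in warnings:
        print(w)
```

On the constructed series the correlation is negative at lag 0 and close to one at lag 1, which is the single number that justifies treating a social-media spike as a trigger for raising the alert level on the public perimeter the next day. In practice the series come from a media-monitoring feed and from WAF, DDoS and IDS counters, and the lag, window and threshold are tuned on historical data rather than fixed as here.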

Educating People and Organizations

Nevertheless, technology on its own cannot solve all of these issues. Business Threat Intelligence can only succeed if supported by a team of multidisciplinary analysts with the required abilities to understand both the security technology and the business.

Big Data, Data Science, Machine Learning and Deep Learning specialists, as well as intelligence professionals, are just a few of the specializations that can be used to build a team of intelligence analysts. Together they have the capabilities necessary for identifying strategic blind spots and new threat actors before they strike, by using the latest technology and best practices to support other departments as well as corporate decision-makers in a common business language everyone understands.

However, this interplay between security and the business that we are describing will only succeed if companies are prepared to effectively understand and enable cybersecurity as a business priority. The security vendor or internal team brought on board to deliver Business Threat Intelligence will need to work in an environment where awareness, openness, transparency and commitment to change in terms of cybersecurity and digital risks are present throughout the organization. All the C-Level executives and their teams need to contribute and work with the CISO and/or DRO in order to fully identify business risks and work together on the strategy to address them.

Source: Telefonica

Conclusion

At ElevenPaths we have been working during the past years with key customers to adapt our CyberThreats3 service to their needs, and we believe that the insights we have collected represent an evolutionary step for Threat Intelligence services in general.

Threat Intelligence should no longer be considered a tool purely for CSIRTs and CISOs, in the same way that CISOs are no longer responsible only for information and IT but for identifying and protecting against key business risks and providing support to C-Level decision-makers.

We call this Business Threat Intelligence because, at the end of the day, the fundamental aim is to protect the core business of a company. Business Threat Intelligence represents a new way of addressing cyber-risk by focussing efforts on prioritizing digital business assets over technology, including brand reputation and other intangible assets.

There is also a notable shift in preference from information quantity to information quality. A greater effort is made on understanding what concerns our customers have and what support they actually need to manage a risk, beyond specific pieces of data.

It focuses equally on detecting known, known-unknown and unknown-unknown threats to the business, as opposed to simply cataloguing and reacting to threats that are widely recognized and understood.

Most importantly, Business Threat Intelligence is designed to support high-level decision-makers, with an emphasis on strategic business threats, communicating in the language of business risk and applying technological, intelligence and data science knowhow as necessary to help understand the strategic environment.

Source: Telefonica

3 https://www.elevenpaths.com/technology/cyberthreats/index.html

Research From Gartner:

How Gartner Defines Threat Intelligence

Threat intelligence is evidence-based knowledge (e.g., context, mechanisms, indicators, implications and action-oriented advice) about existing or emerging menaces or hazards to assets. CISOs should plan for current threats, as well as those that could emerge in the long term (e.g., in three years).

Key Findings

- The leading indicators of risk to an organization are difficult to identify when an adversary's thoughts, capabilities and actions are unknown.
- No one, including CISOs, can control threats to their organization; they can only be aware and be prepared for their arrival.
- CISOs are being challenged to provide evidence to support risk assessments and business cases; however, high-quality evidence can be difficult to obtain.

Recommendations

- CISOs should plan for current security threats, as well as those that may emerge in the longer term, such as three years from now.
- CISOs who use threat intelligence services need to understand the characteristics they require from such a service and should choose their service providers accordingly.

Analysis

Definition

Threat intelligence is evidence-based knowledge, including context, mechanisms, indicators, implications and action-oriented advice about an existing or emerging menace or hazard to assets. This intelligence can be used to inform decisions regarding the subject's response to that menace or hazard.

Context

Two conditions are necessary for a security incident to occur (see Figure 1):

- A vulnerability or weakness must exist in some element of an organization's operations or its supply chain.
- A threat must exploit that vulnerability.

A vulnerability may exist in a variety of forms, for example:

- Unsecure software due to a bug, bad programming practices or a bad design
- An unsecure IT infrastructure configuration
- Unsecure operational or business processes
- Unsecure acts committed by staff or other people, by a mistake or by a deliberate act

The threat is the agent (that is, a menace or hazard) that takes advantage of the vulnerability. In most cases, CISOs have no direct control over threats to their organizations. They can only be aware of the threats and be prepared for their arrival. Threats can exist in a variety of forms, including:

- People; for example, hackers actively working to inflict damage to the physical, financial or intangible assets of the organization
- Malware

The term "intelligence" has several meanings (see Note 1); the two that are the most relevant to this research are:

- Information communicated, news, notices or advice
- Knowledge imparted or acquired through study, research or experience; general information

Figure 1. The Prerequisites for a Security Incident

[Figure: three linked boxes, Threat, Vulnerability and Incident. A threat exploits a vulnerability to generate an incident. Threat: in the vast majority of cases, you have little or no control over threats. Vulnerability: in the vast majority of cases, you have almost complete control over vulnerabilities; you must be aware of them, avoid them where possible and develop specific defenses when avoidance is impossible. Incident: a security incident is what you wish to avoid; you have only limited control over the consequences.]

Source: Gartner (February 2016)

In its traditional sense, intelligence is the product of a process, rather than a series of raw data points (see Figure 2).

Attributes

Threat intelligence is specific information that has been generated through some form of processing, such as collection, collation, validation, evaluation and interpretation. It includes value-added information that is apparent only from further analysis or from the correlation of multiple data points. Examples of this information include the:

- Goals of the threat actor or developer
- Conditions under which the threat is likely to successfully exploit a vulnerability
- Variants of the threat
- Current activities implying the threat
- Outcomes for the organization should the threat successfully execute
- Indicators that the threat is acting against the organization or otherwise impairing the assets of the organization
- Defenses against the threat

Figure 2. Typical Intelligence Life Cycle

[Figure: a six-stage cycle, starting at Direction and looping back to it through Feedback.
- Direction: define and refine the objectives
- Collection: gather data from multiple sources, open and closed; electronic, human and others
- Processing: translate, if required; evaluate reliability; collate from multiple sources
- Analysis: decide what this information means; assess its significance; recommend action
- Dissemination: deliver intelligence to the consumer
- Feedback: adjust as required]

Source: Gartner (February 2016)

Threat intelligence may include information such as an assessment of the reliability of the source of the information and the reliability of the information itself. It may have a period of relevance, from the very brief (for example, operational intelligence about existing activity, which may be relevant for only the duration of that activity) to the very long (for example, strategic intelligence about the long-term plans that leaders of a country or other community may be making).

For many organizations that consume threat intelligence, a key challenge is how to consume and act on that intelligence. It can be used to inform decisions in preparation for the threat, such as how to avoid it or reduce its potential impact. It can be used to respond to an incident stemming from the threat, such as identification, assessment, forensic support and remediation.

What Threat Intelligence Isn't

- It's not obvious, trivial or self-evident information about a threat that any untrained individual of otherwise reasonable intelligence would be able to discern for him or herself.
- It's not information about vulnerabilities; however, most threat intelligence service providers also provide such information.
- It's not support for incident response (for example, forensic support and compromised credential recovery), although incident response support service providers may consume threat intelligence.
- It's not limited to network traffic analysis or system log analysis.

Evidence

Most threat intelligence service providers (government and commercial) do not make their intelligence content publicly available. However, an example was published in early 2013 by Mandiant: "APT1: Exposing One of China's Cyber Espionage Units."

A more generic list of threats, which organizations should consider as part of their security planning, is provided in Annex C of the ISO/IEC standard "Information technology. Security techniques. Information security risk management," ISO/IEC 27005:2011, Second Edition, 1 June 2011.

Note 1. Definition of Intelligence

As defined by Webster's 1913 Dictionary, retrieved 15 May 2013.

Source: Gartner Research G00299526, Rob McMillan, 23 February 2016
About Telefonica Business Solutions

Telefonica Business Solutions, a leading provider of a wide range of integrated communication solutions for the B2B market, manages globally the Enterprise (Large Enterprise and SME), MNC (Multinational Corporations), Wholesale (fixed and mobile carriers, ISPs and content providers) and Roaming businesses within the Telefonica Group. Business Solutions develops an integrated, innovative and competitive portfolio for the B2B segment including digital solutions (m2m, Cloud, Security, e-Health or Digital Marketing) and telecommunication services (international voice, IP, bandwidth capacity, satellite services, mobility, integrated fixed, mobile, IT services and global solutions). Telefonica Business Solutions is a multicultural organization, working in over 40 countries and with service reach in over 170 countries.

https://twitter.com/TelefonicaB2B

Contact us

For more information contact us.

https://www.telefonica.com

Cybersecurity Beyond Technology is published by Telefonica. Editorial content supplied by Telefonica is independent of Gartner analysis. All Gartner research is used with Gartner's permission, and was originally published as part of Gartner's syndicated research service available to all entitled Gartner clients. © 2017 Gartner, Inc. and/or its affiliates. All rights reserved. The use of Gartner research in this publication does not indicate Gartner's endorsement of Telefonica's products and/or strategies. Reproduction or distribution of this publication in any form without Gartner's prior written permission is forbidden. The information contained herein has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. The opinions expressed herein are subject to change without notice. Although Gartner research may include a discussion of related legal issues, Gartner does not provide legal advice or services and its research should not be construed or used as such. Gartner is a public company, and its shareholders may include firms and funds that have financial interests in entities covered in Gartner research. Gartner's Board of Directors may include senior managers of these firms or funds. Gartner research is produced independently by its research organization without input or influence from these firms, funds or their managers. For further information on the independence and integrity of Gartner research, see "Guiding Principles on Independence and Objectivity" on its website.