A significant take-away from my recent research on cybersecurity consulting is how much the competitive market for providers changed in just one year. As a result of external mega-trends, consultants are rethinking their approach to cybersecurity consulting. Previously, the consulting capabilities offered were driven mainly by regulatory requirements, followed by a shift to advanced threat detection as breaches became more common. During this time, the focus was on tools and on maturity, vulnerability and penetration assessments to prevent attacks. But the breathtaking onset of the Fourth Industrial Revolution, namely digital transformation, is a game-changer for consultants and clients as far as the overall approach and the capabilities needed to secure organizations' environments. The World Economic Forum said that "The Fourth is evolving at an exponential rather than a linear pace. The breadth and depth of these changes herald the transformation of entire systems of production, management, and governance."
Cybersecurity, no longer "just" an IT issue, is now about enterprise transformation with a top-down, end-to-end business approach aligned with IT priorities. This encompasses strategy to execution, involving every function and every employee, and using new and emerging technologies to minimize threats to the fullest extent, including analytics, AI, robotics, automation, cloud security, and Security DevOps. Consulting firms explain to clients that risks cannot be entirely eliminated, but can be minimized with preparation, risk management and governance aligned with business strategies. Cybersecurity and data privacy must be embedded in all business strategies to ensure that consumers trust organizations with their data, and that Boards are satisfied that every step possible is taken to avoid brand and reputational damage.
Consulting firms are proactively responding, creating a change in market dynamics, with many firms attempting to provide a broader range of offerings. Historically, there were distinct tiers of providers offering different capabilities. Management consulting firms focused on strategy and risk consulting, security consulting, breach readiness, change management, talent shortages and managed security services to an extent.
We are witnessing a convergence of capabilities among consulting firms through acquisitions, partnerships/alliances and organic growth, creating a new ecosystem. Digital transformation and the resultant exponential increase in security and data threats mandate that consultants take a business-driven approach to a technical problem.
Managed security services, specifically, are a major source of revenue for many providers, as clients are finding that using outside consulting expertise (for oversight monitoring, co-sourcing or outsourcing) is most effective where they lack talent, infrastructure, and expertise. Consultants can offer clients access to cybersecurity intelligence centers globally, SOCs, innovation labs, shared threat intelligence and advanced detection, among other services.
A sign of these changes is the October 19th announcement by Bain & Company, traditionally a pure management consulting firm, that it is engaging in a partnership with Endava, an IT services firm which provides next-gen technology to clients for digital transformation. The partnership goes beyond cybersecurity but certainly envelops it. Bain's commitment to this is underscored by its ownership stake. With technology and security playing an increasingly important role for clients, traditional consulting providers recognize that they have to rapidly accelerate their digital and security capabilities.
The Bain example is just one of many examples of consulting firms adding to their arsenal to provide a more complete client experience. For instance, The Boston Consulting Group is relying more and more on its Platinion subsidiary for technology implementations, and more firms are moving into the managed service space either on their own (EY's Cybersecurity as a Service (CaaS)) or through alliances. Additionally, pure-play technology firms (Optiv and others) are looking at opportunities to partner with firms that are more strategy-oriented.
It will be interesting to see how the competition shakes out as capabilities and services offered converge. Ultimately, how each consulting firm distinguishes itself will prove to be a defining moment for the cybersecurity consulting market.