March 13, 2018
During every Forrester Wave™ evaluation I conduct, I spend time sifting through vendor responses, data, client surveys, and reference interviews and develop an outline of recurring themes — the good, the bad, the new, the old, etc. After the Wave goes live, I collect all of that information, bundle it together, and produce a “Lessons” report. The latest edition, Lessons From The Forrester Wave™: Information Security Consulting Services, Q3 2017, is now available! Security buyers and sellers can take this report and use it to create a buyer’s guide to security services.
What I Learned During This Research
There are characteristics and behaviors indicating that a successful partnership is possible:
- Look for consistency when speaking to client references of potential vendors. When we compared participants that finished as Leaders to others in the Wave, a big difference was consistency. Leaders had multiple client references that said similar things about them. It didn’t matter if it was flexibility, reliability, speed, or competency — what mattered was that the descriptions recurred throughout reference interviews and freeform survey results. Participants that were not Leaders had more inconsistency in how clients described them.
- Interview consultants before an engagement to save pain in the middle of it. One security leader requested interviews with any of the potential consultants that would work on projects. Some candidates fit, others did not. This allowed the security leader to hand-select a team of consultants that could not only accomplish the project but work well within the culture of the company. It’s time-consuming for everyone involved but helps reduce the issues that might pop up down the road.
- Great firms will make suggestions to help you course-correct before earning your business. If a firm responds to your request with a statement of work that covers the request in its entirety, it may not be the right one for you. Clients that were delighted with their consulting partners said that the firm pushed back on requests, offered alternatives, and clearly explained how the organization would sabotage itself if it decided to pursue its original goal. The cynic might say, “Sure, everyone tries to upsell” — but that’s where the expertise, willingness, and courage to explain that doing it this way today makes sense but sets you up for failure tomorrow come in. This wasn’t an initiative to make more money today — it was to help you avoid spending even more money tomorrow.
Normal Versus Bad: AKA The Devil You Know
Sometimes, it’s tough to know if the consulting firm you work with now is good, decent, or awful. No one wants to create a situation where they fire decent, buy awful, and live to regret it for months or years. Turns out you can’t escape some problems, while others spell doom:
- Not as bad as it might seem: Slow turnaround for pricing, scoping, and billing. Long turnaround times for these items seem to plague the industry. No matter how happy clients were, a common complaint for most firms was that they were too slow to scope, price, and bill for engagements. Clients wanted to give them money, but it took them too long to tell the client how much and too long to bill the client when they were done. If these are the worst of your problems, it isn’t that bad. Not that we condone the behavior, but it could be worse.
- Disaster is brewing: Lack of skills and inability to communicate. Not knowing the technology and architecture became the source of many ruined engagements. Despite promising experts, firms that required clients to train consultants on technology they were supposed to be experts in caused significant issues for clients. In addition, when consultants couldn’t communicate with stakeholders, things went south quickly. Each of these problems stands out as a key early warning for an engagement that either will go wrong — or already has.
If you have any questions about our research, need help judging your current consulting partners, or are thinking about introducing a new one to the mix, feel free to reach out to me via email, Twitter, or LinkedIn.