The Forrester Wave™: European Cybersecurity Consulting Providers, Q3 2021,” launched today. Fifteen firms are featured in this report, representing a cross section of large international security consulting providers and more regionally based security pure plays. The European security consultancy market has seen a large transformation in the past 16 months in how it delivers value to clients. From our conversations with customers and providers during the evaluation, we found that: 

  • Remote delivery did not cause much impact to client projects. I was expecting quite a lot of complaints about how terrible Zoom was and how delayed projects had become because of the problems with remote working. To my surprise, very few complaints surfaced. Most centered around the familiar themes of price, value for money, overpromising, and under-delivery, which are par for the course for this market. However, the success of remote delivery shows that a lot of clients and the firms themselves will continue to work in this way, with substantial financial savings and environmental impact. The impact of this change is somewhat underestimated as the single biggest cause of emissions for consulting firms is client travel, and this shift represents a golden opportunity to make this change permanent.
  • The traditional reliance on “onsite” and “in-country” consultants will erode. Firms in this study reported that the remote work model had other benefits. Firms were able to make much greater use of their remote delivery capabilities in near-shore delivery locations in Europe and globally. Some firms with a more premium reputation were able to offer more competitive pricing to their customers, with some reporting that “we didn’t know you could do that.” Onsite work will persist but should be based around work that requires intensive, in-person collaboration, rather than relying on the long-held tradition that consultants should be onsite to “sell” more consultants or clients’ desire to see the consultant’s payment in blood in person.
  • Consulting firms need to move away from innovation theatre — it’s so 2015. One painful feature of several Forrester Wave evaluations was observing questionable, wobbly camera work from several firms trying to demonstrate physical lab spaces with machinery, IT equipment, and innovation rooms/lab facilities during the middle of a pandemic. Firms were focusing on the fact that they have these spaces, as opposed to what they’re actually using such spaces for. Having flashy facilities and expensive coffee isn’t enough. Consulting firms need to focus on how these facilities deliver new IP and create services that deliver tangible client outcomes. Customers should ask firms what the point is and what they will get from it in tangible outcomes.
  • Use pricing models based on outcomes and risk-sharing mechanisms. Security consulting firms are reacting to increasing pressure on their margins from savvy negotiators and ex-consultants who now work for clients. Consulting firms in this study still price most of their work using the traditional time-and-materials and fixed-price models (making up 60% to 90% of deals). However, many firms are using risk-sharing models, outcomes-based models, asset pricing, and pay-as-you-go service models to create new and more cost-effective ways of consuming their services. A project to rationalize a security toolset may accept payment by taking a percentage of savings obtained by following the consultant’s advice, as opposed to being charged for the time incurred to deliver the advice. 

Are you a Forrester client wanting to find out more about how the different providers ranked against each other? Read “The Forrester Wave™: European Cybersecurity Consulting Providers, Q3 2021.”