I just launched a Now Tech that lists the major firms participating in the European cybersecurity consulting market, which has undergone a radical transformation in the last 12 months. Forrester Analytics Business Technographics® Security Survey, 2020, shows that clients have increased their use of consultants by 4% since 2019. They need skilled people to help them support their critical security initiatives and have relied more heavily on consulting firms as hiring freezes hindered their efforts. Consultancies have moved from a model where they mostly perform work on customer sites to one where they deliver almost 100% remotely because of the pandemic and continued travel and office restrictions in many European countries. This is an astonishing change to the classic “four days onsite, Fridays in the office” model practiced for decades by consulting firms. Here are some of the key findings from this research that chief information security officers should consider:

  • Expectations are changing around delivery models and location of work. The COVID-19 pandemic has upended the traditional “four days on client site, one day in the office” model of performing consulting. Virtually all consulting work from all providers has been provided fully remotely. European security leaders have had to be creative and understanding about these limitations, which has created new possibilities. Clients should consider making some aspect of remote delivery permanent in engagements when return to operations is permitted sometime in 2021. Bring consultants onsite when you need to collaborate, or where work is challenging to perform remotely. Otherwise, embrace remote working.
  • Consulting firms are increasing their partnership and alliance capabilities. Consulting firms talk a good game about extensive lists of cybersecurity partnerships and alliances. Few firms can articulate where they’ve created a joint offer or proposition, delivered outcomes for clients that were impossible without the partnership, or created new sustainable revenue streams for both parties in the process. If firms propose a joint contracting approach with a security product vendor, validate the strength of the offering and prior track record of delivery. Be wary of being the initial “marquee” client that proves the alliance. Security leaders need to demand to speak to reference customers to validate that the promised riches have indeed been realized at peer organizations and are not simply slideware smoke and mirrors.
  • Firms are starting to use pricing models based on outcomes and risk-sharing mechanisms. Security consulting firms are reacting to increasing pressure on their margins from savvy negotiators and ex-consultants who now work for clients. Consulting firms in this study still price most of their work using the traditional time-and-materials and fixed-price models (making up 60% to 90% of deals). However, many firms are using risk-sharing models, outcomes-based models, asset pricing, and pay-as-you-go service models to create new and more cost-effective ways of consuming their services. For example, a consultant on a project to rationalize a security toolset may accept payment as a percentage of the savings obtained by following the consultant’s advice, as opposed to charging for the time incurred to deliver the advice.

This research is the first prelude to my updated Forrester European Consulting Wave™, for which we have just begun the research process. Keep an eye out for this evaluative research in the early summer. For Forrester clients wanting to find out more about the current market landscape, read “Now Tech: European Cybersecurity Consulting Providers, Q1 2021.”