Thanks to a few end-of-2021 personal challenges, I was not able to write this blog earlier. I decided, however, that it’s never too late to announce research in which we invested over four months (and over a year of prework and research): The Forrester Wave™: Cybersecurity Consulting Providers In Asia Pacific, Q4 2021. This is especially relevant since vendor and client questions are coming at me thick and fast, and I want to share some of my key learnings with you. This report (available to Forrester clients) showcases our evaluation of the 10 most significant cybersecurity consulting providers in Asia Pacific (APAC). Our end-user clients leverage these insights to select the right provider for their needs and to determine some of the criteria they should be considering in their selections. Vendors leverage these insights to improve their strategies and get a view of where the market is headed.

I am humbled and overwhelmed by the enormity of the privilege of analyzing and then sharing these insights.

This Forrester Wave was conducted two years into a global pandemic, which brought with it many new dynamics. Remote work requires not only new security approaches, but also new approaches to consulting. Consumers, employees, buyers, and partners want the organizations they deal with to have their best interests at heart, as well as a clear set of values that they put before short-term profits. Cybersecurity consulting providers are not spared from this expectation.

Also, thanks to the pandemic and other factors, we are living through the “Great Resignation.” In cybersecurity, Forrester predicts a brain drain, as experienced security pros exist the industry. These dynamics created not only new, but also significant challenges and opportunities in the cybersecurity consulting market. Buyers should consider a consultancy that will:

  • Puts its money where its mouth is when it comes to attracting and retaining the best talent. In this market, talent has always been important. Clients choose vendors based on the talent they promise to bring to the table and are very dissatisfied when they’re promised a particular set of talent or skills and get something less than. My discussions also showed a deep dissatisfaction when there’s a variance between the skills of delivery resources as well as consultants being replaced due to provider retention issues. As a buyer, dig deeper to discern lofty promises from reality. Our Forrester Wave briefings were full of providers bragging about their talent-related marketing messages of industry scholarships, elaborate training platforms, and dazzling diversity, equity, and inclusion (DEI) policies. At the end of the day, however, actions and outcomes were what mattered, and the providers that did well were the ones that achieved real outcomes, such as tying earnings to DEI goals, and had customers that were unequivocally satisfied with talent-related criteria.
  • Challenge you to use remote work delivery models, even post-pandemic. Mercifully, the pandemic put a stop to the practice of expecting consultants to be hauled into a client’s office four days a week, often with the sole purpose of “being seen.” Most vendors in this evaluation got the memo, all bragging about their ability to pivot to remote work and supplying their team members with the latest and greatest technologies to support this shift. What differentiated the Leaders, however — and what you should look for as a buyer — was their deep understanding of the benefits of remote work. This should include many factors such as cost savings (to you and them), flexibility, and wellness — that of their teams and to society in general. Leaders intend to use these new ways of working ambitiously to achieve net-zero carbon goals and will challenge you to support them in their goals.
  • Offer services aligned with cybersecurity’s future, not its past. What I learned during this evaluation is that innovation is a precarious criteria, one that doesn’t always stand the test of time. Not all vendors that impressed us with their innovation in 2019 were considered innovative in 2021. The pandemic, among many other things, seemed to have impacted productivity and creativity and, in turn, innovation. And the thing is, innovation is important to you, the buyer. You need innovation to elevate security’s role in the organization, reduce costs, and focus on more strategic endeavors. Look for vendors that offer innovative intellectual property (IP), which could include extending their existing offerings to account for people and culture, those that partner with others to differentiate their IP, or those that innovate via acquisitions. One thing is for certain: Do not settle for vendors that rest on their laurels or put profit before vision. That is a losing recipe.

I would like to acknowledge all participating vendors included in this research. Participating is no small feat, and we greatly appreciate all the time and effort you invested. I also appreciate the respectful and collaborative way in which we continue to work together through these evaluations. I am now in my fourth year of doing this, and I’m always amazed at the relationships I’ve built, even though I am, at times, sharing difficult messages with the participating vendors.