Today, my inaugural evaluation of the European consulting services provider market was published, as I write this blog from the city of Barcelona. Along with “The Forrester Wave™: Cybersecurity Consulting Services In Asia Pacific, Q4 2019,” which was published yesterday (see here), this marks the first time that we have explicitly assessed the European security consulting services provider market. Here is what we saw in the market.

The Land-And-Expand Model Of Consulting Is Dying, If Not Already Dead . . .

In my old jobs in various consulting firms, when I started as a graduate over a decade ago, clients liked to see their consultants still busy toiling away on their site when they went home at night, safe in the knowledge that they were getting their money’s worth. Firms and clients find this model resource-intensive, both in terms of the personal sacrifices consultants make to do it and in the considerable cost and expense of shipping an army of consultants from their home office to the client site. While the model is still practiced and still necessary for some projects, customer expectations have changed. Clients want their consultancies to deliver value more cost-effectively and expect technology to be used to increase efficiency.

. . . Which Is Driving Investment In Near-Shore Delivery Capabilities And Asset-Based Consulting

Consultancies are investing heavily in their European delivery capabilities. Many services are now delivered via near-shore delivery capabilities, and significant cost savings are achieved by doing as much as possible remotely, which saves customers expensive travel and expense bills and creates new ways for technology to vastly improve the service that firms offer. European customers are demanding that these capabilities be near their geographical location so that staff in delivery centers understand the languages and cultural norms of the customers they serve.

This is most prevalent in services such as risk assessments, third-party risk assessments, and offerings in identity management, application security, and DevSecOps culture. Firms increasingly license their IP in a manner similar to a product. Service providers are building volume-based models for assessment and testing services that deliver cheaper outcomes without sacrificing quality. In some cases, we even saw firms take on flexible resource contracts in which they charged on a monthly subscription basis for the security consulting advice they gave, even if it meant, in some months, that the firm made a loss.

Firms Are Becoming More Targeted In The Services They Take To Market

I personally look at advising on the selection of a consulting firm as a bit like selecting the right attachment on a Swiss Army knife. Customers take the same approach and typically use several consulting firms to deliver their security program. European clients closely match the capability and strengths of the firm to the task at hand. Firms have responded by pruning their service offerings and becoming more targeted and purposeful about what they stand for and, most importantly, what they don’t do. No security leaders participating in this research relied solely on one firm to perform all of their security consulting activities.

Find out how the 15 providers I assessed in this market stacked up and other insights on the security consulting market in Europe. See the full research report here.