THE FORRESTER WAVE: EUROPEAN CYBERSECURITY CONSULTING PROVIDERS, Q3 2021 - PWC
LICENSED FOR INDIVIDUAL USE ONLY
The Forrester Wave™: European Cybersecurity Consulting Providers, Q3 2021
The 15 Providers That Matter Most And How They Stack Up
by Paul McKay
July 1, 2021
Why Read This Report
In our 21-criterion evaluation of European cybersecurity consulting providers, we identified the 15 most significant ones — Accenture, Atos, Boston Consulting Group, Capgemini, Deloitte, DXC Technology, EY, IBM Security, KPMG, NCC Group, Orange Cyberdefense, PwC, Sopra Steria, Tata Consultancy Services, and Wipro — and researched, analyzed, and scored them. This report shows how each provider measures up and helps security and risk professionals select the right one for their needs.
This PDF is only licensed for individual use when downloaded from forrester.com or reprints.forrester.com. All other distribution prohibited.
FORRESTER.COM
FOR SECURITY & RISK PROFESSIONALS
The Forrester Wave™: European Cybersecurity Consulting
Providers, Q3 2021
The 15 Providers That Matter Most And How They Stack Up
by Paul McKay
with Martin Gill, Melissa Bongarzone, and Peggy Dostie
July 1, 2021
Customers Will See Value If They Push Harder On Outcomes-Based Pricing
The COVID-19 pandemic has had a profound impact on the ways in which European security leaders
work with their security service providers. The first and most obvious change is that almost all work
has had to be conducted remotely to preserve human safety and comply with government mandates
to work from home. The more important change, however, is the move toward outcomes and risk
sharing models for pricing the value customers receive from security consultancy providers. High
price is one of the most frequently cited complaints customers have about their providers. However,
very few customers actively seek to embrace emerging outcome-based or risk-sharing pricing
models that most providers are now happy to explore. This needs to be led by customers as much as
providers, who cannot do it on their own. European cybersecurity consulting customers should look
for providers that are:
• Evolving their pricing strategies to price by outcomes and value delivered. Vendors now offer
many different mechanisms to price consultancy engagements. However, customers default to
time and materials or fixed price models because their procurement teams want to compare firms
against each other on a rate card basis. European CISOs need to challenge this behavior and
help colleagues move toward a different approach to pricing, where providers have commercial
incentives to do the best job they can for you. Vendors are now offering more subscription-based
pricing, pay by results, IP-based pricing, and risk sharing agreements. Customers should explore
all options and consign fee agreements based on the clock ticking to the history books.
• Developing differentiated IP that delivers results instead of lab-based innovation theatre.
Several providers have invested in trendy innovation labs, premium coffee, wizzy screens, and
writing walls covered in Post-it Notes. Most of this has been rendered redundant and gathers dust
thanks to the global pandemic. Innovation theatre is getting old hat now, and customers know it.
Customers want differentiated IP from providers, either produced by the provider themselves or in
partnership with a security vendor. The best firms use innovation and R&D facilities to help enhance
their impact, rather than just creating shiny labs for the sake of it. Customers should focus on
understanding how providers solve their business and security challenges (and the ones you have
not thought of yet) with unique IP that you would be unable to obtain from anyone else.
• Reinventing their delivery models to achieve environmental and financial sustainability. One
of the biggest surprises in this research was that reference customers reported that remote service
delivery really wasn’t a problem. Most consulting firms had appropriate remote work technology and
were able to deliver value for customers during the pandemic. Previously, clients and consultants
alike insisted on the essential need for colocation four to five days a week for many projects, driving
expenses and CO2 emissions in the process. Virtual delivery allows providers to leverage the best
resource globally to do the job, and some clients report receiving far more favorable pricing than
they had before the pandemic. This trend is here to stay, so expect much heavier use of near-shore
delivery centers and for client travel in future to be much more purposeful, travelling when there is
value in doing so, rather than doing it out of past habits and expectations.
Forrester Research, Inc., 60 Acorn Park Drive, Cambridge, MA 02140 USA
+1 617-613-6000 | Fax: +1 617-613-5000 | forrester.com
© 2021 Forrester Research, Inc. Opinions reflect judgment at the time and are subject to change. Forrester®,
Technographics®, Forrester Wave, TechRadar, and Total Economic Impact are trademarks of Forrester
Research, Inc. All other trademarks are the property of their respective companies. Unauthorized copying or
distributing is a violation of copyright law. Citations@forrester.com or +1 866-367-7378
Evaluation Summary
The Forrester Wave™ evaluation highlights Leaders, Strong Performers, Contenders, and Challengers.
It’s an assessment of the top vendors in the market and does not represent the entire vendor
landscape. You’ll find more information about this market in our reports on the European cybersecurity
consulting market.
We intend this evaluation to be a starting point only and encourage clients to view product evaluations
and adapt criteria weightings using the Excel-based vendor comparison tool (see Figure 1 and see
Figure 2). Click the link at the beginning of this report on Forrester.com to download the tool.
FIGURE 1 Forrester Wave™: European Cybersecurity Consulting Providers, Q3 2021
[Figure: Forrester Wave chart. Vertical axis: weaker to stronger current offering. Horizontal axis: weaker to stronger strategy. Legend: market presence. Bands: Challengers, Contenders, Strong Performers, Leaders. Providers plotted: PwC, Boston Consulting Group, Accenture, Deloitte, EY, IBM Security, Capgemini, NCC Group, Tata Consultancy Services, KPMG, Atos, DXC Technology, Orange Cyberdefense, Wipro, Sopra Steria.]
*A gray bubble indicates a nonparticipating vendor.
FIGURE 2 Forrester Wave™: European Cybersecurity Consulting Providers Scorecard, Q3 2021

| | Forrester’s weighting | Accenture | Atos | Boston Consulting Group | Capgemini | Deloitte | DXC Technology* | EY | IBM Security |
|---|---|---|---|---|---|---|---|---|---|
| Current offering | 50% | 4.23 | 2.38 | 4.38 | 3.15 | 4.08 | 2.38 | 3.77 | 3.31 |
| Key differentiators | 8% | 5.00 | 3.00 | 5.00 | 3.00 | 3.00 | 3.00 | 3.00 | 3.00 |
| European customer satisfaction | 8% | 3.00 | 3.00 | 5.00 | 3.00 | 5.00 | 3.00 | 3.00 | 3.00 |
| Executive engagement and business acumen | 8% | 3.00 | 1.00 | 5.00 | 3.00 | 5.00 | 3.00 | 3.00 | 3.00 |
| Security team engagement | 8% | 5.00 | 3.00 | 5.00 | 3.00 | 5.00 | 3.00 | 5.00 | 3.00 |
| Delivery model sustainability | 8% | 3.00 | 3.00 | 5.00 | 5.00 | 3.00 | 3.00 | 5.00 | 3.00 |
| Pricing models and asset-based pricing | 8% | 5.00 | 1.00 | 5.00 | 3.00 | 5.00 | 1.00 | 3.00 | 3.00 |
| Firm IP and value creation | 8% | 5.00 | 3.00 | 5.00 | 3.00 | 3.00 | 1.00 | 5.00 | 3.00 |
| Partnership IP and value creation | 8% | 5.00 | 3.00 | 3.00 | 3.00 | 5.00 | 1.00 | 5.00 | 3.00 |
| European cyberpractice recruitment and retention | 8% | 3.00 | 3.00 | 5.00 | 3.00 | 3.00 | 1.00 | 5.00 | 3.00 |
| Security strategy consulting capabilities | 8% | 3.00 | 1.00 | 5.00 | 3.00 | 5.00 | 3.00 | 3.00 | 3.00 |
| Governance, risk, and compliance capabilities | 8% | 5.00 | 1.00 | 5.00 | 3.00 | 3.00 | 3.00 | 3.00 | 3.00 |
| Technical security assessment capabilities | 8% | 5.00 | 3.00 | 3.00 | 3.00 | 3.00 | 3.00 | 3.00 | 5.00 |
| Technical consulting implementation capabilities | 8% | 5.00 | 3.00 | 1.00 | 3.00 | 5.00 | 3.00 | 3.00 | 5.00 |

All scores are based on a scale of 0 (weak) to 5 (strong).
*Indicates a nonparticipating vendor
FIGURE 2 Forrester Wave™: European Cybersecurity Consulting Providers Scorecard, Q3 2021 (Cont.)

| | Forrester’s weighting | Accenture | Atos | Boston Consulting Group | Capgemini | Deloitte | DXC Technology* | EY | IBM Security |
|---|---|---|---|---|---|---|---|---|---|
| Strategy | 50% | 4.60 | 2.20 | 3.80 | 3.00 | 3.80 | 2.60 | 3.80 | 3.40 |
| Cybersecurity consulting practice vision | 20% | 3.00 | 3.00 | 5.00 | 3.00 | 3.00 | 3.00 | 5.00 | 3.00 |
| Cybersecurity consulting service improvement roadmap | 20% | 5.00 | 1.00 | 3.00 | 3.00 | 3.00 | 3.00 | 3.00 | 3.00 |
| European go-to-market strategy | 20% | 5.00 | 3.00 | 3.00 | 3.00 | 5.00 | 3.00 | 5.00 | 3.00 |
| European R&D initiatives | 20% | 5.00 | 3.00 | 5.00 | 3.00 | 3.00 | 1.00 | 3.00 | 5.00 |
| European partnership ecosystems | 20% | 5.00 | 1.00 | 3.00 | 3.00 | 5.00 | 3.00 | 3.00 | 3.00 |
| Market presence | 0% | 4.67 | 2.33 | 1.33 | 3.33 | 4.67 | 3.00 | 3.00 | 5.00 |
| European revenues | 33% | 5.00 | 2.00 | 2.00 | 2.00 | 5.00 | 3.00 | 3.00 | 5.00 |
| European practice size | 33% | 5.00 | 2.00 | 1.00 | 5.00 | 5.00 | 3.00 | 3.00 | 5.00 |
| European customer base | 33% | 4.00 | 3.00 | 1.00 | 3.00 | 4.00 | 3.00 | 3.00 | 5.00 |

All scores are based on a scale of 0 (weak) to 5 (strong).
*Indicates a nonparticipating vendor
FIGURE 2 Forrester Wave™: European Cybersecurity Consulting Providers Scorecard, Q3 2021 (Cont.)

| | Forrester’s weighting | KPMG | NCC Group | Orange Cyberdefense | PwC | Sopra Steria | Tata Consultancy Services | Wipro |
|---|---|---|---|---|---|---|---|---|
| Current offering | 50% | 3.00 | 3.15 | 2.23 | 4.69 | 1.62 | 2.85 | 2.23 |
| Key differentiators | 8% | 3.00 | 3.00 | 1.00 | 5.00 | 1.00 | 3.00 | 3.00 |
| European customer satisfaction | 8% | 5.00 | 3.00 | 3.00 | 5.00 | 3.00 | 3.00 | 1.00 |
| Executive engagement and business acumen | 8% | 3.00 | 3.00 | 1.00 | 5.00 | 1.00 | 3.00 | 1.00 |
| Security team engagement | 8% | 3.00 | 3.00 | 3.00 | 5.00 | 1.00 | 3.00 | 3.00 |
| Delivery model sustainability | 8% | 3.00 | 3.00 | 3.00 | 3.00 | 3.00 | 3.00 | 1.00 |
| Pricing models and asset-based pricing | 8% | 3.00 | 3.00 | 3.00 | 5.00 | 3.00 | 3.00 | 3.00 |
| Firm IP and value creation | 8% | 3.00 | 3.00 | 1.00 | 5.00 | 3.00 | 3.00 | 3.00 |
| Partnership IP and value creation | 8% | 3.00 | 3.00 | 3.00 | 5.00 | 1.00 | 3.00 | 3.00 |
| European cyberpractice recruitment and retention | 8% | 1.00 | 3.00 | 3.00 | 5.00 | 1.00 | 3.00 | 3.00 |
| Security strategy consulting capabilities | 8% | 3.00 | 3.00 | 1.00 | 5.00 | 1.00 | 1.00 | 1.00 |
| Governance, risk, and compliance capabilities | 8% | 3.00 | 3.00 | 1.00 | 5.00 | 1.00 | 3.00 | 1.00 |
| Technical security assessment capabilities | 8% | 3.00 | 5.00 | 3.00 | 5.00 | 1.00 | 3.00 | 3.00 |
| Technical consulting implementation capabilities | 8% | 3.00 | 3.00 | 3.00 | 3.00 | 1.00 | 3.00 | 3.00 |

All scores are based on a scale of 0 (weak) to 5 (strong).
*Indicates a nonparticipating vendor
FIGURE 2 Forrester Wave™: European Cybersecurity Consulting Providers Scorecard, Q3 2021 (Cont.)

| | Forrester’s weighting | KPMG | NCC Group | Orange Cyberdefense | PwC | Sopra Steria | Tata Consultancy Services | Wipro |
|---|---|---|---|---|---|---|---|---|
| Strategy | 50% | 3.40 | 3.40 | 1.80 | 4.20 | 1.00 | 3.00 | 3.00 |
| Cybersecurity consulting practice vision | 20% | 3.00 | 3.00 | 1.00 | 5.00 | 1.00 | 3.00 | 3.00 |
| Cybersecurity consulting service improvement roadmap | 20% | 3.00 | 3.00 | 1.00 | 5.00 | 1.00 | 3.00 | 3.00 |
| European go-to-market strategy | 20% | 5.00 | 3.00 | 3.00 | 5.00 | 1.00 | 3.00 | 3.00 |
| European R&D initiatives | 20% | 3.00 | 5.00 | 1.00 | 3.00 | 1.00 | 3.00 | 3.00 |
| European partnership ecosystems | 20% | 3.00 | 3.00 | 3.00 | 3.00 | 1.00 | 3.00 | 3.00 |
| Market presence | 0% | 5.00 | 3.00 | 2.00 | 4.33 | 1.33 | 2.00 | 2.33 |
| European revenues | 33% | 5.00 | 2.00 | 1.00 | 5.00 | 1.00 | 2.00 | 2.00 |
| European practice size | 33% | 5.00 | 2.00 | 2.00 | 4.00 | 2.00 | 2.00 | 3.00 |
| European customer base | 33% | 5.00 | 5.00 | 3.00 | 4.00 | 1.00 | 2.00 | 2.00 |

All scores are based on a scale of 0 (weak) to 5 (strong).
*Indicates a nonparticipating vendor
Vendor Offerings
Forrester included 15 vendors in this assessment: Accenture, Atos, Boston Consulting Group,
Capgemini, Deloitte, DXC Technology, EY, IBM Security, KPMG, NCC Group, Orange Cyberdefense,
PwC, Sopra Steria, Tata Consultancy Services, and Wipro.
Vendor Profiles
Our analysis uncovered the following strengths and weaknesses of individual vendors.
Leaders
• PwC excels in the boardroom and specialty technical services linked to crisis response. PwC
continues to invest in its ability to serve in the boardroom and deliver relevant strategic advice. It is
developing technology-enabled IP, not just in its technical services such as incident response and
threat intelligence, but is increasingly investing in capabilities including its Cyber Risk Reporting
Platform and joining together other assets such as its Connected Risk Engine and Cyber Value
at Risk methodology. In the technology domain, it is expanding its investments into managed
services, a newer space for PwC. PwC continues to push to offer more services on a subscription
and pay-for-performance basis.
PwC maintained its leadership position, developing IP that meets emerging client needs.
It demonstrated exceptional quality deliverables across a range of strategic and technical
competencies such as cyber risk analytics and identity and access management. PwC has depth in
technical areas that link to its boardroom agenda, but clients looking for technical implementation
capabilities for more commodity services and specialty services like OT security will find PwC
lacking capabilities in these areas because of its strategic focus on investing in technology
capabilities linked to the boardroom. PwC reference customers praised its highly skilled teams,
agility, responsiveness, and its understanding of clients’ businesses. PwC reference customers
were critical of its ability to manage projects to budget and its lack of internal alignment in sharing
information and best practices across the PwC network. Customers needing a firm that is leading
edge in its strategic and technical thinking should consider PwC.
• Accenture dominates the field with its exceptional technology-driven offerings. Accenture has
been on a buying spree for its European business, with acquisitions of both the legacy Symantec
business and security testing specialist Context IS. This has significantly added to its capabilities
and skill sets over the past 12 months as well as its existing plans to expand its “cyber fusion”
centers to new locations including Naples since our last assessment. Accenture also goes beyond
traditional partnerships and alliances via its co-investment model with strategic partners to develop
joint solutions to market.
Accenture dominates with exceptional technical IP, in what it creates itself and what it creates
with partners. Its identity and access management IP demonstrates the ability to create unique,
differentiated offerings with its partners that deliver concrete client value. Accenture showed
industry-specific offerings, such as a testing offering for automotive supply chain components,
going beyond the theoretical slideware it demonstrated in our prior Forrester Wave assessment.
Accenture reference customers highlighted its industry context and knowledge, flexible staff,
exceptional program and change management skills, and knowledge in OT as particular strengths.
However, Accenture reference customers said that its claims to operate as a single global company
didn’t play out in practice, with knowledge sharing and collaboration among country practices
requiring improvement. In addition, reference customers stated that its pricing for local onshore
staff was “eye wateringly expensive.” Customers seeking a transformation partner that has
exceptional technical abilities and are happy to pay a premium for this should consider Accenture.
• BCG excels with its strategic nous but lacks technical implementation capabilities. Boston
Consulting Group has a mixed cyberpractice, with capabilities split across its Technology
Advantage practice and subsidiaries including BCG Platinion and BCG Gamma. BCG hires
selectively to bring experienced security professionals to its clients, mixing this expertise with
industry specialists from its generalist consulting pool. BCG continues to invest in growing its
practice by producing IP such as its DevSecOps framework and Cyber Doppler tool for risk
quantification. COVID-19 has changed its views on global staffing models, which historically
followed the classic four days at client site, one day in the office model. BCG expects to be more
purposeful in its approach to client travel to be more environmentally and financially sustainable in
the future.
BCG excels with high-quality strategic advice, deliverables, and technical IP. While BCG claims
to have technically competent staff, it specializes in strategic consulting projects and lacks
deep technology implementation skills, relying on partners including EPAM, Infosys, and Wipro.
Clients should be wary of this. BCG customers praised BCG’s ability to operate at all levels of
the organization, the high quality and effectiveness of its consultants, and its commitment and
flexibility. However, BCG customers also complained about its very high prices and its tendency
to move too fast for the organization to sustain the changes that they introduce in projects.
Customers looking for an experienced strategic advisor who can make high levels of impact in the
boardroom should consider BCG.
• Deloitte continues to dominate due to size but has an average improvement roadmap.
Deloitte has expanded its nearshore European delivery centers in response to client pressures
for local delivery of technical specialty skills at affordable price points. Recently added centers
in Thessaloniki, Greece, add additional skills on a 24/7 basis for delivery of managed services,
technical testing services, and more specific technical skill sets. Deloitte plans to expand its service
portfolio to a broader range of clients and continue its investments in its managed services and
technology implementation capabilities.
Deloitte excels with outstanding client feedback throughout our assessment. Its strengths are in
communicating the value of cyber to executives while building technical credibility. Although it
satisfies clients today and is one of the largest practices by revenue and headcount, its roadmap
for addressing emerging client needs is overly simplistic for sophisticated buyers. The IP it
generated from its own R&D efforts is undifferentiated and has had less client impact than leading
firms in this assessment. Deloitte reference customers highlighted its knowledge and expertise,
the quality of its deliverables, and its interaction with customers at all levels as professional
and flexible. They highlighted a lack of peer groups to exchange ideas with other CISOs and
the occasional difficulties in finding niche skill sets as areas for improvement. Customers that
don’t mind paying a premium for a large firm with a broad range of strategic and technical
implementation capabilities should consider Deloitte.
• EY has made strides to improve its technology implementation capabilities. EY continues
to invest in its European Growth Platform to bring together and consolidate its practices across
Europe. EY has acquired new capabilities such as a federal government practice in Germany. It is
investing in IP development and has been releasing interesting IP, for example in the OT space, via
its OT Orchestrator asset and new IP based around Microsoft Sentinel. EY has a unique offering
to upskill its staff with a technology-focused MBA, which is a unique approach to maintaining and
improving the skills of its staff on top of the usual technical training its competitors offer.
EY has made significant improvements in its technology implementation capabilities and
IP development since our last Forrester Wave assessment. EY demonstrated strength in
OT capabilities, and in services such as vendor risk management and security strategy and
advisory work. EY reference customers expressed satisfaction with the quality of its work, the
responsiveness and flexibility of its staff, and its global reach. EY reference customers also
remarked that it needs to improve its ability to find staff from its practice quickly, remarked that EY
continues to lack technical skills in some areas compared to other providers, and found price to
be an issue on occasion. Customers looking for a firm that combines business expertise, strategic
competence, and is known for delivering high-quality work should consider EY.
Strong Performers
• IBM has strong technical capabilities and is trying to prioritize its offerings on cloud. IBM
is undergoing a large change, as it separates out its legacy infrastructure outsourcing business,
pivoting the remainder of IBM to focus on the hybrid cloud, security, and digital services. IBM
continues to use its research capability to launch new security services, for example its services
related to confidential computing and fully homomorphic encryption. IBM Security is streamlining
its “periodic table” of service offerings to a tighter set, seeking to focus on and enhance its
cloud-centric offerings.
IBM demonstrated well-presented deliverables which worked well with both a technical and
business audience. IBM’s agile contracting approach is a good variation on the traditional multiyear
fixed price model for projects that use agile methodologies, with customers reporting lower prices.
IP demonstrated met current client requirements well and was clearly being used effectively in
service delivery to reduce costs but lacked the differentiation of others in this study. IBM reference
customers noted that it excelled in its technical knowledge, global expertise, and experienced
consultants. However, IBM reference customers said that IBM’s “prices were really high,”
onboarding new staff was too slow, and IBM’s red tape and governance at project milestones were
overengineered and did not add value to projects. IBM is a good fit for firms that require a firm with
strong technical credentials to assist in transforming their organization’s security function.
• NCC Group excels in technical assessments and research capabilities. NCC is a UK-based
pure play security consulting and software assurance firm that has long been associated with
technical assessment work and penetration testing in the UK and further afield. It has recently
expanded its offerings to include a remediate service offering that helps firms implement solutions
to the findings of its testing and advisory consulting work. NCC dedicates a large proportion of
staff time (up to 20%) for their own research projects, culminating in a lot of specialist security research
and the development and release of open source tools, setting it apart on this dimension in a
crowded field.
NCC excels in its testing work and its research capabilities have made demonstrable improvements
in security beyond its direct work on client projects. NCC is more in line with the market in its
security strategy and risk advisory work, where deliverables were traditional and functional but lacked
executive impact. NCC reference customers note the outstanding technical knowledge of staff,
knowledge of threat vectors and attackers, and consistency of resource allocation and staffing.
NCC reference customers said that consulting capabilities outside of Europe are not as strong as
they would like, consultant knowledge was occasionally inconsistent, and outputs of reports could
be repetitive and need to be streamlined. Customers looking for a consulting firm with renowned
technical specialists and that have complex technical testing needs should consider NCC.
• KPMG struggles to differentiate its services, IP, compared to other firms in the market.
KPMG continues to invest in its cybersecurity capabilities in Europe via its status as a global
priority in KPMG’s priority investments program. KPMG is continuing to shift its delivery models
to a “virtual overlay model” accelerated by the COVID-19 pandemic to invest in delivery centers
of excellence with more remote delivery planned in future. KPMG has continued to invest in its
“Powered by KPMG” offerings, combining vendor alliance partner technology with KPMG process
IP and knowledge.
KPMG has developed IP and technology platforms but has been slower to invest than other leading
consultancies, and the disparity is now showing. KPMG IP addresses common client problems
but is less successful in showing cutting-edge thinking to address emerging client needs. KPMG
reference customers demonstrated high levels of satisfaction with KPMG’s breadth and quality of
staff, market insights, and the way they engaged with client staff. They criticized KPMG’s executive
presentations for lacking key narratives and poor formatting, cited a lack of hands-on experiences
in technology implementation, and limited contracting options and delivery models. Customers
wanting a firm that delivers competent and quality services across the whole range of service
offerings should consider KPMG.
• Capgemini does the job but lags in addressing emerging client challenges via its IP.
Capgemini has recently bolstered its cybersecurity practice via the acquisition of Altran, adding
OT engineering capability and the UK GRC consultancy IRM’s software offerings to its portfolio.
Capgemini continues to invest in its home market of Europe, for example via its partnership with
Boeing to build a Cybersecurity Experience Center in Utrecht in the Netherlands. Capgemini is also
expanding its use of pay as you go “as a service” based models with a view to introducing further
price flexibility and predictability for its clients.
Capgemini demonstrated competent technical and executive-facing deliverables. Capgemini has
improved its IP generation capabilities since our last assessment, but its offerings concentrate
on commonly seen client challenges and its IP is not especially differentiated relative to leading
firms in the market. Capgemini reference customers were satisfied with the services they received,
praising Capgemini’s technical knowledge, industry understanding, and pragmatic management of
contracts as strengths. They called out staff availability and occasional gaps in technical expertise
as areas for improvement. Customers looking for a service provider that can straddle both the
business and technology domains with a full-service portfolio should consider Capgemini.
• TCS’s industrialized security offerings meet client needs and are price competitive. Tata
Consultancy Services positions itself as an end-to-end IT services provider that can cover all
aspects of security from advisory to technical implementation and managed services. TCS is
investing heavily in R&D to develop IP based around platforms to offer industrialized, repeatable
services, like its Identifence IP and Vendor Risk Management offerings. TCS continues to invest in
local European capabilities in its Madrid- and Manchester-based Threat Management centers as
well as its substantial offshore resource pools in India.
TCS is forward thinking in its plans to improve its IP portfolio and develop asset-based offerings.
TCS’s IP delivers current client value but is less differentiated than Leaders and is less clear on
its strategy to meet emerging client needs. TCS was unable to present detailed evidence of client
deliverables, but customers were generally satisfied with the services they received. Reference
customers highlighted TCS’s flexibility, price point for delivery, and customer service-oriented
mindset. They pointed to communications issues with offshore staff, high associate turnover, and
rigid, slow-moving TCS internal processes as areas for improvement. Customers wanting a service
provider with experience of delivering at scale and that can offer price competitive offerings should
turn to TCS.
Contenders
• Wipro has big ambition, but inconsistent customer feedback holds it back. Wipro recently
reorganized its global cyber risk services business into its broader Infrastructure, Cloud, Digital
Operations, Risk, and Cyber-security services (iCORE) unit, bringing in new global leadership and
gaining a seat on Wipro’s executive committee of the CEO. Wipro continues to invest in its delivery
capabilities in Europe via local hiring and plans to open new cyberdefense delivery center facilities in
Germany in the next 12 months. Wipro continues to invest in cybersecurity firms via Wipro Ventures
which are then used in service delivery of both consulting and managed services offerings.
Wipro has several cyber risk services platforms and IP that it builds to supplement its services.
Its roadmap and ambition are forward thinking in terms of how the consulting market will evolve,
though current IP deals with commoditized issues. Wipro’s competitive stance is undermined
by inconsistent feedback from customers. Wipro remains technically focused, with executive
deliverables being more suited to technical rather than business leadership. Wipro reference
customers praised Wipro’s flexibility, technical knowledge, price competitiveness, and global
coverage. However, they critiqued Wipro’s willingness to say yes and overcommit and under-deliver,
poor communication with offshore staff, and weak C-level presentations as areas for improvement.
• DXC struggles to stand out in the market with its traditional consulting offerings. DXC
Technology’s consulting business is undergoing a period of change following some of the initial
integration pains of bringing HPE and CSC together to create DXC in 2017. The security consulting
business is based around securing the core enterprise and offers a range of managed services,
consulting advisory, and implementation options. It has instigated a program called “new DXC” to
try and transform the business.
DXC’s offerings remain traditional and closely linked to its broader IT outsource and managed
services business. DXC’s planned improvements will deliver capabilities widely available in the
market from other firms, failing to establish a clear leadership position. The “new DXC” program
has yet to identify what is new or fundamentally changing about DXC that will change its fortunes
in future. DXC did not provide customer references as part of this evaluation process. Customers
who use DXC for other services may consider DXC security managed services as an addition to the
portfolio. DXC declined to participate in the full Forrester Wave evaluation process.
• Atos services are functional but basic, and its roadmap significantly lags the market. Atos
is seeking to modernize its consulting practice to take advantage of new market trends. It is
investing in hiring new staff and developing new skills in cloud, OT, and 5G. Atos’s current portfolio
is a mix of security maturity and strategy reviews; governance, risk, and compliance capability;
and technical implementation services, with particular specializations in its own emerging product
suite (e.g., IDnomic in IAM, Horus HSM for IoT). It has also recently bolstered its capabilities in
Europe via acquisitions such as Paladion in the managed services space and SEC.Consult in the
OT and IoT spaces. Atos has also recently expanded its capabilities in the Benelux region via the
acquisition of Digital.Security.
Atos’ current consulting capabilities are functional and basic. Deliverables are technically
functional and are appreciated by clients but lack impact for senior business executives. IP lacks
the technical capabilities shown by other firms for similar offerings. Atos’ future roadmap will put
in place some basic practice level capabilities that ought to be in place already. Atos reference
customers we spoke to praised the technical competence of staff, their flexibility, and experience
they brought to projects. However, they also cited high prices, staff turnover, and issues with
timely project and program management as areas for improvement. Customers looking to use a
consulting firm with a pan-European focus and seasoned consultants should consider Atos.
• Orange Cyberdefense’s consulting capabilities lag their MSS offerings. Orange Cyberdefense
has acquired its consulting capability by blending SecureLink, SecureData, and OCD staff together
into a single consulting capability. OCD aims to build a consulting capability that leverages its
managed services pedigree to bring together a technically competent consulting capability that
goes beyond “audit” recommendations. It has the expected range of consulting capabilities,
technical assessment, and is focusing on investing in its OT capabilities in the consulting space as
a key investment priority.
Orange lacks the polish of leaders and strong performers in the market. Deliverables are
largely audit focused and aimed at a technical audience, with basic, functional formatting and
presentation. IP development in the consulting space lags that in Orange’s managed services
business, duplicating much of what is available from competitors. Orange reference customers
are broadly satisfied, praising staff flexibility, their hands-on and practical nature, and their
responsiveness as strengths. They desired improvements in the presentation skills of staff and
noted that red tape in the sales process slowed down Orange’s responsiveness when providing
quotes. Customers seeking a technically competent firm known for delivering pragmatic technical
advice should look to Orange Cyberdefense.
Challengers
• Sopra Steria’s basic current offering and weak IP leaves it lagging. Sopra Steria is an IT
services business headquartered in Paris, with a security consulting and managed services
practice serving clients in the Nordics, France, Netherlands, UKI, Belgium, and Germany. It
continues to build its cybersecurity capabilities out of its cybersecurity services center in Toulouse.
Sopra Steria is closely associated with the Security Visa scheme launched by ANSSI and is listed
under several of the accredited schemes as a service provider.
Sopra Steria significantly lagged the field on almost every domain of our assessment. Sopra’s
current IP offerings are outclassed by all other providers and its roadmap aims to establish it as
a follower, rather than a frontrunner in the space. Deliverables and IP presented to validate its
credentials were basic, badly presented, and almost exclusively aimed at a technical audience.
Reference customers provided were exclusively French, so we are unable to verify the experience
of pan-European customers. Reference customers noted working with a small number of high-
quality individuals based in Toulouse who were competent, flexible, and focused on building
a quality relationship. However, they noted on-time delivery as a weakness, along with a lack
of bench strength and poor name recognition as areas for improvement. Existing Sopra Steria
customers in the IT services space in France should consider leveraging Sopra’s security
capabilities to support their programs.
Evaluation Overview
We evaluated vendors against 21 criteria, which we grouped into three high-level categories:
• Current offering. Each vendor’s position on the vertical axis of the Forrester Wave graphic
indicates the strength of its current offering. Key criteria for these solutions include key
differentiators, customer satisfaction, partner and own IP development, talent management and
service offerings covering security strategy engagements, governance, risk, and compliance
engagements, and security technology assessment and implementation engagements.
• Strategy. Placement on the horizontal axis indicates the strength of the vendors’ strategies. We
evaluated vendor strategy, vendor roadmaps and service improvement plans, go-to-market
strategies, and investment plans in R&D and partnerships and alliances.
• Market presence. Represented by the size of the markers on the graphic, our market presence
scores reflect each vendor’s revenue in Europe, European practice size, and European customer
count.
Vendor Inclusion Criteria
Forrester included 15 vendors in the assessment: Accenture, Atos, Boston Consulting Group,
Capgemini, Deloitte, DXC Technology, EY, IBM Security, KPMG, NCC Group, Orange Cyberdefense,
PwC, Sopra Steria, Tata Consultancy Services, and Wipro. Each of these vendors has:
• Revenue of at least $40 million in Europe. Each vendor reports at least $40 million in revenue for
cybersecurity consulting services in the European Economic Area as well as in UK and Switzerland.
• At least 10% of global cybersecurity consulting revenue with European customers. Each
vendor generates at least 10% of its global cybersecurity consulting revenue in the European
Economic Area as well as in Switzerland.
• At least 50 consultants on staff based in Europe. Each firm has at least 50 consulting staff based
in a European office location in the European Economic Area countries, UK, and Switzerland.
• Broad service coverage across Europe. Each participant has a broad footprint of cybersecurity
consulting customers and revenue across several European countries, demonstrating applicability
beyond a single country or two.
• A comprehensive cybersecurity consultancy portfolio for European customers. Each vendor
offers a complete suite of cybersecurity consulting services to customers across Europe.
• Significant interest from Forrester customers. Each vendor has significant interest from our
clients in the form of inquiries, advisories, interactions at events, and other conversations.
Supplemental Material
Online Resource
We publish all our Forrester Wave scores and weightings in an Excel file that provides detailed product
evaluations and customizable rankings; download this tool by clicking the link at the beginning of this
report on Forrester.com. We intend these scores and default weightings to serve only as a starting
point and encourage readers to adapt the weightings to fit their individual needs.
The Forrester Wave Methodology
A Forrester Wave is a guide for buyers considering their purchasing options in a technology
marketplace. To offer an equitable process for all participants, Forrester follows The Forrester Wave™
Methodology Guide to evaluate participating vendors.
In our review, we conduct primary research to develop a list of vendors to consider for the evaluation.
From that initial pool of vendors, we narrow our final list based on the inclusion criteria. We then gather
details of product and strategy through a detailed questionnaire, demos/briefings, and customer
reference surveys/interviews. We use those inputs, along with the analyst’s experience and expertise in
the marketplace, to score vendors, using a relative rating system that compares each vendor against
the others in the evaluation.
We include the Forrester Wave publishing date (quarter and year) clearly in the title of each Forrester
Wave report. We evaluated the vendors participating in this Forrester Wave using materials they
provided to us by April 1, 2021, and did not allow additional information after that point. We encourage
readers to evaluate how the market and vendor offerings change over time.
In accordance with The Forrester Wave™ and New Wave™ Vendor Review Policy, Forrester asks
vendors to review our findings prior to publishing to check for accuracy. Vendors marked as
nonparticipating vendors in the Forrester Wave graphic met our defined inclusion criteria but declined
to participate in or contributed only partially to the evaluation. We score these vendors in accordance
with The Forrester Wave™ And The Forrester New Wave™ Nonparticipating And Incomplete
Participation Vendor Policy and publish their positioning along with those of the participating vendors.
Integrity Policy
We conduct all our research, including Forrester Wave evaluations, in accordance with the Integrity
Policy posted on our website.