THE FORRESTER WAVE: EUROPEAN CYBERSECURITY CONSULTING PROVIDERS, Q3 2021 - PWC

Page created by Pauline Richardson
 
CONTINUE READING
LICENSED FOR INDIVIDUAL USE ONLY

The Forrester Wave™: European Cybersecurity
Consulting Providers, Q3 2021
The 15 Providers That Matter Most And How They Stack Up

by Paul McKay
July 1, 2021

Why Read This Report
In our 21-criterion evaluation of European cybersecurity consulting
providers, we identified the 15 most significant ones — Accenture, Atos,
Boston Consulting Group, Capgemini, Deloitte, DXC Technology, EY, IBM
Security, KPMG, NCC Group, Orange Cyberdefense, PwC, Sopra Steria,
Tata Consultancy Services, and Wipro — and researched, analyzed, and
scored them. This report shows how each provider measures up and helps
security and risk professionals select the right one for their needs.

This PDF is only licensed for individual use when downloaded from forrester.com or reprints.forrester.com. All other distribution prohibited.
FORRESTER.COM
FOR SECURITY & RISK PROFESSIONALS

The Forrester Wave™: European Cybersecurity Consulting
Providers, Q3 2021
The 15 Providers That Matter Most And How They Stack Up

            by Paul McKay
            with Martin Gill, Melissa Bongarzone, and Peggy Dostie
            July 1, 2021

Customers Will See Value If They Push Harder On Outcomes-Based
Pricing
The COVID-19 pandemic has had a profound impact on the ways in which European security leaders
work with their security service providers. The first and most obvious change is that almost all work
has had to be conducted remotely to preserve human safety and comply with government mandates
to work from home. The more important change, however, is the move toward outcomes and risk
sharing models for pricing the value customers receive from security consultancy providers. High
price is one of the most frequently cited complaints customers have about their providers. However,
very few customers actively seek to embrace emerging outcome-based or risk-sharing pricing
models that most providers are now happy to explore. This needs to be led by customers as much as
providers, who cannot do it on their own. European cybersecurity consulting customers should look
for providers that are:

 • Evolving their pricing strategies to price by outcomes and value delivered. Vendors now offer
   many different mechanisms to price consultancy engagements. However, customers default to
   time and materials or fixed price models because their procurement teams want to compare firms
   against each other on a rate card basis. European CISOs need to challenge this behavior and
   help colleagues move toward a different approach to pricing, where providers have commercial
   incentives to do the best job they can for you. Vendors are now offering more subscription-based
   pricing, pay by results, IP-based pricing, and risk sharing agreements. Customers should explore
   all options and to consign fee agreements based on the clock ticking to the history books.

 • Developing differentiated IP that delivers results instead of lab-based innovation theatre.
   Several providers have invested in trendy innovation labs, premium coffee, wizzy screens, and
   writing walls covered in Post-it Notes. Most of this has been rendered redundant and gathers dust
   thanks to the global pandemic. Innovation theatre is getting old hat now, and customers know it.
   Customers want differentiated IP from providers, either produced by the provider themselves or in
   partnership with a security vendor. The best firms use innovation and R&D facilities to help enhance

                    Forrester Research, Inc., 60 Acorn Park Drive, Cambridge, MA 02140 USA
                    +1 617-613-6000 | Fax: +1 617-613-5000 | forrester.com
                    © 2021 Forrester Research, Inc. Opinions reflect judgment at the time and are subject to change. Forrester®,
                    Technographics®, Forrester Wave, TechRadar, and Total Economic Impact are trademarks of Forrester
                    Research, Inc. All other trademarks are the property of their respective companies. Unauthorized copying or
                    distributing is a violation of copyright law. Citations@forrester.com or +1 866-367-7378
FOR SECURITY & RISK PROFESSIONALS                                                                                             July 1, 2021
The Forrester Wave™: European Cybersecurity Consulting Providers, Q3 2021
The 15 Providers That Matter Most And How They Stack Up

    their impact, rather than just creating shiny labs for the sake of it. Customers should focus on
    understanding how providers solve their business and security challenges (and the ones you have
    not thought of yet) with unique IP that you would be unable to obtain from anyone else.

 • Reinventing their delivery models to achieve environmental and financial sustainability. One
   of the biggest surprises in this research was that reference customers reported that remote service
   delivery really wasn’t a problem. Most consulting firms had appropriate remote work technology and
   were able to deliver value for customers during the pandemic. Previously, clients and consultants
   alike insisted on the essential need for colocation four to five days a week for many projects, driving
   expenses and CO2 emissions in the process. Virtual delivery allows providers to leverage the best
   resource globally to do the job, and some clients report receiving far more favorable pricing than
   they had before the pandemic. This trend is here to stay, so expect much heavier use of near-shore
   delivery centers and for client travel in future to be much more purposeful, travelling when there is
   value in doing so, rather than doing it out of past habits and expectations.

Evaluation Summary
The Forrester Wave™ evaluation highlights Leaders, Strong Performers, Contenders, and Challengers.
It’s an assessment of the top vendors in the market and does not represent the entire vendor
landscape. You’ll find more information about this market in our reports on the European cybersecurity
consulting market.

We intend this evaluation to be a starting point only and encourage clients to view product evaluations
and adapt criteria weightings using the Excel-based vendor comparison tool (see Figure 1 and see
Figure 2). Click the link at the beginning of this report on Forrester.com to download the tool.

                      © 2021 Forrester Research, Inc. Unauthorized copying or distributing is a violation of copyright law.             2
                      Citations@forrester.com or +1 866-367-7378
FOR SECURITY & RISK PROFESSIONALS                                                                                                      July 1, 2021
The Forrester Wave™: European Cybersecurity Consulting Providers, Q3 2021
The 15 Providers That Matter Most And How They Stack Up

FIGURE 1 Forrester Wave™: European Cybersecurity Consulting Providers, Q3 2021

    European Cybersecurity Consulting Providers
    Q3 2021

                                                                             Strong
              Challengers               Contenders                       Performers                                             Leaders

         Stronger
          current                                                                                                              PwC
          offering
                                                                              Boston Consulting Group
                                                                                                                      Accenture
                                                                                                     Deloitte

                                                                                                                      EY
                                                                                     IBM Security

                                                                             Capgemini                        NCC Group

                                                        Tata Consultancy Services
                                                                                                           KPMG

                                                                  Atos                 DXC Technology
                                Orange Cyberdefense
                                                                                                 Wipro

                                              Sopra Steria

          Weaker
          current
          offering

                     Weaker strategy                                                                                    Stronger strategy

                                                                      Market presence*

      *A gray bubble indicates a nonparticipating vendor.

                       © 2021 Forrester Research, Inc. Unauthorized copying or distributing is a violation of copyright law.                     3
                       Citations@forrester.com or +1 866-367-7378
FOR SECURITY & RISK PROFESSIONALS                                                                                              July 1, 2021
The Forrester Wave™: European Cybersecurity Consulting Providers, Q3 2021
The 15 Providers That Matter Most And How They Stack Up

FIGURE 2 Forrester Wave™: European Cybersecurity Consulting Providers Scorecard, Q3 2021

                                                                                                up
                                                                                              ro
                                                                                             G
                                                                                          ng

                                                                                           *
                                                                                      gy
                                                                                      lti

                                                                                    lo
                                                                        ge nsu

                                                                                 no
                                                                                  i
                                                                       gh r’s

                                                                                o

                                                                               in
                                                                  At ture

                                                                  EY ech
                                                                              g

                                                                              C

                                                                            m
                                                                           tin
                                                                    ei te

                                                                            y
                                                                          tte
                                                                        on

                                                                         rit
                                                                          T
                                                                  w res

                                                                         n

                                                                       oi
                                                                     ce

                                                                     cu
                                                                    XC
                                                                     os

                                                                     st

                                                                    ap

                                                                    M
                                                                    el
                                                                     r

                                                                  Bo
                                                                  Ac
                                                                  Fo

                                                                  Se
                                                                  IB
                                                                  C

                                                                  D

                                                                  D
      Current offering                                               50%         4.23 2.38 4.38 3.15 4.08 2.38 3.77 3.31
      Key differentiators                                              8%        5.00 3.00 5.00 3.00 3.00 3.00 3.00 3.00
      European customer satisfaction                                   8%        3.00 3.00 5.00 3.00 5.00 3.00 3.00 3.00
      Executive engagement and business acumen                         8%        3.00 1.00 5.00 3.00 5.00 3.00 3.00 3.00
      Security team engagement                                         8%        5.00 3.00 5.00 3.00 5.00 3.00 5.00 3.00
      Delivery model sustainability                                    8%        3.00 3.00 5.00 5.00 3.00 3.00 5.00 3.00
      Pricing models and asset-based pricing                           8%        5.00 1.00 5.00 3.00 5.00 1.00 3.00 3.00
      Firm IP and value creation                                       8%        5.00 3.00 5.00 3.00 3.00 1.00 5.00 3.00
      Partnership IP and value creation                                8%        5.00 3.00 3.00 3.00 5.00 1.00 5.00 3.00
      European cyberpractice recruitment and retention                 8%        3.00 3.00 5.00 3.00 3.00 1.00 5.00 3.00
      Security strategy consulting capabilities                        8%        3.00 1.00 5.00 3.00 5.00 3.00 3.00 3.00
      Governance, risk, and compliance capabilities                    8%        5.00 1.00 5.00 3.00 3.00 3.00 3.00 3.00
      Technical security assessment capabilities                       8%        5.00 3.00 3.00 3.00 3.00 3.00 3.00 5.00
      Technical consulting implementation capabilities                 8%        5.00 3.00 1.00 3.00 5.00 3.00 3.00 5.00

      All scores are based on a scale of 0 (weak) to 5 (strong).
      *Indicates a nonparticipating vendor

                       © 2021 Forrester Research, Inc. Unauthorized copying or distributing is a violation of copyright law.             4
                       Citations@forrester.com or +1 866-367-7378
FOR SECURITY & RISK PROFESSIONALS                                                                                              July 1, 2021
The Forrester Wave™: European Cybersecurity Consulting Providers, Q3 2021
The 15 Providers That Matter Most And How They Stack Up

FIGURE 2 Forrester Wave™: European Cybersecurity Consulting Providers Scorecard, Q3 2021 (Cont.)

                                                                                                up
                                                                                              ro
                                                                                             G
                                                                                          ng

                                                                                           *
                                                                                      gy
                                                                                      lti

                                                                                    lo
                                                                        ge nsu

                                                                                 no
                                                                                  i
                                                                       gh r’s

                                                                                o

                                                                               in
                                                                  At ture

                                                                  EY ech
                                                                              g

                                                                              C

                                                                            m
                                                                           tin
                                                                    ei te

                                                                            y
                                                                          tte
                                                                        on

                                                                         rit
                                                                          T
                                                                  w res

                                                                         n

                                                                       oi
                                                                     ce

                                                                     cu
                                                                    XC
                                                                     os

                                                                     st

                                                                    ap

                                                                    M
                                                                    el
                                                                     r

                                                                  Bo
                                                                  Ac
                                                                  Fo

                                                                  Se
                                                                  IB
                                                                  C

                                                                  D

                                                                  D
       Strategy                                                      50%         4.60 2.20 3.80 3.00 3.80 2.60 3.80 3.40
       Cybersecurity consulting practice vision                      20%         3.00 3.00 5.00 3.00 3.00 3.00 5.00 3.00
       Cybersecurity consulting service improvement                  20%         5.00 1.00 3.00 3.00 3.00 3.00 3.00 3.00
       roadmap

       European go-to-market strategy                                20%         5.00 3.00 3.00 3.00 5.00 3.00 5.00 3.00
       European R&D initiatives                                      20%         5.00 3.00 5.00 3.00 3.00 1.00 3.00 5.00
       European partnership ecosystems                               20%         5.00 1.00 3.00 3.00 5.00 3.00 3.00 3.00

       Market presence                                                 0%        4.67 2.33 1.33 3.33 4.67 3.00 3.00 5.00
       European revenues                                             33%         5.00 2.00 2.00 2.00 5.00 3.00 3.00 5.00
       European practice size                                        33%         5.00 2.00 1.00 5.00 5.00 3.00 3.00 5.00
       European customer base                                        33%         4.00 3.00 1.00 3.00 4.00 3.00 3.00 5.00

      All scores are based on a scale of 0 (weak) to 5 (strong).
      *Indicates a nonparticipating vendor

                       © 2021 Forrester Research, Inc. Unauthorized copying or distributing is a violation of copyright law.             5
                       Citations@forrester.com or +1 866-367-7378
FOR SECURITY & RISK PROFESSIONALS                                                                                               July 1, 2021
The Forrester Wave™: European Cybersecurity Consulting Providers, Q3 2021
The 15 Providers That Matter Most And How They Stack Up

FIGURE 2 Forrester Wave™: European Cybersecurity Consulting Providers Scorecard, Q3 2021 (Cont.)

                                                                                      y
                                                                                   nc
                                                                                 se

                                                                   W es ulta
                                                                   Se C ia
                                                                       C fen
                                                                   C nge p

                                                                      ta er
                                                                        gh r’s

                                                                               u

                                                                       rv ons
                                                                              g

                                                                   O Gro

                                                                   Pw rde

                                                                   Ta St
                                                                           tin
                                                                     ei te

                                                                          G

                                                                          ic
                                                                   w res

                                                                          a

                                                                        ro
                                                                         e
                                                                       M

                                                                       C

                                                                       pr
                                                                     yb

                                                                     ip
                                                                     ra
                                                                      r

                                                                     C
                                                                   KP

                                                                   So
                                                                   Fo

                                                                   N
       Current offering                                               50%         3.00 3.15 2.23 4.69 1.62 2.85 2.23
       Key differentiators                                              8%        3.00 3.00 1.00 5.00 1.00 3.00 3.00
       European customer satisfaction                                   8%        5.00 3.00 3.00 5.00 3.00 3.00 1.00
       Executive engagement and business acumen                         8%        3.00 3.00 1.00 5.00 1.00 3.00 1.00
       Security team engagement                                         8%        3.00 3.00 3.00 5.00 1.00 3.00 3.00
       Delivery model sustainability                                    8%        3.00 3.00 3.00 3.00 3.00 3.00 1.00
       Pricing models and asset-based pricing                           8%        3.00 3.00 3.00 5.00 3.00 3.00 3.00
       Firm IP and value creation                                       8%        3.00 3.00 1.00 5.00 3.00 3.00 3.00
       Partnership IP and value creation                                8%        3.00 3.00 3.00 5.00 1.00 3.00 3.00
       European cyberpractice recruitment and retention                 8%        1.00 3.00 3.00 5.00 1.00 3.00 3.00
       Security strategy consulting capabilities                        8%        3.00 3.00 1.00 5.00 1.00 1.00 1.00
       Governance, risk, and compliance capabilities                    8%        3.00 3.00 1.00 5.00 1.00 3.00 1.00
       Technical security assessment capabilities                       8%        3.00 5.00 3.00 5.00 1.00 3.00 3.00
       Technical consulting implementation capabilities                 8%        3.00 3.00 3.00 3.00 1.00 3.00 3.00

      All scores are based on a scale of 0 (weak) to 5 (strong).
      *Indicates a nonparticipating vendor

                        © 2021 Forrester Research, Inc. Unauthorized copying or distributing is a violation of copyright law.             6
                        Citations@forrester.com or +1 866-367-7378
FOR SECURITY & RISK PROFESSIONALS                                                                                              July 1, 2021
The Forrester Wave™: European Cybersecurity Consulting Providers, Q3 2021
The 15 Providers That Matter Most And How They Stack Up

FIGURE 2 Forrester Wave™: European Cybersecurity Consulting Providers Scorecard, Q3 2021 (Cont.)

                                                                                     y
                                                                                  nc
                                                                                se

                                                                  W es ulta
                                                                  Se C ia
                                                                      C fen
                                                                  C nge p

                                                                     ta er
                                                                       gh r’s

                                                                              u

                                                                      rv ons
                                                                             g

                                                                  O Gro

                                                                  Pw rde

                                                                  Ta St
                                                                          tin
                                                                    ei te

                                                                         G

                                                                         ic
                                                                  w res

                                                                         a

                                                                       ro
                                                                        e
                                                                      M

                                                                      C

                                                                      pr
                                                                    yb

                                                                    ip
                                                                    ra
                                                                     r

                                                                    C
                                                                  KP

                                                                  So
                                                                  Fo

                                                                  N
       Strategy                                                      50%         3.40 3.40 1.80 4.20 1.00 3.00 3.00
       Cybersecurity consulting practice vision                      20%         3.00 3.00 1.00 5.00 1.00 3.00 3.00
       Cybersecurity consulting service improvement                  20%         3.00 3.00 1.00 5.00 1.00 3.00 3.00
       roadmap

       European go-to-market strategy                                20%         5.00 3.00 3.00 5.00 1.00 3.00 3.00
       European R&D initiatives                                      20%         3.00 5.00 1.00 3.00 1.00 3.00 3.00
       European partnership ecosystems                               20%         3.00 3.00 3.00 3.00 1.00 3.00 3.00

       Market presence                                                 0%        5.00 3.00 2.00 4.33 1.33 2.00 2.33
       European revenues                                             33%         5.00 2.00 1.00 5.00 1.00 2.00 2.00
       European practice size                                        33%         5.00 2.00 2.00 4.00 2.00 2.00 3.00
       European customer base                                        33%         5.00 5.00 3.00 4.00 1.00 2.00 2.00

      All scores are based on a scale of 0 (weak) to 5 (strong).
      *Indicates a nonparticipating vendor

Vendor Offerings
Forrester included 15 vendors in this assessment: Accenture, Atos, Boston Consulting Group,
Capgemini, Deloitte, DXC Technology, EY, IBM Security, KPMG, NCC Group, Orange Cyberdefense,
PwC, Sopra Steria, Tata Consultancy Services, and Wipro.

Vendor Profiles
Our analysis uncovered the following strengths and weaknesses of individual vendors.

Leaders

 • PwC excels in the boardroom and specialty technical services linked to crisis response. PwC
   continues to invest in its ability to serve in the boardroom and deliver relevant strategic advice. It is
   developing technology-enabled IP, not just in its technical services such as incident response and
   threat intelligence, but is increasingly investing in capabilities including its Cyber Risk Reporting
   Platform and joining together other assets such as its Connected Risk Engine and Cyber Value

                       © 2021 Forrester Research, Inc. Unauthorized copying or distributing is a violation of copyright law.             7
                       Citations@forrester.com or +1 866-367-7378
FOR SECURITY & RISK PROFESSIONALS                                                                                             July 1, 2021
The Forrester Wave™: European Cybersecurity Consulting Providers, Q3 2021
The 15 Providers That Matter Most And How They Stack Up

    at Risk methodology. In the technology domain, it is expanding its investments into managed
    services, a newer space for PwC. PwC continues to push to offer more services on a subscription
    and pay-for-performance basis.

    PwC maintained its leadership position, developing IP that meets emerging client needs.
    It demonstrated exceptional quality deliverables across a range of strategic and technical
    competencies such as cyber risk analytics and identity and access management. PwC has depth in
    technical areas that link to its boardroom agenda, but clients looking for technical implementation
    capabilities for more commodity services and specialty services like OT security will find PwC
    lacking capabilities in these areas because of its strategic focus on investing in technology
    capabilities linked to the boardroom. PwC reference customers praised its highly skilled teams,
    agility, responsiveness, and its understanding of clients’ businesses. PwC reference customers
    were critical of its ability to manage projects to budget and its lack of internal alignment in sharing
    information and best practices across the PwC network. Customers needing a firm that is leading
    edge in its strategic and technical thinking should consider PwC.

 • Accenture dominates the field with its exceptional technology-driven offerings. Accenture has
   been on a buying spree for its European business, with acquisitions of both the legacy Symantec
   business and security testing specialist Context IS. This has significantly added to its capabilities
   and skill sets over the past 12 months as well as its existing plans to expand its “cyber fusion”
   centers to new locations including Naples since our last assessment. Accenture also goes beyond
   traditional partnerships and alliances via its co-investment model with strategic partners to develop
   joint solutions to market.

    Accenture dominates with exceptional technical IP, in what it creates itself and what it creates
    with partners. Its identity and access management IP demonstrates the ability to create unique,
    differentiated offerings with its partners that deliver concrete client value. Accenture showed
    industry-specific offerings, such as a testing offering for automotive supply chain components,
    going beyond the theoretical slide ware it demonstrated in our prior Forrester Wave assessment.
    Accenture reference customers highlighted its industry context and knowledge, flexible staff,
    exceptional program and change management skills, and knowledge in OT as particular strengths.
    However, Accenture reference customers said that its claims to operate as a single global company
    didn’t play out in practice, with knowledge sharing and collaboration among country practices
    requiring improvement. In addition, reference customers stated that its pricing for local onshore
    staff was “eye wateringly expensive.” Customers seeking a transformation partner that has
    exceptional technical abilities and are happy to pay a premium for this should consider Accenture.

 • BCG excels with its strategic nous but lacks technical implementation capabilities. Boston
   Consulting Group has a mixed cyberpractice, with capabilities split across its Technology
   Advantage practice and subsidiaries including BCG Platinion and BCG Gamma. BCG hires
   selectively to bring experienced security professionals to its clients, mixing this expertise with
   industry specialists from its generalist consulting pool. BCG continues to invest in growing its

                      © 2021 Forrester Research, Inc. Unauthorized copying or distributing is a violation of copyright law.             8
                      Citations@forrester.com or +1 866-367-7378
FOR SECURITY & RISK PROFESSIONALS                                                                                             July 1, 2021
The Forrester Wave™: European Cybersecurity Consulting Providers, Q3 2021
The 15 Providers That Matter Most And How They Stack Up

    practice by producing IP such as its DevSecOps framework and Cyber Doppler tool for risk
    quantification. COVID-19 has changed its views on global staffing models, which historically
    followed the classic four days at client site, one day in the office model. BCG expects to be more
    purposeful in its approach to client travel to be more environmentally and financially sustainable in
    the future.

    BCG excels with high-quality strategic advice, deliverables, and technical IP. While BCG claims
    to have technically competent staff, it specializes in strategic consulting projects and lacks
    deep technology implementation skills, relying on partners including EPAM, Infosys, and Wipro.
    Clients should be wary of this. BCG customers praised BCG’s ability to operate at all levels of
    the organization, the high quality and effectiveness of its consultants, and its commitment and
    flexibility. However, BCG customers also complained about its very high prices and its tendency
    to move too fast for the organization to sustain the changes that they introduce in projects.
    Customers looking for an experienced strategic advisor who can make high levels of impact in the
    boardroom should consider BCG.

 • Deloitte continues to dominate due to size but has an average improvement roadmap.
   Deloitte has expanded its nearshore European delivery centers in response to client pressures
   for local delivery of technical specialty skills at affordable price points. Recently added centers
   in Thessaloniki, Greece, add additional skills on a 24/7 basis for delivery of managed services,
   technical testing services, and more specific technical skill sets. Deloitte plans to expand its service
   portfolio to a broader range of clients and continue its investments in its managed services and
   technology implementation capabilities.

    Deloitte excels with outstanding client feedback throughout our assessment. Its strengths are in
    communicating the value of cyber to executives while building technical credibility. Although it
    satisfies clients today and is one of the largest practices by revenue and headcount, its roadmap
    for addressing emerging client needs is overly simplistic for sophisticated buyers. The IP it
    generated from its own R&D efforts is undifferentiated and has had less client impact than leading
    firms in this assessment. Deloitte reference customers highlighted its knowledge and expertise,
    the quality of its deliverables, and its interaction with customers at all levels as professional
    and flexible. They highlighted a lack of peer groups to exchange ideas with other CISOs and
    the occasional difficulties in finding niche skill sets as areas for improvement. Customers that
    don’t mind paying a premium for a large firm with a broad range of strategic and technical
    implementation capabilities should consider Deloitte.

 • EY has made strides to improve its technology implementation capabilities. EY continues
   to invest in its European Growth Platform to bring together and consolidate its practices across
   Europe. EY has acquired new capabilities such as a federal government practice in Germany. It is
   investing in IP development and has been releasing interesting IP, for example in the OT space, via
   its OT Orchestrator asset and new IP based around Microsoft Sentinel. EY has a unique offering
   to upskill its staff with a technology-focused MBA, which is a unique approach to maintaining and
   improving the skills of its staff on top of the usual technical training its competitors offer.

                      © 2021 Forrester Research, Inc. Unauthorized copying or distributing is a violation of copyright law.             9
                      Citations@forrester.com or +1 866-367-7378
FOR SECURITY & RISK PROFESSIONALS                                                                                             July 1, 2021
The Forrester Wave™: European Cybersecurity Consulting Providers, Q3 2021
The 15 Providers That Matter Most And How They Stack Up

    EY has made significant improvements in its technology implementation capabilities and
    IP development since our last Forrester Wave assessment. EY demonstrated strength in
    OT capabilities, and in services such as vendor risk management and security strategy and
    advisory work. EY reference customers expressed satisfaction with the quality of its work, the
    responsiveness and flexibility of its staff, and its global reach. EY reference customers also
    remarked that it needs to improve its ability to find staff from its practice quickly, remarked that EY
    continues to lack technical skills in some areas compared to other providers, and found price to
    be an issue on occasion. Customers looking for a firm that combines business expertise, strategic
    competence, and is known for delivering high-quality work should consider EY.

Strong Performers

 • IBM has strong technical capabilities and is trying to prioritize its offerings on cloud. IBM
   is undergoing a large change, as it separates out its legacy infrastructure outsourcing business,
   pivoting the remainder of IBM to focus on the hybrid cloud, security, and digital services. IBM
   continues to use its research capability to launch new security services, for example its services
   related to confidential computing and fully homomorphic encryption. IBM Security is streamlining
   its “periodic table” of service offerings to a tighter set, seeking to focus on and enhance its cloud-
   centric offerings.

    IBM demonstrated well-presented deliverables which worked well with both a technical and
    business audience. IBM’s agile contracting approach is a good variation on the traditional multiyear
    fixed price model for projects that use agile methodologies, with customers reporting lower prices.
    IP demonstrated met current client requirements well and was clearly being used effectively in
    service delivery to reduce costs but lacked the differentiation of others in this study. IBM reference
    customers noted that it excelled in its technical knowledge, global expertise, and experienced
    consultants. However, IBM reference customers said that IBM’s “prices were really high,”
    onboarding new staff was too slow, and IBM’s red tape and governance at project milestones were
    overengineered and did not add value to projects. IBM is a good fit for firms that require a firm with
    strong technical credentials to assist in transforming their organization’s security function.

 • NCC Group excels in technical assessments and research capabilities. NCC is a UK-based
   pure play security consulting and software assurance firm that has long been associated with
   technical assessment work and penetration testing in the UK and wider afield. It has recently
   expanded its offerings to include a remediate service offering that helps firms implement solutions
   to the findings of its testing and advisory consulting work. NCC dedicates a large proportion of
   staff time (up to 20%) for own research projects, culminating in a lot of specialist security research
   and the development and release of open source tools, setting it apart on this dimension in a
   crowded field.

    NCC excels in its testing work and its research capabilities have made demonstrable improvements
    in security beyond its direct work on client projects. NCC is more in line with the market in its
    security strategy, risk advisory work, where deliverables were traditional and functional but lacked

                      © 2021 Forrester Research, Inc. Unauthorized copying or distributing is a violation of copyright law.            10
                      Citations@forrester.com or +1 866-367-7378
FOR SECURITY & RISK PROFESSIONALS                                                                                             July 1, 2021
The Forrester Wave™: European Cybersecurity Consulting Providers, Q3 2021
The 15 Providers That Matter Most And How They Stack Up

    executive impact. NCC reference customers note the outstanding technical knowledge of staff,
    knowledge of threat vectors and attackers, and consistency of resource allocation and staffing.
    NCC reference customers said that consulting capabilities outside of Europe are not as strong as
    they would like, consultant knowledge was occasionally inconsistent, and outputs of reports could
    be repetitive and need to be streamlined. Customers looking for a consulting firm with renowned
    technical specialists and that have complex technical testing needs should consider NCC.

 • KPMG struggles to differentiate its services, IP, compared to other firms in the market.
   KPMG continues to invest in its cybersecurity capabilities in Europe via its status as a global
   priority in KPMG priority investments program. KPMG is continuing to shift its delivery models
   to a “virtual overlay model” accelerated by the COVID-19 pandemic to invest in delivery centers
   of excellence with more remote delivery planned in future. KPMG has continued to invest in its
   “Powered by KPMG” offerings, combining vendor alliance partner technology with KPMG process
   IP and knowledge.

    KPMG has developed IP and technology platforms but has been slower to invest than other leading
    consultancies, and the disparity is now showing. KPMG IP addresses common client problems
    but is less successful in showing cutting-edge thinking to address emerging client needs. KPMG
    reference customers demonstrated high levels of satisfaction with KPMG’s breadth and quality of
    staff, market insights, and the way they engaged with client staff. They criticized KPMG’s executive
    presentations for lacking key narratives and poor formatting, cited a lack of hands-on experiences
    in technology implementation, and limited contracting options and delivery models. Customers
    wanting a firm that delivers competent and quality services across the whole range of service
    offerings should consider KPMG.

 • Capgemini does the job but lags in addressing emerging client challenges via its IP.
   Capgemini has recently bolstered its cybersecurity practice via the acquisition of Altran, adding
   OT engineering capability and the UK GRC consultancy IRM’s software offerings to its portfolio.
   Capgemini continues to invest in its home market of Europe, for example via its partnership with
   Boeing to build a Cybersecurity Experience Center in Utrecht in the Netherlands. Capgemini is also
   expanding its use of pay as you go “as a service” based models with a view to introducing further
   price flexibility and predictability for its clients.

    Capgemini demonstrated competent technical and executive-facing deliverables. Capgemini has
    improved its IP generation capabilities since our last assessment, but its offerings concentrate
    on commonly seen client challenges and its IP is not especially differentiated relative to leading
    firms in the market. Capgemini reference customers were satisfied with the services they received,
    praising Capgemini’s technical knowledge, industry understanding, and pragmatic management of
    contracts as strengths. They called out staff availability and occasional gaps in technical expertise
    as areas for improvement. Customers looking for a service provider that can straddle both the
    business and technology domains with a full-service portfolio should consider Capgemini.

                      © 2021 Forrester Research, Inc. Unauthorized copying or distributing is a violation of copyright law.            11
                      Citations@forrester.com or +1 866-367-7378
FOR SECURITY & RISK PROFESSIONALS                                                                                             July 1, 2021
The Forrester Wave™: European Cybersecurity Consulting Providers, Q3 2021
The 15 Providers That Matter Most And How They Stack Up

 • TCS’s industrialized security offerings meet clients need and are price competitive. Tata
   Consultancy Services positions itself as an end-to-end IT services provider that can cover all
   aspects of security from advisory to technical implementation and managed services. TCS is
   investing heavily in R&D to develop IP based around platforms to offer industrialized, repeatable
   services, like its Identifence IP and Vendor Risk Management offerings. TCS continues to invest in
   local European capabilities in its Madrid- and Manchester-based Threat Management centers as
   well as its substantial offshore resource pools in India.

    TCS is forward thinking in its plans to improve its IP portfolio and develop asset-based offerings.
    TCS’s IP delivers current client value but is less differentiated than Leaders and is less clear on
    its strategy to meet emerging client needs. TCS was unable to present detailed evidence of client
    deliverables, but customers were generally satisfied with the services they received. Reference
    customers highlighted TCS’s flexibility, price point for delivery, and customer service-oriented
    mindset. They pointed to communications issues with offshore staff, high associate turnover, and
    rigid, slow-moving TCS internal processes as areas for improvement. Customers wanting a service
    provider with experience of delivering at scale and that can offer price competitive offerings should
    turn to TCS.

Contenders

 • Wipro has big ambition, but inconsistent customer feedback holds it back. Wipro recently
   reorganized its global cyber risk services business into its broader Infrastructure, Cloud, Digital
   Operations, Risk, and Cyber-security services (iCORE) unit, bringing in new global leadership and
   gaining a seat on Wipro’s executive committee of the CEO. Wipro continues to invest in its delivery
   capabilities in Europe via local hiring and plans to open new cyberdefense delivery center facilities in
   Germany in the next 12 months. Wipro continues to invest in cybersecurity firms via Wipro Ventures
   which are then used in service delivery of both consulting and managed services offerings.

    Wipro has several cyber risk services platforms and IP that it builds to supplement its services.
    Its roadmap and ambition are forward thinking in terms of how the consulting market will evolve,
    though current IP deals with commoditized issues. Wipro’s competitive stance is undermined
    by inconsistent feedback from customers. Wipro’s remains technically focused, with executive
    deliverables being more suited to technical rather than business leadership. Wipro reference
    customers praised Wipro’s flexibility, technical knowledge, price competitiveness, and global
    coverage. However, they critiqued Wipro’s willingness to say yes and overcommit and under-deliver,
    poor communication with offshore staff, and weak C-level presentations as areas for improvement.

 • DXC struggles to stand out in the market with its traditional consulting offerings. DXC
   Technology’s consulting business is undergoing a period of change following some of the initial
   integration pains of bringing HPE and CSC together to create DXC in 2017. The security consulting
   business is based around securing the core enterprise and offers a range of managed services,
   consulting advisory, and implementation options. It has instigated a program called “new DXC” to
   try and transform the business.

                      © 2021 Forrester Research, Inc. Unauthorized copying or distributing is a violation of copyright law.            12
                      Citations@forrester.com or +1 866-367-7378
FOR SECURITY & RISK PROFESSIONALS                                                                                             July 1, 2021
The Forrester Wave™: European Cybersecurity Consulting Providers, Q3 2021
The 15 Providers That Matter Most And How They Stack Up

    DXC’s offerings remain traditional and closely linked to its broader IT outsource and managed
    services business. DXC’s planned improvements will deliver capabilities widely available in the
    market from other firms, failing to establish a clear leadership position. The “new DXC” program
    has yet to identify what is new or fundamentally changing about DXC that will change its fortunes
    in future. DXC did not provide customer references as part of this evaluation process. Customers
    who use DXC for other services may consider DXC security managed services as an addition to the
    portfolio. DXC declined to participate in the full Forrester Wave evaluation process.

 • Atos services are functional but basic, and its roadmap significantly lags the market. Atos
   is seeking to modernize its consulting practice to take advantages of new market trends. It is
   investing in hiring new staff and developing new skills in cloud, OT, and 5G. Atos’s current portfolio
   is a mix of security maturity and strategy reviews; governance, risk, and compliance capability;
   and technical implementation services, with particular specializations in its own emerging product
   suite (e.g., Idnomic in IAM, Horus HSM for IoT). It has also recently bolstered its capabilities in
   Europe via acquisitions such as Paladion in the managed services space and SEC.Consult in the
   OT and IoT spaces. Atos has also recently expanded its capabilities in the Benelux region via the
   acquisition of Digital.Security.

    Atos’ current consulting capabilities are functional and basic. Deliverables are technically
    functional and are appreciated by clients but lack impact for senior business executives. IP lacks
    the technical capabilities shown by other firms for similar offerings. Atos’ future roadmap will put
    in place some basic practice level capabilities that ought to be in place already. Atos reference
    customers we spoke to praised the technical competence of staff, their flexibility, and experience
    they brought to projects. However, they also cited high prices, staff turnover, and issues with
    timely project and program management as areas for improvement. Customers looking to use a
    consulting firm with a pan-European focus and seasoned consultants should consider Atos.

 • Orange Cyberdefense’s consulting capabilities lag their MSS offerings. Orange Cyberdefense
   has acquired its consulting capability by blending SecureLink, SecureData, and OCD staff together
   into a single consulting capability. OCD aims to build a consulting capability that leverages its
   managed services pedigree to bring together a technically competent consulting capability that
   goes beyond “audit” recommendations. It has the expected range of consulting capabilities,
   technical assessment, and is focusing on investing in its OT capabilities in the consulting space as
   a key investment priority.

    Orange lacks the polish of leaders and strong performers in the market. Deliverables are
    largely audit focused and aimed at a technical audience, with basic, functional formatting and
    presentation. IP development in the consulting space lags that in Orange’s managed services
    business, duplicating much of what is available from competitors. Orange reference customers
    are broadly satisfied, praising staff flexibility, their hands-on and practical nature, and their
    responsiveness as strengths. They desired improvements in the presentation skills of staff and

                      © 2021 Forrester Research, Inc. Unauthorized copying or distributing is a violation of copyright law.            13
                      Citations@forrester.com or +1 866-367-7378
FOR SECURITY & RISK PROFESSIONALS                                                                                             July 1, 2021
The Forrester Wave™: European Cybersecurity Consulting Providers, Q3 2021
The 15 Providers That Matter Most And How They Stack Up

    noted that red-tape in the sales process slowed down Orange’s responsiveness when providing
    quotes. Customers seeking a technically competent firm known for delivering pragmatic technical
    advice should look to Orange Cyberdefense.

Challengers

 • Sopra Steria’s basic current offering and weak IP leaves it lagging. Sopra Steria is an IT
   services business headquartered in Paris, with a security consulting and managed services
   practice serving clients in the Nordics, France, Netherlands, UKI, Belgium, and Germany. It
   continues to build its cybersecurity capabilities out of its cybersecurity services center in Toulouse.
   Sopra Steria is closely associated with the Security Visa scheme launched by ANSII and is listed
   under several of the accredited schemes as a service provider.

    Sopra Steria significantly lagged the field on almost every domain of our assessment. Sopra’s
    current IP offerings are outclassed by all other providers and its roadmap aims to establish it as
    a follower, rather than a frontrunner in the space. Deliverables and IP presented to validate its
    credentials were basic, badly presented, and almost exclusively aimed at a technical audience.
    Reference customers provided were exclusively French, so we are unable to verify the experience
    of pan-European customers. Reference customers noted working with a small number of high-
    quality individuals based in Toulouse who were competent, flexible, and focused on building
    a quality relationship. However, they noted on-time delivery as a weakness, along with a lack
    of bench strength and poor name recognition as areas for improvement. Existing Sopra Steria
    customers in the IT services space in France should consider leveraging Sopra’s security
    capabilities to support their programs.

Evaluation Overview
We evaluated vendors against 21 criteria, which we grouped into three high-level categories:

 • Current offering. Each vendor’s position on the vertical axis of the Forrester Wave graphic
   indicates the strength of its current offering. Key criteria for these solutions include key
   differentiators, customer satisfaction, partner and own IP development, talent management and
   service offerings covering security strategy engagements, governance, risk, and compliance
   engagements, and security technology assessment and implementation engagements.

 • Strategy. Placement on the horizontal axis indicates the strength of the vendors’ strategies. We
   evaluated vendors strategy, vendor roadmaps and service improvement plans, go-to-market
   strategies and investment plans in R&D and partnerships and alliances.

 • Market presence. Represented by the size of the markers on the graphic, our market presence
   scores reflect each vendor’s revenue in Europe, European practice size, and European customer
   count.

                      © 2021 Forrester Research, Inc. Unauthorized copying or distributing is a violation of copyright law.            14
                      Citations@forrester.com or +1 866-367-7378
FOR SECURITY & RISK PROFESSIONALS                                                                                             July 1, 2021
The Forrester Wave™: European Cybersecurity Consulting Providers, Q3 2021
The 15 Providers That Matter Most And How They Stack Up

Vendor Inclusion Criteria

Forrester included 15 vendors in the assessment: Accenture, Atos, Boston Consulting Group,
Capgemini, Deloitte, DXC Technology, EY, IBM Security, KPMG, NCC Group, Orange Cyberdefense,
PwC, Sopra Steria, Tata Consultancy Services, and Wipro. Each of these vendors has:

 • Revenue of at least $40 million in Europe. Each vendor reports at least $40 million in revenue for
   cybersecurity consulting services in the European Economic Area as well as in UK and Switzerland.

 • At least 10% of global cybersecurity consulting revenue with European customers. Each
   vendor generates at least 10% of its global cybersecurity consulting revenue in the European
   Economic Area as well as in Switzerland.

 • At least 50 consultants on staff based in Europe. Each firm has at least 50 consulting staff based
   in a European office location in the European Economic Area countries, UK, and Switzerland.

 • Broad service coverage across Europe. Each participant has a broad footprint of cybersecurity
   consulting customers and revenue across several European countries, demonstrating applicability
   beyond a single country or two.

 • A comprehensive cybersecurity consultancy portfolio for European customers. Each vendor
   offers a complete suite of cybersecurity consulting services to customers across Europe.

 • Significant interest from Forrester customers. Each vendor has significant interest from our
   clients in the form of inquiries, advisories, interactions at events, and other conversations.

                      © 2021 Forrester Research, Inc. Unauthorized copying or distributing is a violation of copyright law.            15
                      Citations@forrester.com or +1 866-367-7378
FOR SECURITY & RISK PROFESSIONALS                                                                                               July 1, 2021
The Forrester Wave™: European Cybersecurity Consulting Providers, Q3 2021
The 15 Providers That Matter Most And How They Stack Up

   Engage With An Analyst
   Gain greater confidence in your decisions by working with Forrester thought leaders to apply
   our research to your specific business and technology initiatives.

   Analyst Inquiry                                Analyst Advisory                                         Webinar

   To help you put research                       Translate research into                                  Join our online sessions
   into practice, connect                         action by working with                                   on the latest research
   with an analyst to discuss                     an analyst on a specific                                 affecting your business.
   your questions in a                            engagement in the form                                   Each call includes analyst
   30-minute phone session                        of custom strategy                                       Q&A and slides and is
   — or opt for a response                        sessions, workshops,                                     available on-demand.
   via email.                                     or speeches.

   Learn more.                                    Learn more.                                              Learn more.

             Forrester’s research apps for iOS and Android.
             Stay ahead of your competition no matter where you are.

Supplemental Material

Online Resource

We publish all our Forrester Wave scores and weightings in an Excel file that provides detailed product
evaluations and customizable rankings; download this tool by clicking the link at the beginning of this
report on Forrester.com. We intend these scores and default weightings to serve only as a starting
point and encourage readers to adapt the weightings to fit their individual needs.

The Forrester Wave Methodology

A Forrester Wave is a guide for buyers considering their purchasing options in a technology
marketplace. To offer an equitable process for all participants, Forrester follows The Forrester Wave™
Methodology Guide to evaluate participating vendors.

In our review, we conduct primary research to develop a list of vendors to consider for the evaluation.

                      © 2021 Forrester Research, Inc. Unauthorized copying or distributing is a violation of copyright law.              16
                      Citations@forrester.com or +1 866-367-7378
FOR SECURITY & RISK PROFESSIONALS                                                                                             July 1, 2021
The Forrester Wave™: European Cybersecurity Consulting Providers, Q3 2021
The 15 Providers That Matter Most And How They Stack Up

From that initial pool of vendors, we narrow our final list based on the inclusion criteria. We then gather
details of product and strategy through a detailed questionnaire, demos/briefings, and customer
reference surveys/interviews. We use those inputs, along with the analyst’s experience and expertise in
the marketplace, to score vendors, using a relative rating system that compares each vendor against
the others in the evaluation.

We include the Forrester Wave publishing date (quarter and year) clearly in the title of each Forrester
Wave report. We evaluated the vendors participating in this Forrester Wave using materials they
provided to us by April 1, 2021, and did not allow additional information after that point. We encourage
readers to evaluate how the market and vendor offerings change over time.

In accordance with The Forrester Wave™ and New Wave™ Vendor Review Policy, Forrester asks
vendors to review our findings prior to publishing to check for accuracy. Vendors marked as
nonparticipating vendors in the Forrester Wave graphic met our defined inclusion criteria but declined
to participate in or contributed only partially to the evaluation. We score these vendors in accordance
with The Forrester Wave™ And The Forrester New Wave™ Nonparticipating And Incomplete
Participation Vendor Policy and publish their positioning along with those of the participating vendors.

Integrity Policy

We conduct all our research, including Forrester Wave evaluations, in accordance with the Integrity
Policy posted on our website.

                      © 2021 Forrester Research, Inc. Unauthorized copying or distributing is a violation of copyright law.            17
                      Citations@forrester.com or +1 866-367-7378
forrester.com

We help business and technology leaders use
customer obsession to accelerate growth.

PRODUCTS AND SERVICES
›   Research and tools
›   Analyst engagement
›   Data and analytics
›   Peer collaboration
›   Consulting
›   Events
›   Certification programs

Forrester’s research and insights are tailored to your
role and critical business initiatives.

ROLES WE SERVE
Marketing & Strategy             Technology Management             Technology Industry
Professionals                    Professionals                     Professionals
CMO                              CIO                               Analyst Relations
B2B Marketing                    Application Development
B2C Marketing                    & Delivery
Customer Experience              Enterprise Architecture
Customer Insights                Infrastructure & Operations
eBusiness & Channel            • Security & Risk
Strategy                         Sourcing & Vendor
                                 Management

CLIENT SUPPORT
For information on hard-copy or electronic reprints, please contact Client Support at
+1 866-367-7378, +1 617-613-5730, or clientsupport@forrester.com. We offer quantity
discounts and special pricing for academic and nonprofit institutions.

                                                                                                    161534
You can also read