Cybersecurity Consultancies Face Goldilocks-Style Expectations From APAC CISOs
I’m thrilled to announce The Forrester Wave™: Cybersecurity Consulting Services In Asia Pacific, Q4 2023. This report (available to Forrester clients) showcases our evaluation of the 10 most significant cybersecurity consulting providers in APAC. This blog highlights what CISOs should look for as key differentiators in this market.
Talent crunches, evolving threats, emerging technologies, and regulatory sprawl are the conventional problems that have plagued security leaders for decades, but in 2023 in the APAC security space, these problems have collided. Until recently, APAC has largely avoided global breach headlines and regulator attention — until 2021 and 2022, when 31% of the 55 most notable breaches in our research were from APAC. Regulators in APAC could no longer ignore these breaches, with Australia, India, Singapore, and Japan strengthening their regs. Then of course, emerging tech in the form of generative AI emerged to make things even more interesting. APAC CISOs are dealing with these dynamics on the smell of an oily rag — constrained budgets, a resource gap, and, often, a lack of buy-in.
In this environment, they’re leaning on their consulting providers to help them address these myriad, different but interlinked, challenges and expect them to:
- Be commercial enough but not too commercial that they forget about the customer’s interest. CISOs don’t expect their providers to be a charity, but God helps the consultant who prioritizes its own commercial interest before fully putting their customer, their business, geography, or industry first. For a long time, CISOs have expected partnership from their security service providers in APAC, but they are now very specific on what this partnership means and won’t settle for anything less.
- Have enough juniors to make them affordable but not too many, as they need experience. In the first APAC cybersecurity consulting services evaluation we ran in 2019, there was “surprise” among providers as to why we cared about diversity, equity, and inclusion (DEI) matters. In 2023, though, they are the words du jour, with each provider boasting many DEI programs, scholarships, and academies. Outcomes are still hard to come by, however, with most plagued by a significant gender imbalance in the name of “But we are in line with the industry!” Not only is this becoming unacceptable for CISOs, but what’s also unacceptable is the overload of junior resourcing and a hidden expectation that CISOs end up training the provider’s teams.
- Be strategic enough but no “PowerPoint as a strategy,” thank you — they need tech capability. PowerPoint as a strategy went out of fashion years ago, but the line between strategic and operational, business and technical, and other euphemisms once used to describe and pigeonhole people, teams, and providers is now very blurry. Providers need depth and technical competency while not shying away from delivering vision and translating technical and operational matters into business speak.
Let’s Connect
Forrester clients who have questions about cybersecurity consulting providers in Asia Pacific can reach out to me via inquiry or guidance session.