The unusual suspects for cybersecurity

Cybersecurity is the biggest and fastest-growing risk service, so it’s no surprise to see so many firms investing in their people and offerings in this area. It reflects what’s happening within many client organisations, where cybersecurity is now a board-level agenda item. In our first survey of client perceptions of risk advisory firms, we asked clients in the US what type of firm they use for cybersecurity and, all else being equal, what type of firm would be their first choice for cybersecurity work. The answers give us an idea of who clients are using now, and also who they might go to in the future.

Around a third of clients in our sample currently use technology consulting firms (such as Accenture or IBM Services) for cybersecurity. Perhaps more surprisingly, an even higher proportion of clients currently use one of the Big Four accounting firms for cybersecurity support, while comparatively few clients use software vendors or risk specialists. Part of the popularity of the Big Four could reflect the strong relationships they have with clients working in finance functions, but this represents only 20% of our sample.

When we look at what type of firms are first choice for cybersecurity work, we see that the proportion opting for the Big Four or technology consulting firms is similar to the proportion that currently work with them. However, a much higher proportion of clients consider other accounting firms outside the Big Four—mid-tier firms such as Grant Thornton and BDO—to be their first choice for cybersecurity than currently use them. 

We think mid-tier accounting firms are a relatively popular first choice for the same reason many clients use the Big Four: accounting firms are seen as having strong skills in assurance and testing, and are also used to dealing with, and protecting, vast amounts of sensitive, confidential financial data. But why, despite their apparent popularity, aren’t clients actually using mid-tier accounting firms in this way? We suspect they may lack the same level of reputation at board level as the Big Four and technology consulting firms, which could be what’s holding them back.

But where does all this leave risk specialists and cybersecurity software vendors? While clients don’t currently seem to use them much, and wouldn’t turn to them as their first choice, we think there is a place for such specialists as part of the ecosystem of the Big Four or larger technology consulting firms. Larger firms can bring the reputation to win over the board, while specialists bring cutting-edge capabilities. Such a partnership could be beneficial for everyone and help risk firms take advantage of the cybersecurity boom.
