Despite the Mad Libs-esque tone of thesereports, boardsofdirectors have grown gravely serious about strength- ening cybersecurity in the face of rapidly changing external threats and ongoing digital transformations that
continually alter the organization’s risk profile.
“Digital transformation and digital risks are like the
yin and yang,” says Vishal Chawla, a Principal in Grant
Thornton’s business risk services practice and national
leader of the firm’s Risk Advisory Services practice.
“You need to address both to build a performance-driv-en organization.” These opposing yet related needs explain why cybersecurity consulting practices and business lines are growing at extremely healthy clips.
That doesn’t mean that this work is easy or easily
scalable. Numerous challenges— including a recent
spike in cyberattacks by nations, less tech-savvy board
members, fundamental gaps in existing capabilities,
skills shortages and more—pose knotty obstacles to
the step-change improvements most cybersecurity pro-
grams require. In many companies, “the basics of in-
formation security are not in place,” notes Vinnit Patel,
the head of Cybersecurity and Risk consulting in the
U.K. for Infosys Consulting.
The process of getting the fundamentals squared
away and then maturing a cybersecurity program faces stout headwinds.
Dramatic Changes all Around
Twelve to 18 months ago, one of the most common
requests for cybersecurity help, Patel recalls, consisted
of staff augmentation and specific types of expertise.
“We would often get requests for a consultant with a
particular type of skill to complement a team,” Patel
continues. “More recently, though, there’s been a sig-
nificant shift. Clients want outcome-based services.
They’ll present us with a problem statement and ask to
apply our industry and domain expertise to share how
we would address the problem.”
Patel and other cybersecurity consulting leaders also
report major increases in volume of client demand for
cyber-consulting services. These requests are largely
being driven by three factors.
1. The External Environment
Add up all of the Internet of Things (IoT) sensors
coming online during the next few years, compute
The procession of major cyberattacks on U.S. organizations makes news
reports of these breaches sound as if they were dashed off by filling
in a template: Ever since the __________(insert Fortune 500 company)
breach struck __________(number less than three) weeks ago exposing
the account information of __________(number greater than 50) million
customer accounts, information security teams have been scrambling
to strengthen their __________(cybersecurity weakness exploited by
the attackers) defenses to avoid a similar fate.