By Fiona Czerniawska.

“The difference between cybersecurity and other types of risk is that, with cyber, we have to assume we’re being attacked right now, we just haven’t realised it.” That’s how a client we recently interviewed summed up his organisation’s attitude—and he’s not alone: other forms of risk (regulatory, reputational, operational) may be possible, but cyber attacks are a reality.

As we’ve noted previously in this blog cybersecurity is already big business for consulting firms, and likely to become even bigger business in the future, which makes it all the more puzzling when you start to realise just how bad firms are when it comes to describing what they do in this field. Let’s look at two randomly selected firms.  

According to McKinsey & Company, its approach “integrates cyberresilience* into management and governance processes and extends that integration deep into the technology environment to provide differentiated protection for an institution’s most important assets.” Nice, but how does it do that? At first sight, EY appears to fall at the same hurdle: “Our global mindset and collaborative culture across our diverse team of consultants and industry professionals inspire us to ask better questions about the cybersecurity challenges you face,” says the firm. “We then team with you to co-create more innovative answers—to activate a foundation that protects the business as it is today, adapt that foundation as the organisation and threats change, and anticipate attacks that may be coming.”  However, after this admittedly not very promising start (explain to us how exact the same text wouldn’t have worked equally well for any other consulting services—strategy, supply chain management, human capital, etc.), EY goes on to list its services, from cyber programme management to business resilience. Although there are a few too many three-letter acronyms dotted around, the casual client will get some sense of what the firm does, but still not much substance on how it does it.  

Perhaps that’s deliberate: Say too much about how you work and your competitors will copy you, won’t they? That’s fine for traditional consulting, where competitive advantage essentially lies in making something that theoretical (strategy) real (execution), but it works less well in a field that’s already very real to clients. For this you need a more concrete response, one that won’t be lost in the retelling. The numbers and background of your cyber experts would help, as would details of the technology you use, and the facilities you run your cyber operations from. For all the obvious reasons, it’s hard to have case studies of cyber work, but some indication of the number of projects, actual if anonymous examples, even short dramatised documentaries, would all help to paint a picture of an organisation that’s actually done things, as opposed to talked about doing them.  

The irony here is that much of what consulting firms stand to earn from cybersecurity won’t come from consulting services. However, by marketing these services in the same way that they market their traditional consulting services they run the risk making clients think that’s all they do.

* This isn’t a word, except on the McKinsey website. Please tell us it’s not a real word.