I’m not going to waste my time ranting about generational conflicts or “everything used to be better” nonsense. No – this is a rant about the consulting industry in cybersecurity. It’s time to call out the nonsense and demand better.
Everyone knows them. They’re the self-proclaimed CEOs of some consulting clique, the thought cybersecurity leaders, the keynote speakers, the cybersecurity strategists, the trusted advisors, the executive digital and security leaders, the security natives, the mentors, the C-level advisors, the cybersecurity advocates, the people who just slipped out of the cozy environment of their university a few years ago and who then offer you the hottest shit from their consulting portfolio on some networking platform or “conference.” These are people who, apart from the information on some marketing and sales sheets, have had no connection whatsoever in their lives to the products or services that they are now trying to sell as “cyber solutions”.
These security zombies target people who have been in the industry for over 20 or 30 years. People, who have learned to reject the multitude of “let’s link via xyz.com” requests with a single click.
After being quite some time in this industry, I am convinced that there is almost 80% “white noise” in the cybersecurity landscape today. This useless chatter has no depth of content. It’s just marketing mumbo-jumbo, self-evident facts wrapped in glossy paper, bullshit bingo, and lies. It’s a typical side effect of a sectoral gold rush mood without substance and sustainability.
The remaining 20% is invaluable information that will advance the entire industry. However, I can say with confidence that this 20% is not generated by the consulting industry. It’s simple. The salary structures of the Big 4/5/6/x don’t appeal to experts who can initiate “the real next big thing” based on their wealth of knowledge and experience. Secondly, such employers simply do not offer an inspiring working environment for people with an unconventional, creative mind; people who are generally incompatible with the typical consulting environment. The really valuable information is often exchanged in discussions between experts, shared at specialist conferences (usually free of charge), or published online as a research paper.
Absolutely. There are also positive exceptions in the consulting industry, which is spreading like wildfire. But these exceptions are like a needle in a haystack. It’s tough to find, highly specialized, and perfectly suited to a specific job. It’s not at all what consulting services need to “scale” from the vendor’s perspective. These services are ordered because the buyer is either in really trouble or because he needs carte blanche from a reputable firm to justify his own failures.
But let’s get back to the “propagators” of that white noise. You are responsible for the current crisis in the security industry. Your actions have led to the sale of security solutions whose complexity is beyond the capabilities of even the sellers of these products – let alone your customers. These products have never undergone a quality management process, have never been designed according to the basic principles of a future-oriented security architecture, and have never been verified and validated from a security perspective. They are rotten products and services that go to rack at the customer’s place.
Let’s not forget the army of consultants who are fuelling this veritable fountain of horror on the service/product side. They are obviously in a symbiotic relationship with another professional group: security coaches. People who claim to have the agility to deliver WhateverKindOfOps without ever having gained any experience of it themselves. They’re just like the eunuchs: they know how to do it. And customers have no choice but to accept these promises of salvation because they don’t want to be seen as “not agile” in this fast-paced world.
Take the time today to search for the relevant buzzwords from the security community in your career network. You will quickly be overwhelmed by an ever-growing wave of security coaches who have the supposedly right answer to every question, no matter how abstruse. What’s truly remarkable about this professional group is its capacity to adapt swiftly to emerging challenges. Initially, it was the staccato of security events that accelerated the growth of this professional group like a catalyst. Then, the topics of crypto and AI quickly followed. Once these topics have all landed in the same pot, all you need to do is stir them around a little and the result is a fruity cocktail of buzzwords that can then be monetized.
I would be remiss if I did not mention a final professional group or industry that goes alongside with the aforementioned security esoterics: the saviors of public-private partnerships in cybersecurity. These economic players have zeroed in on the weakest links in the cybersecurity landscape of society as a whole: the public administration. They have focused their product portfolios on these weak spots and have made them their priority. The public administration is the most grateful when it is given a helping hand with cybersecurity issues. Let’s be real: they’ve already lost the war for talent before they’ve even entered it. Who is prepared to work for an E15 civil service salary with the cybersecurity knowledge that is in demand today (in numbers it is just under 95 kEUR/year with 15 years of professional experience)? And this is where the supposed helpers from the private sector come into play. They work on the starving field of missing know-how and resources – and they do so gratefully. It is not realistic to expect skyrocketing revenues in the short term. However, this industry has learned to think more long-term. Instead of opening up solution spaces for customers that address their needs in a sustainable and targeted manner, the opposite is done. Dependencies are created by using monocultures and product lock-ins that ensure a revenue stream even years after the project kick-off. Design decisions are influenced both operationally vis-à-vis the executive and through lobbying vis-à-vis the legislature. Public structures are penetrated with personnel in order to jump on the next train that is heading in the direction of their own product portfolio in good time.
Let’s be clear: this has resulted in the well-known million-dollar graves we’ve seen in public administration in recent years. And on the other hand, we have a cybersecurity landscape that collapses like a house of cards at the slightest tremor in its own sphere of influence. It’s logical. You can’t expect resilience in a monoculture. The public sector is particularly vulnerable because even the largest private sector companies cannot guarantee the security of the products and services they provide, despite investing vast sums of money and employing highly skilled experts.
Sure – I’ve ask myself why I am complaining about this, especially as someone who was once part of the army of consultants. To be honest, I believe that many consultants may not fully realize that the consulting firms are providing them with a valuable opportunity to gain insight into their own inclinations, desires, and interests. This can be an important step in their journey towards becoming a seasoned expert, especially after years of experience. It appears that the concept of “seeking wisdom along the way and ultimately making yourself indispensable through this accumulated knowledge” has given way to a different idea of success. This new idea seems to be that of the typical influencer who has gone from precarious circumstances to becoming a winner (whatever “winner” may mean in this context) in no time. One can see the result of this development everywhere. It is often the case that the “shortcuts” that many seek and find are, in fact, the root cause of flawed risk decisions, which in turn lead to the unfortunate headlines we see time and time again regarding cybersecurity events. While headlines may suggest otherwise, it’s crucial to recognize that the root cause of these incidents was not necessarily the advanced persistent threats, state-sponsored hackers, zero-day attacks, or even the heightened criminal sophistication of the attackers. In many cases, the underlying issue may have been a Layer8 vulnerability.
