Security & Privacy Consulting Services 2021
Market Perceptions vs. Client Reality
In a constantly shifting security environment, many healthcare organizations choose to engage outside firms to help them improve their security posture and reduce risk. To differentiate the many firms that offer such services, KLAS spoke with security and IT leaders from 74 healthcare organizations of various sizes to understand (1) what makes a security and privacy consulting firm a true partner, (2) which firms are perceived to have the strong security services offering that healthcare organizations need, (3) how these perceptions compare to the experiences of actual clients, and (4) how the COVID-19 pandemic has affected healthcare organizations’ security programs.
Most Common Types of Security & Privacy Consulting Services
KLAS measures two main categories of security and privacy services: consulting services and managed services. This report focuses solely on consulting services. Projects measured under the umbrella of security and privacy consulting services range from high-level strategy projects to annual risk and privacy assessments to technical services, such as security product implementations and penetration testing. The most common types of projects reported by organizations in this sample are shown below:
Healthcare Focused vs. Cross Industry?
When choosing a security partner, some organizations prefer to leverage healthcare-focused firms who deeply understand the nuances and unique challenges of the healthcare industry. Other organizations look to cross-industry firms that can leverage learnings and best practices from a variety of industries to help healthcare organizations be successful. Where appropriate throughout this report, firms have been designated as either healthcare focused or cross industry to help readers better recognize a firm’s potential strengths and weaknesses.
Healthcare-Focused Meditology, Clearwater & CynergisTek Most Often Seen as Partners
Almost 60% of interviewed organizations view their security consulting services firm as a partner. Meditology Services, Clearwater, and CynergisTek, who have each won Best in KLAS in past years, are the most likely to be perceived by the market as partners. All interviewed clients that describe Meditology Services as a partner are midsize to large organizations who appreciate the firm’s deep healthcare expertise, quality staff, and fast response times (even outside of a project window). Several clients also report getting added value from educational opportunities and the firm’s investment in client success. Clients that describe Clearwater as a partner tend to be smaller. They highlight the firm’s responsiveness, background in risk management, and ability to benchmark organizations against their peers. Most interviewed clients that cite CynergisTek as their go-to firm are midsize or large organizations, and they frequently point to the firm’s industry and broader security expertise. Primarily validated for technical work, Optiv Security—the only cross-industry firm described as a partner by multiple interviewed clients—is recognized for their bench strength and range of security expertise. Additionally, many organizations report using local industry-agnostic boutique firms for additional services or due to preexisting relationships. See chart note for list.
Impact Advisors’ High Client Satisfaction Contrasts with Low Market Perception; Strong Perceptions of Meditology Not Always Borne Out by Actual Performance
In addition to asking security leaders whether they view their chosen consulting firm as a partner, KLAS also asked them to share their perceptions of 10 firms with whom they may or may not have direct experience. In general, healthcare-focused firms are viewed as offering stronger security services than cross-industry firms. The exception is 2021 Best in KLAS winner Impact Advisors—the firm’s security offering is not well known. However, Impact Advisors’ security clients consistently rate the firm extremely high, noting skilled people, on-schedule projects, and positive executive involvement. A couple of respondents who shared perceptions of the firm’s security services offering reported lower satisfaction with the firm’s work on other, non-security projects. Conversely, Meditology Services has a strong positive reputation among security leaders and is the firm they say they are most likely to engage in the future. This stands in contrast to lower ratings from some current clients. While satisfaction has historically been high, some recently interviewed clients report challenges such as turnover and lack of experience as well as the feeling that Meditology is more concerned with profit than project quality or client relationships. Other healthcare-focused firms with positive market perceptions include Intraprise Health, Clearwater, CynergisTek, and Fortified Health Security. The first three receive above average satisfaction ratings from clients (see Bottom Lines for details). Satisfaction with Fortified Health Security is lower; some clients report delayed projects or problems that go unresolved unless escalated to executives.
Historically Audit-Focused Firms Deloitte, EY & PwC Less Likely to Be Engaged in Future; Slips in Delivery from Deloitte Also Create Client Frustrations
The cross-industry firms in this study are all perceived by security leaders as lagging somewhat, with not much difference in perceived strength between firms. Perceptions of Deloitte and PwC are often impacted by prior experience with the firms (security related or otherwise)—security leaders who have engaged with Deloitte or PwC in the past perceive the firms more positively than leaders who haven’t worked with the firms. However, low client-reported satisfaction separates Deloitte from other cross-industry firms—clients report poor executive involvement, issues with project or deliverable quality, and staff who lack experience. Deloitte and PwC, along with EY, are less likely to be engaged in the future; respondents feel less-prominent firms could deliver better value or staff quality. (For additional insights on EY, see page 5.) Respondents who would engage Optiv Security in the future are all current or former clients, many of whom have existing reseller relationships with Optiv.
Industry Insights:
Majority of Organizations Felt Prepared for COVID-19 Security Challenges
Though no one could have predicted COVID-19, almost all interviewed security leaders feel their organizations were at least moderately prepared to handle the security and privacy challenges posed by the pandemic. Many organizations had preexisting, ongoing security programs or policies already in place (e.g., preestablished remote work infrastructures) that they were able to expand to meet new needs. Still, several respondents described the early days of the pandemic as frantic since organizations were moving quickly on sometimes non-optimized solutions.
A majority of organizations saw no change in their security budgets during the pandemic, with many saying they had a sufficient security program already in place. Smaller organizations were more likely to see increased budgets, often for things like hardware to facilitate remote work. Larger organizations were more likely to decrease their budgets, with security departments being asked to prioritize or pause initiatives to accommodate financial strain. Several organizations note that security spending is not optional and is now simply a cost of doing business given that ransomware attacks and data breaches continue to increase. The minimal effect of the pandemic on security budgets creates a strong foundation for ongoing security investments.
The Bottom Line on Firms
Clearwater
Known for their background in risk management (they offer a software tool as well as consulting and managed services). In the security market, they are recognized as a partner for their responsiveness and peer benchmarking. Industry reputation, good prior experiences, and free educational sessions lead respondents to view Clearwater as a strong security option, and current clients report moderately high satisfaction. Many clients specifically highlight the firm’s knowledgeable staff; some note room for improvement in the firm’s strategic ability.
Client experience
“Clearwater’s consultants are very professional. They have a deep knowledge of security risk analysis. Even their junior consultants are like that. I don’t hesitate when I hear that Clearwater is sending out someone that is less senior. Overall, we have always had a great experience with Clearwater. We have grown as a program as a result of their services. Clearwater has helped to infuse and enhance our knowledge base around security risk analysis. They have a very organized methodology. The vendor is very punctual and meets stated commitments and time frames.” —CISO
Perception
“I have never worked with Clearwater, but I have heard of them. They are average. I say that based on a publication and from reading things and hearing things about Clearwater. I would be willing to engage with them and find out more based on our specific needs and see where Clearwater shines.” —CISO
CynergisTek
Offers a wide range of services spanning both strategic and technical engagements. CIOs and IT directors are slightly more likely than CISOs and security directors to perceive CynergisTek positively, though the firm is seen as strong all around. Clients often choose multi-year engagements that include program guidance, annual risk assessments, and progress benchmarking. Highlighted by current clients for strong partnership (often due to industry and security expertise). Some clients report receiving subpar deliverables or having to pay for services they didn’t use, leaving them feeling they didn’t get their money’s worth.
Client experience
“The advisor the vendor sent out didn’t really participate in the assessment itself, but that person would ask a question here or there that maybe the assessors hadn’t thought of. The advisor would also clarify things if we didn’t understand them. We have a dedicated account manager who clearly makes an effort to be our partner and to help us stay plugged in. That person doesn’t just call once a year. There are constant feedback loops with our account manager. The executive teams came out and talked about things with us. The new person in leadership has called us several times just within the short amount of time that that person has been here. CynergisTek wants to help us, and they also want to solicit feedback from us. They ask about what we are seeing out there, and they tell us about what they are seeing in other hospitals. That feedback helps CynergisTek to expand their knowledge base and benefit the entire industry.” —CISO
Perception
“We used to use CynergisTek. They are pretty good, but we probably aren’t likely to use them again. . . . Their former CEO was an icon, but as CynergisTek has gotten bigger, they have had more turnover. Their assessments have become more formulaic. That is why we went in a different direction. CynergisTek’s security services offering is average.” —CIO
Deloitte
Traditionally known for their background in auditing and position as one of the Big Four accounting firms. Three of the four interviewed clients report poor satisfaction stemming from issues with executive involvement, deliverable quality, delays, or junior staff lacking experience. Among non-clients, security offering is perceived similarly to those of other cross-industry firms in terms of being costly and being delivered by a “B-team”; security leaders don’t report a high likelihood of engaging the firm’s security offerings in the future.
Client experience
“If I had to make the decision again, I would find somebody else. I don’t think Deloitte paid much attention to the final product, and I find that to be really odd. Several years ago, Deloitte was the top contender. I was pretty happy at the time, so I am rather disappointed with the product we got. There were a number of delays that happened, and the findings and recommendations didn’t align in many cases, so we had to seek clarification and validation. We had to assess the real intent that Deloitte was trying to get to. There was a lot of work on our part that we didn’t think we would have to do.” —CISO
Perception
“I have worked with Deloitte for auditing. They are obviously a big name that can hold their weight in a lot of cases, but in my experience, the big firms typically give us a very junior person who does most of the audits and assessments. That person is not really as thorough as some of the smaller players, but with that being said, Deloitte holds a lot of weight, and that can be good for getting board approvals or other things if we need the support on a certain initiative. Unless we had a need for the Deloitte name to be attached to a report, the likelihood that we would engage them in the future is probably not too high because of the cost.” —CISO
EY
Validated mostly for strategic projects like program assessment/development. Perceived similarly to Deloitte and PwC for costly engagements and less-experienced staff. Security leaders rate them as lagging behind most healthcare-focused firms and cite cost as the most common reason they might not engage EY in the future. Clients report mixed satisfaction, citing either good partnership and executive involvement or inconsistent staff and poorly summarized reports.
Client experience
“EY’s reporting was adequate, professional, and very organized. When working with an outside party, we want the party to be able to articulate risk through reports, and EY does really well at working collaboratively on responses prior to going to the senior leadership. We are all on the same page about how things should be articulated.” —CISO
Perception
“EY is one of the big old-school organizations. They tend to overcharge and underdeliver. They rely too much on their name, but some of the younger companies are more hungry and better at recruiting talent. The younger companies rely less on their name and more on building their name, and those are typically the vendors I prefer to work with. EY is not as easy to deal with as some of the other vendors in the space.” —CTO
Fortified Health Security
Validated for a wide range of strategic and technical projects. Offers both managed services (most common approach, though not measured in this report) and consulting services. Most interviewed security leaders are not familiar with Fortified Health despite the firm’s focus on healthcare security. Those that are familiar view the firm as having a fairly strong security offering. However, has lower overall satisfaction due to varied client experiences; less-satisfied clients report delayed projects or say they have to escalate problems to executives to get them addressed. Many of the more recently interviewed clients report a positive experience.
Client experience
“Our project with Fortified Health Security took longer than we expected it to, and I was not very happy with that. We had to escalate issues and get the leadership involved. Meeting deadlines is very important to us, and Fortified Health Security could have stuck with their deadlines.” —CISO
Perception
“I definitely have heard of Fortified Health. I haven’t worked with them, but I know they reached out to me a bunch of times about a lot of the measures, trust talks, and things like that. Based on the fact that Fortified Health has taken interest in a lot of the latest trends, it looks like they are at least putting effort into staying on top of the needs of the hospitals. They are somebody I would consider because the fact that they seem to stay on top of things leaves a positive impression.” —CISO
Impact Advisors
Historically known for advisory services for broader IT projects; rarely recognized by respondents as even having a security offering. Had the fewest security leaders rate their perceived strength, and two of the three rated it low due to past experiences with non-security work. However, actual clients report extremely high satisfaction with the firm’s relationships, delivery, staff, and level of executive involvement, and Impact Advisors is the 2021 Best in KLAS winner for security and privacy consulting services.
Client experience
“Our overall experience was great with Impact Advisors. They did a really nice job of not just putting together their research and report but also adding value along the way. I was able to get their perspectives on a number of things that were out of the scope, and the leaders and consultants were more than willing to provide us with information, answer questions, and help with planning and strategizing. Overall, Impact Advisors had a fantastic perspective. They are a very flexible organization. They were able to adjust when we wanted to make a few modifications. They were very responsive.” —CIO
Perception
“I haven’t done any security work with Impact Advisors. They are very well known, and I hear about them all the time. One time when I worked with Impact Advisors, I disagreed with one of their recommendations. Upon further review, we finally said no to that recommendation. Some of the things Impact Advisors was doing were unrealistic. I wasn’t too pleased with Impact Advisors’ recommendations. They didn’t do the detailed work to make sure they were partnering with good companies. My management team might work with Impact Advisors again, but I won’t.” —Security director
Intraprise Health
Does a lot of HITRUST certification work in addition to annual risk assessment services and program development. Not known by many security leaders, but those that are familiar with the firm have positive perceptions (e.g., broad healthcare experience, good road map, strong focus on clients). Client experience varies—some say the firm is flexible and adaptable to their needs; others report some concerns about the staff’s quality or experience level.
Client experience
“There will be bumps along the way in any process, but if I can find a vendor partner who works through those bumps with me, then I know that that is a real relationship. Intraprise Health sat down and listened to who we are. The vendor is flexible with us. They work within our limitations. They try to tell us what is realistic. Intraprise Health will let us know whether we need to do something in a different way. They have been honest and flexible.” —CEO
Perception
“I have worked with Intraprise Health a lot and have a very good opinion of them. I would certainly work with them again, and I would certainly recommend them. If the primary firm we worked with went under, I would use Intraprise Health again. They have very good, broad healthcare experience. The leadership was strong within the organization, and the firm has a good road map. They know where they want to go.” —CISO
Meditology Services
Long-standing industry presence; only firm validated for all types of projects measured in this report. Leadership background comes from large, cross-industry firms and includes a blend of security backgrounds and healthcare-focused expertise. Highly regarded by security leaders and is the firm most likely to be seen as a partner and most likely to be engaged in the future. Clients have historically reported strong satisfaction, but a handful of dissatisfied clients have recently reported staff turnover and lack of staff experience; some also note that Meditology seems to be pursuing profit over quality delivery or relationships.
Client experience
“The issues with the initial group that Meditology Services sent were caused by some turnover the firm had. They lost a couple of strong players and put someone in charge who wasn’t strong. The firm was trying to have that person do security work, and the work wasn’t getting done. I think it would have been nice if one of the executives had noticed that things were taking a long time and asked why we weren’t making progress. When I emailed the firm about my frustration, their response was quick. They brought in some really talented, solid folks who knew their stuff. Those people got us going in the right direction and got everything done. But before we got the executives involved, we were just meandering.” —CISO
Perception
“Meditology is way up there on my radar. I am probably going to wind up using them soon. Their vendor presentation was very strong and impressive. They don’t nickel-and-dime their customers; they are very adaptable. From a cost perspective, they were very reasonable in terms of what they quoted us. For all those reasons, we are definitely going to be considering them. We were very impressed with the team that presented. I have spoken to my peers who have used Meditology, and they are very happy with their services.” —CISO
Optiv Security
Widely used as a VAR. Unique in this study in that all validated work is technical work (e.g., technical testing and implementation of security technologies). Unlike other cross-industry firms in this study, focuses solely on information security. Security leaders view the strength of the firm’s security offering as comparable to that of other cross-industry firms, and a solid percentage are likely to engage the firm in the future (most of these are current clients using the firm’s reseller, procurement, or security services). Client satisfaction varies—some clients are satisfied with staff and delivery quality, while others report frustration with these aspects of their engagement, including frustration with contractors and resellers.
Client experience
“The vendor met but didn’t exceed our expectations. One thing that frustrated me was the vendor’s tendency to use contractors. We had to cycle through a resource or two to get to somebody who could handle the project. The contractors had to pick up other work, so we would maybe go a week or two when the contractors weren’t dedicated to our project. The vendor subcontracted out engagements, and if we didn’t manage things, there was an opportunity for variable quality. The vendor tried to get other work and then had scheduling issues, and then we had to adjust our schedules. That definitely had an impact on us. We had to learn how to best work with the vendor and make sure that we were interviewing contractors.” —Security director
Perception
“We have never worked with Optiv. We have never executed a contract with them, but we have been in discussions with them. I have a positive opinion of them based on the interactions that we have had. Optiv did a presentation at a meeting we attended, and it was a strong presentation. We have looked at a number of services that they offer, but ultimately, we engaged another vendor. The price point was a part of that. Nonetheless, I have a positive opinion of Optiv, and we would give them the opportunity to work with us again. They have even shared beneficial things like links, other documents, white papers, and those kinds of things. Optiv is doing little things and trying to further develop the relationship.” —Executive security director
PwC
Known as one of the Big Four accounting firms; perceived similarly to the other cross-industry firms and commonly looked at for strategic engagements. Though PwC lags most healthcare-focused firms in likelihood of being engaged in the future (cost is the most commonly cited barrier), they lead in this metric among the other Big Four firms in this study. Satisfaction feedback from current security clients comes from a limited sample. These organizations report higher satisfaction than clients of other cross-industry firms, citing strong security expertise and strong project leadership. Feedback on staff quality is mixed—some organizations report consistently high-quality resources, while others say they receive junior resources.
Client experience
“PwC was willing to tailor our experience around what we needed, and they got excited about doing something outside the box. The biggest thing that exceeded my expectations was PwC’s desire to gravitate toward a tailored engagement that was very focused on the risks to our organization. PwC was very receptive. In past years, we would have done the project differently, and that would have caused more tension between parties. The project was very collaborative, and that was ultimately what yielded better benefits to our organization.” —CISO
Perception
“PwC is usually exceptional with strategy and a programmatic, large-scale understanding of how things work. I don’t like using PwC for detailed work and things that are hands on. When it comes to strategy and programmatic work, I consider PwC to be way above average. I love working with them in that space, and they bring a lot to the table. Below the strategy level, I get mixed results with PwC, and I don’t use them a lot.” —CISO
About This Report
Data for this report comes from two sources: (1) KLAS performance data and (2) KLAS perception data.
KLAS Performance Data
Each year, KLAS interviews thousands of healthcare professionals about the IT products and services their organizations use. For this report, interviews were conducted over the last 18 months using KLAS’ standard quantitative evaluation, which comprises 9 numeric ratings questions and 3 yes/no questions, all weighted equally. Combined, the ratings for these questions make up the overall performance score, which is measured on a 100-point scale.
The number of unique client organizations interviewed for each firm is given in the table below:
What Does “Limited Data” Mean?
Some services are used in only a small number of facilities, and some firms are resistant to providing client lists. Thus, a firm’s sample size may not reach KLAS’ required threshold of 6 unique organizations. When a sample size is less than 6, the score for that question is marked with an asterisk (*) or otherwise designated as “limited data.” If the sample size is less than 3, no score is shown. Note that when a firm has a low number of reporting sites, the possibility exists for KLAS scores to change significantly as new surveys are collected.
KLAS Perception Data
To supplement the client satisfaction data gathered with the standard evaluation, KLAS also created a supplemental evaluation to delve deeper into several questions specific to the security and privacy services consulting market. This evaluation asked respondents (1) what makes a security and privacy consulting firm a true partner, (2) which firms are perceived to have the security expertise and strength healthcare organizations need, and (3) how the COVID-19 pandemic has affected healthcare organizations’ security programs.
Writer
Elizabeth Pew
Designer
Natalie Jamison
Project Manager
Natalie Jamison
This material is copyrighted. Any organization gaining unauthorized access to this report will be liable to compensate KLAS for the full retail price. Please see the KLAS DATA USE POLICY for information regarding use of this report. © 2024 KLAS Research, LLC. All Rights Reserved. NOTE: Performance scores may change significantly when including newly interviewed provider organizations, especially when added to a smaller sample size like in emerging markets with a small number of live clients. The findings presented are not meant to be conclusive data for an entire client base.