Security & Privacy Consulting Services 2021
Market Perceptions vs. Client Reality

Though no one could have predicted COVID-19, almost all interviewed security leaders feel their organizations were at least moderately prepared to handle the security and privacy challenges posed by the pandemic. Many organizations had preexisting, ongoing security programs or policies already in place (e.g., preestablished remote work infrastructures) that they were able to expand to meet new needs. Even still, several respondents described the early days of the pandemic as frantic since organizations were moving quickly on sometimes non-optimized solutions.

A majority of organizations saw no change in their security budgets during the pandemic, with many saying they had a sufficient security program already in place. Smaller organizations were more likely to see increased budgets, often for things like hardware to facilitate remote work. Larger organizations were more likely to decrease their budgets, with security departments being asked to prioritize or pause initiatives to accommodate financial strain. Several organizations note that security spending is not optional and is now simply a cost of doing business given that ransomware attacks and data breaches continue to increase. The minimal effect of the pandemic on security budgets creates a strong foundation for ongoing security investments.

Client experience

“Clearwater’s consultants are very professional. They have a deep knowledge of security risk analysis. Even their junior consultants are like that. I don’t hesitate when I hear that Clearwater is sending out someone that is less senior. Overall, we have always had a great experience with Clearwater. We have grown as a program as a result of their services. Clearwater has helped to infuse and enhance our knowledge base around security risk analysis. They have a very organized methodology. The vendor is very punctual and meets stated commitments and time frames.” —CISO

Perception

“I have never worked with Clearwater, but I have heard of them. They are average. I say that based on a publication and from reading things and hearing things about Clearwater. I would be willing to engage with them and find out more based on our specific needs and see where Clearwater shines.” —CISO

Client experience

“The advisor the vendor sent out didn’t really participate in the assessment itself, but that person would ask a question here or there that maybe the assessors hadn’t thought of. The advisor would also clarify things if we didn’t understand them. We have a dedicated account manager who clearly makes an effort to be our partner and to help us stay plugged in. That person doesn’t just call once a year. There are constant feedback loops with our account manager. The executive teams came out and talked about things with us. The new person in leadership has called us several times just within the short amount of time that that person has been here. CynergisTek wants to help us, and they also want to solicit feedback from us. They ask about what we are seeing out there, and they tell us about what they are seeing in other hospitals. That feedback helps CynergisTek to expand their knowledge base and benefit the entire industry.” —CISO

Perception

“We used to use CynergisTek. They are pretty good, but we probably aren’t likely to use them again. . . . Their former CEO was an icon, but as CynergisTek has gotten bigger, they have had more turnover. Their assessments have become more formulaic. That is why we went in a different direction. CynergisTek’s security services offering is average.” —CIO

Client experience

“If I had to make the decision again, I would find somebody else. I don’t think Deloitte paid much attention to the final product, and I find that to be really odd. Several years ago, Deloitte was the top contender. I was pretty happy at the time, so I am rather disappointed with the product we got. There were a number of delays that happened, and the findings and recommendations didn’t align in many cases, so we had to seek clarification and validation. We had to assess the real intent that Deloitte was trying to get to. There was a lot of work on our part that we didn’t think we would have to do.” —CISO

Perception

“I have worked with Deloitte for auditing. They are obviously a big name that can hold their weight in a lot of cases, but in my experience, the big firms typically give us a very junior person who does most of the audits and assessments. That person is not really as thorough as some of the smaller players, but with that being said, Deloitte holds a lot of weight, and that can be good for getting board approvals or other things if we need the support on a certain initiative. Unless we had a need for the Deloitte name to be attached to a report, the likelihood that we would engage them in the future is probably not too high because of the cost.” —CISO

Client experience

“EY’s reporting was adequate, professional, and very organized. When working with an outside party, we want the party to be able to articulate risk through reports, and EY does really good at working collaboratively on responses prior to going to the senior leadership. We are all on the same page about how things should be articulated.” —CISO

Perception

“EY is one of the big old-school organizations. They tend to overcharge and underdeliver. They rely too much on their name, but some of the younger companies are more hungry and better at recruiting talent. The younger companies rely less on their name and more on building their name, and those are typically the vendors I prefer to work with. EY is not as easy to deal with as some of the other vendors in the space.” —CTO

Client experience

“Our project with Fortified Health Security took longer than we expected it to, and I was not very happy with that. We had to escalate issues and get the leadership involved. Meeting deadlines is very important to us, and Fortified Health Security could have stuck with their deadlines.” —CISO

Perception

“I definitely have heard of Fortified Health. I haven’t worked with them, but I know they reached out to me a bunch of times about a lot of the measures, trust talks, and things like that. Based on the fact that Fortified Health has taken interest in a lot of the latest trends, it looks like they are at least putting effort into staying on top of the needs of the hospitals. They are somebody I would consider because the fact that they seem to stay on top of things leaves a positive impression.” —CISO

Client experience

“Our overall experience was great with Impact Advisors. They did a really nice job of not just putting together their research and report but also adding value along the way. I was able to get their perspectives on a number of things that were out of the scope, and the leaders and consultants were more than willing to provide us with information, answer questions, and help with planning and strategizing. Overall, Impact Advisors had a fantastic perspective. They are a very flexible organization. They were able to adjust when we wanted to make a few modifications. They were very responsive.” —CIO

Perception

“I haven’t done any security work with Impact Advisors. They are very well known, and I hear about them all the time. One time when I worked with Impact Advisors, I disagreed with one of their recommendations. Upon further review, we finally said no to that recommendation. Some of the things Impact Advisors was doing were unrealistic. I wasn’t too pleased with Impact Advisors’ recommendations. They didn’t do the detailed work to make sure they were partnering with good companies. My management team might work with Impact Advisors again, but I won’t.” —Security director

Client experience

“There will be bumps along the way in any process, but if I can find a vendor partner who works through those bumps with me, then I know that that is a real relationship. Intraprise Health sat down and listened to who we are. The vendor is flexible with us. They work within our limitations. They try to tell us what is realistic. Intraprise Health will let us know whether we need to do something in a different way. They have been honest and flexible.” —CEO

Perception

“I have worked with Intraprise Health a lot and have a very good opinion of them. I would certainly work with them again, and I would certainly recommend them. If the primary firm we worked with went under, I would use Intraprise Health again. They have very good, broad healthcare experience. The leadership was strong within the organization, and the firm has a good road map. They know where they want to go.” —CISO

Client experience

“The issues with the initial group that Meditology Services sent were caused by some turnover the firm had. They lost a couple of strong players and put someone in charge who wasn’t strong. The firm was trying to have that person do security work, and the work wasn’t getting done. I think it would have been nice if one of the executives had noticed that things were taking a long time and asked why we weren’t making progress. When I emailed the firm about my frustration, their response was quick. They brought in some really talented, solid folks who knew their stuff. Those people got us going in the right direction and got everything done. But before we got the executives involved, we were just meandering.” —CISO

Perception

“Meditology is way up there on my radar. I am probably going to wind up using them soon. Their vendor presentation was very strong and impressive. They don’t nickel-and-dime their customers; they are very adaptable. From a cost perspective, they were very reasonable in terms of what they quoted us. For all those reasons, we are definitely going to be considering them. We were very impressed with the team that presented. I have spoken to my peers who have used Meditology, and they are very happy with their services.” —CISO

Client experience

“The vendor met but didn’t exceed our expectations. One thing that frustrated me was the vendor’s tendency to use contractors. We had to cycle through a resource or two to get to somebody who could handle the project. The contractors had to pick up other work, so we would maybe go a week or two when the contractors weren’t dedicated to our project. The vendor subcontracted out engagements, and if we didn’t manage things, there was an opportunity for variable quality. The vendor tried to get other work and then had scheduling issues, and then we had to adjust our schedules. That definitely had an impact on us. We had to learn how to best work with the vendor and make sure that we were interviewing contractors.” —Security director

Perception

“We have never worked with Optiv. We have never executed a contract with them, but we have been in discussions with them. I have a positive opinion of them based on the interactions that we have had. Optiv did a presentation at a meeting we attended, and it was a strong presentation. We have looked at a number of services that they offer, but ultimately, we engaged another vendor. The price point was a part of that. Nonetheless, I have a positive opinion of Optiv, and we would give them the opportunity to work with us again. They have even shared beneficial things like links, other documents, white papers, and those kinds of things. Optiv is doing little things and trying to further develop the relationship.” —Executive security director

Client experience

“PwC was willing to tailor our experience around what we needed, and they got excited about doing something outside the box. The biggest thing that exceeded my expectations was PwC’s desire to gravitate toward a tailored engagement that was very focused on the risks to our organization. PwC was very receptive. In past years, we would have done the project differently, and that would have caused more tension between parties. The project was very collaborative, and that was ultimately what yielded better benefits to our organization.” —CISO

Perception

“PwC is usually exceptional with strategy and a programmatic, large-scale understanding of how things work. I don’t like using PwC for detailed work and things that are hands on. When it comes to strategy and programmatic work, I consider PwC to be way above average. I love working with them in that space, and they bring a lot to the table. Below the strategy level, I get mixed results with PwC, and I don’t use them a lot.” —CISO

What Does “Limited Data” Mean?

Some services are used in only a small number of facilities, and some firms are resistant to providing client lists. Thus a firm’s sample size may not reach KLAS’ required threshold of 6 unique organizations. When a sample size is less than 6, the score for that question is marked with an asterisk (*) or otherwise designated as “limited data.” If the sample size is less than 3, no score is shown. Note that when a firm has a low number of reporting sites, the possibility exists for KLAS scores to change significantly as new surveys are collected.

KLAS Perception Data

To supplement the client satisfaction data gathered with the standard evaluation, KLAS also created a supplemental evaluation to delve deeper into several questions specific to the security and privacy services consulting market. This evaluation asked respondents (1) what makes a security and privacy consulting firm a true partner, (2) which firms are perceived to have the security expertise and strength healthcare organizations need, and (3) how the COVID-19 pandemic has affected healthcare organizations’ security programs.