As a Deloitte alumnus and a current cofounder of my own cybersecurity services and advisory firm, I hope I am qualified to weigh in here.
First, lumping all consulting firms together is a mistake. The main lists here cover the big brands, and I've added a couple more. Each has its strengths, weaknesses and approach to the market:
- Pure technology consulting: Accenture, IBM, Cap Gemini, Tata, Cognizant and Infosys
These firms usually win because of their reputation for solving large scale technical problems. They can mobilize large teams of relatively qualified people and often have exclusive or at least preferential treatment from software providers who are eager to sell into their distribution channel.
- Prestige strategy firms: McKinsey, Bain, BCG
Very little technical knowledge. Almost no implementation. Usually bought for political reasons that require "hiring the best." A true Veblen service. Still, they often are the right choice for a question that has an unknowable answer and requires panache and persuasion.
- Big Four: Deloitte, EY, KPMG, PwC
Outside of government practices, these firms win because they have a monopoly on the CFO relationship. This entree into board conversations around audit and financials is powerful enough to build a relationship that can lead to strategy, technology, supply chain or myriad other consulting projects (SarbOx made it illegal to sell both audit and consulting at once, but once Deloitte made it clear that some hand waving and compliance measures were sufficient to fend off regulators, as long as services weren't sold at the same time, the rest jumped back into consulting).
- Niche players: Aon, WTW, AT Kearney, CapCo, ATT, Verizon, Marsh, Sapient and Booz
This heterogeneous group often wins because of a specific strength, relationship or reputation. For Aon, Marsh and WTW it is around insurance and the CRO. For ATK, they are known for logistics.
Finally, to address the article itself, one of my earliest observations about the corporate world is that the less work one does, the more one gets paid. Partners delegate work and even proposal writing to focus on selling. Those who get promoted most quickly are those who sell the most work. Relationships are what land deals and working is in conflict with schmoozing, so it is important to do very little actual work.
Furthermore, what people are saying about bureaucracy and management being inherent to an organization is correct, although I'm less jaded on this point than I was while working for somebody else. Sclerotic organizations need third parties to make change because inertia is such a powerful force, and a combination of risk aversion and other fallacies can do harm to one's career unless there is somebody else to blame. See Rene Girard on this point to fully understand why scapegoating is a feature, not a bug.
The last thing I would say is that having real expertise and experience is crucial to making a convincing sale. My field, cybersecurity, is still professionalizing, so credentials don't mean as much as past work experience. Social proof is everything and competing on price in markets with information asymmetry is a sign of bad quality.
There are a few ways to get to the place that was laid out by the OP. The first, and most desperately needed, is somebody with deep technical knowledge who can develop and implement processes. The second, and almost as important, is somebody who can create documentation that ties everything together and explains code, networks, data and systems at various levels of granularity (C-suite, middle management, engineering lead, devs, network engineers, etc.). While the latter should be the responsibility of a good engineer, it often gets left behind and is almost never prepared for different audiences. Third and final is where we are positioned, risk management. We assess, mitigate and quantify risk in terms leadership can understand and act on. Whether a bank is worried about regulatory pressure and needs to demonstrate a good faith effort to comply or a due diligence team needs a financial quantification of the current cybersecurity risk in an acquisition, the greatest value here is being fluent in business and technology. Translating between lingo, goals and most importantly culture is easier said than done.