A Market Under Pressure

The cybersecurity consulting market has changed. What used to be expert-driven has become volume-driven. Certifications are now baseline requirements, not competitive advantages. Consulting offerings look increasingly similar. In public tenders, prices are lower than four years ago, despite growing regulatory complexity.

Something deeper is shifting as well. AI can now generate much of what was previously called implementation work: policies, risk registers, awareness concepts. Abstract consulting has been commoditized. An organization no longer needs a consultant to produce documents. It can learn about the ISO/IEC 27001 Annex A controls on its own.

What it cannot replace is someone who helps navigate uncertainty when those documents are not enough.


The Problem with Adjacency

Many consulting firms are expanding into crisis management and business continuity, often on the basis of short trainings. Some of these moves lack the experience and depth the domains require.

Business continuity is not the same as information security, even though both have interfaces. All management system disciplines have interfaces. But moving from one expert domain to an adjacent one solely because they are neighbors is not expertise. It is erosion.


What Mature Organizations Are Doing

Mature organizations respond with internalization. They build real in-house capabilities. Managing cybersecurity does not require a PhD in informatics. It requires management skills, critical thinking, self-directed learning, and some technical understanding.

External consulting still has value, provided it delivers experience, benchmarking, and structured complexity reduction. That kind of input does not take much time. But it is not cheap.


The Decisive Capability

In volatile environments, the decisive capability is coping: staying operational, deciding under stress, adapting under pressure, returning the organization to a stable position.

Resilience depends less on frameworks and more on how an organization leads when things go wrong.

Compliance should be a by-product of cybersecurity, not its primary objective. There is no such thing as a secure organization. Security is a vehicle for high-quality decisions in complex conditions.


Quotable

“Certifications are entry tickets, not differentiators.”

“Moving from one expert domain to an adjacent one just because they are neighbors is not expertise. That’s erosion.”

“Security is a vehicle for high-quality decisions in complex conditions. It is not a destination.”


→ How Rico Kerstan structures complex security topics: Services → The methodological approach: Approach