[ ANALYSIS ] Crisis Management

Cybersecurity Consulting Has Become a Commodity

The cybersecurity consulting market has shifted. What was once differentiated by expertise is now driven by volume. The decisive capability in complex situations is not compliance — it is decision-making under pressure.

What Has Changed

Certifications like ISO 27001 or TISAX are now entry tickets, not differentiators. Consulting offers look increasingly similar. In public tenders, prices are often lower than four years ago despite growing regulatory complexity.

At the same time, something deeper has shifted: AI can now generate much of what used to be called implementation work — policies, risk registers, awareness concepts. Abstract consulting has become commoditized. Producing a document no longer requires a consultant.

The Problematic Market Response

Many consulting firms are responding by expanding into adjacent markets: crisis management, business continuity, often based on short trainings. That is a problem.

Business continuity is not the same as information security, even though both disciplines have interfaces. All management system disciplines have interfaces. That does not make them interchangeable. Shifting from one expert domain to another simply because they are neighbors is not expertise. It is erosion.

What Organizations Actually Need

Mature organizations are responding with internalization. They invest in building real in-house capabilities. Managing “cyber” does not require a PhD in computer science. It requires management competence, critical thinking, and learning capability.

External consulting still has value — if it delivers experience, benchmarking, and structured reduction of complexity. That kind of input does not take much time. But it is not cheap either.

The Decisive Capability

In volatile environments, the decisive capability is coping: staying operational, making decisions under stress, adapting under pressure, bringing the organization back to a stable position.

Resilience depends less on frameworks and more on how you lead when things go wrong.

Compliance should be a by-product of cybersecurity, not the only goal.

Security cannot be the objective because there is no such thing as a secure organization. Security is a vehicle for high-quality decisions in complex conditions.

Quotable

“Certifications are now entry tickets, not differentiators.”

“Shifting from one expert domain to another simply because they are neighbors is not expertise. It is erosion.”

“Security is a vehicle for high-quality decisions in complex conditions.”

→ How Rico Kerstan works with complex security and resilience topics: Services