The leading cybersecurity consulting firms in the GCC

15 February 2021 7 min. read

The word is out: the usual suspects of Deloitte, EY and PwC are the top professional services firms in the Gulf Cooperation Council for security consulting and services.

For leaders in the professional services industry, analyst recognitions are one the most anticipated moments of the year – shedding light on how firms are regarded in the eyes of industry experts, as well as their most important stakeholder – clients. The consulting industry is home to several analyst firms, with US-headquartered IDC – in business since 1964 – in the view of among the most trustworthy firms* in the scene.

The global analyst and research firm has now released its annual analysis of professional services firms for security consultancy and related technology services, ranking three of the four Big Four giant as the GCC’s top providers. Spanning the markets of the United Arab Emirates, Saudi Arabia, Bahrain, Qatar, Oman, and Kuwait, IDC’s assessment looked at capabilities, track record and company success to come to its findings.

The leading cybersecurity consulting and services firms in the GCC

Over 20 professional services firms were lauded by the analysts as ‘leaders’ and ‘leading players’, with Deloitte and EY leading the pack across the study’s three key dimensions: security strategy capabilities, technical capabilities and size. Deloitte for instance has a presence of around 250 cybersecurity practitioners in all major cities in the GCC, capable of delivering an end-to-end service from consulting to technology implementation and managed services.”

IDC also praised Deloitte’s Digital Center in Riyadh and Cyber Intelligence Center in Kuwait, which provide it with the technological backbone for its service delivery. 

Commenting on the recognition, Tariq Ajmal, Cyber leader at Deloitte Middle East said: “Deloitte’s unique approach to cyber security, comprised of a wide range of core cyber and integrated offerings, enables us to become the trusted advisor for our clients and position them for long-term success.” 

Fellow leader EY similarly has a team of approximately 250 professionals dedicated to cybersecurity in the GCC. The practice is led by the Australian Clinton Firth (who leads the wider Africa, India and the Middle East region), who said: “EY focuses on trust by design, with outcomes assessed by the effectiveness of cyber defense and risk management.” 

“Through this approach, combined with continued investment in new innovations and leveraging emerging technologies, EY teams are providing leading professional security services and managed security services.” 

Third in the ranking is PwC, which according to IDC “places building a secure digital society is at the heart of its Cyber Security and Privacy practice. PwC brings clarity to the challenges of trust, resilience and secure enablement, allowing its clients to be better prepared for cyber and other threats of disruption and to continue to operate as usual.” 

The firm’s standout offerings via a vis rivals include extensive understanding of the local market and regulations, a market leading risk and cyber quantification methodology, and its Experience center in Dubai, which “provides clients a unique interactive simulation of potential threats and responses to real challenges that security practitioners and those at C-Suite and board level are facing.”

Grant Waterfall, PwC's EMEA Cyber Security and Privacy leader said: “We’re really proud to see the recognition of PwC's leadership in cybersecurity consulting extend into the important region of the Middle East. As our presence in the region grows, clients will benefit from an expanded catalogue of technologies, product and service capabilities in cyber, privacy, and risk management.”

“Our extensive range of cybersecurity and privacy services including data security, operational technology, identity and access management – together with our global business knowledge and strong relationships across the Middle East, means that we bring something truly distinctive to our clients in the region,” added Simone Vernacchia, Cyber Security and Privacy leader at PwC Middle East.

Beyond the Big Three

Outside of the ‘Big Three’, other consultancies classified as leaders in the landscape are IBM, Wipro, Etisalat’s Help AG (formed in February 2020), Gulf Business Machines, Protiviti, and Atos-owned Paladion (Atos acquired Paladion in June 2020). Protiviti’s listing is arguably the most notable, with the firm by a distance the smallest of the eight leaders, punching above its weight in the cyber advisory domain.

Rounding off the list of GCC’s leading cybersecurity consulting and services firms are Digital 14, Midis Group, Solutions by STC, Accenture, DU, Advanced Electronics Company, Paramount, Saudi Information Technology Company, TUV Rheinland, Saudi Business Machines and Injazat.

No KPMG? McKinsey? What’s going on?

Notable in IDC’s ranking is the omission of several top consulting firms that beyond doubt have a strong capability set in cybersecurity consulting. Both ALM and Forrester for example rank KPMG and McKinsey & Company among the top security consulting firms globally, as well as regionally, however, IDC’s Middle East ranking makes no mention of these firms. The same applies for consultancies including Boston Consulting Group, FTI Consulting, and Bain & Company

Beyond these global behemoths, there are dozens of varying assessments between the different analyst rankings, across geographies and the several follower categories, known as ‘strong performers’, ‘contenders’, ‘challengers’. So, how can such discrepancies arise? Welcome to the world of analyst relations, which for many is shrouded in secrecy. 

The leading cybersecurity consulting firms in the world

According to the latest estimate of, there are over 20 analyst firms that conduct due diligence on the capabilities of consulting firms, with all of them applying different models for evaluating strengths. More controversial is how they shortlist firms for their provider assessments. Some rankings by analyst firms are opt-in, meaning that firms that don’t ‘pay’ simply can’t be featured. 

IDC’s latest assessment of the Middle East cybersecurity consulting landscape perfectly illustrates this. While not many would debate that Deloitte, EY and PwC are indeed among the leaders given their sheer depth and breadth of offerings, and client track record, the omission of for instance KPMG and FTI's Kroll raises the eyebrows of most insiders, even among partners at Deloitte, EY and PwC. 

Speaking on the basis of anonymity, one Deloitte partner sportsmanly admitted to ConsultancyME, “We often come across KPMG at cyber pitches. Not seeing them in the list is somewhat of a lapse.” Similarly, a partner at a top strategy consulting firm in the region told ConsultancyME “We don’t participate in all regional versions of vendor assessments, and this sometimes sees us omitted while we are assessed at a global level.” 

Time for a new approach?

At, we have been tracking the analyst rankings of providers across all industries, service areas and geographies for over five years now, taking note of models, shortlist criteria and more. Based on our analysis, we believe that the current system in the market insufficiently reflects the full landscape, and in some cases is even rigged.

It is our mission to provide the world of consulting with a more independent, holistic, transparent, inclusive and regionally-tailored oversight of rankings and firm capabilities. Leveraging a database of millions of internal and external data points, including recognitions from the abovementioned analyst firms we endorse, aims to set the new standard in the landscape.

In the second quarter of 2021 we will formally unveil our approach – keep an eye on this space for more.

* has no financial ties with IDC and also features and endorses other analyst firms.