Identity & Security Consulting | London, United Kingdom

Deloitte Review 2026 — Identity & Security Consulting

4.2 / 5.0 from 2,640 verified buyer references

Founded: 1845
Headquarters: London, United Kingdom
Employees: ~460,000 (FY2025)
Regions Served: 150+ countries
Industries: All major verticals
Typical Engagement: $500K–$50M+ programmes

Overview

Deloitte is the largest of the Big Four professional services networks by both revenue and headcount, reporting US$67.2 billion in aggregate revenue for FY2024 across approximately 460,000 employees in 150 countries. The network operates as Deloitte Touche Tohmatsu Limited, a private UK company with member firms in each major market. Joe Ucuzoglu serves as Deloitte Global CEO; Jason Girzadas leads Deloitte US, the network's largest member firm. Cyber sits within the Risk & Financial Advisory practice in the US and as a standalone Cyber business unit in EMEA, with combined cyber revenue widely estimated above US$5 billion globally.

Within identity and security consulting, Deloitte fields one of the largest Big Four identity practices, with deep benches on SailPoint, CyberArk, Saviynt, Okta, Ping, Microsoft Entra, and ForgeRock. The practice covers identity strategy, IGA implementation, PAM, customer identity, machine and non-human identity, zero-trust architecture, and IAM managed services. Deloitte also runs significant adjacent practices in cyber programme strategy, third-party risk, OT and IoT security, security operations transformation, and post-breach incident response. The firm's audit-aligned controls testing methodology is a frequent reason regulated buyers select Deloitte.

Deloitte is typically a fit for global enterprises and regulated industries that need identity work bundled with audit, financial controls, or wider ERP and HR transformation in a single integrated programme. The firm is rarely the lowest priced option, with premium onshore rates and methodology overhead. Smaller single-platform IGA deployments under US$1 million are usually better served by a specialist such as Optiv or by the vendor's professional services arm.

Services Offered

Typical Engagement

Engagement Type | Model | Typical Range
IAM strategy and target state design | Fixed-fee project | $300K–$1.2M (8–14 weeks)
IGA or PAM implementation | Fixed-fee or T&M | $2M–$10M (8–18 months)
Enterprise identity transformation | Multi-year outcome contract | $10M–$50M+ (24–48 months)
Managed identity services | Monthly retainer | $80K–$900K per month
Staff augmentation (Certified IAM) | Hourly bill rate | $180–$340/hour blended

Pricing ranges verified May 2026 from public procurement records, identity vendor channel benchmarks, and reference checks. Onshore-only US delivery is materially higher; India USI delivery centres lower blended rates by 25–35%.

Strengths

  • Largest Big Four cyber practice globally by revenue and certified identity headcount
  • Audit-aligned controls testing methodology suited to SOX, SOC2, and ISO 27001 environments
  • Integrated delivery combining identity with ERP, HR, finance, and risk programmes under a single contract
  • Strong industry IP for financial services, life sciences, energy, and public sector
  • Mature India USI delivery centres for cost-blended IAM platform work
  • Top-tier partner status across SailPoint, Saviynt, CyberArk, Okta, and Microsoft Entra

Limitations

  • Premium pricing — onshore partner rates frequently exceed US$400/hour and methodology overhead is significant
  • Cannot serve audit clients with attest-conflicting work, which materially restricts the addressable buyer base in the US
  • Methodology rigidity can slow delivery on smaller, product-led identity engagements
  • Senior consultant turnover between accounts is common during multi-year programmes
  • Member-firm structure means delivery quality varies across geographies and account teams

Regions Served

Alternatives

  • Comparable Big Four scale, stronger in financial services audit territory (4.1)
  • Strong IGA and SoD analytics, audit-aligned methodology (4.1)
  • Big Four peer, deeper in cyber for energy and life sciences (4.1)
  • Largest non-Big-Four practice, deeper systems integration capability (4.2)
  • Specialist alternative, 15–25% lower pricing, vendor-agnostic (4.3)


Frequently Asked Questions

What is Deloitte's typical identity project size?
Deloitte rarely accepts identity engagements below US$500,000 in total contract value. Most IAM strategy and target-state projects land between US$300,000 and US$1.2 million over eight to fourteen weeks. SailPoint, Saviynt, or CyberArk implementations typically run US$2 million to US$10 million over eight to eighteen months. Enterprise identity transformation programmes combining IGA, PAM, customer identity, and machine identity span US$10 million to US$50 million or more over 24 to 48 months and usually involve blended onshore and India USI delivery.
How does Deloitte price managed identity services?
Deloitte prices managed identity services on monthly retainers typically between US$80,000 and US$900,000 per month, scaled to platform scope, identity population, and SLA targets. Most retainers cover Level 2 and Level 3 platform administration, scheduled access certifications, role and policy management, and a defined hours pool for connector and workflow enhancements. Audit-aligned controls testing can be packaged into the retainer for regulated industries. Outcome-based pricing tied to certification completion rates is available on larger programmes.
How does Deloitte compare to Accenture for identity?
Deloitte is stronger on audit-aligned controls testing, financial services risk, and integration with broader audit and tax workstreams. Accenture has a larger systems integration bench and a more developed offshore delivery pyramid, often resulting in lower blended rates. Deloitte wins more often on programmes where identity is bundled with risk advisory or SOX controls. Accenture wins more often on transformation programmes where identity sits inside a wider ERP or cloud migration. Pricing is broadly comparable at the top of the tier.
Which industries does Deloitte specialise in for identity?
Deloitte has the deepest Big Four identity assets for banking, insurance, capital markets, life sciences, energy, and federal and state public sector. The firm maintains pre-built process accelerators for SOX, NIST CSF, NIST 800-53, HIPAA, PCI-DSS, and DORA. Deloitte US Federal serves the US public sector with cleared personnel and FedRAMP-aligned delivery. The firm is comparatively lighter in retail and consumer goods than Accenture and PwC.
Can Deloitte deliver onshore-only identity programmes?
Yes. Deloitte maintains onshore identity capacity in the United States, United Kingdom, Germany, Australia, Canada, and Japan, and supports cleared US federal work. Onshore-only delivery runs roughly two to three times higher than blended India USI pyramids. Senior architect capacity is constrained for complex SailPoint, Saviynt, CyberArk, and Microsoft Entra programmes, with typical staffing lead times of 60 to 90 days for cleared engagements.
Last updated: May 2026