One-Person Consulting Firms? How Are These Possible

egrizzly

The trend I've been noticing lately is the rise of 1-man or 1-woman consulting firms. Now at the monthly security group meetings one loses count of how many people are working as independent consultants.  Yet, when they present their services to you it's a very long list like that below.  So how is this possible for one person to do?  Are they just reselling services from bigger firms, or is their really a workable system to providing all these services as a InfoSec Consultant

[The below services I've noticed most consultants provide]

CYBERSECURITY ASSESSMENTS

Vulnerability Assessment Services

Penetration Testing Services

Social Engineering Assessments

Security Architecture Review & Design

FEDERAL SERVICES

Risk Management Framework (RMF) Support

Security Assessment and Authorization

FISMA Certification

FedRAMP Compliance

NIST 800-53 Assessment Services

Continuous Monitoring

Vulnerability Analysis and Penetration Testing

Security Policy and Procedures Documentation

Security Staff Augmentation

HEALTHCARE ASSESSMENTS

HIPAA / HITECH Readiness Assessment

PRIVACY ASSESSMENTS

Domestic and Cross-border

CLOUD SECURITY ASSESSMENTS

Cloud Security Services; FedRAMP Compliance

SOC EXAMINATIONS

THIRD PARTY RISK

LordQarlyn

It's not easy but it's possible. Once you get enough hands on experience in a particular field and you are very good at it, you can market yourself as a one man consulting firm. This is not limited to IT, other fields have consultants as well. While the list above seems big, many of them work together and are interrelated. If you worked across all the items on the list, you can get a feel for it, learn to do good analysis, learn to make good decisions, learn to effectively solve problems, learn to provide effective solutions to your client, learn to audit and evaluate, it is something to consider. Oh and be a good researcher and be willing to consult others as well. The most difficult part is getting started when you have no credentials, history or references, you are an unknown. I've read where some got their start as a side job, at first doing pro bono work for nonprofit organizations until they got some good testimonials and references. Then they started marketing themselves, attending trade conventions, seminars, where they networked extensively, while still doing pro bono for nonprofits if necessary. If they managed to cross that initial barrier, then their business took off, if they continued to grow they could raise their rates gradually and soon it was their full time job, and quite a good one too.

egrizzly

This is quite incredible.  So many of them are inter-related.  You're saying the training for these types of roles usually comes from certifications or having to get training from any consulting-related programs?

bigdogz

For me it came to doing some side work which created a customer base. Now I do it full time.

yoba222

My vote is reselling / subcontracting most of the services.

NetworkNewb

Doesn't look like too crazy of list as long you have some experience in them.   I think it would be hard to be an individual consultant if they didn't have a decent list of services they could provide. 

scasc

Very unlikely that a one man band can do all these services. However what people do is that they build relationships with other firms/ppl who can provide these services and win the work, charge a fee and keep a portion for when they pay that firm (sub-contract the work). 

egrizzly

scasc said:

Very unlikely that a one man band can do all these services. However what people do is that they build relationships with other firms/ppl who can provide these services and win the work, charge a fee and keep a portion for when they pay that firm (sub-contract the work). 

heh Scasc would you say you've picked up some of those skills from your extensive list of certs?  Looks like you've got certs covering Security Management, Risk, Cloud, and Pen Testing 

egrizzly

yoba222 said:

My vote is reselling / subcontracting most of the services.

How exactly is this done Yoba?  The reselling/sub-contracting of security services.  Needless to say I know I've searched for the answer but have come up empty for the most part.

LordQarlyn

egrizzly said:

This is quite incredible.  So many of them are inter-related.  You're saying the training for these types of roles usually comes from certifications or having to get training from any consulting-related programs?

I would say hands on experience, knowing how to make good judgements for the clients. You've heard the old cliche, good judgement comes from experience which comes from making bad judgements. Well, in this case, the consultant made his bad judgements as an employee where unless it was really costly and results in termination, worse case is the employee gets called on the carpet, learns, and moves on. Most one man consultants I've known started in their late 30s or early 40s, some in their 50s, which if you do the math, that's a lot of years in the industry.

egrizzly said:

yoba222 said:

My vote is reselling / subcontracting most of the services.

How exactly is this done Yoba?  The reselling/sub-contracting of security services.  Needless to say I know I've searched for the answer but have come up empty for the most part.

Many vendors you can become an affiliate, or as they often call it, "partner", where when you sell their products or services, you get a discount in the price and a commission, depending on the level of partnership, which often depends on the sales you've made; get more sales, get a better tier of partnership which results in a better discount and/or a higher commission. My best friend has started a side consultant as a collaboration/VoIP SME. Because he is certified at the top level as a Cisco Collaboration professional, he managed to get Cisco Premier partnership.

scasc

egrizzly said:

scasc 

Very unlikely that a one man band can do all these services. However what people do is that they build relationships with other firms/ppl who can provide these services and win the work, charge a fee and keep a portion for when they pay that firm (sub-contract the work). 

heh Scasc would you say you've picked up some of those skills from your extensive list of certs?  Looks like you've got certs covering Security Management, Risk, Cloud, and Pen Testing 

Hey. I’ve been contracting more than anything else over the last 3 years. This is where you are paid a day rate for your services. Firms advertise what they need, agents represent them. My own skill set is mainly risk, controls, management, architecture and cloud, I build these firstly through the certs, polished them through work experience and by doing further research/reading etc. I’m learning all the time by harnessing my knowledge where I can. 

I love learning and I think that’s what keeps me going and in the running for these roles. 

I reckon the US is different as it’s a massive market. Lots of opportunity to actually build your own business as a consultant and not necessarily a contractor. My advise would be to pick an area you like and one you can be the top of your game in and focus on that. At the same time build relationships by attending conferences,  connecting on LinkedIn etc who offer other services.

LordQarlyn

NetworkNewb said:

Doesn't look like too crazy of list as long you have some experience in them.   I think it would be hard to be an individual consultant if they didn't have a decent list of services they could provide. 

Sometimes though being really really good at one thing can be lucrative for a consultant. While I was still in telecommunications, I had CDMA training twice by this consultant, paid for by two different companies, and all he did was travel the nation (and sometimes Canada) training people on cellular phone CDMA. His personal brand and website was simply titled howcdmaworks.com. From what I can tell, he was doing very well at it.