Consulting

sir_creamy_ Inactive Imported Users Posts: 298
Has anyone here worked as a consultant in security?

Is it as lucrative as I've been led to believe or is there a dark side that I've not been informed of? Any thoughts/comments on consulting in general?

Cheers
Bachelor of Computer Science

[Forum moderators are my friends]

Comments

  • Netstudent Member Posts: 1,693
    Consulting can or cannot be a very lucrative business. It depends on how much clientele you have. If you can get on some big contracts, then hell yeah, IT security consultants get paid serious cash. I guess it also depends on whether you are consulting for a mom-and-pop shop or a Fortune 500 company. But generally companies want consultants with lots and lots of experience.
    Or someone with some serious skills.
    There is no place like 127.0.0.1 BUT 209.62.5.3 is my 127.0.0.1 away from 127.0.0.1!
  • keatron Member Posts: 1,213
    sir_creamy_ wrote:
    Has anyone here worked as a consultant in security?

    Is it as lucrative as I've been led to believe or is there a dark side that I've not been informed of? Any thoughts/comments on consulting in general?

    Cheers

    One key is relationship building and maintaining those relationships long term. I've never had a client argue with me over my rate (which is well above the average $250/hour for general consulting). Also, establishing yourself as an expert helps too. And understand, you're only an expert when the industry in general refers to you as such. Not you yourself. In other words, what's the buzz you're generating in the industry? Here's an excerpt from an email I got today.
    Keatron,
    The project is in DC. at XXXXXXX

    XXXXXX will be your security contact there as she is our civilian sector liaison. Feel free to call me on my cell if you need anything it's XXXXXXXXX.

    We are looking forward to having you as we have heard you are the best! Hopefully I will get over to DC while you are in town to meet you. Travel safe.

    The key here is don't start tooting your own horn. Let THE PEOPLE make that judgment (I know that's tough!!). Keep in mind this is my first time working with this particular agency so the person is referring to what they've "heard through the grapevine".

    How do you get to that point? Glad you asked. First of all, start locally. NEVER underestimate the power of doing even light security consulting for mom-and-pop shops. You never know who these people know. I once did a trojan removal for a lady I met on the train, whose brother ended up being an alderman (who I ended up removing the same trojan for). Long story short, that relationship with him got me introduced to opportunities within that city that I might not have ever gotten had I not helped her on the train that day (she saw that I had on an MCT shirt, figured I was a Microsoft employee and assumed I could help).

    Yes, the bigger money is with bigger corporations, and of course defense orgs, and intelligence orgs. But you certainly will not start there (at least in most cases).

    Keep your nose clean, if you don't, forget about security clearance (which you will probably need at some point).

    Don't be shocked when you get the right experience and have the right certs and you're turned down for a position, or a contract if you're going solo. It happens. Regardless of what you might hear, security is NOT guaranteed money. You have to build a reputation, and do THE BEST work, just like in any other industry. CISSP will get some doors open for you, but that's about it. If you want to excel, you need to know a lot of stuff and about a lot of stuff. Spend a few hours every day reading, researching, and modeling security architectures/testing them. I always cringe when people complain about the recommendations of reading 2 hours a day on weekdays and 4 hours a day on weekends to prepare for a certification. I cringe because you'll need to be doing that much FOREVER if you're really serious about doing security and being good at it.

    As an employee, you can expect to make anywhere from $70,000 to $300,000 per year after 5 or 6 years of experience in the industry (if you get with a good consulting company). If you own a consulting company that does security, and you don't reach $1 million (net) in the first 2 years, you're probably not reaching much of your potential.

    Also, certain basic things you'll just have to know without having to look at a key or recite a memorization trick in your head. For example, you'll need to know all the common ports (plus some not so common ones). Not because you've memorized the charts, but because you've opened and closed them for various reasons (you had to open 22 for SSH connections on enough border devices that you know immediately that's what it's for). You'll need to be able to look at packets and quickly assess what was/is probably happening during a particular communication stream (which is related to ports too). You should be able to describe the 3-way handshake in detail. You need to have actually "watched" it happen a few times. After all, you can't tell when the connection rules are being violated if you don't know what it looks like in the first place. Depending on software and hardware to do this for you is okay, but oftentimes we're called in to verify, for example, that a port scan happened when Snort and other mechanisms failed to detect it (any hacker worth mentioning will know how to fool most if not all IDS, IPS, and proxy mechanisms).

    So basically in security if you want to demand top dollar, then for one you need to have a reputation. You also need to be one of the "go to" people in the industry when all the expensive hardware and software fails to get the job done. Because when a compromise happens, the client does not want to hear you talk about what ISA is "supposed to do" and what snort "should have done". They want to know what happened, how it happened, and how to best protect against it happening again.

    Hope this helps those of you looking to make the leap.

    Keatron
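    The post above says you should be able to describe the three-way handshake in detail, recognize when its rules are being violated, and confirm a port scan by hand when the IDS missed it. The following is an added example, not code from the forum post or its author: a small TCP connection tracker that walks SYN / SYN-ACK / ACK per flow and then lists sources that probed many ports without ever completing a handshake. The packet records, addresses and port numbers are constructed for illustration (not a real capture); in practice the same state logic would run over frames read from a pcap.

```python
"""Toy TCP handshake tracker and SYN-scan spotter (added example, constructed data).

A TCP connection opens with three segments:
    client -> server : SYN
    server -> client : SYN-ACK
    client -> server : ACK        (flow is now ESTABLISHED)
A closed port answers a SYN with RST/ACK; a half-open scanner answers the
server's SYN-ACK with RST so the connection never completes. Many SYNs from one
source to many ports, none of them reaching ESTABLISHED, is what a port scan
looks like on the wire, whether or not an IDS signature fired.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass

SYN, ACK, RST = "S", "A", "R"


@dataclass(frozen=True)
class Pkt:
    """Minimal packet record; field names are an assumption for this example."""
    src: str
    dst: str
    sport: int
    dport: int
    flags: str  # subset of "SAR", e.g. "SA" for SYN-ACK, "RA" for RST/ACK


def flow_key(p):
    """Order the two endpoints so both directions map to the same flow."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (a, b) if a <= b else (b, a)


def track_handshakes(pkts):
    """Return {flow: state} after replaying the packets in order.

    States: SYN_SENT, SYN_RECEIVED, ESTABLISHED, RESET, VIOLATION.
    """
    state = {}
    for p in pkts:
        k = flow_key(p)
        cur = state.get(k)
        s, a, r = SYN in p.flags, ACK in p.flags, RST in p.flags
        if r:
            state[k] = "RESET"                       # RST (or RST/ACK) ends the flow
        elif s and not a:
            if cur is None:
                state[k] = "SYN_SENT"                # step 1; a retransmitted SYN changes nothing
        elif s and a:
            # step 2 is only legal in reply to a SYN we saw
            state[k] = "SYN_RECEIVED" if cur == "SYN_SENT" else "VIOLATION"
        elif a:
            if cur == "SYN_RECEIVED":
                state[k] = "ESTABLISHED"             # step 3 completes the handshake
            elif cur is None:
                state[k] = "VIOLATION"               # ACK with no prior SYN (ACK scan, spoof)
            # an ACK inside an established flow is ordinary data; leave the state alone
    return state


def find_scanners(pkts, state, min_ports=10):
    """Sources whose SYNs to one host touched >= min_ports ports without establishing."""
    probes = defaultdict(set)
    for p in pkts:
        if SYN in p.flags and ACK not in p.flags and state.get(flow_key(p)) != "ESTABLISHED":
            probes[(p.src, p.dst)].add(p.dport)
    return {pair: sorted(ports) for pair, ports in probes.items() if len(ports) >= min_ports}


def summarize(state):
    """Count flows per final state."""
    return dict(Counter(state.values()))


def build_sample():
    """Constructed traffic: one real SSH session, a 20-port SYN scan, one stray ACK."""
    pkts = [  # legitimate connection to port 22, then a data segment
        Pkt("10.0.0.5", "10.0.0.10", 51000, 22, "S"),
        Pkt("10.0.0.10", "10.0.0.5", 22, 51000, "SA"),
        Pkt("10.0.0.5", "10.0.0.10", 51000, 22, "A"),
        Pkt("10.0.0.5", "10.0.0.10", 51000, 22, "A"),
    ]
    for i, port in enumerate(range(20, 40)):       # half-open scan of ports 20-39
        sport = 40000 + i
        pkts.append(Pkt("198.51.100.7", "10.0.0.10", sport, port, "S"))
        if port in (22, 25):                        # open ports answer SYN-ACK, scanner resets
            pkts.append(Pkt("10.0.0.10", "198.51.100.7", port, sport, "SA"))
            pkts.append(Pkt("198.51.100.7", "10.0.0.10", sport, port, "R"))
        else:                                       # closed ports answer RST/ACK
            pkts.append(Pkt("10.0.0.10", "198.51.100.7", port, sport, "RA"))
    pkts.append(Pkt("203.0.113.9", "10.0.0.10", 45000, 443, "A"))  # ACK with no SYN
    return pkts


if __name__ == "__main__":
    sample = build_sample()
    st = track_handshakes(sample)
    print("flow states:", summarize(st))
    for (src, dst), ports in find_scanners(sample, st).items():
        print(f"{src} probed {len(ports)} ports on {dst}: {ports[0]}-{ports[-1]}")
```

    The scanner in the constructed data is caught purely from handshake state, not from any signature: twenty SYNs, every one of them ended by a RST instead of an ACK. The single legitimate flow reaches ESTABLISHED and is ignored, and the stray ACK is reported as a violation because no SYN preceded it.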
  • homerj742 Member Posts: 251
    Keatron, that's a great post.

    I'm looking to become an independent consultant in the future. I have yet to decide on what my primary focus would be, though I find myself drawn towards the security side of things.

    I'm 26 years old, I was a desktop technician throughout college, and now for the past 2 years, I've been a Systems Administrator (windows), and I've done some work with Cisco Equipment (also hold a CCNA).

    I was wondering, what advice can you give a beginner like myself? What's a good age to begin as an independent consultant? How can I get some good professional experience in network security?

    Any advice would be greatly appreciated, thank you!
  • rossonieri#1 Member Posts: 799
    well homerj742,

    just prepare for not being tempted by job ads :)
    for not having a handful of cash :) , leaving the family for travel -
    meet bunch of "i know that" people.
    but after you get the hardest part - you'll see the result.

    HTH. and Good Luck :)
    the More I know, that is more and More I dont know.
  • garv221 Member Posts: 1,914
    Consulting can be very rewarding, but I would recommend securing contracts before quitting your day job. I have seen contracts pay 220K/year.
  • seuss_ssues Member Posts: 629
    Keatron,

    Security Consulting has been something that I have considered getting into in the next 5-10 years. Do you have any good books or sites that discuss this in more detail?

    I have plenty of security reference books. I'm interested more in the business side, or books on consulting tips rather than security how-to.
  • keatron Member Posts: 1,213
    Unfortunately, there are really no books, per se, on how to get into security consulting. The key is to stay focused and stay motivated. You'll certainly hear many people saying things like certifications don't matter. But I would tell anyone, if you have an opportunity to get Security+, get it; same goes for other security certifications (and other non-security certs as well). Because believe it or not, just having Security+ can land you in the perfect entry level position to grow. It's not very likely, but it could happen. Now add Sec+ to something like MCSE:Security and/or CCSP, and all of a sudden the chances of that happening increase. Keep grinding, getting more experience (even if it's desktop support); it will pay off.

    Be prepared, no matter what cert you have, to still end up in an entry level position as far as security goes; it's almost a given if you don't have solid experience in the area. Once you do finally land that entry level role, you need to truly OWN it. In other words, if your first job is to watch packets and monitor logging, then don't just do that. Take extreme pride in it. Do extra, like export that data to Excel and create analysis charts. Remember, higher-ups like pretty charts, plus looking at the traffic from a graphical standpoint can help you get a better understanding of what's actually going on as well. This is just one example, but whatever your initiation job into security ends up being, embrace it and go the extra mile as I've just described. People will notice, and if the right people notice, you're already on the right track. In the end you'll probably have a better understanding of traffic analysis than you would if you didn't go the extra step.

    Find out from the employer what the next logical step is from the position you're currently in. When you find out, spend some of your personal time researching that next position. Find out the level of knowledge required, the skills required... then GO GET IT. Not having money for books is NOT an excuse; you can go into Borders and read for free all day if you just purchase a few cups of coffee. If there's no bookstore nearby, then re-introduce yourself to Mr. Google. You'll need to graduate beyond just typing terms in the Google homepage search bar. Dig in and master the advanced search features; better yet, get a copy of Google Hacks, learn some Perl and get busy (Perl knowledge will certainly help you in the security world too, so it's a win/win move).

    One common entry level job is documentation and/or implementing IDS/IPS/firewall rules that have been designed by someone higher up the food chain. Again, don't just do this job; do it and then try to understand what the designer was thinking, why the rules and filters are to be configured the way you've been instructed to do it. Even ask the security engineer who designed them. Keep in mind, we're oftentimes very busy, and some of us are even arrogant. So you might be brushed off from time to time with looks of "I know he/she can't possibly understand the greatness of my methods", but keep asking. Eventually they'll realize you're not going away and start to feed you "meat". Small morsels at first, but savor these.

    Don't focus on proving you know this early in the game, focus on KNOWING.

    If I find a book, I'll certainly let you guys know. Maybe I'll write one ;)
  • JDMurray Admin Posts: 13,039
    keatron wrote:
    If I find a book, I'll certainly let you guys know. Maybe I'll write one ;)
    Hey, I know a publisher that might be interested in that book! ;)
  • Paul Boz Member Posts: 2,620
    keatron wrote:
    Once you have that entry level position you need to truly OWN it. In other words...

    I cannot stress enough how valid this advice is. Promotions come from not only doing your job well (that's expected of you) but going above and beyond your job duties. Management respects people that are willing to innovate and learn. Don't brag to your bosses that you're working on a cert, either. Get the cert, hang it in your cubicle, and casually mention that you worked on it in your spare time. The dedication to improving your knowledge will go a long way, and keeping it on the "down low" will really show that you're hungry for the knowledge, not the title.
    CCNP | CCIP | CCDP | CCNA, CCDA
    CCNA Security | GSEC |GCFW | GCIH | GCIA
    pbosworth@gmail.com
    http://twitter.com/paul_bosworth
    Blog: http://www.infosiege.net/
  • buulam Member Posts: 55
    homerj742 wrote:
    What's a good age to begin as an independent consultant?

    I am a Security Consultant, though I consult through a firm.

    I was 23 when I started.
    Currently working on:
    CCNP (BCMSN, ONT, ISCW completed)
    HP ASE ProCurve Networking (BPRAN, Security completed)