
Top whitehat consultants earnings

drrossgellar Member Posts: 4
Hey Tech!

I have been doing some self study on various topics, and one of the most interesting areas (to me) is security. I was out shopping and came across a "Hacking Exposed" book, and figured it would be a really good read so I bought it. This was really how I came across the black hat/grey hat/white hat titles. I think that the point for most that are interested in security is to be some sort of consultant? Maybe own their own firm or liaise with high-level business and conduct audits and so forth.

What would the salary range be for these white hat individuals? I can't seem to find a lot of information on the earnings; I can find some for the BH's (in the millions), but seeing as they are illegal it doesn't really count.

Has anyone else done any research into this, or is it something you are aiming for?

Thanks guys.

Comments

  • Paul Boz Member Posts: 2,620
    That's what I do for a living, amongst other things. I do penetration testing, IT audits, social engineering, risk assessments, etc. If a bank or credit union is required to have a service, I can provide it. Security is the highest growth area in IT right now, so there are lots of people trying to get into it.

    You will never make it in the real world as a consultant if you don't have a strong foundation and background in doing security work. My best advice for you would be to get some security certifications, stay "in the loop" on current security events, and read as many books on subject matter as possible. Also, if you want to be a paid hacker you have to know what you're doing. I'd set up some vulnerable systems in VMware or something and have fun hacking them.

    Also, attitude is everything in this industry. If you show up to a client with the "I'm a hacker and I'm here to rip you apart" mentality you'll never get clients or keep current ones. You really have to have the mentality that your job is to help your clients improve their security. If you go into an organization with something to prove you're just going to look like an idiot and the client won't get any value. However, if you can go in, tactfully rip a network apart, then provide clear and concise reporting on what you did with valid advice on how to get better, the client will not only be happy with your work, but will be happy to recommend or endorse you.

    Another thing to keep in mind is that there is a difference between what you read in books and what exists in the real world. I see guys that are "knowledge heavy" start out in this industry making grandiose recommendations that, to someone with a budget, are ridiculous. You have to understand the scope of your client, understand their operating culture, and understand what recommendations you can make that will be effective and implementable. Sure, it would be nice for everyone with a data network to use Fort Knox security measures, but it's not practical for most organizations.

    Lastly, remember that business always comes before security and not the other way around. With 100% security you can't conduct business, so you have to find that equilibrium between productivity and security. If you tell someone to set the organization's screensaver lockouts to 1 minute it'll never fly. Likewise, if your only recommendation is "get rid of what you have and replace it all" it won't get very far either.
    CCNP | CCIP | CCDP | CCNA | CCDA
    CCNA Security | GSEC | GCFW | GCIH | GCIA
    pbosworth@gmail.com
    http://twitter.com/paul_bosworth
    Blog: http://www.infosiege.net/
  • Turgon Banned Posts: 6,308
    It's a very wide-ranging field. I endured a site-level BS7799 audit in 2002 which I'm happy to say we passed, and had books like that on our shelves because as a network specialist I regarded security as being an inherent aspect of the job, as it is for everyone. Boat loads of people have moved into this area and continue to want to move into this area because it's emerged as a genre in its own right. To be a credible consultant requires more than certification, although this certainly helps. You will be looking at having a solid foundation and building an impressive track record in delivering security-type services. The technical aspects of security, while important, are not the whole picture. A lot of technical security work is dull; actually, a lot of security work can be dull quite frankly, so I would do some reading before you barrel off in this direction. But it can be very interesting as well. The pen test thing is one trap people fall into. It's important, but far from the exciting life the security consultant is supposed to lead. We did our own pen tests in 2001 as an in-house IT department and passed any audit someone came along to do. We developed Java-based FX solutions for banks.

    You will need to read widely and stay abreast of lots of things. As for the ubergeek technical security specialist, it's a lot more complex and competitive these days, with many more people chasing those areas.

    But as I say, it's a wide area with some nice jobs to be had.
  • dynamik Banned Posts: 12,312
    Paul Boz wrote: »
    If a bank or credit union is required to have a service, I can provide it. Security is the highest growth area in IT right now, so there are lots of people trying to get into it.

    Dumpster diving isn't the only service Paul will perform in a dumpster...
    Paul Boz wrote: »
    Also, attitude is everything in this industry. If you show up to a client with the "I'm a hacker and I'm here to rip you apart" mentality you'll never get clients or keep current ones. You really have to have the mentality that your job is to help your clients improve their security. If you go into an organization with something to prove you're just going to look like an idiot and the client won't get any value. However, if you can go in, tactfully rip a network apart, then provide clear and concise reporting on what you did with valid advice on how to get better, the client will not only be happy with your work, but will be happy to recommend or endorse you.

    This is important. I think clients actually enjoy my IT audits (well, as much as you can enjoy an audit). I tell them right off the bat that I'm not going to be combative, and I hope this will be an educational and enjoyable experience. I really try to educate and show how they can improve instead of just finding faults and assigning blame. I don't let things slide, but I don't state those recommendations in a condescending manner either. I think you'll find a lot of auditors have low self-esteem and enjoy cutting people down (important note: people like that no longer work for us).

    +1 to everything else Paul said. Saved me the trouble of writing it ;)
  • h.embass Member Posts: 5
    Hey, great stuff there on security. It has always been one of the most remarkable areas to work on and is in great demand, since most organizations are looking for secure networks. As we all know, hacking can impact their businesses real bad. One breakdown could take down the entire organization, so most are willing to invest big on security to save the entire thing.