Starting in Security on my Own?

Corrsta Member Posts: 48
Hello all,

A few months ago, I decided to start my own side business doing web design and development for local organizations. With the success I was finding, I decided to expand my services to setting up desktops, networks, servers, telephones, and surveillance systems for my clients. At the rate I'm going, I'm seeing a lot of potential for the future, and I would eventually like to start providing security services like pentesting or forensics for these types of businesses. I really don't know too much about security, other than the fact that it seems extremely interesting.

Now, not to generalize, but I've spoken to several people working in the InfoSec community about how I could get started in the field, and the most common response I've gotten is an obnoxious "you need to be doing this for years before you even start to think about pursuing this field." This is usually coupled with, "you need to work for a major InfoSec company to get the necessary experience, but they won't even hire you without the experience in the first place."

I'm not saying I plan to start doing security anytime soon, but if I were to pursue training with groups like SANS or EC-Council, along with interning at security companies for some hands-on experience, can a lone person possess the necessary skills to provide these services to his clients?

Comments

  • NotHackingYou Member Posts: 1,460
    Start with Security+
    When you go the extra mile, there's no traffic.
  • YuckTheFankees Member Posts: 1,281
    You can definitely learn the skills by certifications and interning... but without doing it every day as your full-time job... it might be a whileeee until you can provide that kind of service to your clients.
  • wes allen Member Posts: 540
    IT security is a big place with many levels. And while you might not be up for helping with load-balancing firewalls, hot sites, redundant IPS, enterprise two-factor auth, etc., you may be able to provide all a small/medium-type biz needs, which, it happens, is a lot of basic stuff like backups, disaster recovery, A/V and malware, encrypting data at rest, some NAT, and password policy. Many people feel "the next big thing" in infosec is helping SMBs, since they typically do not have the internal resources to help themselves. Security+ is a good starting point, then just really try to learn some of the best practices for the size of client you are working with.

    Schneier on Security: All Those Companies that Can't Afford Dedicated Security
  • docrice Member Posts: 1,706
    Corrsta wrote:
    ...the most common response I've gotten is an obnoxious "you need to be doing this for years before you even start to think about pursuing this field."

    That's because security is an extension of basic pillars such as systems and network engineering, compliance, policy management, software development, etc. It's not a field in its own vacuum that you can pick up without understanding the related core areas, and gaining that level of comfort and skill requires a degree of applied maturity that generally doesn't exist without experience. Wisdom doesn't come overnight. Unless you've actually done some work on some of these subject areas, you won't know how to evaluate risk, impact, offense, and defense with a critical eye. And more importantly, you won't know how to see through vendor sales-speak and separate the snake oil from the half-baked solutions the marketing departments love to gloss over with multi-colored candy LEDs. There's a lot of suck out there.

    Security is not accomplished through book knowledge but through a continuous train (or train wreck) of trade-off decisions and compromises while balancing priorities, asset values, business drivers, discovered vulnerabilities, perceived risks, and probability of exploitation of your current posture, because at the end of the day you have to make do with the limited resources you have. It's a constant juggling act and the threat landscape (if you'll excuse the use of the over-leveraged, intelligence-driven, paradigm-shifting marketing term) changes frequently. It's a very time-consuming endeavor.
    Corrsta wrote:
    This is usually coupled with, "you need to work for a major InfoSec company to get the necessary experience, but they won't even hire you without the experience in the first place."

    I don't see why one would need to work for an infosec company to do security work. A lot of information security professionals work in typical organizations which just happen to have a security team.

    You can always start small with what you know. Installing and maintaining basic tools like anti-malware, configuring better security controls on operating systems, etc. can lead to better security, but you have to understand what's happening when the switches are flipped. A hardened configuration is "good," but there's always a cost somewhere (usually acceptable).

    But if you break a client's expectations of an application's behavior, then you'll be the one who has to justify the controls or undo them and let the client accept the risk. You can't just point to "best practices" without explaining it in layman's terms to non-technical people. Understanding the impact of your decisions is one of the tougher parts of the job. I'm sure this would be especially true with SMBs, who often don't have a technical staff, or staff who can understand the need for security or the current threat vectors.

    And it's very easy to give good-sounding-but-bad advice without knowing it.
    Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
  • the_Grinch Member Posts: 4,165
    Experience is very important in technology in general. Sometimes, when something breaks, you only have the knowledge in your head to fix it. The other thing to remember is that if you are consulting, then you are responsible. If the client gets hacked and customer data is stolen, you are the guy who signed off on it and will be the one having to justify what you set up. I had a professor who consulted with banks on security measures, and one would just not budge. They'd have their IT staff remove policies he suggested be in place, and eventually he told them he would no longer consult nor sign off on parts of the audits. The point is, if you are in court, you want to be able to show you performed your due diligence, and that would come from experience.
    WIP:
    PHP
    Kotlin
    Intro to Discrete Math
    Programming Languages
    Work stuff