
Feasible to start security career moonlighting as an independent contractor?

bhoops Member Posts: 41 ■■□□□□□□□□
Most of what is written about cyber-security careers applies to people looking to get a job at a large company, or move up within one. What about someone who has decades of JOAT IT skills, who trains themselves in security, and goes out to find their own clients (while moonlighting from their day job)? So instead of trying to moonlight doing web or mobile development, trying to build a cyber-security business from scratch.

Has anyone heard of anyone doing this? I see people all the time doing web and mobile development without having done it as their day job, but I've never seen anyone create their own cyber-security business without having been in the business before.

Comments

  • docrice Member Posts: 1,706 ■■■■■■■■■■
    Possible I guess, depending on what kind of service you're actually providing. Infosec isn't something you'd moonlight though.

    Cyber-security careers aren't limited to large companies and there are small-to-mid-sized organizations with those positions as well. When I say "small" I'm referring to maybe a few hundred employees though. Businesses with only a few dozen likely won't have such an opening.
    Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
  • lavidicus Member Posts: 18 ■□□□□□□□□□
    I've thought about doing that: stand up an LLC and perform vulnerability scans. I even considered becoming a channel partner for Tenable, selling their software along with security services. You could probably do it, but the market looks like it's becoming saturated from the little bit of research I've done.
  • JoJoCal19 Mod Posts: 2,835 Mod
    lavidicus wrote: »
    I've thought about doing that: stand up an LLC and perform vulnerability scans. I even considered becoming a channel partner for Tenable, selling their software along with security services. You could probably do it, but the market looks like it's becoming saturated from the little bit of research I've done.

    I've done some research on it as I've thought about the same thing, but I've found there are already a few small security shops here in Jacksonville alone.
    Have: CISSP, CISM, CISA, CRISC, eJPT, GCIA, GSEC, CCSP, CCSK, AWS CSAA, AWS CCP, OCI Foundations Associate, ITIL-F, MS Cyber Security - USF, BSBA - UF, MSISA - WGU
    Currently Working On: Python, OSCP Prep
    Next Up: OSCP
    Studying: Code Academy (Python), Bash Scripting, Virtual Hacking Lab Coursework
  • joelsfood Member Posts: 1,027 ■■■■■■□□□□
    PLENTY of small (20 or less) companies looking for PCI compliance help. Go ahead and do it.
  • Danielm7 Member Posts: 2,310 ■■■■■■■■□□
    joelsfood wrote: »
    PLENTY of small (20 or less) companies looking for PCI compliance help. Go ahead and do it.

    Can't the really small places do the self-assessment questionnaire for PCI? I'd just be leery of hiring a contractor, in off hours, who is brand new, for my PCI needs. Other basic stuff, maybe, but I'd want some significant experience for someone handling PCI audits.
  • cyberguypr Mod Posts: 6,928 Mod
    Remember, some people just want to tick that checkbox via the path of least resistance.
  • joelsfood Member Posts: 1,027 ■■■■■■□□□□
    Many small companies don't have the technical knowledge/confidence to fill it out themselves.
  • lavidicus Member Posts: 18 ■□□□□□□□□□
    joelsfood wrote: »
    PLENTY of small (20 or less) companies looking for PCI compliance help. Go ahead and do it.

    Wouldn't your company require a QSA qualification in order to do that work? I've looked into that also, but what I read said you had to be a PCI-DSS certified org. Not for helping the companies perform the self-assessment, but for the full compliance audit.
  • BuzzSaw Member Posts: 259 ■■■□□□□□□□
    I think the issue is that if someone is going to hire a contractor, they want to see a laundry list of experience in a specific field. Even small companies are smart enough to know that you get what you pay for.

    One thought that I've had is doing pro bono type work here and there for small businesses, churches, or non-profits. For example, I once found a small business in my area that had a GAPING hole in security that could have led to identity theft pretty easily, and it was mostly by accident that I stumbled upon this. I would suspect there are a lot of small businesses like that. If you volunteer a few hours of your time to educate them, or even fix the issue under a free service contract (no liability), you could build up a portfolio of customers that a PAYING customer is more likely to buy into.

    I think this is TOTALLY do-able ...
  • bhoops Member Posts: 41 ■■□□□□□□□□
    I was considering creating a "basic vulnerability review" that could be done for a fee, with follow-up work done at an hourly rate. At a minimum I could run a lot of the same assessments a hacker would try, just to make sure they didn't have any obvious issues. There are a couple of "case scenarios" that could be productized, so the customer knew what they were paying for. If it is true that cyber-security has a 0% unemployment rate, then entering that business would be a very smart move, especially if you love the work. Friends have mentioned doing compliance audits; I will have to look into that. A freelance Windows Admin that I know mentioned some expensive certs that allow you to do compliance audits. I forgot which ones they were (it was like $5k to get certified, assuming you pass the tests).

    Thanks for all the positive feedback. Maybe instead of getting a 4 year degree, then getting certs, then getting an entry level job, then going independent, I should just learn the skills, make some "products", and start getting clients.
  • rono Member Posts: 121 ■■■□□□□□□□
    I hope you are based in the US, because it's challenging to make money from pentesting/ethical hacking in other places. Most pentesters:

    1. have a name/brand
    2. have been in the game for at least 5+ years, if not 10+ years.
    3. all seem to earn money from teaching others to become pentesters or presenting a tool at hacker gatherings like BlackHat, and I doubt that they conduct as many pentests as they advertise, even in the US. Europe is even worse.

    But there is hope, bhoops! If you are or become a good pentester, you can:

    - search for bug bounty programs (https://bugcrowd.com)
    - write a book about this subject
    - get yourself a blog and become a pentest-queen posting "news" from others, and earn money from advertising and selling security products (but not pentesting)
    - teach others online on Coursera or Udemy
    - search for freelance hacker jobs
    - or get a job in a big company that needs pentesting and hacker-defense-like positions, as most certified pentesters here do.
    Mess with the best, Die like the rest!
  • IronmanX Member Posts: 323 ■■■□□□□□□□
    rono wrote: »
    3. all seem to earn money from (teaching) others to become pentesters or presenting a tool at hacker gatherings like BlackHat, and I doubt that they conduct as many pentests as they advertise, even in the US. Europe is even worse.

    Providing training seems to be how individuals make the lion's share of their money.

    I've heard before that an instructor gets like $1000 a head for a 5 day course.
    I looked up a random SANS instructor and in an 8 month period they are working 53 days. $1000 / 5 days = $200 a day per head. Let's say you had a super low class turnout of 10 people. $200 * 10 students a day * 53 days in an 8 month period = $106,000. Then that person offers security services while not doing training, but really at that income (I think my estimate of 10 students is super low) for 8 months of work they really don't need the work, and the best bang for their buck is probably just staying relevant and up to speed on changes in the industry.

    AND I bet most of their clients come from contacts they have made with students they have taught. I did some SharePoint training years ago and the instructor offered something like 1 free day of consultation to all students. How many orgs took him up on the free consultation, and then decided the person they sent to do the training probably couldn't achieve what the instructor could, and got the instructor to set things up and have their internal person mirror the instructor and continue to learn and do more of a maintenance role?

    I kinda feel like if there are not many people offering security services as a side job, there is probably a reason it is not done.
    Like what was mentioned before, people make web sites, web apps, mobile apps, games, etc. as an on-the-side job. Besides game development, I think for the most part people are making enough money to make it worthwhile. Game dev, umm, I think the consensus now seems to be that those who make professional products do well and those who treat it like an art fail. Making a crappy game like Flappy Birds and wondering why you're not making any money, when some guy did the same thing and made millions just because it went viral, is not a good business plan.
  • bhoops Member Posts: 41 ■■□□□□□□□□
    Training is a good idea, and I am getting some more ideas. I might try what used to be called "intrapreneuring", acting like an entrepreneur within your existing company. In a nutshell, if I could demonstrate my employer's software products could be improved, I could then offer to train the other employees how to make the software better. I could then offer that service to other companies, either by myself or through my employer.

    I think there are not many moonlighting infosec consultants because the ones with the skills are already working for big companies.

    In some scenarios, a product would work better. For example, if a local hospital hired a small 1-man PHP shop to make an in-house app, who would be better able to pay me, the 1-man shop or the hospital? In that case, I would try to work for the hospital to verify the app they were getting was solid. If the hospital was part of a chain that had their own programming staff, it might be better to offer training to their staff. I doubt you would get any money out of a 1-man PHP shop, regardless of how badly they needed help.

    If I formed a company, Bhoop INC, a hospital might trust me if the list of companies I had worked with included the ones from my day job (though I would be open about it having been at my day job). Or maybe my current employer would embrace the things I was doing, and work with me on it.