One-Person Consulting Firms? How Are These Possible

egrizzlyegrizzly Member Posts: 533 ■■■■■□□□□□
The trend I've been noticing lately is the rise of 1-man or 1-woman consulting firms. Now at the monthly security group meetings one loses count of how many people are working as independent consultants.  Yet, when they present their services to you it's a very long list like that below.  So how is this possible for one person to do?  Are they just reselling services from bigger firms, or is their really a workable system to providing all these services as a InfoSec Consultant

[The below services I've noticed most consultants provide]

CYBERSECURITY ASSESSMENTS
Vulnerability Assessment Services
Penetration Testing Services
Social Engineering Assessments
Security Architecture Review & Design

FEDERAL SERVICES
Risk Management Framework (RMF) Support
Security Assessment and Authorization
FISMA Certification
FedRAMP Compliance
NIST 800-53 Assessment Services
Continuous Monitoring
Vulnerability Analysis and Penetration Testing
Security Policy and Procedures Documentation
Security Staff Augmentation

HEALTHCARE ASSESSMENTS
HIPAA / HITECH Readiness Assessment

PRIVACY ASSESSMENTS
Domestic and Cross-border

CLOUD SECURITY ASSESSMENTS
Cloud Security Services; FedRAMP Compliance

SOC EXAMINATIONS

THIRD PARTY RISK
B.Sc (Info. Systems), CISSP, CCNA, CCNP, Security+

Comments

  • LordQarlynLordQarlyn Member Posts: 693 ■■■■■■□□□□
    It's not easy but it's possible. Once you get enough hands on experience in a particular field and you are very good at it, you can market yourself as a one man consulting firm. This is not limited to IT, other fields have consultants as well. While the list above seems big, many of them work together and are interrelated. If you worked across all the items on the list, you can get a feel for it, learn to do good analysis, learn to make good decisions, learn to effectively solve problems, learn to provide effective solutions to your client, learn to audit and evaluate, it is something to consider. Oh and be a good researcher and be willing to consult others as well. The most difficult part is getting started when you have no credentials, history or references, you are an unknown. I've read where some got their start as a side job, at first doing pro bono work for nonprofit organizations until they got some good testimonials and references. Then they started marketing themselves, attending trade conventions, seminars, where they networked extensively, while still doing pro bono for nonprofits if necessary. If they managed to cross that initial barrier, then their business took off, if they continued to grow they could raise their rates gradually and soon it was their full time job, and quite a good one too.
  • egrizzlyegrizzly Member Posts: 533 ■■■■■□□□□□
    This is quite incredible.  So many of them are inter-related.  You're saying the training for these types of roles usually comes from certifications or having to get training from any consulting-related programs?
    B.Sc (Info. Systems), CISSP, CCNA, CCNP, Security+
  • bigdogzbigdogz Member Posts: 881 ■■■■■■■■□□
    For me it came to doing some side work which created a customer base. Now I do it full time.
  • yoba222yoba222 Member Posts: 1,237 ■■■■■■■■□□
    My vote is reselling / subcontracting most of the services.
    A+, Network+, CCNA, LFCS,
    Security+, eJPT, CySA+, PenTest+,
    Cisco CyberOps, GCIH, VHL,
    In progress: OSCP
  • NetworkNewbNetworkNewb Member Posts: 3,298 ■■■■■■■■■□
    Doesn't look like too crazy of list as long you have some experience in them.   I think it would be hard to be an individual consultant if they didn't have a decent list of services they could provide. 
  • scascscasc Member Posts: 461 ■■■■■■■□□□
    Very unlikely that a one man band can do all these services. However what people do is that they build relationships with other firms/ppl who can provide these services and win the work, charge a fee and keep a portion for when they pay that firm (sub-contract the work). 
    AWS, Azure, GCP, ISC2, GIAC, ISACA, TOGAF, SABSA, EC-Council, Comptia...
  • egrizzlyegrizzly Member Posts: 533 ■■■■■□□□□□
    scasc said:
    Very unlikely that a one man band can do all these services. However what people do is that they build relationships with other firms/ppl who can provide these services and win the work, charge a fee and keep a portion for when they pay that firm (sub-contract the work). 
    heh Scasc would you say you've picked up some of those skills from your extensive list of certs?  Looks like you've got certs covering Security Management, Risk, Cloud, and Pen Testing  :open_mouth:
    B.Sc (Info. Systems), CISSP, CCNA, CCNP, Security+
  • egrizzlyegrizzly Member Posts: 533 ■■■■■□□□□□
    yoba222 said:
    My vote is reselling / subcontracting most of the services.
    How exactly is this done Yoba?  The reselling/sub-contracting of security services.  Needless to say I know I've searched for the answer but have come up empty for the most part.
    B.Sc (Info. Systems), CISSP, CCNA, CCNP, Security+
  • LordQarlynLordQarlyn Member Posts: 693 ■■■■■■□□□□
    egrizzly said:
    This is quite incredible.  So many of them are inter-related.  You're saying the training for these types of roles usually comes from certifications or having to get training from any consulting-related programs?
    I would say hands on experience, knowing how to make good judgements for the clients. You've heard the old cliche, good judgement comes from experience which comes from making bad judgements. Well, in this case, the consultant made his bad judgements as an employee where unless it was really costly and results in termination, worse case is the employee gets called on the carpet, learns, and moves on. Most one man consultants I've known started in their late 30s or early 40s, some in their 50s, which if you do the math, that's a lot of years in the industry.
    egrizzly said:
    yoba222 said:
    My vote is reselling / subcontracting most of the services.
    How exactly is this done Yoba?  The reselling/sub-contracting of security services.  Needless to say I know I've searched for the answer but have come up empty for the most part.
    Many vendors you can become an affiliate, or as they often call it, "partner", where when you sell their products or services, you get a discount in the price and a commission, depending on the level of partnership, which often depends on the sales you've made; get more sales, get a better tier of partnership which results in a better discount and/or a higher commission. My best friend has started a side consultant as a collaboration/VoIP SME. Because he is certified at the top level as a Cisco Collaboration professional, he managed to get Cisco Premier partnership.
  • scascscasc Member Posts: 461 ■■■■■■■□□□
    egrizzly said:
    Very unlikely that a one man band can do all these services. However what people do is that they build relationships with other firms/ppl who can provide these services and win the work, charge a fee and keep a portion for when they pay that firm (sub-contract the work). 
    heh Scasc would you say you've picked up some of those skills from your extensive list of certs?  Looks like you've got certs covering Security Management, Risk, Cloud, and Pen Testing  :open_mouth:

    Hey. I’ve been contracting more than anything else over the last 3 years. This is where you are paid a day rate for your services. Firms advertise what they need, agents represent them. My own skill set is mainly risk, controls, management, architecture and cloud, I build these firstly through the certs, polished them through work experience and by doing further research/reading etc. I’m learning all the time by harnessing my knowledge where I can. 

    I love learning and I think that’s what keeps me going and in the running for these roles. 

    I reckon the US is different as it’s a massive market. Lots of opportunity to actually build your own business as a consultant and not necessarily a contractor. My advise would be to pick an area you like and one you can be the top of your game in and focus on that. At the same time build relationships by attending conferences,  connecting on LinkedIn etc who offer other services.

    AWS, Azure, GCP, ISC2, GIAC, ISACA, TOGAF, SABSA, EC-Council, Comptia...
  • LordQarlynLordQarlyn Member Posts: 693 ■■■■■■□□□□
    Doesn't look like too crazy of list as long you have some experience in them.   I think it would be hard to be an individual consultant if they didn't have a decent list of services they could provide. 
    Sometimes though being really really good at one thing can be lucrative for a consultant. While I was still in telecommunications, I had CDMA training twice by this consultant, paid for by two different companies, and all he did was travel the nation (and sometimes Canada) training people on cellular phone CDMA. His personal brand and website was simply titled howcdmaworks.com. From what I can tell, he was doing very well at it.
Sign In or Register to comment.