Security Consulting

This may not be the right place (I have my Asbestos suit on just in case) but I was wondering if there are any independent IT security consultants out there. I have a regular job working for the state and after having 2 jobs eliminated out from under me in the last 3 years I am a bit gun shy about leaving a good state job.

That being said I am also not doing security work (Peoplesoft Queries mostly) but I want to eventually get back into security both for the money and for the job satisfaction.

I like the folks I work with and all but PS queries are just one step above paint drying in interest level for me. It pays the bills but that is about all the good I can say about it! J

My question is (and I know it is a broad question) but what would it take to start a security consulting business? I am thinking of specializing in Pen Testing which by its nature would be better done on the weekends anyway.

Any comments?

Find more posts tagged with

Free for TechExams community: Cybersecurity salary guide

Compare cert salaries and plan your next career move

Button

Comments

mcgargle

And as to why I am here asking this question I did take the CISSP exam Dec 20th and am waiting for my results. And since this forum is about that test I figured it would also be chock full of security folks that had an opinion on consulting.

veritas_libertas

Don't worry man, we don't bite. I am sure you will get some answers to those questions.

Welcome to TE!

GAngel

What would it take?
Money to cover your initial expenses, marketing and lawyer fees.

I don't think there is any one right answer but it would probably help if you stood out from the crowd in some way and not just cert wise.

JDMurray

Keatron once made some posts a few years ago about him owning a security and pen testing business. Try searching for them. Although there was the usual money, lawyers, and insurance needs, he also talked about really needing a drive to own you own business. It's very hard work and you need to really love what you do, otherwise you'll not have the will and desire to continue forward when things get tough.

dynamik

Do you have pen testing experience? It'd be rather difficult to find people willing to let you learn on their networks. You'll also need to like the idea of writing reports; that takes a significant amount of my time. This sample will give you a good example: http://www.offensive-security.com/offsec-sample-report.pdf

pennystrader

I am currently reading a book and really enjoying it. It is for starting a business but it takes lots of hard work, studying on your own time and learning to get yourself even an opportunity like Dynamik said to get that chance. That being said this book is really interesting to me.

Amazon.com: Professional Penetration Testing: Creating and Operating a Formal Hacking Lab (9781597494250): Thomas Wilhelm: Books

mcgargle

dynamic
Thanks for the link. I figured that there would be a lot of report writing. Having the technical knowledge to find holes in the perimeter is one thing but being able to communicate those findings to the powers that be will be the difference between a successful consultancy and a nerd with an attitude!

I have a lot of broad range experience in IT (DBA and admin on a dozen different platforms and apps over 15 years) but Penetration testing is a new area for me. I am studying the GPEN requirements and trying to get better at them.
Fortunately I have made quite a few friends in different companies over the years and I already have three different companies that trust me enough to do Pen Testing (as long as I don’t charge them of course) so I can learn and hone both my penetration skills and my reporting/presentation skills.

mcgargle

pennystrader
Thanks for the book link. I will order it as it looks like just the thing to give me the background of the “business” side to becoming a “Professional Hacker”.
As I said earlier to dynamik (sorry about the misspelled name in the earlier reply, spell checker got it and I didn’t notice) I have a lot of IT experience but the Penetration Testing/White Hat Hacker areas are new to me but I see it as both a growth area and as kind of a professional responsibility. With the China/Gmail/Adobe stuff coming to see the light of day I am starting to understand that the world of IT security needs capable people and I would like to think I am one of them. I am certifiable if nothing else!

unsupported

mcgargle wrote: »

... As I said earlier to dynamik (sorry about the misspelled name in the earlier reply, spell checker got it and I didn’t notice)...

He's been called worse.

mcgargle

Well I just got my e-mail and I passed. Now on to try to convince them to endorse me from my experiance. Dont know any real live CISSP cert holders myslef.

veritas_libertas

mcgargle wrote: »

Well I just got my e-mail and I passed. Now on to try to convince them to endorse me from my experiance. Dont know any real live CISSP cert holders myslef.

Congratz!

dynamik

Congratulations!

The GPEN stuff is quality. That will help a lot with the legal/regulatory and presentation side of things a lot. You might also want to check out the OSCP for a solid technical pen testing cert.

gregscott

Hey Mcgargle - congrats on passing!

I see you're from La Crosse. I'm in the Twin Cities. Looks like we're in the same boat - did we see each other at the test site in a hotel ballroom in downtown Minneapolis on Dec. 20? I also don't know anyone in good standing with ISC2 so we share similar endorsement challenges.

Starting up a consulting practice is not easy. I've been doing it for lots of years, but the world was way different when I firsted started independently in 1994. I would urge you, try to line up some gigs first before you take the plunge. Believe me, bored with an income is much better than starving. IT consulting in general is a very crowded market today and everyone now laid off who used to work in an IT shop is now an independent consultant.

Come up with a marketing strategy. You want to do pen testing. Wonderful. How many others out there already do pen testing? Why would your testing be better than your competition? How big is the market? How would you approach potential customers? How would you go up against already established players and win? As a self-admitted IT geek, how do you pass the credibilty barrier that we all face as technology professionals? FWIW, if you passed the CISSP test, don't sell yourself short as an IT Geek. You're a professional and you had better put that message out to the world if you want anyone to take you seriously.

One tactical suggestion might be, try to find that first pen test customer and do that engagement on the side. Maybe take a few vacation days from your full time job to deliver the engagement. Evaluate how you like the experience. Evaluate whether it's worth the hassle to set up a whole business infrastructure for yourself.

Just a few thoughts.

- Greg

mcgargle

gregscott wrote: »

Hey Mcgargle - congrats on passing!

I see you're from La Crosse. I'm in the Twin Cities. Looks like we're in the same boat - did we see each other at the test site in a hotel ballroom in downtown Minneapolis on Dec. 20? I also don't know anyone in good standing with ISC2 so we share similar endorsement challenges.

Starting up a consulting practice is not easy. I've been doing it for lots of years, but the world was way different when I firsted started independently in 1994. I would urge you, try to line up some gigs first before you take the plunge. Believe me, bored with an income is much better than starving. IT consulting in general is a very crowded market today and everyone now laid off who used to work in an IT shop is now an independent consultant.

Come up with a marketing strategy. You want to do pen testing. Wonderful. How many others out there already do pen testing? Why would your testing be better than your competition? How big is the market? How would you approach potential customers? How would you go up against already established players and win? As a self-admitted IT geek, how do you pass the credibilty barrier that we all face as technology professionals? FWIW, if you passed the CISSP test, don't sell yourself short as an IT Geek. You're a professional and you had better put that message out to the world if you want anyone to take you seriously.

One tactical suggestion might be, try to find that first pen test customer and do that engagement on the side. Maybe take a few vacation days from your full time job to deliver the engagement. Evaluate how you like the experience. Evaluate whether it's worth the hassle to set up a whole business infrastructure for yourself.

Just a few thoughts.

- Greg

Yup I was there somewhere. I was at seat 19 I believe, about midway up on the right side, aisle seat! Nice hotel, no wonder they have to charge so much for the test!

I would be just as "at home" as a Ramada Inn by the Interstate with a pop machine in the hall, but hey, that’s just me!

I have been talking about the endorsement to some folks I met at the ISSA meeting last week. It seems the folks I talked to have the impression that it is not so much that they have known you for a long time, it is more that they go over your resume and talk to you to get a sense if you are the person on the resume! I have asked for some names of folks who might be willing to do this with me.

It helps if you join the ISSA and make the Minnesota chapter your home chapter. They get an e-mail (and $20 out of your registration) saying you are now a dues paying member.

As far as the consulting goes I am very aware of the bored versus starving cycle! I have a good State job right now and I plan on holding on to it for at least a couple of years while the economy gets back up to speed. I want to do the consulting on the side to make a little money (state = reliable, not high paying) and to refine my Security chops.

Trust me, I can't afford to take that plunge without a few good stable customers to keep food in the kitchen!

And in here among other geeks I am a geek, but if I am working for you I am your security professional with several difficult Industry certs, a BS and an MS in computer systems and a wall full of parchment paper saying I'm a really smart guy. I do “clean up well” and I can talk business with the best of them. Just because I have 6 computers at the house (7 with the new Linux box) doesn’t mean anything!

JDMurray

mcgargle wrote: »

I have been talking about the endorsement to some folks I met at the ISSA meeting last week. It seems the folks I talked to have the impression that it is not so much that they have known you for a long time, it is more that they go over your resume and talk to you to get a sense if you are the person on the resume! I have asked for some names of folks who might be willing to do this with me.

This is how I've given (ISC)2 endorsements. It's rather like a job interview over lunch. We just chat about our experiences in security IT, and life and I can tell all I need to know from that.

dwtherock

Just think how foolish I feel with my direct mailers to prospective clients offering penetration testing w/o reading this thread. No worries, I closed that business down. No one's buying IT services for SMB in my area. Sure I may not have had the best marketing or the best name at the time. Now I have the name, (watch the calls come in now).

Owning a business as well as working for one is a double time job (imagine if I actually got work) Well I was studying for my CCNA Sec as well. Anywho.... McGargle, best of luck to you. It's not easy. Going into it like Encyclopedia Brown is not the way to go. Seeing this PDF, and of course the lawyers to protect you etc. It's a lot of work.

Personally my goal is to work for someone else doing it. I'm a great worker bee but with life and work the balance must be struck.

Dynamik, you still have your blog up?? You had/have some interesting reading off your site.

Paul Boz

The problem with penetration testing for a living is that only a subset of organizations do it. The company that Dynamik and I work at services the financial industry because banks and credit unions are required to purchase independent third-party testing of various types. It's hard to get Joe's Diner to pay you to do a pen test when A.) they don't really care about security, and B.) they're not required to do so.

The only security consultants that I know that do the solo game are those that have been in this industry for years and have quite a lot of experience, certs, and education. I was just at one of the nation's larger private banks and they had a SOX guy onsite for six months making more than I make in three years.

JDMurray

e-Discovery is also a very profitable business to get into because of the need for electronic discovery as part of the litigation process for all types and sizes of businesses. It was once nearly impossible to get into computer forensics without having a legal or law enforcement background, but e-Discovery has become a way into that field without having those backgrounds.

veritas_libertas

JDMurray wrote: »

e-Discovery is also a very profitable business to get into because of the need for electronic discovery as part of the litigation process for all types and sizes of businesses. It was once nearly impossible to get into computer forensics without having a legal or law enforcement background, but e-Discovery has become a way into that field without having those backgrounds.

Just thought I would add some extra links... Interesting stuff!

Tuesday’s Tip: E-Discovery Jobs are on the Rise

http://blogs.techrepublic.com.com/career/?p=361

dynamik

Paul Boz wrote: »

The problem with penetration testing for a living is that only a subset of organizations do it. The company that Dynamik and I work at services the financial industry because banks and credit unions are required to purchase independent third-party testing of various types. It's hard to get Joe's Diner to pay you to do a pen test when A.) they don't really care about security, and B.) they're not required to do so.

Yes, over six months I have only worked with two companies who were not financial institutions. One was a state agency that just got some basic security awareness training, and the other was a company that got an external pen test because someone told the CEO that their security wasn't good enough. Sadly, very few organizations will take security seriously if they are not required to do so. Honestly, a lot of places don't take it seriously even when they're required to do so.

dwtherock wrote: »

Dynamik, you still have your blog up?? You had/have some interesting reading off your site.

No, and while I don't remember what I posted, I'm glad it was interesting

I have some college courses and certs to clear up in 2010, but I'm going to make a serious attempt to chronicle my GSE studies in 2011, so stay tuned!