How to be a security consultant?
http://www.shvoong.com/writers/razvi
We (I) dream of being our (my) own boss, but what does it take to set up a successful business in the real world?
IT security consultants have it easy, as everyone knows. They swan around the city, taking long lunches and even longer holidays, and all for a few meetings, a couple of phone calls and a bit of fiddling around with a BlackBerry. And anyone with some idea about IT security could do this, right? Well, not exactly. Let’s take a look at the life of an IT security professional going solo, how it’s done, and the highs and the lows.
First, setting up on your own isn’t the right job for everyone. While a large corporation has a department working on each business area, such as IT, marketing, accounts, etc., the lone consultant has to take on all these roles, and more. Being a qualified and experienced IT security professional does not necessarily mean an individual can deal effectively with clients, construct and follow a realistic business plan, and stick to their own budgets.
“The biggest challenge is to have the combination of required capabilities.” “A technically superior IT professional will also need excellent marketing and personal skills to succeed on their own. It’s all about the nature of the person - a techie guy who communicates through his keyboard is unlikely to be able to present at board level. We’re talking about business here, so having and adhering to targets, whether performance-related or financial, is crucial. This is a very rare combination, but it is possible to learn these other skills, especially on the business side.”
“You need to be able to approach the entire board convincingly and lucidly, and do the same with the IT department. You have to be comfortable discussing the business case for a job and proving return on investment.” “It’s important to be able to move customer thinking away from IT as a grudge spend and towards recognising the potential of new technology and ways of working.”
The right qualifications
A consultant also needs to have the raw industry knowledge and the credentials to go it alone. Several years of top-level security experience are critical, as well as specific qualifications. “There are a lot of qualifications to choose from, and there are multiple ways to refine or broaden the focus of your business through taking management or architecture units, for example.” “Establishing relevant and high-quality credentials upfront is the most important area of setting up a consultancy.”
The most widely recognised formal qualifications include those from ISACA (the Information Systems Audit and Control Association), (ISC)2 (the International Information Systems Security Certification Consortium) and ISEB (the Information Systems Examinations Board). These certifications are globally recognised, a key factor when working with international organisations.
The two most relevant ISACA qualifications, both accredited by the American National Standards Institute (ANSI), are the CISA (Certified Information Systems Auditor) and the CISM (Certified Information Security Manager). (ISC)2 recommends the Certified Information Systems Security Professional (CISSP), which is accredited by ANSI to ISO Standard 17024:2003. Within this qualification, either the Information Systems Security Architecture Professional (ISSAP) concentration or the Information Systems Security Management Professional (ISSMP) concentration is of most use to freelancers, according to the company.
However, not everyone agrees with this emphasis on education. “Surprisingly, it has been found that customers often don’t want to look at qualifications as much as get references for similar work done. Good-quality references are the most important thing to convince customers to take you on.” “You need to be careful about references, and be sure to keep jobs quite separate. The client is not stupid, and if you talk openly about previous work, you can be sure they will be wondering what you will say about them in the future.”
Relationships are key to establishing a successful consultancy, but they can also be the biggest challenge. Vendors will be keen to get you signed up to an exclusive deal, while customers will expect you to have wide-ranging knowledge to call upon, as well as having in-depth information at your fingertips. So is it better to stay independent or commit to one vendor? “It’s important for consultants to remain independent from vendors.” “You need to partner with them, but not get sucked in further. This can be a bit of a love-hate relationship, as they’ll be keen to pull you in - it can be a delicate balancing act. It is key that you can recommend the appropriate solutions to your clients - bear in mind that the security market changes every two years, so you’ll need to keep up to date.”
Many IT security professionals will come from a background of working with blue-chip companies, and should have a pedigree spanning several of them in order to succeed. “Having set up your own consultancy, you have to reposition your ‘brand’ as separate from your last employed post. This can easily lead to conflicts of interest, which you must be very aware of. Additionally, working with competitors to your ex-employer needs to be kept on a very professional footing.”
Finding the right balance
The most important relationship is that between client and consultant, and again you need to watch out for potential pitfalls. While a consultant should provide value for money, there’s also the issue of giving too much. Essen believes that security audits are a good example. “Some companies with their own IT department are a tricky balance to strike, especially when you’re doing an audit.” “Too much information and they could just implement your suggestions themselves, while too little loses you the work. It’s not always easy to manage how much detail to give.”
Marketing is a tricky area even in established businesses and can easily trip up beginners. Selling yourself too aggressively may alienate customers, or could simply be so successful that you’re inundated with more work than you can do. An added danger of this unbalanced “boom-and-bust” way of working is that it may lead to dry periods when little money is coming in - a real risk for a small business.
So what can IT consultants do to market their offerings in the right way? “Being known in the security field is vital for marketing and business purposes, and an excellent way to raise your profile is by speaking at conferences.” “But make sure they’re targeted at the right market. RSA and Infosec have both been good for me in the past - it’s important to go along and meet the right people. Word of mouth is the best recommendation, and the biggest winner for smaller businesses without a big public profile - you have to make your reputation travel.” “Recommendations are the number-one sales generator. Your reputation will spread itself to a certain extent - you have to ensure that it’s totally spotless, and keep it that way.”
Of course, it’s not just about going it alone, whatever your skills. The most successful businesspeople know their own strengths and weaknesses, and play to them. If you don’t have the marketing abilities you need to make IT security consultancy work, then find someone who does. “Partnering with ‘the other half’ is often the most successful way to begin a business.” “It’s all about strengths and weaknesses, as well as self-knowledge.” “You simply have to have a business head to set up on your own. A degree or further qualification in business studies is a good idea, but it’s always difficult to switch between different hats, and it’s important to be able to relinquish parts of the workload to others.”
Naturally, there are benefits to running your own IT security consultancy, such as personal fulfilment, flexibility and job satisfaction. There is also a very practical side. In spite of the consolidation of the security market and moves by giants such as IBM to provide localised consulting services, there is still a large gap in the market for smaller businesses. “The largest consultancies are keenest on bigger projects, purely due to their size, so smaller companies can simply pick out the smaller jobs.” Also, a smaller consultancy can specialise more readily, a move that makes particular sense for the consultant going solo. Setting up a stand that has a fresh, new unique selling point in a fairly crowded market could be the only way to be successful. “The biggest error people can make when considering whether to go it alone is to wait for the best moment to do so - it never comes! It’s certainly better to do it younger, as you can then change your plan more easily. Leave it too late and you might be too old to re-enter business.”
Ultimately, becoming a lone IT security consultant is a long task, and not one to be taken lightly. Without careful, realistic planning and solid business acumen, most startups will fail, and you need the right mix of personal attributes to avoid disappointment. For those entrepreneurs who succeed, however, it will be the most fulfilling thing they ever do …