Career Advice Tuesday – “Advice For Starting An Infosec Consultancy”
August 16, 2011
I hate to bring up what seems to be the elephant in the room within information security and penetration testing in particular, but how exactly are people getting the gigs doing this. Personally, I have tons of training, 15+ years experience in the realm, business experience to match and every time I ask this question, nobody seems to want to answer/discuss it.
It is a known fact that the big companies (IBM, the Big X, large telcos,etc) sell it as a service to existing companies but there are A LOT of two-three man pen testing teams that seem to stay busy constantly. I understand that people don’t want to give out there client attraction methods and strategy but I have yet to see this topic covered. There has to be a lot of others with the necessary experience asking the same thing.
Anyway, just can’t seem to tackle the elephant in the room. Nobody wants to cover it.
Thanks guys and unique blog for the infosec community.
To be candid, I had to look at your question a number of times before I was able to formulate a response. It is my interpretation that the crux of your question is, how do you begin your own information security consulting business – particularly in the field of penetration testing. In addition, you would like to know why others are successful, and why some (you) can’t seem to get off the ground.
First of all, I should start by telling you that all businesses are similar – and beginning a penetration testing consulting business is no different than starting any other services business – such as lawn care, pool service, or home painting. When people decide to buy any service, they look for certain elements – experience, competency, price, and reliability. Anyone who has been successful in beginning a small information security business has been able to personally demonstrate these qualities in their previous life, prior to forming their own company. It is from this reputation and personal brand, that they are able to attract some of their initial customers, which provide them with experience and references, which they should be able to leverage into new business opportunities.
Another essential component of any business (and career) is the ability to sell and market ones services and one’s self. It is this skill that often separates the successful from the remainder of the pack. Selling ones talents and branding ones skills in the marketplace and information security is often overlooked as the key factor in determining success. Many information security professionals have focused their professional development on their technical skills, but at the same time they have neglected to attempt to develop their business/sales/presentation skills.
Long and short, there are many technical “rock stars” that have failed on their own as business people, but once partnered with competent business people, have achieved great things.
I have learned over the years that business is about surrounding yourself with great people who compliment your strengths. Maybe it would be best for you to find someone who can help “open some doors” and help sell your talents. Or, maybe you need to reevaluate your assessment of your business skills, and try to honestly assess some of the obstacles that are standing in your way in getting your business off the ground.
Understand that it is easy to prove technical competency, but in the world of business, the proof of competency solely lies in the color of the ink – “red” or “black”.
In closing, our note does not mean to come across as harsh, but it is meant to be direct.
Hopefully some of this advice and insight helps, and your infosec consulting business will get off the ground soon.
Hope this helps,
Lee and Mike