How to get started in IT security consulting

IT security consulting is an excellent way to grow as a security professional. In contrast to an corporate role, consultants are exposed to a variety of business situations and industries. Those who succeed in the consulting world find themselves equipped with greater skills and cutting-edge knowledge of new technologies.

Before you enter consulting, take note of the field’s current opportunities and challenges. “Migrating security services to the cloud, incident response, forensics and security risk assessments are areas in high demand,” comments Brian Honan, founder of BH Consulting. The Ireland-based IT security consulting firm has grown to 10 consultants and serves clients in Ireland, Europe, the United Kingdom and the US.

Aspiring consultants need to understand the various firms involved in the security business. Each type of organization will vary by specialization, geographic emphasis and growth prospects. An individual’s career options will be impact by their location and the skills they bring to the market. “Economically, it is important to understand that the two groups in consulting: those who generate the projects and those who do the work. Those who sell the projects always earn the highest income,” explains Peter Block, author of Flawless Consulting.

[ ALSO ON CSO: The balance of career power is shifting toward security ]

Large consulting firms such as Accenture, Deloitte, KPMG, PWC and EY all have technology and security groups at their organization. At a large multi-service firm, consultants benefit from strong institutional support (e.g. Deloitte runs Deloitte University to support professional development). The trade-off to these firms is that IT security may not always be a focus of the firm.

“Deloitte’s cyber security practice and related areas are growing rapidly,” commented Marc MacKinnon, partner in Deloitte Canada’s Enterprise Risk Services practice. “Aspiring security consultants need to show a passion for the field. In interviews, I often ask candidates for their assessment on breaking news stories relating to data breaches and security matters. Their response tells me a lot about their interest level,” he explained.

“A junior consultant in our cybersecurity groups has a unique opportunity to contribute. In many consulting organizations, junior staff simply execute on the direction of others. In this group, junior consultants are directly contributing to our methodology and approach. That is a tremendous opportunity to grow and learn,” MacKinnon added.

The future is bright for security consultants. “We expect to do a lot of hiring for security talent in Canada this year and in 2017,” he added. Deloitte is currently hiring for a variety of cybersecurity consulting roles. As of March 2016, the firm was looking for interns, analysts and consultants across the United States. Typical job titles include IT Security Solution Developer, Cyber Risk Assessments Consultant, and Cyber Risk Technical Architect.

The steady stream of cybersecurity incidents in the news means demand for security focused consulting firms. Examples in this category include Root9b, RSA, Fortinet and Palo Alto Networks. These firms typically focus on a specific niche: Palo Alto Networks focuses on threat detection and prevention while Forcepoint focuses on Internet of Things (IoT) security.

“Achieving success in this industry requires two skillsets: consulting and IT security capabilities,” explains Reg Harnish, CEO of GreyCastle Security. Established in 2011, GreyCastle has over 20 security consultants and had six open job roles as of March 2016. “Finding qualified consultants is challenging so we take several approaches. We recruit at tradeshows, conferences and from local colleges and universities,” Harnish explains.

“To address the talent shortage, we partnered with Hudson Valley Community College to offer a 10-week Cybersecurity 101 program,” Harnish explains. “I already know of two promising students in the course that we are thinking about as potential employees,” he added. The program subject matter is taught by GreyCastle Security staff while the administration is handled by the college.

“Our consultants are expected to develop a primary and secondary area of focus related to our practice areas,” Harnish continued. GreyCastle’s six practice areas are Risk Assessment, Awareness, Vulnerability Assessment, Penetration Testing, ISO [Information Security Officer] As A Service and Incident Response. The firm’s client base includes numerous health care and higher education institutions in the United States as well as private companies.

Large technology companies also offer cybersecurity consulting services to their clients. “Every morning, I face new problems to solve and research. That constant variety and change makes the work exciting,” commented John Kuhn, senior threat researcher at IBM Managed Security Services. “IBM hires a variety of security professionals in different areas and we have partnered with universities to develop the next generation of security talent,” Kuhn explained.

[ ALSO: 4 infosec hiring tips to attract top talent ]

“Getting your hands dirty is one of the best ways to get started in security consulting. For example, an aspiring malware analyst could analyze one of those applications, deconstruct it and then write a paper about their process. Going through that process would impress me,” Kuhn explains.

IBM has become a major player in the security field. IBM Security has over 7,500 researchers, developers, and subject matter experts focused on security. In 2015, the company added over 1,000 new employees to the security business. Opportunities at IBM include security research, working on security products, and consulting.

The entrepreneurial option

Becoming an independent security consultant is often an excellent option for those keen to break into the field. Running an independent practice requires several capabilities beyond technical knowledge. Sales and marketing skills represent the stumbling block for most novice consultants. Fortunately, there are ways to overcome this approach.

“For brand new solo consultants, your first clients tend to come from your personal network,” explains Block. “Learning to manage client expectations is important: some clients are looking for magical, turn-key solutions and that needs to be discussed,” he added.

“When I set up BH Consulting in 2004, I was lucky that many in my network needed my skills. Ever since then, our client base has grown. Referrals from existing clients have been a major source of growth,” comments Honan.