What it takes to be a security consultant

IT security consultants tend to be busy people. Given the widespread shortage of professionals with skills in many different aspects of cyber security, organizations frequently need help from outside experts.

Like many others who work in information security, Kevin Beaver, did not initially set out to pursue a career in the field—or to eventually become an independent IT security consultant. “During my senior year of high school, my late mother, Linda, encouraged me to go to college and study computers. That seemed to be a growing field with lots of opportunities,” Beaver says. “My mom was exactly right! My computer studies led to me pursuing this thing called computer security.”

For his undergraduate college education, Beaver attended Southern College of Technology—now Kennesaw State University—and received a bachelor’s degree in computer engineering technology. He attended graduate school at Georgia Tech and received a master’s in management of technology.

While in college, Beaver held part-time positions at companies including IBM, Hewlett-Packard, and Lotus Development. “These were call center/help-desk related jobs,” he says. “Those roles taught me how to best deal with people and learn the technical ins and outs of the products I was supporting.”

It was the IBM job that Beaver says helped him eventually find his calling as a consultant. “It was a systems engineer role at IBM,” he says. “In that position, I had to write proposals, do the technical hands-on work, write reports, train users and so on. I quickly learned that being self-sufficient, disciplined, and most of all a good communicator were essential for the role as a consultant. It all just felt natural to me.”

The year he graduated “was the year the World Wide Web really took off and the internet as we now know it provided a lot of opportunities for security—even way back then,” Beaver says. “So, the first six years of my career were focused on computers and networks, but it was a very natural transition to move into security.”

After returning to IBM as a systems engineer at a division that

focused on K-12 computers, software and services, Beaver landed his first full-time job out of college, with a local K-12 school system. “With my new computer engineering-focused degree and six-plus years of IT work experience, I thought I knew it all,” Beaver says. “But my new role as technology manager quickly put me in my place. Not only was the technology at the school system dated, we had this thing called ‘the internet’ that we wanted to connect the schools to.”

For the next three and a half years, Beaver learned more than he ever dreamed he’d learn about workstations, servers, LANs, WANs and, in particular, firewalls and web browsers.

That job “gave me the experience I needed to start winding down my career as a regular employee and transitioning to a full-time consultant,” Beaver says. His next three jobs in the late 1990s and early 2000s were as a network security consultant for a value-added reseller, an IT services director for a systems integrator, and an information security manager for a dotcom company in the business-to-business marketplace.

“The role as the security consultant was amazing,” Beaver says. “I developed a ton of connections across the Atlanta area, many with whom I’m still connected nearly two decades later.” The IT services director role was short-lived and forgettable, he says, but the dotcom role helped him get to know the inner workings of the big hosting/collocation companies and the legal ins and outs of large online marketplaces. “It was the final kick in the pants I needed to go out on my own and be happy with that decision,” Beaver says.

In 2001 Beaver launched his own information security consulting firm, Principle Logic LLC, which provides a variety of security assessment and penetration testing services as well as consulting. A big part of being a successful independent consultant is being independent by nature. “By and large, I think I’m just a guy who likes to think for himself and make his own decisions,” Beaver says. “I was that way as a child and, apparently, you never grow out of that.”

The consulting roles he has held felt right to him. “I’ll have to admit, it wasn’t just my love for the role,” he says. “It was also me working [full-time] for other companies, where I witnessed bad management literally run the businesses into the ground. So, I promised myself that I’d never work for another company again.”

The “emotional intelligence” Beaver says he gained over the years of working for companies has helped him interact better with clients—everyone from IT directors to CIOs to executives. “The people and business side of my experience is priceless,” he says.

Working as an independent IT security analyst has not required Beaver to return to school or get any specialized training. “Outside of the inner workings of computer hardware and software that I learned a lot about in my bachelor’s degree program, fortunately I timed the IT and security industries really well and learned what I needed to on the job,” he says. “That’s the best kind of experience anyway.”

Looking ahead, Beaver’s plan is to continue to get better at what he does. “I have a guiding principle in my goals document that says, ‘I strive to be a knowledgeable and sought-after consultant, writer and professional speaker,’” he says. “I focus on personal market dominance and continually work to be known in the industry as a person of value.”

Learning and growing is a continual process, Beaver says. “I know that in order to continue competing with the big, name-brand consulting firms I have to promptly do what I promise and provide valuable deliverables, that my clients are not just ‘satisfied’ with but [that] also build loyalty,” he says. “That’s what keeps them coming back.”

Many companies are hiring independent outside consultants to act as interim CISOs, and others are using consulting firms to do the same,” says Joyce Brocaglia, CEO of Alta Associates, a leading executive search firm specializing in cyber security. In addition to having a thorough understanding of technical issues, consultants aiming to provide high-level cyber security leadership need to have a good knowledge of business.

“Gone are the days that companies are searching for CISOs [or consultants that can fill that role] based on their technical competencies alone,” Brocaglia says. That role “is now valued as a bridge for business enablement, so these leaders need to demonstrate collaboration and influencing skills with business stakeholders, be able to effectively and succinctly present to the board, interact with regulators and have the capability for the development of an overall risk strategy for their companies.”

According to Payscale, the median income for a security consultant is $82,476. “Consulting incomes are probably harder to measure given the lack of corporate HR data,” said Beaver. “As with any income, it can vary greatly depending on the value you bring to the market, the level of diversity you have in your work (e.g., consulting and writing, speaking, etc.) your productivity skills, and so on. With two different consultants doing generally the same work, their incomes could vary by hundreds of thousands of dollars.”

A big part of being a consultant is being prepared to hustle for the work you get. “The most difficult, yet most potentially rewarding, part of being an independent consultant is generating and maintaining cash flow,” Beaver says. “You hear some people say they’re on a ‘fixed income.’ As a consultant, you’re on no income. Every week brings new opportunities for not only doing all of my billable work but also generating new leads and landing new deals.”

This is why Beaver has started saying he’s in sales when people ask him what he does for a living. “At the end of the day, that’s what it’s all about,” Beaver says. “It’s selling my personality, my specific expertise, and my wisdom. Succeeding as a consultant is 100 percent dependent on the value I bring to the marketplace. This not only requires being at the top of my game with security, but also being a savvy businessman who stays on top of time management and goals in order to maximize my utilization.”

Above all else, the most critical aspects of working for himself, especially when he’s competing for much of the same work as the big players in the space, “is to continually work to improve my deliverables and be someone who builds and maintains strong relationships with my clients, business partners, and others who can support my efforts.”

Anything else we missed? Head to Facebook to add comments.