Going solo: How to be a security consultant
Going solo: How to be a security consultant
We all dream of being our own boss, but what does it take to set up a successful business in the real world? Mark Mayne has some advice.
IT security consultants have it easy, as everyone knows. They swan around the city, taking long lunches and even longer holidays, and all for a few meetings, a couple of phone calls and a bit of fiddling around with a BlackBerry. And anyone with some idea about IT security could do this, right? Well, not exactly. SC takes a look at the life of an IT security professional going solo, how it's done, and the highs and the lows.
First, setting up on your own isn't the right job for everyone. While a large corporation has a department working on each business area, such as IT, marketing, accounts etc, the lone consultant has to take on all these roles, and more. Being a qualified and experienced IT security professional does not necessarily mean an individual can deal effectively with clients, construct and follow a realistic business plan and stick to their own budgets.
"The biggest challenge is to have the combination of required capabilities," confirms Roy Harari, UK managing director of Comsec Consulting. "A technically superior IT professional will also need excellent marketing and personal skills to succeed on their own. It's all about the nature of the person - a techie guy who communicates through his keyboard is unlikely to be able to present at board-level. We're talking about business here, so having and adhering to targets, whether performance-related or financial, is crucial. This is a very rare combination, but it is possible to learn these other skills, especially on the business side."
Tim Best, director of enterprise security solutions at Logica CMG, agrees. "You need to be able to approach the entire board convincingly and lucidly, and do the same with the IT department. You have to be comfortable discussing the business case for a job and proving return on investment," he says. "I believe it's important to be able to move customer thinking away from IT as a grudge spend and towards recognising the potential of new technology and ways of working."
The right qualifications
A consultant also needs to have the raw industry knowledge and the credentials to go it alone. Several years of top-level security experience are critical, as well as specific qualifications. "There are a lot of qualifications to choose from, and there are multiple ways to refine or broaden the focus of your business through taking management or architecture units, for example," says Peter Berlich, a member of the (ISC)2 board of directors and founder of Birchtree Consulting in Switzerland. "Establishing relevant and high-quality credentials upfront is the most important area of setting up a consultancy."
The most widely recognised formal qualifications include those from ISACA (the Information Systems Audit and Controls Association), (ISC)2 (the International Information Systems Security Certification Consortium) and ISEB (the Information Systems Examinations Board). These certifications are globally recognised, a key factor when working with international organisations.
The two most relevant ISACA qualifications, both accredited by the American National Standards Institute, are the CISA - Certified Information Systems Auditor, and the CISM - Certified Information Security Manager. (ISC)2 recommends the Certified Information Systems Security Professional (CISSP), which is accredited by ANSI to ISO Standard 17024:2003. Within this qualification, either the Information Systems Security Architecture Professional (ISSAP) concentration or the Information Systems Security Management Professional (ISSMP) are of most use to freelancers, according to the company.
However, not everyone agrees with this emphasis on education. Rick Essen, managing director of XNLT IT, believes that many of his SME clients are not that interested in outright qualifications. "Surprisingly I've found that customers often don't want to look at qualifications as much as get references for similar work I've done. I think that good-quality references are the most important thing to convince customers to take you on."
References are certainly essential, but Harari has some words of warning: "You need to be careful about references, and be sure to keep jobs quite separate. The client is not stupid, and if you talk openly about previous work, you can be sure they will be wondering what you will say about them in the future."
Relationships are key to establishing a successful consultancy, but they can also be the biggest challenge. Vendors will be keen to get you signed up to an exclusive deal, while customers will expect you to have wide-ranging knowledge to call upon, as well as having in depth information at your fingertips. So is it better to stay independent or commit to one vendor?
"It's important for consultants to remain independent from vendors," Best insists. "You need to partner with them, but not get sucked in further. This can be a bit of a love-hate relationship, as they'll be keen to pull you in - it can be a delicate balancing act. It is key that you can recommend the appropriate solutions to your clients - bear in mind that the security market changes every two years, so you'll need to keep up to date."
Many IT security professionals will come from a background of working with blue-chip companies and should have a pedigree spanning several in order to succeed. This in itself can be an issue, as Berlich explains: "Having set up your own consultancy, you have to reposition your 'brand' as separate from your last employed post. This can easily lead to conflicts of interest, which you must be very aware of. Additionally, working with competitors to your ex-employer needs to be kept on a very professional footing."
Finding the right balance
The most important relationship is that between client and consultant, and again you need to watch out for potential pitfalls. While a consultant should provide value for money, there's also the issue of giving too much. Essen believes that security audits are a good example. "Some companies with their own IT department are a tricky balance to strike, especially when you're doing an audit," he says. "Too much information and they could just implement your suggestions themselves, while too little loses you the work. It's not always easy to manage how much detail to give."
Alan Philips, managing director of 7safe has a good tip for dealing with larger customers: "Remember that the client's purchasing department has one sole purpose, and that is to beat you down on price. Don't take this personally, be ready for the discussion, and keep in mind your overheads and price structure - if they're too demanding it may not be worth your time doing the job ... ".
Marketing is a tricky area even in established businesses and can easily trip up beginners. Selling yourself too aggressively may alienate customers, or could simply be so successful that you're inundated with more work than you can do. An added danger of this unbalanced "boom-and-bust" way of working is that it may lead to dry periods when little money is coming in - a real risk for a small business.
So what can IT consultants do to market their offerings in the right way? "Being known in the security field is vital for marketing and business purposes, and an excellent way to raise your profile is by speaking at conferences," Berlich suggests. "But make sure they're targeted at the right market. RSA and Infosec have both been good for me in the past - it's important to go along and meet the right people. Word of mouth is the best recommendation, and the biggest winner for smaller businesses without a big public profile - you have to make your reputation travel."
Harari agrees: "Recommendations are the number-one sales generator. Your reputation will spread itself to a certain extent - you have to ensure that it's totally spotless, and keep it that way."
Of course, it's not just about going it alone whatever your skills. The most successful businesspeople know their own strengths and weaknesses, and play to them. If you don't have the marketing abilities you need to make IT security consultancy work, then find someone who does. "Partnering with 'the other half' is often the most successful way to begin a business," Harari continues. "It's all about strengths and weaknesses, as well as self-knowledge."
Philips echoes his feelings. "You simply have to have a business head to set up on your own. A degree or further qualification in business studies is a good idea, but it's always difficult to switch between different hats, and it's important to be able to relinquish parts of the workload to others."
Naturally, there are benefits to running your own IT security consultancy, such as personal fulfilment, flexibility and job satisfaction. There is also a very practical side. In spite of the consolidation of the security market and moves by giants such as IBM to provide localised consulting services, there is still a large gap in the market for smaller businesses. "The largest consultancies are keenest on bigger projects, purely due to their size, so smaller companies can simply pick out the smaller jobs," Philips points out.
Also, a smaller consultancy can specialise more readily, a move that makes particular sense for the consultant going solo. Setting up a stand that has a fresh, new unique selling point in a fairly crowded market could be the only way to be successful. Just don't think about it too long, warns Berlich. "I think the biggest error people can make when considering whether to go it alone is to wait for the best moment to do so - it never comes! It's certainly better to do it younger, as you can then change your plan more easily. Leave it too late and you might be too old to re-enter business."
Ultimately, becoming a lone IT security consultant is a long task, and not one to be taken lightly. Without careful, realistic planning and solid business acumen most startups will fail, and you need the right mix of personal attributes to avoid disappointment. For those entrepreneurs who succeed however, it will be the most fulfilling thing they ever do ...
GROWING THE BUSINESS
Once established, a consultant inevitably reaches the next stage of the business plan: growth. This is where the strategy side of business management comes to the fore. While running a one-man-band can be challenging, stressful and requires long hours, running a small company is many times more so. Legal issues become more pressing, as you will have to consider employment law, pension provision and health and safety legislation.
Roy Harari, UK managing director of Comsec Consulting, believes there are distinct stages in the development of a consultancy. "From one through to five people is the first stage, then up to 15 employees, then up to 30. These are the main stages in development, and each one requires significant capital investment to progress through," he explains.
Aside from cost, the people you choose to represent your brand are the most important. Harari thinks this is one of the biggest pitfalls facing a growing consultancy: "Consultancy is a people-driven business, and you will want to try to predict what skill sets you'll need to meet market requirements in the future. Failure to do this will result in an unbalanced workforce and limited company vision," he warns. "However, predicting this mix precisely is extremely problematic."
Alan Philips, MD of 7safe, agrees. "When recruiting, you'll need to find people with an affinity for what you're doing. The trouble is, when you get into recruitment and become an employer, your focus changes completely, from IT security to business management. You'll be looking into human resources issues, training for your employees - the list goes on," he says.
The key to dealing with growth is to have a solid business plan from the beginning, as well as a strategy that looks towards expansion. While it may be tempting to simply use freelance help and subcontract excess work, this can be problematic. EU employment law provides protection for subcontractors that provide a regular service for extended periods, and freelancers may decide to take future work for themselves. There is also a quality assurance issue, and subcontractors may not share your ethical viewpoint.
TOP TEN TIPS:
1 Register with the Inland Revenue All self-employed workers must register, and there is a potential penalty of £100 for failure to do so within three months. The helpline for the newly self-employed is on 0845 915 4515. The Inland Revenue will send you a self-assessment tax return form, which is then your responsibility to complete. For more information, visit www.hmrc.gov.uk.
2 Tax - get organised Unfortunately, leaving employment means that you have to deal with your own taxation. If you are self-employed, you must still pay National Insurance contributions as well as income tax. Organise both these outgoings from the beginning to save an annual panic when the deadlines come around.
3 Sales and marketing Often not a core expertise for IT workers, but certainly an essential skill for the self-employed. Experienced freelancers spend as much as one third of their time pursuing new business.
4 Get an accountant Accountants can help make financial decisions, keeping your new business on track and satisfying the requirements of the Inland Revenue. Their fees are tax-deductible, and bank managers are impressed by the output from good accounting systems.
5 Pension scheme Make arrangements for a pension scheme and other insurance policies that would normally be provided by an employer. Be sure that you are adequately covered should you be unable to work for an extended period.
6 Make a business plan Without a strategy, your business will never grow.
7 Organise the books Make sure that you have a filing system for invoices, receipts, bills etc, and that you use it. Disorganised paperwork can be a nightmare and could land you in legal trouble if important documents are misplaced.
8 Location - home or rented office? Rented offices are plentiful in most cities and can offer an excellent professional working environment. However, the costs can be high, and it's important to check that they have the right facilities available. Working from home is tempting in many ways, but try to keep your home office space separate from the rest of your house if possible, otherwise you may find that work encroaches too much into your personal life.
9 Take responsibility You will be the person responsible for everything to do with your business, from emptying the bins and paying the bills to dealing with difficult clients. Make sure you're up to speed on all aspects, or employ someone else who is.
10 Ride the financial roller coaster There will be good months and bad months, so build up a financial safety net to cover your overheads. Try to keep marketing yourself even in the good times.