Striking out as an independent security consultant is risky, especially in the current economic climate
It may seem an odd time to abandon corporate safety and strike out as an independent consultant, but it can work. By Jessica Twentyman.
By Paul Dorey's own admission, the timing for starting his own business could have been a lot better. At the end of last year, just as global markets plunged even deeper into crisis, Dorey resigned from a high-profile, secure corporate job as CISO at petroleum giant BP and started his own independent IT security consultancy, CSO Confidential.
That bold decision was fuelled by a combination of personal and professional factors. He had always wanted to run his own business, he says, but had got used to living in a “cushioned corporate environment”. It wasn't until the prospect of an office relocation reared its head that family considerations forced him to think about going it alone.
Three months in, he's delighted with his progress thus far, but admits to a few worries along the way. “Doom-laden headlines in the papers didn't do much for my confidence levels in the early days,” he says. “But they've strengthened my resolve to make a go of things.” He also took comfort from the advice of other IT security consultants: “They pointed out that, in times of economic challenge, the organisations that do well are the ones that are flexible and creative. Self-employment gives you much more freedom in that respect.”
It's a freedom that many would envy, along with the job satisfaction and personal fulfilment that a life of freelance consulting can offer. Not everyone is prepared to take on the risks involved, especially in the present economic climate. In recent months, several large global companies, including Siemens and Capgemini, have announced swingeing cuts to their consultant and contractor budgets for 2009. And while IT security spend is likely to account for a larger slice of IT budgets in 2009, say analysts at Forrester Research, those budgets will shrink by an average of three per cent. Dorey insists that his pipeline looks strong for the time being – and there's no doubt that his credibility, 20-year track record and vast network of contacts will stand him in good stead.
The same is true for John Walker, former CISO at Experian and now running his own consultancy, Secure Bastion. For him, success in a time of turbulence is a question of shifting focus, where necessary. “You've got to look for areas of opportunity and change your approach according to the economic weather. Right now, there's a real rise in interest from the public sector,” he says. “If financial services is your only area of focus, you may be in trouble. You've got to be able to accommodate the clients and industries looking for help now.”
It's also a question, says Walker, of positioning yourself strongly when opportunities arise. From his own experience, he knows that CISOs look for external help when the services they seek lie outside the expertise of in-house staff, or when they need the objective perspective of someone not embroiled in the internal corporate politics.
They're also looking for a level of service that they won't get from any of the larger information security providers: less costly, certainly, but also more personal and more flexible. For these reasons, a broad base of skills is vital.
But technical skills alone won't cut it: IS professionals need to know how to sell themselves, not just to an IT department, but also to senior-level executives.
A useful guide to developing and reinforcing these kinds of skills, says Dorey, is provided by Peter Block's Flawless Consulting: A guide to getting your expertise used (Jossey Bass). Block sets out an “alternative vision” for the consultant. “The days of long studies and expert-driven answers are passing,” he says. “The task of the consultant is increasingly to build the capacity of clients to make their own assessments and answer their own questions.”
Qualifications are important, but not necessarily a deciding factor for firms looking to work with a third-party consultant. “A prospective client will want to see concrete proof of your competency, certainly. But they'll also be interested in your approach. They'll want to see that you can listen and that you can quickly come up with practical solutions,” says Walker.
That view is echoed by Dorey. “There's a feeling that qualifications don't typically measure your skill in the application of knowledge – just as a medical degree doesn't make you a doctor.”
In his other role as chair of the Institute of Information Security Professionals (IISP), Dorey is working towards establishing a common competency accreditation for the industry, based on rigorous peer assessment and benchmarking. “The more we harmonise the different ways of accrediting IS professionals, the more clarity we get about what can be expected of them,” he says. Eventually, IISP membership will be dependent on this process, he adds.
The issue of vendor independence can be a tricky one. A good relationship with vendors can be valuable, but for many clients, it's more important that a consultant is seen to assess a range of products before settling on the one that can best address the client's challenge.
Says Walker: “The solution you recommend for the client has to be 100 per cent to their benefit, otherwise you're playing a risky game with your credibility and reputation – your two most important assets in this business.”
In addition to these considerations, prospective consultants must also develop the practical skills needed to run a business, as well as identifying the best advisors in areas such as accounting, taxation and legal issues.
Of course, being an independent consultant needn't mean working alone. As well as CSO Confidential, Dorey is working on another business, Security Faculty, alongside David Morgan, former CISO of Lloyds TSB. Security Faculty provides training and development in leadership skills. “It's really beneficial to be involved in a joint venture of this kind,” Dorey says. “I was concerned that, working on my own, I would not have the benefit of a feedback loop.”
Justin Clarke, director and co-founder of consultancy Gotham Digital Sciences (GDS), found another way around this problem. After ten years working in information security in New Zealand, the US and the UK for Ernst & Young, he got together with three former colleagues to establish the London offices of GDS. “The New York office was already up and running, so when they were looking to expand internationally, we were the obvious people to approach,” he says. Clarke says that working in a group offers benefits in terms of flexibility and work/life balance. “In a big firm, you're not always free to hand off work to another member of the team when it's time for a holiday. Teamwork and collective responsibility are a big part of our approach at GDS and it works well for us all,” he says.
Whether working alone or in a group, self-discipline, motivation and determination may be the deciding factors that mark a consultant out for success or failure. “You must want to run your own business,” says Dorey.
Getting rich shouldn't be the main motivator, he says, because, for those at the top of the tree, there are already plenty of well-paid security jobs out there: “In the last four months, I've seen 20 heads of security jobs being headhunted, and last time I checked, barely a third of them had been filled.”
For those with less experience, however, life may be a lot tougher in 2009, according to research from recruitment company Barclay Simpson. It is frequently asked by its corporate and public sector clients to find information security consultants to carry out contract work. “In 2008, the increased number of contractors looking for work resulted in more competition for positions, with rates falling approximately ten per cent for generalist information security work,” says Barclay Simpson's report, Information Security Market 2009. Some contractors were requested to move into permanent positions to cut costs, the firm found. On the positive side, specialists such as identity management experts and penetration testers were able to maintain their rates, but in 2009 “there will almost certainly be more competition among contractors, as those who have been made redundant from permanent roles will also be looking for contract work”.
In 2008, the public sector was a major area of opportunity – a trend that is set to continue in 2009. In particular, the firm saw strong demand for CLAS consultants (those registered as listed advisers with CESG, the information assurance arm of GCHQ) to fulfil central government projects. Those consultants with a strong track record in this area are being tied into longer, more lucrative accounts, says the report, and demand is expected to remain, if not increase, in 2009.
In the commercial sector, the outlook for 2009 is more mixed. Barclay Simpson anticipates that continued consolidation in the financial services industry could result in an increased demand for consultants with network security and architect skills to assist with post-merger systems-integration projects. And the continued drive towards ISO 27001 could increase the number of roles for consultants with specialist skills in this area, it added.
Whether information security professionals enter the consultancy business by choice or through redundancy, this is clearly still an area of opportunity – but only for those with the drive and skills to truly set themselves apart from the herd.
Setting out your stall
So you've decided to become an independent information security consultant. How do you get your name out there – and bring business in?
Your success will depend on three things: reputation, reputation, reputation. That will involve seeding the marketplace with evidence of that reputation – through intensive networking, glowing client references and establishing yourself as a thought leader.
“Other consultants are extremely helpful – it has been a revelation to me,” says Paul Dorey, former CISO at BP and now running his own consultancy, CSO Confidential. “I've actually found, to my surprise, that there is less head-on competition between independent consultants than you'll typically find between different departments within a large corporation.”
It's also a question, he says, of staying in touch with old contacts and making new ones, whether they're former colleagues, former employers, or people you've met through industry organisations and trade shows. Often, he says, when one consultant learns of an opportunity that they are unable to fulfil due to other commitments or a lack of specialised skills, they are happy to refer the prospective client to another consultant.
They can also be useful in terms of recommending books and providing insight into how easy (or otherwise) it is to work with a particular vendor. John Walker of Secure Bastion uses online social networking tool LinkedIn regularly and says that it has been remarkably productive for him.
On the subject of trade shows, exhibitor costs can be prohibitive for small or one-person consultancy outfits, but attendance can still be valuable. Better still, a speaking slot at these events is an excellent opportunity to demonstrate your depth of knowledge and strategic thinking, as well as explaining to a wide audience what led you to develop these attributes.
If you aspire to see your name in print, all the better. Trade magazines are always looking for expert commentators to give their view in news stories and articles, so journalistic contacts can be a real plus and may open up opportunities for you to write longer opinion pieces.
You may even write a book. Justin Clarke, co-founder and director of Gotham Digital Sciences, will see his book, SQL Injection Attacks and Defense, published by Syngress next month – a move that will further strengthen his company's reputation in the field of protecting vulnerable web applications.
As part of his business plan for 2009, Dorey has planned a pipeline of papers and speeches that aim to get his name out to as wide an audience as possible.
But for a first-timer, even a simple blog, updated regularly, can be a powerful tool for reaching out to potential clients and joining in wider discussions in the IS community.
Coping with the recession
The greatest danger in times of turbulence is not turbulence itself, according to management guru Peter Drucker. The real threat, he wrote in his 1980 bestseller, Managing in Turbulent Times, lies in acting “with yesterday's logic”.
For independent IS consultants, the recession should provide several areas of opportunity, if they are prepared and able to readjust their business models accordingly. Peter Dorey of CSO Confidential says that many clients are looking at ways to achieve better security on tighter budgets. That's a major theme of his work this year and he recently contributed his best-practice thinking on the subject to Driving Fast and Forward, a report from the Security for Business Innovation Council.
Prospective clients will also be unable to ignore the growing risk of insider fraud and outside attacks on their systems as economic times get harder, says John Walker of Secure Bastion. So the market should hold strong for those consultants with skills in vulnerability assessment and forensic evaluation skills.
Compliance, too, remains an area of non-discretionary spend for many organisations and a lively market for ISO 27001 consultants is expected for 2009. With outsourcing still on the rise and cloud computing quickly gaining in popularity, IS functions may well need help in 2009 to explore the implications of keeping data beyond the corporate firewall. John Walker has recently advised clients on how problems within the Indian outsourcing business are likely to affect data security and what can be done to mitigate these risks. “Risk doesn't slip down the corporate agenda in an economic downturn,” he says. “If anything, it's more important than ever. So think about your clients and think about their areas of risk – there's potentially a lot you can do to help them address these.”
Join the club
The information security community is a sociable one and industry bodies are a great place to network with peers, share advice and contacts and meet potential new clients. Below is a non-exhaustive list of some useful organisations:
- Institute of Information Security Professionals (IISP) www.instisp.org
- Information Systems Audit and Control Association (ISACA) www.isaca.org
- Information Systems Security Association (ISSA) www.issa.org
- International Information Systems Security Certification Consortium (ISC)2 www.isc2.org
- Jericho Forum www.opengroup.org/jericho
- The Open Web Application Security Project (OWASP) www.owasp.org