
  • Consultancy

    This is not a job-hunting or a job posting. It's just the closest area of the forum I could find to what I want to ask about.

    I'm currently on a fixed contract for a company which I'm really enjoying - they're actually listening, genuinely care about their security posture, and are looking to improve it. On top of that they've got a parent company who have the pockets to buy tools that a normal company the same size would never be able to get into budget.

    They've asked me to stay on after the contract ends, which is nice of them and normally I'd love to. However realistically I'm only giving them maybe 1 in 4 days as productive, working to build up internal skills for people to take on the vast majority of what I'm doing for them, and am not interested in doing the day to day. I've told them this, and they've said they'd be more than willing to take me on afterwards as an independent consultant for them.

    It's something I've been thinking about for a while and would very much like to go for. I don't want to end up accidentally in a CISO role, as that often seems to involve moving away from the problem-solving I enjoy (whether it's people, processes, or tech). Nor do I want to do the BAU work, as I get bored without the variety (this is not to denigrate those who do that sort of work, or to say that I can't do it if I need to, I just do not find it personally fulfilling).

    I really don't want to go to one of the larger consultancy companies as I've had too much experience with their output before.

    So really this is asking for advice and opinions on whether there's a market for independent security consultancy (distinct from contracting) which is not specific to technology, people, or processes. And whether anyone has advice for someone looking to start up that way but nervous about going the fully self-employed route for work.

  • #2
    It depends on how big the team is. I've got no shortage of problems to solve at my place.

    I've always drawn a distinction between contracting and consulting. In my mind, contracting is hired labor, whereas consulting is about stepping back and focusing on creating value for the client, focusing on the "why" questions, and helping them make decisions.

    I think there is a lot of room in the market for consultants, especially those that can wear both the vCISO and architect hats, and help implement. If you can standardize your method/approach, you could be able to keep the costs down enough to capture the gigantic small business market. Small businesses are going to get killed by new legislation in the coming decade.

    Twitter: @AccidentalCISO


    • coffeefueled commented
      Definitely agree with the distinction. I've found more and more over the last few years I'm doing less work myself, and spending a lot more time helping a company understand what work they need to do, why they need to do it, and a bit on how they can do it with what they already have (or what they need to add to do it).

      My main reason for wanting to avoid a CISO role is because I don't think I could maintain the same level of independence that I am at the moment.

      Also, I may know and see too many CISOs online to want to be in that particular role - would much prefer to be the trusted, independent voice who can come in and support than have to deal with the compromises and tradeoffs.