Do you have what it takes to be an independent security consultant?
It doesn’t matter if you’re part of a big enterprise or a small company, you’ve probably wondered at least once what it would be like to work for yourself.
Dreams of more free time, the possibility of self-organizing and working when it suits you, no unreasonable requests from the boss, or endless stories coming from that boring co-worker are great, but could you find enough work and perform all the tasks? Would your future be better or worse if you were on your own? Could you survive without regular income until your business takes off?
In a new series of articles, I’m talking to information security professionals in different roles to discover the ins and outs of their jobs. This week you get to peek behind the curtain, and find out what it’s like to be an independent security consultant.
John Reyes Freeman in his office
The road back to information security
John Reyes Freeman, owner of Freeman Consulting, has an unusual background for someone that likes to spend his days tackling complex security problems using a keyboard.
After being fascinated with hacking during his teenage years, his life took an unexpected turn and he ended up working in China for 15 years, focusing on entertainment law. But the love for the technical aspect of security never faded. In fact, to decompress after a hard day at work, he would still fire up a vulnerable VM to hack.
Looking for a more rewarding career, Freeman set out to make security his day job. After achieving a few security certifications, he tried getting a job in the industry. The disadvantage of not being a computer science major kept potential employers asking: “How can a lawyer pen test?”
“Many of the HR people couldn’t care less that I have my own lab at home. Most barely knew what the OSCP was, and generally didn’t have an idea of the amount of skill it took to pass it,” says Freeman.
This situation ultimately led him to provide his services as an extension to his legal consulting business. Many of his current clients were in the tech space, yet they were uncertain about whom to ask for a security assessment.
Built on this initial approach and referrals, his security consulting business got off the ground.
The need for a strong business focus
When you’re your own boss, you have to deal with everything, not just the fun stuff. Before heading out on your own, analyze the market in your area and define your expectations.
“You need to understand the basics, such as marketing and pricing,” says Freeman. “Without having the industry knowledge that many consultants have before starting their own companies, I had to figure out what was an acceptable pricing model.”
Prices are tricky. If you charge too much you might not get the job, but if your price is too low, you might end up feeling underrated even if you do get it. It’s a balancing act that depends on market research. Keep in mind that sometimes a discounted price could lead to a valuable recommendation or long-term contract, so the real worth of a job is not always in the number on the invoice.
Since information security is such a broad industry, in order to succeed at your job, you have to know plenty about a wide range of subjects. However, it’s imperative to recognize one’s strengths and weaknesses, and not succumb to the temptation to become a generalist. Determine your focus carefully, and don’t be afraid to let your clients know what you specialize in. In other words, find a niche and own it.
Despite running his own business before, Freeman quickly realized the differences between a law practice and infosec. “I’ve learned how to improve the handling of scope creep by clients who keep asking for new tasks. As a lawyer I would often try to go the extra mile just to achieve client retention. In infosec, I make it very clear that additional tasks outside the contracted engagement will be charged accordingly. I learned this lesson the hard way,” says Freeman.
Why creating a personal brand is important
In today’s connected world, a strong personal brand can open doors, regardless of who you’re working for. If you’re working for yourself, branding becomes essential. In essence, you are your brand.
You might be wary of writing for a publication or using social networking to promote your expertise, but it’s one of the most cost-effective ways of promoting your knowledge, and it has the potential to instantly launch your career to new heights by connecting you to people you might not meet in person.
“Being able to have people vouch for you will help potential clients feel you are skilled and trustworthy,” says Freeman.
We all prefer to do business with people we know, that’s why real-life networking is still such a big deal, even in the digital world. A solid personal brand can help you meet people and, ultimately, boost your business.
Advice for the aspiring independent security consultant
Planning. As with any business, before taking the plunge into independent waters, you should have a marketing plan, as well as a few clients lined-up. Freeman suggests performing free security assessments for a local charity or NGO. They usually need the help and are willing to provide a recommendation.
Networking. “Network, network, and network some more. Getting out to conferences and smaller infosec events will help you market yourself, but will also provide introductions to peers that can help with advice,” he says.
Legal. One of the trickier parts of a penetration tester’s job are surely the legal agreements. “Make sure you find a lawyer who understands information security. You don’t want to have a poorly worded engagement agreement, accidentally take down a production server, and then find yourself being sued for the downtime,” Freeman explains.
Time management. If you want your consulting practice to be successful, you need to work on your self-discipline. When you have no one to answer to but yourself, you might become tempted to overindulge in the things you prefer doing and ignore the things you find less interesting. But beware, you don’t want your work to suffer, so becoming organized and getting a grip on time management is key to long-term success.
Learning. Invest in a home lab and test all your exploits before running them in a live environment. This minimizes the chances of something unexpected happening during an assessment.
Endurance. “You’ll have engagements where you question your skills, days when you don’t want to talk to the client who keeps trying to get additional work for free, and days when you’ll get sick of staring at your computer. We all have those,” says Freeman. “You need to power through those days and not give up!”
Is there a specific infosec job you’d like to find out more about? Are you doing something our readers should know about? Let me know.