Be a Consultant, They Said

Aug. 8, 2023

There is a common inflection point in most security practitioners’ careers where they consider leaving the corporate grind and hanging out a shingle as a consultant. Hey, if you hate your boss and can barely tolerate your coworkers, what could be better than tossing off all that and working for a real horse’s patoot: yourself? Such is consulting.

You can also be shed of those annoying departments who made your work life so difficult: the accounting people who are slow to pay expenses and the HR wonks who critique your outdated euphemisms and interpersonal exchanges. The problem is, you’re now the accounting and HR department for you. It’s up to you to run down payments from your clients, and that means you have to deal with multiple accounting and HR departments.

Yes, you can finally leave that drab, soul-sucking cubicle and exchange it for an even-worse cubicle on your client’s site. Do you really think they will clear out some VP’s old office for your use while you are on-site? Hah. The reality is you will be lucky to get a dark closet with all the broken and discarded office furniture. You’re now just a lowly contractor, not a valued employee who would complain to HR.

It is also important to know there are no casual Fridays or free pizza days for you. You’ll be there in your suit dragging yourself to the corporate cafeteria for a cold sandwich, chips and a drink for $8. And you had better be sure to keep the receipt in a safe place or you’ll be eating the cost of that lousy lunch as well.

If all this doesn’t scare you off your dream, let me add one more: you’re also the sales team. In addition to meeting all the requirements and deadlines for your client’s projects, you also must ensure you have a pipeline of work to maintain the income you need to pay your bills. Plus, don’t forget Uncle Sam, who demands you pay down on your business taxes by making estimated quarterly payments and settling up on April 15. Remember, the government always gets its money upfront, unlike you, who are billing monthly at ‘net 30’.

Security consulting has its unique challenges. Usually, you will be so pleased to see your first paying client that you won’t stop to think about why they decided to hire you for this gig. I know because I felt the same. Hard-won experience has taught me it is vital to get that question answered before showing up on-site in your suit and being seated in your broken chair. It will shape your whole engagement. When doing security analyses and projects, I was stunned to find out I was merely creating shelfware for clients to tuck securely away in a file cabinet, never to see the light of day after leaving my printer.

You know the collegial relationship you worked so hard to craft with the corporate CISO? You may find your report is being underwritten by a board member who wants to justify firing them. Or it could be funded by the CISO to function as posterior body armor in the event of a breach. Your carefully crafted and insightful timeline for overhauling their entire security program will likely never be implemented, let alone reviewed, by the people paying for your knowledge. It simply ticks a box on their compliance checklist as it’s filed away like the Ark of the Covenant at the end of the Indiana Jones movie.

As far as security goes, only you and I really care. Most people just assume others like us can do our jobs and life moves on until something hits the fan and is unevenly distributed. Then they will care. If you’re lucky, some corporate leader will rummage in the file cabinet and blow the dust off your words of brilliance. But in the meantime, you have bills to pay and clients to satisfy. Try consulting, they said. It will be fun, they said.

About the author: John McCumber is a seasoned cybersecurity executive with over 25 years of progressive experience in information assurance and cybersecurity operations, acquisition, management, and product development. He has expertise in corporate security policy development and in the implementation of security in information technology design, and recent experience working with Congress on cybersecurity legislation and professional advocacy. He is a long-time columnist with Security Technology Executive magazine and a contributing writer at Ordinary Times. John is a retired US Air Force officer and former Cryptologic Fellow of the National Security Agency. During his military career, John also served in the Defense Information Systems Agency and on the Joint Staff as Information Warfare Officer during the Persian Gulf War.