Want to start IT Security business after I graduate

I am currently in college with a major in Cybersecurity and a minor in business. I expect to graduate in December of 2018. I want to start a security consulting business after I graduate and I want advice. Should I do it after I get my Bachelor’s degree, or wait until I have a Masters? I have been considering getting a Masters in Information Assurance after finishing my Bachelors. Is the master’s even worth it?
Any independent IT guys here?
I am currently working in IT, and have been for a couple years.

What do you mean by security consulting? Application security audits? Pen tests against corporate networks? SSAE16 or PCI compliance? Vulnerability research? Secops management consulting? Infrastructure management and consulting?

It’s a wide, wide world of sports. You might be better off working in corporate infosec for a while before hanging out your own shingle if you’re not currently familiar with the marketplace.

Why would someone hire a person with a brand-new degree over a firm of experienced professionals? I would think you would need some experience and a reputation in the field before people trust your new firm with their information security.

I want to do security architecture and pen testing.

That’s nice. Again, why should a company with assets to protect trust your startup with them?

No one’s going to hire you by yourself with a degree and no practical experience actually doing this kind of work. Security engineering is one of those fields where there’s a gigantic chasm between theory and practice. Get a job with a firm that does security audits and penetration testing and learn. Develop a network of contacts, then go out on your own.

If you want to start a business, you should start a business.

We’ve done this several times. Somebody likes to do saleable skill X. So now they think they want to start a business doing X.

Wrong.

Running a business is about running a business. Marketing, admin, policies and procedures, hiring and firing. It doesn’t really matter what the business does. All that stuff is utterly necessary and utterly not delegable until your business has dozens or hundreds of employees.

If that’s the kind of stuff you want to do, then start a business.
If OTOH you want to hunch over a computer performing auditing & pen testing, get a job doing that.

There may, 5+ years later, come an opportunity to sell your solo services directly to some customers versus going through your employer to find gigs.

But *if* that opportunity does arise it won’t be because you’re the best pen-tester around. It’ll be because you’re the best personal marketer / biz-social networker around. Your brand is what matters, not your results. To be sure, crappy results will produce a crappy brand. But middling results with an excellent marketing effort will go much farther than will the opposite mix.

Today you have almost no actually saleable skills, no results, and no brand equity. Time to get the job that will build 1 plus give you a chance to build 2 and 3. You absolutely can get there. But a BS and no experience is not the launching pad you need. It’s only a part of it.

And IMO the Master’s now is simply wasting time. Get it later while working. Not *instead* of working. No, that won’t be easy or convenient.

I started an IT consulting business out of University about 25 years ago with a focus on database applications. I had up to two staff at a time, formed a new business with partners, folded that and went to work for a mid-size (150 people) firm for 18 months before launching a new company with 2 co-workers.

For the last 18 years I’ve focused less on hands-on and more on management. Now that I have 60 people, I’m getting the point where I can delegate more.

I’ll admit that it is a different market today than 1993, but there was value in both being my own boss and working for someone else.

I agree. It is fine to start your own business, but the best education for it is working for a company that is already doing it to gain that perspective. You can see their successes and failures, and what part of the marketing they don’t pursue and why. All the while you are getting paid to learn this. The difference here is that if you take a job with a company with that intention of starting your own in the same field, you will be paying a lot more attention to how the business is being run than if you are simply doing the consulting part of it.

Agreed. I think in practical reality, the OP would like to become a highly-paid and highly-respected contractor of IT security services - which is very do-able, but nobody starts at the top in that game.

I’m going to take a bit of a contrary position here. Plenty of people start businesses right out of school, or even drop out of school to do so. And chances are, if you go to work in corporate America, you’ll either end up doing low-level bullshit work for some major corporation’s IT department or work for some big consulting firm where you will get sent on whatever assignment is available, regardless if it is your interest.

If you want to start a business, these are the things you need to think about:
- What product or service are you providing? You mentioned “security architecture and pen testing”. There are plenty of firms that do that. How will you position yourself to compete with them?
- Will it be just you (single with a shingle) or will you bring on partners/employees?
- How will you pay them?
- How will you pay yourself?
- Are there other costs (software, hardware, advertising and marketing, do you want to rent an office?)
- Who will your customers be? How will you market and sell to them?
- Who is going to help you with taxes / legal (i.e. contracts, SOWs, filings, etc)?

Personally, I don’t think it’s a terrible idea. You’ll learn a lot about starting and running a business. Even if it doesn’t work out, worst case scenario, you go find a corporate job. Probably at a higher level than you would otherwise have been qualified for.