Sunday, October 26, 2008

How would you start a network/security consulting business?

If you the typical security person, sales is not your strong suite. Heck, you may actually be very bad as a sales person. And since without sales you are not going to earn any money from this consultancy, you need someone who can actually close sales.

So what are you going to sell? Services? Do you have any software or other solution you will be offering? Go ahead, write them down in bullets. I know you know them, but you will be surprised when you try to boil each down into a soundbite. If you don't know this already, it is called an 'elevator pitch' because sometimes you will have a 10 or 20-second opportunity to make your case to a client, and that will not be the time to think up something clever to say. So know what you are selling, and know how to condense that to an elevator pitch.

Other things:
1. Now that you know what you are going to offer, and what your pitch is, get a good sales guy. Seriously. Your team may be extremely talented, but they need the contacts and they need the personality to 'close' sales. Not something techies are good at.
2. Create proposal, report and assessment templates (and get website/email/phones the usual logistics stuff)
3. More than one person? Think about the corporate structure. LLC, S-corp, C-corp? (Google for the differences and how each may effect you). Don't put this off--no matter how good friends you all are.
3. Land your first customer. Make sure s/he is willing to be a reference. Start looking for this customer now, even before the business is fully formed. The first customer is the hardest to get. Start by talking to people who are in a position to buy your offering. If you are currently working for someone else, you need to have a very clear idea about who is going to be your customer. Talk to every consulting firm, software company and VAR in your region.
4. Speak at places/seminars/conferences where potential customers show up. Stay longer and listen to them, talk to them, solve problems for them or give them pointers. People like nice people.
5. Did I say you need a sales person with a rolodex full of contacts that s/he already knows from previous jobs? You can hire someone on commission. Make a deal with a hardware sales-guy (so there is no conflict of interest)--when s/he visits a customer s/he can mention your company, make an introduction, etc.
6. Prepare for an initial dry spell. If the people can not handle no income, no health insurance, etc. for 6 months (just to be safe) then they are not ready for this. If you do hit the doldrums, look into opportunities for potential part-time contract work. It may sound strange, but this may help provide sustenance during lean periods. (for this, check out DICE, which lets you search for contract work based on W-2, corp-to-corp, etc). And don't forget, once you are at a contract gig, you are meeting a potential client who may hire your company for the next job.

Any decent-sized clients will ask you about your workman's compensation, liability and errors/omissions insurance. This will set you back a few thousand dollars--talk to an insurance agent and find out.

Good luck.

Thursday, October 23, 2008

Career Progression: How to become a CISO

I am often asked about this--to the degree that this is now a frequently asked question. Sorry, there is no magic formula.

There are two parts to the answer: How to 'get' the job and How to be 'good at it' that are intermixed.

My first CISO job was through applying directly. I was a director at a financial industry giant, and became the first CISO at a 500-million-dollar financial services company.

My next CISO gig was for a company with about $1B in revenue, and I was recruited by a retained search firm.

Here is the summary of my experience:
  1. Relevant industry sector experience: going from financial services to healthcare (or vice versa is very rare)
  2. CISO/CSOs are typically director or above positions. If you already have a director or VP title, that helps
  3. If you are already a CISO, that also helps. A lot.
  4. If you are not being promoted from within, having a bachelors degree is absolutely required.
  5. Soft skills like communication is absolutely important. So is a demonstrated business skills, budgeting, people management, etc.
  6. If a CISO job description says you need hands-on experience configuring firewalls (or some other specific technology), tread carefully. Either the job description is wrong, or it is not a CISO job. There are exceptions, of course, but this is a good indicator.
  7. If other C-level officers are not in the interview team, you are not getting a 'real' CISO job, regardless of what the title is
  8. As a CISO, your job will be to make people who you have no direct influence over do things for you.
  9. You have to have direct reports and budget experience
  10. At the interview, you have to make them understand that [a] security will help business and [b] you understand and care about the business--you are not just a security-nazi.

If you can show most or all of the above in your resume and during the interview, that would be a huge help.

Networking definitely helps, but we all can't know the CEO, so working with recruiters is the next best thing. If it is a retained search, that is great. If it is a contingency, that is fine, too--but before you send a resume, talk to the recruiter and make sure they don't submit you before asking your permission first.

How about certifications? It is expected that the CISO will have at least one major certification. If the CISO position is asking for just A+ or Security+ certifications, see number 6 above. ISACA designed the CISM for the CISO-level professionals, but not many employers are making this the primary certification requirement. CISSP is still the certification to have for any senior security job, although it really does not cover the management of an information security program. The CISA is not directly needed, but helpful because as a true CISO you will have to deal with internal and external auditors. It is my opinion that the certifications do not indicate how good a candidate will be as a strategic leader, but they certainly show relevant job skills. On the other hand, it is easy to establish your business-friendliness if you have an MBA.

Good luck.