Page 1 of 2 12 LastLast
Results 1 to 10 of 14

Thread: So umm... Best Way to Start Your Own Security Consulting/ Penetration Testing Company

  1. #1
    Member
    Join Date
    Apr 2002
    Posts
    52

    Question So umm... Best Way to Start Your Own Security Consulting/ Penetration Testing Company

    Hi guys, so I was browsing around, as I tend to do and the Start Your Own Security Company thread caught my eye. This topic intrests me greatly because I too would someday like to start a small security company. Unfortunatly, NOBODY answered the OPs question in the 4 pages that was the thread before it killed itself. You would think the title had been "Do you think I'm 1337 enough to start a security company?" or something.

    Well maybe none of you have any experience in that area(which would be ironic), but if any of you do I would really like to hear some advice or experiences. Successes and failures such as what works, what doesnt... I think this topic is would be a great contribution to the AO community.

    SOOOOOOOO... have any of you started your own security company? What scale did you initially start at and what were some of the hurdles in getting up and running. How do you find clients and what measures do you take to protect yourself from liability? What range of services do you offer?

  2. #2
    Good luck on this topic, as you read what happened to my thread. I was just looking for the same advice as you.

  3. #3
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    have any of you started your own security company?
    Certainly not! because failure is a virtual certainty.

    1. You need to have been in the business for a long time.
    2. You need to have been a senior consultant in a major consultancy for at least 5 years.
    3. You need to be prominent in the industry through seminars, publications and the like.
    4. You need a number of similar standing individuals on your team.

    Unfortunately ones ability to do the job is relatively unimportant compared to the reputation of the people who get hired. You see a lot of these exercises are CYA (cover your a$$) rather than a true security job. The customer doesn't really care about security, they are just looking for a feel good factor.

    Back in the day, it was an old saying that "nobody ever got fired for buying IBM".....................well, the same kind of thing goes for security consultants these days. Sure you might be able to do as good a job, and a hell of a lot cheaper, but trust me when I say that no corporate EVP is going to put his neck on the line, for the sake of saving a few thousand bucks.

    It is pretty much the same with external auditors. Small companies deal with small companies and the big boys go to the likes of PriceWaterhouseCoopers.

  4. #4
    AOs Resident Troll
    Join Date
    Nov 2003
    Posts
    3,152
    I believe the advice was given....

    Know your stuff

    Get lots of experience

    Keep your certs up to date

    Be a good sales person

    have the resources to to the job

    Get incorporated.....so if the lawsuits fly..you are not personally liable

    be REALLY good at what you do

    All outlined in the original post......



    MLF
    How people treat you is their karma- how you react is yours-Wayne Dyer

  5. #5
    Senior Member
    Join Date
    Mar 2004
    Posts
    119
    I concur with everyone else. Even highly regarded information security experts don't usually start companies on their own. Take Ed Skoudis for example, he is a highly regarded information security professional, author of a few books, and wrote and teaches for SANS. He confounded a company with a few other information security professionals. So I highly doubt you will have much success on your own.


    I have had a great deal of laughs about the other thread as I can remember the first time a client handed me a "security audit" completed by a so called security consultant. The so called consultant ran a Nessus scan and then managed to press the print button. He didn't even bother to bind it or anything, just a loose stack of pages presented to the client. If this entertainment keeps up than I am canceling cable.

    Until you have worked for a company exclusively conducting security audits under the watchful eye of another professional for at least 3 years, then I wouldn't dream of it.

  6. #6
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Hmmmm, I am afraid that this is the problem:

    So umm... Best Way to Start Your Own Security Consulting/ Penetration Testing Company
    That is a very specialist and restricted service that would require you competing with a relatively small number of established organisations, much larger than yourself.

    A much more feasible approach to starting your own business is to go one level further down and look at the day to day activities of smaller businesses.

    This requires understanding business processes and procedures as Morgana~ has suggested.

    Other areas such as network design, database design, separation of business functions, data security, disaster recovery and business continuity , authorised usage policies, data protection and so on.

    All these areas have security implications but they also have business implications and are far more likely to be understood by the managers/owners of small businesses.

    When it comes to financial systems, for example, there is no need for internet connectivity at all. It should be a self contained network and penetration testing should be irrelevant. What matters more is authority levels and checks and balances.

    I don't know what things are like in other countries, but over here at least 95% of small business fraud is either the good old fashioned confidence trick, or it is internal (that is most of it). This is a problem that the owners are aware of and will gladly pay for consultancy for.

    Sure, the law says that they have to have external auditors to examine their statutory accounts but the smaller companies cannot afford full time internal auditors or security specialists in their IT function.

    It is far cheaper for them to hire a local consultancy firm for 12 weeks and then for a two week review every year than to employ a permanent member of staff who would probably get bored to tears and leave fairly quickly.

    A contractor would be an alternative, but they come and go and disappear off the face of the earth. A permanently established local consultancy is the ideal solution.

    It is also ideal for someone getting started in their own business as the big boys cannot compete (too many overheads) and are not interested in the smaller jobs.

    Over time you might be able to concentrate more and more on security, but to begin with it would be prudent to offer a broader range of services and extend your earnings base.

  7. #7
    Frustrated Mad Scientist
    Join Date
    Dec 2004
    Posts
    1,152
    In the UK you often have to be CLAS or CHECK certified (in addition to CISSP) before you'd get looked at by a large company or public sector. These are government sponsored and you can't buy your way into them (alledgedly).

    You could still work for smaller companies who can't (or won't) pay for CHECK teams. Get work and build your reputation that way. Most security companies offer other services such as ISO certifications, forensics etc.

    CLAS - http://www.cesg.gov.uk/site/clas/index.cfm
    CHECK - http://www.cesg.gov.uk/site/check/index.cfm

    Some companies we have used

    http://www.dns.co.uk/
    http://www.sapphire.net/
    http://www.mwrinfosecurity.com/

  8. #8
    Junior Member
    Join Date
    Apr 2002
    Posts
    16
    I've found that the best way to go about starting your own business is to first work in the field for another larger company.

    1.) Study, test, repeat -- Get some Alphabet soup for the back of your name
    2.) Work in industry in excess of 10 years
    2 alt) Go to school with a Co-Operative education program RIT places students with PenTesting companies for 3 month periods up to 6 months at a time...
    3.) Get hired by a larger firm and gain experience there
    4.) THEN think about splitting off and forming your own.

    Applications many people use for PenTesting are VERY expensive Think CORE or Immunity's CANVAS although you can pen-test using the standard hacker fare, you should use a multitude of tools and I reccomend you use atleast one of the biggies. I know for sure I'd rather be buying a new Jeep than a seat for a pen-testing program.

    But hey, what do I know? I run a computer business building custom computers to a small customer base. It's more a hobby business anyway...

  9. #9
    This is some good advice, this is all I was asking the other day.

  10. #10
    AOs Resident Troll
    Join Date
    Nov 2003
    Posts
    3,152
    NetSecExpert

    I think it was spelled out in the other thread.......E X P E R I E N C E

    and by the way...whining doesnt become you

    MLF
    How people treat you is their karma- how you react is yours-Wayne Dyer

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •