How to be an information security consultant

Posted by shentanli on March 01, 2020

The original


A Security Consultant is the infosec equivalent of Obi-Wan – advisor, guide and all-round guru. In your role as an expert consultant, you’ll be able to design and implement the best security solutions for an organization’s needs. You’ll talk to stakeholders, draw up budgets, supervise teams, and get stuck into research. You’ll conduct security tests and probe for vulnerabilities. In other words, you’ll put your technical and interpersonal skills to good use.

I think this is an exciting job. Five years ago, I felt confused about which security-related road I should take. After the internship and two years’ work experience, I cannot wait to take on the challenge of being a security consultant.


Each institution will be dealing with unique IT security threats, so your day-to-day tasks can vary greatly. You may be required to:

  • Determine the most effective way to protect computers, networks, software, data and information systems against any possible attacks
  • Interview staff and heads of departments to determine specific security issues
  • Perform vulnerability testing, risk analyses and security assessments
  • Research security standards, security systems and authentication protocols
  • Prepare cost estimates and identify integration issues for IT project managers
  • Plan, research and design robust security architectures for any IT project
  • Test security solutions using industry standard analysis criteria
  • Deliver technical reports and formal papers on test findings
  • Provide technical supervision for (and guidance to) a security team
  • Define, implement and maintain corporate security policies
  • Respond immediately to security-related incidents and provide a thorough post-event analysis
  • Update and upgrade security systems as needed

    In a large organization, you will typically collaborate with IT Project Managers and/or a Security Manager.


To become a Security Consultant, you should consider gaining your work experience in intermediate-level security jobs such as:


Security consultancy is not for the neophyte. Employers will want to see a bachelor’s or master’s degree in the field, at least 3 years of work experience, and plenty of technical skills in your application. IAPSC membership and relevant certifications will give your résumé some extra shine.

Finally, take a good, hard look at the job description and the reputation of the company. Not all security consultancy jobs are made equal. Some consultancy firms specialize in certain aspects of security (e.g. robust security architectures, auditing, reverse engineering and pen testing, etc.). Others do all kinds of work. And big multinationals may have scores of consultants on their payroll. Reach out to current professionals through networking sites and conferences before you make any decisions. Getting “insider advice” is one of the most effective steps you can take in this arena.

  1. Hard Skills

    Since the job of a Security Consultant covers the waterfront, technical knowledge is paramount. Here are a variety of hard skills that we’ve found employers requesting:

    • IDS/IPS, penetration and vulnerability testing
    • Firewall and intrusion detection/prevention protocols
    • Secure coding practices, ethical hacking and threat modeling
    • ISO 27001/27002, ITIL and COBIT frameworks
    • PCI, HIPAA, NIST, GLBA and SOX compliance assessments
    • Windows, UNIX and Linux operating systems
    • Performance tuning views, indexes, SQL and PLSQL
    • Application security and encryption technologies
    • C, C++, C#, Java or PHP programming languages
    • Subnetting, DNS, encryption technologies and standards, VPNs, VLANs, VoIP and other network routing methods
    • Network and web related protocols (e.g., TCP/IP, UDP, IPSEC, HTTP, HTTPS, routing protocols, etc.)
    • Advanced Persistent Threats (APT), phishing and social engineering, network access controllers (NAC), gateway anti-malware and enhanced authentication

  2. Soft Skills

    It goes without saying that great leadership and negotiation skills are going to be helpful in this job. Companies are also looking for candidates with excellent oral and communication abilities. Talking to clients and working with diverse IT teams requires patience and tact.

    Like Security Architects and Security Engineers, Security Consultants are creative builders, complex problem-solvers and savvy analysts. You’ll be dealing with a huge range of variables when you design and assess security systems.

In summary, being a security consultant is challenging. So let’s go for it!