Thursday, February 19, 2015

Does Security Consulting Add Value To An Information Security Career Path?

I've been asked whether investing some amount of time in an information security consulting role adds value to an information security professional's marketability.

This is a great question, and the overall answer is yes, but let's walk through a couple of different scenarios.

Many companies I’ve worked with over the years to fill Manager, Director and “C”-level positions have expressed a preference for candidates who are coming directly out of corporate environments. These companies have specifically told me that they do not want candidates coming straight out of long-term tenure at consulting firms.

Why, you might ask?

The logic I’ve heard many times is that candidates coming directly out of “Big 4” firms for example are strong in front-end experience and frequently weak in back-end experience. This is particularly true if the candidate's only experience is in consulting and they have never worked for any length of time as an employee in a corporate environment.

Front-end experience in this case means doing risk assessments, security assessments, etc., and making recommendations for remediation solutions.

Back-end experience means actually sticking around to implement those recommendations and then living with the consequences of the decisions made about the implemented solutions.

Is there value in working in a consulting capacity for a couple of years, or a few?

I believe there is potentially tremendous value that can be gained by working for a security consulting firm for a few years. Here are some of the criteria I would use to evaluate whether a security consulting firm is a good place to gain experience.

  • Look for a consulting firm that provides regular training that will expand your skill set.
  • Look for a consulting firm that is deeply entrenched in providing information or cyber security consulting services.
  • Look for a consulting firm that will move you from project to project from time to time so you gain exposure to different technologies, different security frameworks, different regulations and different approaches to building security solutions.
  • Look for a security consulting firm that will align you with a mentor, or possibly different mentors on different projects.

After you’ve seen a variety of approaches to building security solutions, you’ll be better equipped to step into a full-time corporate role where you’ll frequently be expected to act as an internal consultant. In certain situations, a few years working as a consultant can deliver more advancement and skill growth than the same number of years in a single corporate role.

This may be especially true if your consulting experience exposed you to incident response and cleaning up after a breach.

What are your longer-term goals?

If your goal is to be a CISO one day, you don’t want to invest too much time in the consulting world. The reason is that at some point you can become branded as a consultant who lacks experience in taking ownership of projects.

You will also likely lack significant experience in corporate relationship building and corporate politics. These skills are more valuable than you may currently recognize.

There is no always / never, right / wrong answer to how long one should invest in the consulting business. I'm simply sharing the preconceptions that many employers have shared with me when they asked me to find security leadership to guide their organizations.