The field of security is growing rapidly; expansion in this industry has exploded in the past 25 years. It is an environment that requires a quick, agile response to changes in the global landscape. Security as a business is a billion-dollar industry that seeks to meet a variety of needs for a variety of organizations, groups and individuals; and it provides an environment defined by constant change. Professionals in the Security industry must take steps to increase their knowledge and skills to remain current. Over time, individual roles have been more clearly defined. Positions and job titles not known 25 years ago are now common. New opportunities have opened for experienced security professionals to provide expertise on a consultant basis. This opportunity requires specific skills and abilities to ensure that all elements of security work in harmony for an organization. Enter the Security Consultant.
The Security Consultant contracts with an organization to provide feedback, make recommendations and oversee implementation of programs, policies and protocols in an effort to ensure the integrity and effectiveness of the entire scope of security. The Security Consultant reviews current state, evaluates that current state for potential vulnerabilities and then designs and implements various security systems in order to protect the data and network assets of an organization. Because the Security Consultant is not on staff, this can include both short-term and long-term contract periods.
Foundations – Education
This technical role requires an extensive background in computer technology, information technology and systems, mathematics and security-related studies (i.e. cyber-security). A Master’s Degree in a related field of study may overcome a perceived deficiency in undergraduate studies. Also, gaps in educational background can be covered through industry-related certifications. The role of Security Consultant is not entry-level, so the educational requirements, while important, may be overshadowed by certifications and experience.
Foundations – Experience and Certifications
The role of Security Consultant includes sole-proprietors (freelance) and staff in a consulting firm. While the specific role is not entry-level, a consulting firm will hire new graduates and work with them through their particular system of experience and “work product” for up to 5 years before giving a Security Consultant his own territory. Client organizations prefer to see 3-5 years’ security consulting experience to be comfortable. Previous experience in Information Technology (IT), network administration, cryptography and cyber-security shows well on the Security Consultant’s resume. The role encompasses many facets of security, so the successful Security Consultant will have solid, hands-on experience in as many elements of security as possible.
To supplement the educational requirements of the position, and keep current on new trends and changes within the realm of security, there are recommended Certifications. A leading oversight organization is the International Association of Professional Security Consultants (IAPSC), which offers training and certification as a Certified Security Consultant. Other programs to consider include (but are not limited to):
Offensive Security Certified Professional (OSCP)
Certified Protection Professional (CPP)
Physical Security Professional (PSP)
ISC2 (International Information Systems Security Certification Consortium, Inc.):
Certified Information Systems Security Professional (CISSP)
GIAC (Global Information Assurance Certification):
Various security certifications
Foundations – Continuing Education
Because there is constant change within the Security Industry, continuing education is vital for the long-term success of the Security Consultant. It is imperative that a Security Consultant stay informed of technology advancement through trade publications, news, blogs and organizational affiliations; continuing education programs, classroom training and field exercises are critical to staying current (and effective) in the industry. It is also critical for the Security Consultant to recognize advancement in threat approaches, attack vectors and the technology used to defeat (or circumvent) security protocols and systems. Nearly all certifications are subject to periodic renewal, which will keep the successful Security Consultant informed of changes, updates and enhancements to security protocols and systems. It is not just a requirement to maintain current certification; it is best practice to keep current on advancements and trends.
Employment Opportunities – Job Titles
The Security Consultant job title is an upper-level position; there are several jobs and roles that will move the candidate in the proper direction toward the goal. Some mid-level examples are:
Leadership opportunities and team leadership are incorporated in these next-level positions:
IT Project Manager
The duties of a Security Consultant may also be included in these roles:
Information Security Consultant
Computer Security Consultant
Database Security Consultant
Network Security Consultant
While the role of Security Consultant is a technical, “task-related” position, there are executive and leadership opportunities to consider, including (but not limited to):
Chief Information Security Officer
Employment Opportunities – Job Duties, General
The role and duties of the Security Consultant are varied. The work includes independent duties as well as team participation. The Security Consultant is expected to evaluate integrated and independent security systems, review policies and procedures and determine risk (and the mitigation thereof). The overarching duty of the Security Consultant is to ensure the integrity of an organization’s security suite of programs, policies and protocols.
On any given day, a Security Consultant may be tasked with any of the following:
Evaluate current security systems and protocol to determine more effective methods to protect workstations, networks, data and information systems against unauthorized access
Meet with staff, team leads and department heads to determine specific issues
Test, analyze and assess current security measures
Research standards, compliance and other requirements within the organization’s field or industry
Design security systems and create the implementation protocol
Prepare and present security program, policy and protocol proposals for approval
Provide detailed technical reports and evaluations to the client
Oversee system implementation and provide training/guidance to the on-site security team
Respond to imminent threats, report on breaches of security and provide quality analysis of the event
Provide updates and upgrades as required
The actual scope of work will be outlined and detailed in the consulting contract; Security Consultants will usually collaborate with the local IT Project Manager and/or Security Manager.
Employment Opportunities – Job Duties, “Hard” Skills
There are specific skills a Security Consultant must have. These include expertise in the following:
Advanced Persistent Threats (APT), phishing/social engineering, network access controllers (NAC), gateway anti-malware and enhanced authentication
Application security and encryption technology
Firewall and intrusion detection/prevention protocol
IDS/IPS, vulnerability testing, penetration testing
ISO 27001/27002, ITIL and COBIT frameworks
Network protocols (e.g., TCP/IP, UDP, IPSEC, HTTP, HTTPS, routing protocols, etc.)
PCI, HIPAA, NIST, GLBA and SOX compliance assessments
Programming languages including C, C++, C#, Java and PHP
Secure coding practices, ethical hacking and threat modeling
SQL and PL/SQL
Subnetting, DNS, encryption technology and standards, VPNs, VLANs, VoIP and other network routing applications
Windows, UNIX and Linux operating systems
Employment Opportunities – Job Duties, “Soft” Skills
Additionally, there are universal skills required for excellence in the field:
Excellent oral and written communication skills (including public speaking)
Integrity, trustworthiness, strong ethics and good judgment
The role of the Security Consultant encompasses both the technical side of program development and implementation and the interactive side of presenting findings and recommendations. The successful candidate will break free from the stereotypical computer nerd with no social skills to be an engaging business partner to the organization.
Employment Opportunities – Job Duties, Private Sector
Opportunities are available in all kinds of organizations: large and small, business and non-profit, civil and retail. Nearly all businesses need security for their data, information and networks, regardless of their size or function. This provides a multitude of opportunities for Security Consultants and allows them to specialize as appropriate. Finding a niche can be lucrative for the Security Consultant, as expertise in narrow areas can be valuable to a client.
Whether contracting for a large financial institution, a law firm or a local retailer, the duties of the Security Consultant have many common elements and the daily duties will be similar in scope (if not task): ensure the integrity of security systems for data, information and networks.
Employment Opportunities – Job Duties, Public Sector
The National Security Agency (NSA) is considered to be “security central” when it comes to all elements and environments of domestic security. Protection of data is critical within governmental agencies, military and federal law enforcement teams, and the defensive systems for that data, information and networks must be strong. The government offers many opportunities for contractors and sub-contractors (which is where the Security Consultant and consulting firms reside). Security Consultants provide a valuable service from testing and evaluation, recommendations and implementation to ensure that the security programs, policies and protocols are at their peak of effectiveness. The role is vital to ensuring security to all citizens and protecting the country’s assets from harm.
Additionally, every branch of the military requires data and information security aligned with that of the NSA, with the additional level of importance being the national defense. Sensitive data and information must be protected from unauthorized individuals and organizations to maintain a strong national defense.
The Department of Homeland Security is another large governmental agency that appreciates the role of the Security Consultant for their security systems, policies and protocols. There are numerous opportunities within the public sector for the skilled Security Consultant.
The Security Consultant’s role is uniquely challenging: they must not only stay ahead of the ‘enemy’ to maintain security of information and data, but also keep their business growing. Because the nature of the security industry is so complex and changeable, the Security Consultant is always learning and growing in knowledge. This role with its virtually universal application has an everlasting learning curve!