
What Makes a Great Cybersecurity Consultant
BECOMING A CYBERSECURITY CONSULTANT 2

Table of Contents
Introduction

Ongoing Demand and Emerging Security Technologies
  The Demand Quantified
  Emerging Security Technologies

The How: Preparing For and Creating Your Success
  Hard Skills: Knowledge Areas and Certifications
  Soft Skills: The X Factor

Hustle First, Then Take the Leap

Final Thoughts

Resources
  Certifications
  Conferences
  IEEE Computer Society Resources
  Reports, Statistics, and Associations

Introduction
Security experts have been competing for an
advantage over adversaries since 1988, when the
Morris worm introduced the world to the denial-of-
service attack. In the decades following those early
skirmishes on what was a relatively contained network
of systems, the security space has vastly expanded.
Today, cybersecurity professionals must contend with
everything from smart power grids to interconnected
industry automation to the accelerating work-from-
home movement, all hovered over by the amorphous
and ever-expanding cloud.

For security professionals, this increasingly smart and seemingly edgeless world is a land of opportunity and challenge. It is also a world in which their skills are in high demand, with projected cybersecurity workforce shortages in the United States and around the globe. Some firms—particularly the larger ones—will compete for full-time hires to meet their security needs. However, as all firms face an increasing array of security challenges and their in-house teams buckle under the overwork, many will look to outsourcing. This creates an opportunity for skilled cybersecurity professionals to chart an independent course for their careers as consultants.

The case for why become an independent cybersecurity consultant is relatively straightforward: high demand, freedom, and—if you’re good at what you do—limitless potential for money and satisfaction. The how and the when? They are a bit trickier. Jumping in too soon can leave you lacking the hard and soft skills needed to succeed, as well as the hands-on experience that future clients will typically demand in order to take the leap with you.

To parse the ambiguities and opportunities for becoming an independent cybersecurity consultant, we sought the advice of two esteemed cybersecurity experts: John D. Johnson, founder and CEO of Aligned Security and formerly the senior manager of cyber risk at Campbell’s Soup Company and senior manager of Cyber Risk Services at Deloitte; and Ricardo J. Rodríguez, an associate professor at the University of Zaragoza (Spain), who conducts research on digital forensics, program binary analysis, and the application of formal models to improve the capabilities of cybersecurity-related incident response teams. Both experts agree that the time is ripe for charting an independent career path.

“Technology, remote work, and a shortage of skilled workers make this the ideal time to consider becoming a cybersecurity consultant. If you have the right skills and attitude, this can be a solid career option,” says Johnson. “Consulting can give you flexibility, variety, and control over where you want your career to go.”

Dr. John D. Johnson
CEO, ALIGNED SECURITY
Dr. John D. Johnson has over 25 years of experience as a cybersecurity leader in industry, government, and academia. He is an active IEEE volunteer and serves on several industry and non-profit boards.

Dr. Ricardo J. Rodríguez
ASSOCIATE PROFESSOR, UNIVERSITY OF ZARAGOZA
Dr. Ricardo J. Rodríguez researches digital forensics, program binary analysis, and the application of formal models to improve the capabilities of cybersecurity-related incident response teams.

Ongoing Demand and Emerging Security Technologies
While the demand for cybersecurity professionals continues to
grow, so too does the pool of technologies available to help monitor
threats and protect systems.

The Demand Quantified


In July 2021, the Information Systems Security Association (ISSA) and the Enterprise Strategy Group released their global study, The Life and Times of Cybersecurity Professionals, which found that 95% of the cybersecurity professionals surveyed reported ongoing skill shortages, particularly in the areas of cloud security, application security, and security analysis and investigation. The study also found high levels of workload increases (68%) and burnout (38%) among cybersecurity staff.

This professional stress reflects an ongoing gap between the number of existing cybersecurity professionals and the need for their skills in the global talent pool. To quantify this gap, (ISC)² compares two measures—the Cybersecurity Workforce Estimate and the Cybersecurity Workforce Gap—for its annual Cybersecurity Workforce Study. In 2021, it found an estimated 4.19 million cybersecurity professionals worldwide and an estimated need for 2.72 million more, resulting in a gap in critical asset protection that will require a 65% growth in the cybersecurity workforce to fill. Further, in the United States alone, the Bureau of Labor Statistics projects a 33% increase in information security jobs over the next 10 years.

LOOKING AHEAD
A Community of Computing Leaders

The IEEE Computer Society (IEEE CS) is the world’s home for computer science, engineering, and technology. A global leader in providing access to computer science research, analysis, and information, the IEEE Computer Society delivers a comprehensive array of unmatched products, services, and opportunities for individuals at all stages of their professional careers. Known as the premier organization that empowers the people who drive technology, the IEEE Computer Society offers international conferences, peer-reviewed publications, a unique digital library, and training programs.

Visit computer.org to launch your career.

Emerging Security Technologies


Although human expertise is essential, it cannot on its own address the cybersecurity workforce shortage. Fortunately, cybersecurity technologies are evolving in dramatic ways—particularly in their ability to automate threat analysis and deliver actionable intelligence to cybersecurity professionals.

“As technology becomes more sophisticated and more devices are connected to the Internet, it isn’t effective to just hire more people,” says Johnson. “In the long run, we need technology to help address this because humans can’t keep up on their own.”

As an example, Johnson points to tools such as Security Orchestration, Automation and Response (SOAR), which automate workflows so that cybersecurity professionals can focus on high-impact activities. Such tools also facilitate rapid, coordinated responses to malicious activity, thereby reducing harm to companies and organizations.

Rodríguez also sees these security technologies as key to meeting future needs. “It is clear that the current trend is to incorporate new techniques based on machine learning or deep learning to improve the cybersecurity of systems,” he says. “The application of the field of artificial intelligence as a means to improve the quality of data analysis in the field of cybersecurity is evident.”

He also cites advances such as the Domain Name System Security Extensions (DNSSEC), which strengthen DNS authentication using digital signatures based on public-key cryptography, as particularly important. Other emerging technologies such as quantum computing and blockchain will further contribute to this area. Yet, as Johnson points out, technology alone will be no more a match for hackers in the future than it is today.

“Rest assured that the adversary will take every advantage of new technology as it comes along,” says Johnson, “and cybersecurity professionals will be at a disadvantage if they don’t keep pace.”

The How: Preparing For and Creating Your Success
To be a successful consultant, you need hard and soft skills, and
enough experience with both to identify your strengths and
weaknesses in each area. Doing so will help you determine what you
need to shore up before you go it alone, and what you can capitalize
on once you do.

Hard Skills: Knowledge Areas and Certifications


As in most disciplines, in cybersecurity, developing hard skills requires general knowledge coupled with experience, which in turn provide a foundation for more specialized knowledge and experience. General knowledge expected of cybersecurity professionals includes an understanding of and experience with IT areas such as operating systems, communication protocols, networking and network architecture, and common programming languages (such as C++, Java, and Python).

Cybersecurity consultants also need a general working knowledge of security areas such as security auditing, firewall management, penetration testing, encryption technologies, and principles of ethical hacking and coding, along with an insight into the hacker mindset. As Rodríguez notes, “To be able to defend a system well, you first have to know how to attack it. You have to put yourself in the role of the enemy to know where they are going to try to act, and thus be able to close the open gaps in time.”

Having education and job experience in these areas is ideal; adding IT and security-specific certifications can further demonstrate this knowledge to your future clients. Among the hundreds of certifications available, deciding which ones matter—to your focus, your potential clients, and your bottom line—is another issue altogether.

Among the general certifications that are often cited as important to cybersecurity professionals are the following:

• Certified Information Security Analyst (CISA)
• Certified Information Security Manager (CISM)
• Certified Information Systems Security Professional (CISSP)
• Certified in Information Risk and Systems Control (CRISC)
• Certified Cloud Security Professions (CCSP)
• Cybersecurity Analyst (CySA+)
• CompTIA Security+
• Certified Ethical Hacker (CEH)
• Offensive Security Certified Professional (OSCP)

Identifying each certification’s focus can help you decide which ones to pursue. As Rodríguez notes, some certifications (such as CISM and CCSP) emphasize theory and may be best suited for prospective consultants looking to specialize in cybersecurity management or organizational security, while others are more technology and practice-focused (such as OSCP and CEH). Regardless of specialization, Johnson says that all organizations will expect consultants to have basic cybersecurity and IT knowledge covered by certifications such as CISA, CISSP, CISM, and CRISC.

“My advice is to choose one that is appropriate based on your experience,” says Johnson, adding that if you are new to information security and pursue CISSP certification, that certification simply demonstrates your ability to take a bootcamp training course; it doesn’t reflect actual experience. In all cases, sound general knowledge—backed by experience, training, and certification—is an essential foundation for specialization.

“Specialization is always important because an employer wants to fill a position with the most qualified individual,” says Johnson. “This is even more important as a consultant because a client is looking for someone who is highly qualified for a specific job.”

In addition to knowledge-area certifications in risk management, security management, incident response, industrial systems, cloud environments, and so on, some consultants might pursue industry-focused certifications for the federal government, healthcare, finance, or manufacturing.

“Survey the industry and compare it to your skills,” Johnson says. “Decide what you want to do and identify where you have gaps in your skills and experience. Do what you can to fill in those gaps in order to be more attractive to prospective clients.”

For what certifications are literally worth—in terms of your bottom line—Certification Magazine’s Salary Survey 75 focuses on how certifications and salaries align. For 2022, it surveyed more than 5,400 certified IT professionals from around the world and found that the top five certifications in relation to salary were all security related: CRISC, CISM, Certified Data Privacy Solutions Engineer (CDPSE), Okta Certified Consultant, and Amazon Web Services Certified Security—Specialty.

Finally, whether you’re committed to a specialization or still exploring, listening to podcasts and attending conferences are excellent ways to gain and keep up on security knowledge in both general and niche areas. Popular podcasts such as Risky Business, Into the Breach, and Darknet Diaries, as well as the IEEE CS’s new 21st Century Security & Privacy Podcast, can turn your workout or daily commute into a learning opportunity.

Security conferences can offer more social and immersive experiences. InfoSec has searchable databases of both security podcasts and conferences. Among the many key conferences are the following:

• IEEE Secure Development Conference
• IEEE International Conference on Cybersecurity and Resilience
• InfoSecurity Europe
• International Conference on Network and Information Security
• Black Hat
• DefCon
• IEEE Symposium on Security and Privacy
• IEEE European Symposium on Security and Privacy

In addition to their educational value, conferences are an excellent place to network with other security professionals, identify potential mentors, and hone those all-important soft skills.

Soft Skills: The X Factor


Soft skills are not the first thing people consider when they think about cybersecurity, but unless you’re content to toil alone in a room, such skills are crucial. Whether it’s working in or leading teams, presenting proposals or analyzing results in meetings, or attending industry conferences and other events, being able to communicate clearly and read the room often dictates your level of success.

In addition to solid communication skills, Rodríguez says that essential soft skills for consultants encompass everything from critical thinking and stress management to commitment, flexibility, and teamwork. “Soft skills are important to achieve good team cohesion, among other things,” he says, emphasizing that independent consultants work with—and often lead—diverse teams, including teams of other outside consultants and mixed teams within a client’s organization.

Johnson agrees, noting that it is essential that you demonstrate to clients that you’re a team player, a capable communicator, and that you meet your commitments. One question to consider, he says, is: What would your previous employer or other clients say about you?

“Consultants who have a reputation of being difficult to work with, who don’t listen to the client, or who turn in work that isn’t professional will find it difficult to compete,” he says, adding that having solid skills in both communications and project management is crucial. “This is especially true if you are an independent consultant because you need to listen to your client and set clear expectations—and then deliver a professional work product.”

To be a successful independent consultant, you need experience leading projects that stay on schedule and complete successfully on time. You also need organization and presentation skills. That is, it is not enough to be good at analyzing an organization’s existing security and vulnerabilities; you also need to describe the latter coherently to various stakeholders and clearly outline possible solutions, along with the strengths and downsides of each. This advisory role is critical; play it well, and you will inspire clients to trust you and recommend you to other organizations.

Hustle First, Then Take the Leap
Armed with skills (hard and soft), extensive job experience, and a list
of certifications, it’s tempting to simply apply for a business license,
build a website, tender your resignation, and start the hustle. But it
might be best to put the hustle at the top of your list, then consider
the timing on the other items later.

A good place to start the hustle? Networking. One place to look for opportunities is professional societies, such as the IEEE Computer Society. It offers numerous volunteer opportunities, as well as security-targeted learning and networking through resources such as its online Special Technical Community on Cybersecurity and Technical Community on Security and Privacy and conferences such as the IEEE International Conference on Cyber Security and Resilience (IEEE CSR). Engaging with opportunities such as these to learn and meet people not only keeps your knowledge sharp, but can also lead to mentorship possibilities with established cybersecurity consultants.

“Young professionals who desire to consult are at a disadvantage, mainly because they are new to consulting as a profession,” says Johnson. “It is important to build a strong personal network because this is where you will get many leads and make the connections to secure the contract.”

Having conversations, whether one-time or ongoing, with other cybersecurity professionals and consultants can give you insights into the field as well as its basic practices, such as money skills, including accounting; legal skills, for issues related to contracts, insurance, and so on; and, perhaps most importantly, promotional skills. How you will promote yourself and your business is a crucial consideration that might change over time, but it’s unlikely to ever fall off your to-do list.

As the IEEE Computer Society’s Professional’s Guide to Freelancing describes, working independently has many pros and cons, and it can take many forms. Having a mentor or regular interactions with other professionals can help you better understand the practical issues and avoid reinventing the wheel. It can also help you formulate a clear vision of your own story: who you are, what you plan to offer, and why an organization should hire you.

Rodríguez recommends that aspiring consultants focus on one field and specialize as much as possible, and always stay tuned to industry news. “Learn to learn,” he says, “because in this job, you will always have to be updating and learning new technologies—and how to attack and defend them.”

Johnson agrees; in addition to learning about the cybersecurity field and how to avoid pitfalls, reaching out to experienced consultants may result in your reconsidering the timing of establishing your own consultancy.

“You may decide this isn’t the time, but after some additional experiences, training, and certifications, you may be much better prepared,” says Johnson, adding that, in any case, it’s important for you to “frequently reassess where you are, what you offer, and what is needed in the industry to stay current and marketable.”

Final Thoughts
Rodríguez and Johnson both emphasize that the fuel for a successful consulting career is passion. It is a passion for the security mission that will drive your learning and hard work, your resiliency in challenging times, and your client list’s expansion.

Johnson says that when he started out, he “was highly skilled and knowledgeable,” but thought that cybersecurity was simply a set of rules that always applied. “I learned that there is no one-size-fits-all cybersecurity solution,” he says, adding that he also had misconceptions about his role regarding those solutions. “In fact, the cybersecurity professional’s job is to identify and explain the risk in an understandable way to executives and other stakeholders.… At the end of the day, the business will make decisions on how to treat risk.”

While acknowledging that he was initially “rough around the edges,” Johnson says he was also passionate about cybersecurity, which is essential to success in this field. You can take trainings and learn technical skills in a variety of ways, he says, but “it will be difficult to succeed as an independent consultant if you don’t demonstrate your passion.”

Rodríguez agrees, adding that it is important to let your passion fuel your ongoing learning. When he was starting out, he says that this continual learning process was a key to his success, as was his love for the field. “Put passion into what you do,” he says, as well as into learning and networking with other professionals.

Resources
Certifications
• Certified Information Security Analyst (CISA)
• Certified Information Security Manager (CISM)
• Certified Information Systems Security Professional (CISSP)
• Certified in Information Risk and Systems Control (CRISC)
• Certified Cloud Security Professions (CCSP)
• Cybersecurity Analyst (CySA+)
• CompTIA Security+
• Certified Ethical Hacker (CEH)
• Offensive Security Certified Professional (OSCP)
• Certified Data Privacy Solutions Engineer (CDPSE)
• Okta Certified Consultant
• Amazon Web Services Certified Security

Conferences
• IEEE Secure Development Conference
• IEEE International Conference on Cybersecurity and Resilience
• IEEE Symposium on Security and Privacy
• IEEE International Symposium on Hardware Oriented Security and Trust
• IEEE Computer Security Foundations Symposium
• IEEE International Conference on Cyber Security and Cloud Computing
• InfoSecurity Europe
• International Conference on Network and Information Security
• Black Hat
• DefCon
• Search Hacking Events

IEEE Computer Society Resources
• 21st Century Security & Privacy Podcast
• Technical Community on Security and Privacy
• Special Technical Community on Cybersecurity
• Professional’s Guide to Freelancing
• IEEE Security & Privacy Magazine

Reports, Statistics, and Associations
• Cybersecurity Skills Crisis Continues for Fifth Year, Perpetuated by Lack of Business Investment
• (ISC)²
• A Resilient Cybersecurity Profession Charts the Path Forward
• Information Security Analysts—Job Outlook
• CertMag Salary Survey

www.computer.org
