After twentyish years working for someone else, I quit my corporate job and started a cybersecurity consulting company. While it seemed risky at the time, now I can’t imagine doing anything else.
When I first quit, I got questions like, “You have clients lined up, right?” and “What are you really doing?” The answers, “no” and “starting a cybersecurity consulting company” did not seem to placate most folks.
That first month was a little nerve-racking. Then I developed some leads, which turned into two clients less than three months into the new venture. Soon enough I was actually doing client work, helping to protect my clients’ organizations.
The variety of work and clients has been interesting. I have served as a virtual/interim CISO, assisted companies in getting ready for audits, performed risk assessments, created cybersecurity plans and cybersecurity strategies, crafted policies and procedures, assisted in vulnerability assessments and helped with product security strategy. When I started I never imagined that I would be able to help so many organizations and in such different ways.
As the year mark approached, I was inundated with project work. I decided to make our first hire. I found a great candidate from a top computer science grad school. She has made a terrific contribution to the team and our clients.
We rented an office in a co-working space and we had our corporate headquarters. We were a real company!
Our office is in Newton, Massachusetts at the Riverside T-stop. Here is a picture of our building.
Why a virtual CISO
I originally started out knowing that the cybersecurity guidance I was providing my past couple of companies could be broadly applied to many organizations. Now I have come to believe that every mid-sized company will have a full or part-time CISO within the next ten years. The security and regulatory environment changes mean that every company needs cybersecurity expertise to build a cybersecurity program and set strategy.
You may not have come to this conclusion, yet. That’s okay; all our clients haven’t either. We also offer a la carte services to organizations to help them with gap assessments, risk assessments, cybersecurity plans, and other services to put the organization on the right track for solving their cybersecurity challenges.
With this emerging need, there will be an insatiable demand for high quality, affordable cybersecurity expertise. Several clients have tried to hire me full-time. I have turned down the opportunities as I know the need for services that we provide will just continue to grow.
Lessons Learned
I have learned a large number of lessons over our first 18 months. Here are some of my favorites.
- Read business books. Reading books is really important. I have gotten some great business and cybersecurity ideas from books. Three business books that have been invaluable to someone new to starting a consulting company and new to sales:
  - Million Dollar Consulting by Alan Weiss. This is by far the best book on building a consulting business. Anyone considering starting a consulting company should read this book.
  - Million Dollar Consulting Proposals by Alan Weiss. How can you have a whole book on proposals? This book covers every detail about writing great proposals. Since reading it I have shrunk the size of our proposals and added a signature section so that there wasn’t a need to create a separate Statement of Work (SOW). It has plenty of other great tips and tricks.
  - Beyond Referrals by Bill Cates. Referrals are the lifeblood of a fledgling consulting company. Beyond Referrals is a great book on how and when to ask for a referral.
- Read cybersecurity books. Two great books on cybersecurity risk have driven how we build our risk models at Fractional CISO:
- Have a strong network. Maybe this is obvious but it wasn’t to me starting out. My network has been the best source of leads for business. When I haven’t worked with someone before, getting them to agree to a deal can be a challenge. Contrast that with a recent customer who had worked with us before at a different company. From the first call to the time that we had a signed deal was around two weeks. If you are planning on consulting on your own, then you should know/believe that you have a strong network that values your advice.
- Be disciplined. You have to be really disciplined especially in the beginning. Getting the first couple of clients is a lot of work. Even when you don’t have anything you have to do, you need to send those emails, make the calls and have a lot of meetings over coffee. You never know when one of those will pay off.
- Have good friends and colleagues. I have a great network of friends and former colleagues. I can’t tell you how much I have appreciated everyone’s support.
- Talk to other consultants. I have learned so much from other consultants from both inside and outside cybersecurity. So many business issues transcend your industry. Having some folks that you trust outside of your industry makes it easy to share the challenges and get great advice.
- Have a terrific family. I have a terrific family who has been 100% supportive from the moment I told them my crazy idea to quit my job. When you are starting out on your own, it is invaluable having people that believe in you.
- Enjoy it. Being on your own can be incredibly rewarding. Aside from the potential financial rewards, being able to decide your own direction and how to spend your time is a reward in itself. It is not for everyone. I recently spoke with someone in a similar field who said something like, “I don’t know why I did this. I hate working from home and I hate making sales calls.” For me, I don’t have anyone looking over my shoulder. I will succeed or fail based on my own volition. Although I had never been a salesperson before starting Fractional CISO, it turns out that I enjoy it! I am definitely building my sales skills.
What’s next?
If you or someone you know needs help with their cybersecurity program then please give us a call. We can be reached at (617) 658-3276 and our email is [email protected].