.

Starting Your Own Company.....

<<

S3curityM0nkey

User avatar

Jr. Member
Jr. Member

Posts: 89

Joined: Mon May 16, 2011 6:47 pm

Post Wed Oct 10, 2012 5:19 pm

Starting Your Own Company.....

As anyone who has been hanging around on this forum for a while will know one of the most common questions is “How do I get into the industry?” and as always the users on the forum will go out of their way to give helpful advice.

I have a slightly different question.

It seems to me that a few of the guys (and girls) on forum work for themselves or as consultants in the industry.

I want to hear from a few of you as to the challenges you faced while starting up your company.

How did you get your first client? I imagine its hard to convince someone to let you perform a pentest on their network when you have no rep in the industry.

Has it been worth it?

What advice would you give to someone on the forum who is thinking of starting up there own company or working as a consultant?
<<

dynamik

Recruiters
Recruiters

Posts: 1119

Joined: Sun Nov 09, 2008 11:00 am

Location: Mile High City

Post Wed Oct 10, 2012 5:51 pm

Re: Starting Your Own Company.....

SecurityMonkey wrote:I imagine its hard to convince someone to let you perform a pentest on their network when you have no rep in the industry.


That scenario should never come up. You shouldn't start a business (at least in this industry) unless you have extensive subject-matter expertise.

If this is something you're considering in the future, I highly recommend you read these two books:
http://www.amazon.com/Million-Dollar-Co ... consulting
http://www.amazon.com/Start-Your-Busine ... l+business

Something else to keep in mind is that if you run your own business, you will probably spend more time on business activities than whatever services you provide. Legal work, accounting, marketing, sales, etc. are going to take a significant amount of time. Don't start a business unless you want to run a business or have the resources to contract all those services out.

Disclaimer: I'm currently employed elsewhere, but I've run my own business for a stint and have done consulting on the side during some of my previous positions.
The day you stop learning is the day you start becoming obsolete.
<<

S3curityM0nkey

User avatar

Jr. Member
Jr. Member

Posts: 89

Joined: Mon May 16, 2011 6:47 pm

Post Wed Oct 10, 2012 6:19 pm

Re: Starting Your Own Company.....

Good advice ajohnson. I have run a company as well and know how much work is involved in getting it off the ground and then keeping it going!
<<

rattis

User avatar

Hero Member
Hero Member

Posts: 1172

Joined: Mon Jul 27, 2009 1:25 pm

Post Thu Oct 11, 2012 12:20 am

Re: Starting Your Own Company.....

I read this one back in the day (After being let go from a large telco company).
http://www.amazon.com/From-Serf-Surfer- ... 0782126618

There was another one, even older, that I read. I don't remember what it was called. It was written by an electrical engineer who went in to photography consulting if I remember right.
OSWP, Sec+
<<

Seen

User avatar

Full Member
Full Member

Posts: 137

Joined: Mon Aug 30, 2010 1:05 am

Post Thu Oct 11, 2012 1:55 am

Re: Starting Your Own Company.....

I actually decided to start my own web pentesting company last month.  For the past 2 years, I've been doing consulting work for various start-ups while looking for a full-time job.  2 months ago I did a pentest on my friend's website and got a nice amount of money for it (despite the fact that I offered to do it for free).  As a result, I decided to try and see if I could make any money doing pentesting for other sites.  However, I'm having trouble finding that second client.

Besides using word-of-mouth with my friends, for the past 3 weeks I've been looking for sites that have obvious security holes (like a login system without HTTPS) and sending out e-mails.  I've gotten responses from 2 websites, both of which basically said, "We know and we don't care."

This past week, in addition to searching for those kinds of sites, I've been attempting to find freelance security jobs, but I haven't found anything useful.  If anyone has any advice, please let me know.

On the bright side, most of my interviews involve me going through 3-5 phone interviews, then flying out to the company before getting rejected.  So not finding clients is a lot less frustrating, and a lot less work, than not finding a job!
Sec+, eCPPT
<<

sternone

Full Member
Full Member

Posts: 129

Joined: Tue Aug 07, 2012 1:31 am

Post Thu Oct 11, 2012 5:06 am

Re: Starting Your Own Company.....

Starting your own business is a great thing to do.

you have basically 2 types of Entrepreneurs:

The ones that start a business to make a living
The ones that start a business to become the next billionaire (so they think)

I assure you, being a pentester will maximum be the first one.

The second ones usually blow up within a year or 2,3 max. I'm not investing in those business anymore, I lost too much money so far with several failures.

The first type of business is still a good business. The book advise on the million dollar consultant is a good book.

I have actually a friend who is a very senior consultant in IT, call it a top Java specialist, used to be with Sun but is on his own the last 4 years and he is invoicing his personal consulting services for more than 1 Million $ a year. We don't see him very often. He's all over the world. So it is possible. I would never want his life. Never. He's actually not living. He's consulting.

I would say if possible start small with a minimum of investment. If possible do it as a side job. The best consultants who work on payroll and who want to become independent still can work for their previous boss usually. that's my experience.

Good luck. You will need it. Just remember my words: start small, low cost and invoice your customers quickly.  ;D
Try harder....hmpf!!
<<

prats84

User avatar

Jr. Member
Jr. Member

Posts: 73

Joined: Thu Nov 18, 2010 7:03 pm

Post Thu Oct 11, 2012 5:50 am

Re: Starting Your Own Company.....

SecurityMonkey wrote:
What advice would you give to someone on the forum who is thinking of starting up there own company or working as a consultant?




Apart from the being good at the skills you are offering, one major think is marketing. Security being a tough competition, as many skilled people offering their service, marketing is a Big Must. There must be something to make you stand out shining from the competition.
I would spend majority of my capital 'initially' in marketing, because only when you sell u earn and u learn.

Start with 'FREE' we all love it when its free. Look at everything around as case study,

Metasploit- Started as free (still community version is free) but then added certain Pro products which make a 'buck'

SecurityTube- Started as providing infosec education at no cost and still does provide a huge set of topics for free. Once successful started infosec certifications at a low price, again making a buck.

All those guys might have not started the project to make money initially but we all know how over the years some of free products have developed into industry must haves.




Always plan long term and always innovate.


Just my 2cents.
Image
<<

dynamik

Recruiters
Recruiters

Posts: 1119

Joined: Sun Nov 09, 2008 11:00 am

Location: Mile High City

Post Thu Oct 11, 2012 11:17 am

Re: Starting Your Own Company.....

Seen wrote:If anyone has any advice, please let me know.


What are you doing to get your name out there? Are there any local ISSA, ISACA, OWASP, etc. meetings you could speak at? Focus on establishing a solid reputation; don't just knock on doors and ask for work.

prats84 wrote:Security being a tough competition, as many skilled people offering their service, marketing is a Big Must. There must be something to make you stand out shining from the competition.


Actually, one of the most significant problems is the amount of unskilled people that are offering these services. There's an abundance of charlatans passing off copy-pasted Nessus reports as "penetration tests." I even saw one assessment where the consultants made a huge deal out of two systems that were in fact their own systems that they included in the scan on accident.

A lot of organizations are having these services performed to satisfy a compliance check box. How are you going to position your quality services against others' that cost a fraction of what you charge when the customer doesn't care about quality? I think there's a huge gap between the amount of work available and the amount of legitimately skilled practitioners.  
Last edited by dynamik on Thu Oct 11, 2012 11:19 am, edited 1 time in total.
The day you stop learning is the day you start becoming obsolete.
<<

Seen

User avatar

Full Member
Full Member

Posts: 137

Joined: Mon Aug 30, 2010 1:05 am

Post Thu Oct 11, 2012 12:59 pm

Re: Starting Your Own Company.....

ajohnson wrote:
What are you doing to get your name out there? Are there any local ISSA, ISACA, OWASP, etc. meetings you could speak at? Focus on establishing a solid reputation; don't just knock on doors and ask for work.



'm not actually trying to be part of the security community.  I'm trying to go after small businesses and start-ups that have no idea they need security.  Sites that don't use HTTPS and send credit card numbers in plaintext for example.  There's definitely a market for that, but I'm trying to figure out how to market to people who don't have any idea of the security risks.
Sec+, eCPPT
<<

dynamik

Recruiters
Recruiters

Posts: 1119

Joined: Sun Nov 09, 2008 11:00 am

Location: Mile High City

Post Thu Oct 11, 2012 1:13 pm

Re: Starting Your Own Company.....

Seen wrote:
ajohnson wrote:
What are you doing to get your name out there? Are there any local ISSA, ISACA, OWASP, etc. meetings you could speak at? Focus on establishing a solid reputation; don't just knock on doors and ask for work.



'm not actually trying to be part of the security community.  I'm trying to go after small businesses and start-ups that have no idea they need security.  Sites that don't use HTTPS and send credit card numbers in plaintext for example.  There's definitely a market for that, but I'm trying to figure out how to market to people who don't have any idea of the security risks.


The same concept applies. Join the local Chamber of Commerce and/or find other events where you can interact with local business owners.
The day you stop learning is the day you start becoming obsolete.
<<

rattis

User avatar

Hero Member
Hero Member

Posts: 1172

Joined: Mon Jul 27, 2009 1:25 pm

Post Thu Oct 11, 2012 3:50 pm

Re: Starting Your Own Company.....

Seen wrote:
ajohnson wrote:
What are you doing to get your name out there? Are there any local ISSA, ISACA, OWASP, etc. meetings you could speak at? Focus on establishing a solid reputation; don't just knock on doors and ask for work.



'm not actually trying to be part of the security community.  I'm trying to go after small businesses and start-ups that have no idea they need security.  Sites that don't use HTTPS and send credit card numbers in plaintext for example.  There's definitely a market for that, but I'm trying to figure out how to market to people who don't have any idea of the security risks.


You need to think of it from their perspective. How many people do you think contact them on a regular basis for these "Services".

If they're doing anything PII (HIPAA, CreditCard, Banking, etc) and not doing HTTPS, and you and show it without "being evil" (BE ETHICAL), then you might want to let the agency that is concerned with that know (the ones you report to with violations).

As for ISACA, ISSA, etc, you're gutting yourself from the word go. Not everyone that goes to them know everything, and some are looking for help from other people. #misec is made up of several skilled people (100 or so of us), and we all have our specialties. We  also leverage the others in the community for help. You may meet someone that needs or wants a web app pen test, but doesn't have the skill in house and willing to hire you if you have the references to back you up.
OSWP, Sec+
<<

sternone

Full Member
Full Member

Posts: 129

Joined: Tue Aug 07, 2012 1:31 am

Post Thu Oct 11, 2012 7:08 pm

Re: Starting Your Own Company.....

This is a fun niche in the IT industry.

What many don't understand is that it's absolutely not easy to find a job. I think it's easier to make a buck to provide training to people than to actually make a living doing pentesting on a daily basis.

I have customers who need pentesters. I do this because of my customers question.

There is no way my customers are going to trust somebody else to sneak around and provide some report about it. That's the whole thing in this industry. TRUST is everything. That's where the power is.
Try harder....hmpf!!
<<

S3curityM0nkey

User avatar

Jr. Member
Jr. Member

Posts: 89

Joined: Mon May 16, 2011 6:47 pm

Post Thu Oct 11, 2012 7:25 pm

Re: Starting Your Own Company.....

sternone wrote:
What many don't understand is that it's absolutely not easy to find a job.



I agree! It's so hard....  :'(
<<

prats84

User avatar

Jr. Member
Jr. Member

Posts: 73

Joined: Thu Nov 18, 2010 7:03 pm

Post Thu Oct 11, 2012 7:28 pm

Re: Starting Your Own Company.....

ajohnson wrote:


Actually, one of the most significant problems is the amount of unskilled people that are offering these services. There's an abundance of charlatans passing off copy-pasted Nessus reports as "penetration tests." I even saw one assessment where the consultants made a huge deal out of two systems that were in fact their own systems that they included in the scan on accident.



Strongly agree with you. Its not just limited to Penetration Testing but also to the Infosec education being offered.
Image
<<

S3curityM0nkey

User avatar

Jr. Member
Jr. Member

Posts: 89

Joined: Mon May 16, 2011 6:47 pm

Post Thu Oct 11, 2012 7:34 pm

Re: Starting Your Own Company.....

prats84 wrote:
ajohnson wrote:


Actually, one of the most significant problems is the amount of unskilled people that are offering these services. There's an abundance of charlatans passing off copy-pasted Nessus reports as "penetration tests." I even saw one assessment where the consultants made a huge deal out of two systems that were in fact their own systems that they included in the scan on accident.



I would not limit this to just Infosec... I have found that a lot of the IT guys I have worked with claim to have this cert and that training but in the real world they don't have a clue! Training in Inforsec and IT has become such a HUGE money spinner that every man and his dog wants a part of it.

Strongly agree with you. Its not just limited to Penetration Testing but also to the Infosec education being offered.

Next

Return to Career Central

Who is online

Users browsing this forum: No registered users and 0 guests

.
Powered by phpBB® Forum Software © phpBB Group.
Designed by ST Software