What Does a Security Consultant Do?
The Short Version
A Security Consultant is the IT equivalent of Obi-Wan – advisor, guide and all-round security guru.
In your role as an expert consultant, you will design and implement the best security solutions for an organization’s needs.
Security Consultant Responsibilities
Each institution will be dealing with unique IT security threats, so your day-to-day tasks can vary greatly. You may be required to:
- Determine the most effective way to protect computers, networks, software, data and information systems against any possible attacks
- Interview staff and heads of departments to determine specific security issues
- Perform vulnerability testing, risk analyses and security assessments
- Research security standards, security systems and authentication protocols
- Prepare cost estimates and identify integration issues for IT project managers
- Plan, research and design robust security architectures for any IT project
- Test security solutions using industry standard analysis criteria
- Deliver technical reports and formal papers on test findings
- Provide technical supervision for (and guidance to) a security team
- Define, implement and maintain corporate security policies
- Respond immediately to security-related incidents and provide a thorough post-event analysis
- Update and upgrade security systems as needed
A lot of these responsibilities will depend on the terms of your consulting contract. For example, some companies may expect a consulting firm to monitor and maintain any security plan that is implemented.
In a large organization, you will typically collaborate with IT Project Managers and/or a Security Manager.
Security Consultant Career Paths
To become a Security Consultant, you should consider gaining your work experience in intermediate-level security jobs such as:
If you’re looking for a bump in pay and the chance to lead a large team, these jobs are logical next steps:
The highest seniority and pay generally comes with being a:
The term “Security Consultant” is a fairly broad one. You may also find the job referred to as:
- Information Security Consultant
- Computer Security Consultant
- Database Security Consultant
- Network Security Consultant
As you would expect, Database Security Consultants are tasked with protecting databases; Network Security Consultants advise on network-related security issues.
Security Consultant Salaries
According to Payscale, the median salary for a Security Consultant is $80,072 (2014 figures). Overall, you can expect to take home a total pay of $46,384 – $146,663. This includes your base annual salary, bonuses, profit sharing, tips, commissions, overtime pay and other forms of cash earnings, as applicable. Higher figures do not include benefits.
Security Consultant Job Requirements
All Security Consultants must understand IT security from the ground up. That means organizations and consulting firms will require – at minimum – a bachelor’s degree in Computer Science, Cyber Security or a related field (e.g. Engineering).
Don’t have a technical undergraduate degree? Gauge whether gaining a master’s degree with a concentration in IT Security would help. You’ll need to add significant work experience, training and certifications to impress employers.
Security Consultants are expected to have at least 3-5 years of professional experience before companies and organizations will consider hiring them.
Since the job of a Security Consultant covers the waterfront, technical knowledge is paramount. Here are a variety of hard skills that we’ve found employers requesting:
- IDS/IPS, penetration and vulnerability testing
- Firewall and intrusion detection/prevention protocols
- Secure coding practices, ethical hacking and threat modeling
- ISO 27001/27002, ITIL and COBIT frameworks
- PCI, HIPAA, NIST, GLBA and SOX compliance assessments
- Windows, UNIX and Linux operating systems
- Performance tuning of views and indexes, SQL and PL/SQL
- Application security and encryption technologies
- C, C++, C#, Java or PHP programming languages
- Subnetting, DNS, encryption technologies and standards, VPNs, VLANs, VoIP and other network routing methods
- Network and web-related protocols (e.g., TCP/IP, UDP, IPsec, HTTP, HTTPS, routing protocols, etc.)
- Advanced Persistent Threats (APT), phishing and social engineering, network access controllers (NAC), gateway anti-malware and enhanced authentication
It goes without saying that great leadership and negotiation skills are going to be helpful in this job. Companies are also looking for candidates with excellent oral and written communication abilities. Talking to clients and working with diverse IT teams requires patience and tact.
Like Security Architects and Security Engineers, Security Consultants are creative builders, complex problem-solvers and savvy analysts. You’ll be dealing with a huge range of variables when you design and assess security systems.
Certifications for Security Consultants
The most important acronym you need to know is IAPSC (International Association of Professional Security Consultants). Companies may require proof of IAPSC membership before hiring you.
Also check out certifications such as:
- GIAC Security Certifications
- OSCP: Offensive Security Certified Professional
- CSC: Certified Security Consultant
- CPP: Certified Protection Professional
- PSP: Physical Security Professional
- CISSP: Certified Information Systems Security Professional