What Does a Security Consultant Do?
What is a Security Consultant?
A Security Consultant is the infosec equivalent of Obi-Wan – advisor, guide and all-round guru. In your role as an expert consultant, you’ll be able to design and implement the best security solutions for an organization’s needs. You’ll talk to stakeholders, draw up budgets, supervise teams, and get stuck into research. You’ll conduct security tests and probe for vulnerabilities. In other words, you’ll put your technical and interpersonal skills to good use.
A lot of your responsibilities will depend on where you work and the terms of your consulting contract. For example, some companies may expect a security consulting firm to monitor and maintain any security plan that is implemented. Others may just want your skills for a short time period. It’s a role with long hours and deadlines, but it may also expose you to a wide range of security issues. If you like dealing with people (including experts and non-technical folks), it’s worth investigating.
Security Consultant Job Responsibilities
Each institution will be dealing with unique IT security threats, so your day-to-day tasks can vary greatly. You may be required to:
- Determine the most effective way to protect computers, networks, software, data and information systems against any possible attacks
- Interview staff and heads of departments to determine specific security issues
- Perform vulnerability testing, risk analyses and security assessments
- Research security standards, security systems and authentication protocols
- Prepare cost estimates and identify integration issues for IT project managers
- Plan, research and design robust security architectures for any IT project
- Test security solutions using industry standard analysis criteria
- Deliver technical reports and formal papers on test findings
- Provide technical supervision for (and guidance to) a security team
- Define, implement and maintain corporate security policies
- Respond immediately to security-related incidents and provide a thorough post-event analysis
- Update and upgrade security systems as needed
In a large organization, you will typically collaborate with IT Project Managers and/or a Security Manager.
Security Consultant Careers
Security Consultant Career Paths
To become a Security Consultant, you should consider gaining your work experience in intermediate-level security jobs such as:
If you’re looking for a bump in pay and the chance to lead a large team, these jobs are logical next steps:
The highest seniority and pay generally comes with being a:
The term “Security Consultant” is a fairly broad one. You may also find the job referred to as:
- Information Security Consultant
- Computer Security Consultant
- Database Security Consultant
- Network Security Consultant
As you would expect, Database Security Consultants are tasked with protecting databases; Network Security Consultants advise on network-related security issues.
Security Consultant Salaries
According to Payscale, the median salary for a Security Consultant (Computing / Networking / Information Technology) is $83,568 (2019 figures). Overall, you can expect to take home a total pay of $51,191 – $148,992. This includes your base annual salary, bonuses, profit sharing, tips, commissions, overtime pay and other forms of cash earnings, as applicable.
Security Consultant Job Requirements
Security consultancy is not for the neophyte. Employers will want to see a bachelor’s or master’s degree in the field, at least 3 years of work experience, and plenty of technical skills in your application. IAPSC membership and relevant certifications will give your résumé some extra shine.
Finally, take a good, hard look at the job description and the reputation of the company. Not all security consultancy jobs are made equal. Some consultancy firms specialize in certain aspects of security (e.g. robust security architectures, auditing, reverse engineering and pen testing). Others do all kinds of work. And big multinationals may have scores of consultants on their payroll. Reach out to current professionals through networking sites and conferences before you make any decisions. Getting “insider advice” is one of the most effective steps you can take in this arena.
All Security Consultants must understand IT security from the ground up. That means organizations and consulting firms will require – at minimum – a bachelor’s degree in Computer Science, Cyber Security or a related field (e.g. Engineering).
Don’t have a technical undergraduate degree? Gauge whether gaining a master’s degree with a concentration in IT Security would help. You’ll need to add significant work experience, training and certifications to impress employers.
Security Consultants are expected to have at least 3-5 years of relevant professional experience before companies and organizations will consider hiring them.
Since the job of a Security Consultant covers the waterfront, technical knowledge is paramount. Here are a variety of hard skills that we’ve found employers requesting:
- IDS/IPS, penetration and vulnerability testing
- Firewall and intrusion detection/prevention protocols
- Secure coding practices, ethical hacking and threat modeling
- ISO 27001/27002, ITIL and COBIT frameworks
- PCI, HIPAA, NIST, GLBA and SOX compliance assessments
- Windows, UNIX and Linux operating systems
- Performance tuning of views and indexes, SQL and PL/SQL
- Application security and encryption technologies
- C, C++, C#, Java or PHP programming languages
- Subnetting, DNS, encryption technologies and standards, VPNs, VLANs, VoIP and other network routing methods
- Network and web related protocols (e.g. TCP/IP, UDP, IPsec, HTTP, HTTPS and routing protocols)
- Advanced Persistent Threats (APT), phishing and social engineering, network access controllers (NAC), gateway anti-malware and enhanced authentication
It goes without saying that great leadership and negotiation skills are going to be helpful in this job. Companies are also looking for candidates with excellent oral and written communication abilities. Talking to clients and working with diverse IT teams requires patience and tact.
Like Security Architects and Security Engineers, Security Consultants are creative builders, complex problem-solvers and savvy analysts. You’ll be dealing with a huge range of variables when you design and assess security systems.
Certifications for Security Consultants
The most important acronym you need to know is IAPSC (International Association of Professional Security Consultants). Companies may require proof of IAPSC membership before hiring you.
Also check out certifications such as:
- GIAC Security Certifications
- OSCP: Offensive Security Certified Professional
- CSC: Certified Security Consultant
- CPP: Certified Protection Professional
- PSP: Physical Security Professional
- CISSP: Certified Information Systems Security Professional