Today’s post comes from an e-mail I received recently that I feel applies to so many people in information security (shortened for clarity):
I am working in infosec, too, and currently trying to advance my career. Just some information on my background. After working for a few years with security related technologies, I finally felt in 2014 that I have the experience as well as the confidence to become an independent consultant on a contracting basis.
I am now advising CISOs on technology choices, security architecture and GRC matters. I can elaborate risks in business terms if necessary, but I also understand the tech-speak when I am dealing with sysadmins or software developers. I am still heavily exposed to technology as I develop software and manage servers, not necessarily as part of my daily job.
After all these years, I think I have the security skills (the Security Disciplines in your book) at an adequate level; however, I realised that I cannot be that all-around person in the long run. So the next step is specialisation. I find consulting to be a great fit as I enjoy helping others with governance-related activities such as risk management, security policy development, or leading security projects and making architecture decisions.
Is it worth giving up my independence and joining a company like KPMG? I am wondering if I could boost the skills related to consulting in this environment.
Personally, I’ve spent time at very big consulting firms (KPMG), boutique firms (Cigital) and inside both medium and large corporations. Each provides a different learning experience that can be valuable.
As a general rule, I think never working inside a company is a mistake. A consultant has to understand what it’s like to sit on the other side of the desk. I’ve met outstanding career consultants but I feel there is something missing to their recommendations if they’ve never sat in internal meetings and understood the budget and execution processes. (Some consultants have spent so much time at a single client that they figured it out.)
Specific to this reader’s question: is giving up independence to join a big consulting company worth it?
Go back to what you want to specialize in. In this case, it’s risk management. That is a core competency for a company like KPMG. KPMG also tends to focus on very large companies with complex needs, something an independent consultant might not get exposed to.
For application security, companies like KPMG and Accenture are just starting to get their practices set up. My current employer Cigital has deep expertise dating back more than 20 years. You’d find more value joining Cigital than KPMG for the application security space.
And there are countless other examples: firms that specialize in startups, medical devices, identity management, and many other focuses. Think back to what you’d like to grow your career in and match the firm that can best meet those objectives.
You point out you’re giving up the independence of being an independent contractor for the experience. As with all job decisions, it isn’t as simple as weighing one factor.
Overall, I think I’ve learned much more working for consultant companies than if I was out on my own.