
How Building a Security Consulting Practice on the Side Changed My Career

How a nights-and-weekends security consultancy unexpectedly grew into an acquisition and reshaped my career. Plus, lessons on fractional CISO work, vCISO hype, and service-first growth.

A side hustle to help out a friend turned into a full-fledged business, an acquisition, and one of the best career moves I never planned.

I started my first consulting business, (cleverly named) Fraction Consulting, in late 2019 while still working a full-time job. When starting Fraction, I had just landed a role as a “Divisional CISO” at a large U.S. bank that was going through a merger with another large U.S. bank. My day-to-day had gone from running a large security engineering organization focused on data protection, encryption, certificate services, etc., to a newly formed organization that was less technical and more influence-focused.

Divisional CISO might not be a title you’ve heard often. In most companies, the role is known as the Business Information Security Officer or BISO. If you’re not familiar with that title, a BISO is a senior leader guiding a division's security strategy. They connect the centralized security function with the business and report to the business line.

I’ve written a deep dive on the BISO role, including why it looks better on paper than it tends to play out in reality. It’s a position full of accountability but not always the authority to match. You’re responsible for business outcomes without owning the levers to deliver them, creating a ton of friction.

The Divisional CISO role had a lot more visibility with other executives throughout the business than my previous role and was a more outwardly focused role. It was a planned move and even a promotion on paper, but it left me wanting to do more hands-on and impactful security things.

The friction of the role and my missing the security engineering side of things was a big part of what pushed me to try something different.

Building a Bridge, Not an Exit Ramp

After over a decade in traditional enterprise roles, I felt disconnected from the work that originally drew me into security. The farther up you go in large organizations, the more time you spend in meetings and managing personalities rather than actually improving security outcomes. Strategy becomes a paperwork exercise, and execution happens through layers of delegation.

I didn’t have a grand plan or a step-by-step escape from corporate life, but I was looking for a way to regain control of my career. Fraction Consulting was my way of doing just that.

Fraction was designed to be a bridge between large company experience and the needs of smaller companies. It gave me a chance to use what I had learned along the way with strategic planning, program building, years of sourcing and buying cybersecurity products, risk management, and communication with executive teams, and apply it in environments where those skills were needed but not available full-time.

I wanted to do real work again. I also wanted to build a track record that didn’t rely on job titles or brand names. Fraction was how I created experiences where none existed before.

Then COVID hit.

I assumed that would be the end of Fraction (or at least a really long pause). Instead, it became an inflection point that ultimately created Return on Security. But Return on Security might not have happened were it not for what came next with Fraction.

From Side Project to Acquisition

COVID made remote work explode, budgets tighten, and hiring freeze, but cybersecurity needs didn’t go away. On the contrary, they became more urgent in this new, largely untested reality.

Many smaller companies weren’t able to bring on full-time senior staff because all their costs were flipped upside down, so more companies looked for flexible, part-time help. That shift brought fractional leadership to the forefront.

What started as a few client projects quickly turned into something much bigger. Within a few months, I had more work than I could manage alone, and I brought in other consultants to support the demand.

Less than 18 months after starting Fraction, I sold the company to Defiance Ventures and joined them to build out and lead a managed security services offering. I spent nearly a year creating and running that business before moving into a new full-time role (with one of our customers, interestingly enough), this time at a fintech startup instead of a bank.

The experience of starting Fraction, growing it rapidly, and then exiting to Defiance led me to one important conclusion:

If I ever start another business, I won’t do things like that again.

Starting and growing a consulting business is very much a grind. It’s a much faster path to revenue than doing a product, but you’re always incentivized to keep your eyes mostly fixed on landing the next project instead of delivering what’s in front of you. You have bills and people to pay, so you say ‘yes’ to just about any kind of work to keep things moving. It works, but it’s not for the faint of heart.

That’s why I did things differently with Return on Security. It was born from an approach by the mathematician Carl Gustav Jacobi, who famously said, “Invert, always invert.” This approach looks at problem-solving in reverse. Instead of focusing on a specific goal, like “starting my own business,” it became a matter of asking, “How do I avoid doing a business like that again?”

In the end, though, Fraction did what it was meant to do. It helped me make the quantum leap from big to small and fill the “experience gap.” Looking back, a part of this experience gap that I found the most interesting was learning how important fractional security leadership would become in the years to come.

Why Services Are Gaining Ground

It was after my experience at Defiance Ventures that I realized the fractional model had gained traction beyond my own experience. I noticed more and more MSSPs taking a similar approach and bundling vCISO services into their offerings. It made total sense on paper: higher margins, more “sticky” customers, and the ability to land and expand your scope, all of which typically equals more revenue for longer. Looking back, this trend was always inevitable.

I’ve been tracking data on the cybersecurity industry since 2021, and in The State of the Cybersecurity Market in 2024, I called out a growing trend: services companies are getting more attention. Even in a market that still heavily favors products, services have slowly gained more market share and attention.

Product companies raised nearly $12.3 billion in 2024 alone. Services companies raised just $1.7 billion. That gap has always existed. But something else is happening under the surface, and M&A activity tells a different story.

More than half of all cybersecurity acquisitions now involve services businesses. MSSPs and advisory firms are buying one another to gain scale and expand capabilities. Many are layering in software and automation to create hybrid models that blend hands-on expertise with repeatable delivery.

These hybrid models are becoming more common. And they’re working because they meet companies where they are. Not everything needs to be a product. Not everything needs venture scale through code, and I’m telling you it’s OK to shoot your shot.

If You’re Considering the Same Path

I wrote a more detailed breakdown of the day-to-day challenges I faced while building Fraction here:

That post covers how to stand out, build credibility, get customers to buy, and deal with the early-stage work that doesn’t look like your original plan.

This post is about what happens when you follow that plan long enough to see it change your trajectory. I didn’t leave corporate life to start a company. I started a company to figure out what I wanted from my career, and that slight shift in framing changed everything.

If you're thinking about doing something similar, start small. Talk to people. Start with a project. Most importantly, you need to start and not just talk and theorize. Take control of your next move instead of waiting for someone else to hand it to you.

It worked for me and might work for you, too.
