Starting a Cybersecurity Consulting Business is Easy
A blog post on the challenges I faced when I started my first vCISO cybersecurity consulting business and how I overcame them.
A question I’ve been asked from time to time:
“What were the main challenges with starting a cybersecurity consulting or vCISO business?”
Starting a cybersecurity consulting or vCISO business is easy.
It's getting traction and making a living off it that's the hard part.
This post is to help anyone who wants to start a cybersecurity consulting business. I'm going to share the four main things I struggled with and how others might be able to overcome them.
Pro-tip: If you're looking for a behind-the-scenes look at the day-to-day of what it means to be a vCISO and the lessons learned, check out the Last Week as a vCISO newsletter.
The challenges at a high level:
Standing out from the noise
Getting customers to buy
Doing the work you can get paid for
Starting a consulting firm in any industry can be a more complex topic than you might think.
Getting started can be very simple and quick. All you need, in most cases, is a computer and someone willing to pay you for your advice.
Getting traction and locking in enough of a sales pipeline to make it a viable business, however, is a whole different story.
Consulting businesses are easy to enter, but they can have a steep learning curve to get traction and scale.
There are no simple answers to the universal challenges listed here, but I’ll attempt to explore the nuances I faced.
Here are a few important caveats before we get started:
My outcome was not normal.
My timeline was not normal.
There are many other challenges not listed here for consulting businesses in general.
Your mileage may vary depending on what kind of consulting work you do.
I started my first consulting business, Fraction Consulting, in late 2019 as a side hustle.
Fraction Consulting was one-part vCISO for small and medium businesses and one-part VC advisory.
I was in traditional corporate America roles for the previous 13 years. Over the years, I started to get the itch of doing something entrepreneurial, and it weighed on me daily.
I wanted to do more meaningful work, I wanted to learn new skills, and I wanted to solve different problems.
After so long in traditional corporate roles, the “learning” and the “challenges” had all but stopped for me.
The “work” I did every day was not about making progress towards cybersecurity goals at all.
I wasn’t getting the chance to put in place meaningful cybersecurity programs any longer. Instead, I was managing around corporate personalities (and lack thereof).
“The only thing that working in Corporate America prepares you for is how to continue working in Corporate America”
I was underutilized, unchallenged, and unmotivated to do the same kind of work day in and day out.
Starting a “side business” (a business that I worked on before and after my day job) seemed like a ticket to fulfillment.
I wanted to use those years of experience to help a different audience, and I wanted to start learning again.
Why a side business instead of going all in?
A side business would have a safety net. My corporate job would let me experiment in a low-stakes environment. So I started Fraction Consulting.
The “fraction” in Fraction Consulting was a play on words (I always like a play on words). I was going to create a “fractional” cybersecurity consulting business.
I offered part-time consulting to small businesses and startups who needed cybersecurity guidance.
My goal was to work in the margins of my day job to the point where I could scale it up to leave and go full-time on this business.
Fast-forward to early 2020, and COVID happened.
My first thought was, “Well, that was a fun idea. Maybe I’ll pick it back up later after this thing goes away.”
Much to my surprise, however, my business accelerated.
Remote work and budget constraints at many companies actually worked in my favor. I landed more customers, not fewer.
Companies either didn’t want to or couldn’t hire people full-time to do cybersecurity work, so I got the call.
I was fortunate enough to have a strong network of people who referred me along the way. I networked like crazy, even during the pandemic, and kept searching for how I could connect the dots.
I quickly had more business than I could handle and had to bring in other part-time consultants to help me with the volume.
Fast-forward to late 2020, and I was in talks to have my business acquired less than 18 months after starting it.
I’d be lying if I said there wasn’t luck and great timing involved here.
My most successful strategy came from networking like crazy, providing value whenever I could, and not leaving anything unsaid.
In early 2021, I sold my business to a local venture capital company and came over as their CISO to establish a security consulting and MSSP practice.
After running with that business for 8 months, I pivoted to my next full-time opportunity (a customer of the company that acquired Fraction Consulting) and started another business.
That's the business that this blog, Return on Security, is under.
So what challenges did I face along the way, and how did I manage them?
Let’s dive in.
Standing out from the noise
There is so much noise and hype in the cybersecurity space.
Product companies, consulting and services firms, analyst reports, and the media in general.
It's not all bad, there's just a lot of it.
Average consumers get scare tactics and marketing hype trying to sell the latest “silver bullet” solutions.
As someone who wanted to sell services in a market where I was used to being the buyer, I wanted to switch things up.
I wanted to sell to the proverbial "me" and do it in a way that I would find appealing and approachable.
That seemed easy enough at first (since I know myself), but I realized the potential customers did not know me.
They didn't understand the difference between what I was selling and a penetration test.
They didn't understand the difference between compliance frameworks.
They wouldn't understand what was included with "strategy consulting."
They wouldn't be able to separate my firm from any other of the thousands of consulting firms.
I realized that I was no longer trying to sell to "me." This meant I couldn't rely on what would appeal to me.
I needed to carve out a specific niche and help a specific customer. The quicker I could get to that point, the better.
The rest was noise. Many other consultants I've spoken to get stuck at this spot.
Your past experience might not help you as much as you think.
When you're starting out with your consulting business, you're starting from square one in a very inefficient way.
You don't have credibility, you don't have social proof from your new buyers, and your past work isn't always considered.
Also, contrary to some beliefs, you can't fake it. At least not for long.
💡 This isn't to say that imposter syndrome isn't very real or that you won't struggle here. The key is looking at what you want vs. what is true and coming up with a plan on how to close that knowledge and experience gap. With knowledge and experience comes the confidence to not let imposter syndrome win again. I go into detail on how I bridged this gap myself prior to growing my consulting business in my video course.
You might think that your past experience tells the best story by itself (I thought this).
You might think that your experience at bigger companies will make you more than qualified to help smaller ones (I thought this).
You might think that smaller companies will jump at the chance to pay for your vast experience. (I thought this for a brief moment until the hard reality came to bear 🙄).
You might also be very, very wrong (I was).
When you go out on your own, you've got to sell the work AND do the work. You have a lot of convincing to do before anyone will care or give you a chance.
Remember, you're telling a new story now.
It's a story you haven't told as often before, and it's likely not as crisp as your old corporate story.
Yes, your previous experience matters, but no one cares about that in this new world. They care about what you can do for them right now.
You need a lot of chances to tell your new story. You need to constantly iterate on your pitch, and you need to cut straight to your value proposition.
You need to see what will resonate and what will not.
You also need wins.
Wins have a logarithmic impact on your future success.
You need to be able to relate to your potential customer. You do this with empathy, and you do this by sharing how you've helped others in their spot (wins).
This creates social buy-in and a connection with your potential customers.
The more shots you take and the more value you provide, the more wins you can accumulate.
This was an especially hard lesson for me to learn at first, and it's one where most newcomers mess up.
Getting customers to buy
Remember that part about wins? Not all wins may be the win you wanted.
When it comes to customers, I tried to group them into buckets:
Companies I wanted to sell to
Companies that wanted to work with me
Companies that I actually worked with
This came as a surprise to me, but the companies in those buckets were not often one and the same.
I found I could win work I didn't want to sell or do. This was really frustrating at first.
I realized, however, that I needed to be more flexible. I needed the ability to iterate and refine my service offerings as I went.
The more potential customers I talked to, the more I understood how to bucket them.
I could pull out the customer motivations, their likeliness to pay, and how they viewed the cybersecurity field.
This helped me understand if the job was worth pursuing or passing off.
Points I learned to pull out when interacting with a potential customer were:
What are the customer objectives?
Do they have a pain point I can solve?
If yes, how bad is the pain (a small headache or migraine)?
What does success look like for them?
What value do they place on the work (annoying or critical)?
How cost-conscious are they?
These questions were leading indicators for me and helped me have better conversations.
This helped me move from focusing on what I wanted to sell to what the customer needed solved. After that, it was a matter of alignment and fit.
I learned this on the fly through constant outreach and iteration. And also lots of failures.
Doing the Work You Want vs. Doing the Work You Can Get Paid For
For this part, I'm going to play a little bit of Bad News vs. Good News.
Bad News - You may not be able to make money on your original plan.
Good News - That's great; you can move on to find the plan that will.
Bad News - You may have to do work you don't want to do.
Good News - That work gives you experience you can leverage later.
You've got to stay nimble and constantly readjust. This requires a lot more work than you might think, but it is possible.
Two pieces of advice I got when struggling with this were:
Do the thing you don't want for X months first, and then decide. The worst case is you get experience, and you get some money.
Money gives you optionality.
Make some money to give yourself breathing room.
Do the work and regroup yourself instead of agonizing over it.
Decide if you are or are not going to do that kind of job again.
Money lets you think, adjust, and pivot on this front.
Get paying customers first, and then you can start adapting.
This is what I wrestled with as I grew my consulting business on the side. There are way more things to consider here, but these were the main areas I had to work through.
Becoming aware of these sticking points can't guarantee success, but it will put you on a better track.
Have you had a similar experience starting or running a consulting or vCISO business?
I'd love to hear from you if any of this rings true, or to learn what other pitfalls you've faced.
I'm saying 'no' to most consulting opportunities these days and only accepting the most interesting ones that align with my new goals.
If you think you've got an interesting opportunity to run by me, let's chat.