Starting a Cybersecurity Consulting Business is Easy

Learn practical strategies to overcome common obstacles and successfully navigate the cybersecurity consulting landscape.

A question I’ve been asked a few times:

“What were the main challenges with starting a cybersecurity consulting or vCISO" business?”

Starting a cybersecurity consulting or “vCISO business” is easy.

It's getting traction and making a living off it that's the hard part.

This post is to help anyone who wants to start a cybersecurity consulting business. I'll share the four main things I struggled with and how others might be able to overcome them.

Table of Contents

The TL;DR

The challenges at a high level:

  1. Standing out from the noise

  2. Getting credibility

  3. Getting customers to buy

  4. Doing the work you can get paid for

Embarking on the Cybersecurity Consulting Journey

The Setup

Starting a consulting firm in any industry can be a more complex topic than you might think. Getting started can be very simple and quick. All you need, in most cases, is a computer and someone willing to pay you for your advice.

Getting traction and locking in enough of a sales pipeline to make it a viable business, however, is a whole different story. Consulting businesses are easy to enter, but they can have a steep learning curve to get traction and scale.

There are no simple answers to the universal challenges listed here, and I’ll attempt to explore the nuances that I faced. Here are a few important caveats before we get started:

  • My outcome was not normal.

  • My timeline was not normal.

  • There are many other challenges not listed here for consulting businesses in general.

  • Your mileage may vary depending on what kind of consulting work you do.

My Background

I started my first consulting business, Fraction Consulting, in late 2019 as a side hustle. Fraction Consulting was a one-part vCISO for small and medium businesses and a one-part VC advisory firm.

Prior to starting Fraction Consulting, I had been in traditional Corporate America roles for the previous 13 years in medium and large banks and insurance companies.

Over the years, I started to get the itch to do something entrepreneurial, and it weighed on me daily. I wanted to do more meaningful work, learn new skills, and solve different problems. After so long in traditional corporate roles, the “learning” and the “challenges” had all but stopped for me.

The “work” I did every day was not about making progress towards cybersecurity goals at all. I wasn’t getting the chance to put in place meaningful cybersecurity programs any longer. Instead, I was managing around corporate personalities (and lack thereof).

“The only thing that working in Corporate America prepares you for is how to continue working in Corporate America”

Me

I was underutilized, unchallenged, and unmotivated to do the same kind of work day in and day out. Starting a ”side business” (a business that I worked on before and after my day job) seemed like a ticket to fulfillment. I wanted to use those years of experience to help a different audience and start learning again.

Why a side business instead of going all in?

A side business would provide a safety net, and my corporate job would let me experiment in a low-stakes environment, so I started Fraction Consulting. The “fraction” in Fraction Consulting was a play on words (I always like a play on words). I was going to create a “fractional” cybersecurity consulting business.

I would offer part-time consulting to small businesses and startups who needed cybersecurity guidance. My goal was to work in the margins of my day job to the point where I could scale it up to leave and go full-time on this business.

Fast-forward to early 2020, and COVID happened.

My first thought was, “Well, that was a fun idea. Maybe I’ll pick it back up later after this thing goes away.” Much to my surprise, however, my business accelerated. Remote work and budget constraints at many companies actually worked in my favor. I landed more customers, not fewer. Companies either didn’t want to or couldn’t hire people full-time to do cybersecurity work, so I got the call.

I was fortunate enough to have a strong network of people who referred me along the way. I networked like crazy, even during the pandemic, and kept searching for ways to connect the dots. I quickly had more business than I could handle and had to bring in other part-time consultants to help me with the volume.

Fast-forward to late 2020, and less than 18 months after starting my business, I was in talks to have it acquired. I’d be lying if I said there wasn’t luck and great timing involved here. My most successful strategy came from networking like crazy, providing value whenever I could, and not leaving anything unsaid.

In early 2021, I sold my business to a local venture capital company and came over as their CISO to establish a security consulting and MSSP practice. After running with that new business for 8 months, I pivoted to my next full-time opportunity (a customer of the company that acquired Fraction Consulting) and started another business. That's the business that this blog, Return on Security, is under.

So, what challenges did I face along the way, and how did I manage them? Let’s dive in.

Standing Out From the Noise

Identifying Your Unique Value Proposition

There is so much noise and hype in the cybersecurity space, from product companies to consulting and services firms to analyst reports and the media in general. It's not all bad; there's just a lot of it.

Average consumers get scare tactics and marketing hype trying to sell the latest “silver bullet” solutions. As someone who wanted to sell services in a market where I was the buyer to buying, I wanted to switch things up. I wanted to sell to the proverbial "me" and do it in a way that I would find appealing and approachable.

That seemed easy enough at first (since I know myself), but I realized the potential customers did not. My potential customers didn't understand the difference between what I was selling and a penetration test. They didn't understand the difference between compliance frameworks. They wouldn't understand what was included with "strategy consulting."

In short, these potential customers wouldn't be able to distinguish my firm from any of the thousands of consulting firms. I realized that I was no longer trying to sell to "me." This meant I couldn't rely on what would appeal to me.

I needed to carve out a specific niche and help a specific customer. The quicker I could get to that point, the better. The rest was noise. Many, many other consultants I've spoken to get stuck at this spot.

Conveying Credibility

Your past experience might not help you as much as you think.

When you're starting out with your consulting business, you're starting from square one in a very inefficient way. You don't have credibility, you don't have social proof from your new buyers, and your past work isn't always considered. Also, contrary to some beliefs, you can't fake it. At least not for long.

💡 This isn't to say that imposter syndrome still isn't very real and that you won't have struggled here.

The key is looking at what you want vs. what is true and coming up with a plan on how to close that knowledge and experience gap.

With knowledge and experience comes the confidence to not let imposter syndrome win again.

If you’re working in a corporate cybersecurity role today and want to gain deeper insights into the steps and approaches I personally took to advance my career, I created a really short video course that can help. At the time of writing this update, it’s helped 100+ people in 20+ countries, and I think it could help you, too.

You might think that your past experience tells the best story by itself (I thought this). You might think that your experience at bigger companies makes you more qualified to help smaller ones (I thought this). You might think that smaller companies will jump at the chance to pay for your vast experience. (I thought this).

You might also be very, very wrong (like me).

When you go out on your own, you've got to sell the work AND do the work. This simple balancing act is what breaks many a would-be consulting business. You realize you like doing the work but not all of the sales and business development stuff. Or vice versa.

Remember, you're telling a new story now. It's a story you haven't told as often before, and it's likely not as crisp as your old corporate story. Yes, your previous experience matters, but no one cares about that in this new world. They care about what you can do for them right now.

You have a lot of convincing to do before anyone will care or give you a chance. You need many chances to tell your news story, constantly iterate on your pitch, and cut straight to your value proposition. You need to see what will resonate and what will not.

You also need wins. Wins have a logarithmic impact on your future success.

You need to be able to relate to your potential customers. You do this with empathy and by sharing how you've helped others in their spot (wins). This creates social buy-in and a connection with your potential customers. The more shots you take and the more value you provide, the more wins you can accumulate.

This was an especially hard lesson for me to learn, and it's one where most newcomers mess up.

Getting Customers to Buy

Remember that part about wins? Not all wins may be the win you wanted. When it comes to customers, I tried to group them into buckets:

  • Companies I wanted to sell to

  • Companies that wanted to work with me

  • Companies that I actually worked with

This came as a surprise to me, but the companies in those buckets were not often one and the same.

I found I could win work I didn't want to sell or do, which was really frustrating at first. However, I realized that I needed to be more flexible. I needed the ability to iterate and refine my service offerings as I went. The more potential customers I talked to, the more I understood how to bucket them.

I could extract the customer's motivations, likelihood of paying, and perceptions of the cybersecurity field. This helped me understand whether the job was worth pursuing or passing up. Learning this skill alone was truly invaluable!

Points I learned to pull out when interacting with a potential customer were:

  • What are the customer objectives?

  • Do they have a pain point I can solve?

  • If yes, how bad is the pain (a small headache or migraine)?

  • What does success look like for them?

  • What value do they place on the work (annoying or critical)?

  • How cost-conscious are they?

These questions were leading indicators for me and helped me have better conversations. This helped me shift my focus from what I wanted to sell to what the customer needed to solve. After that, it was a matter of alignment and fit. I learned this on the fly through constant outreach and iteration.

And also lots of failures.

Doing the Work You Want vs. Doing the Work You Can Get Paid For

For this part, I'm going to play a little bit of Bad News vs. Good News.

  • Bad News - You may not be able to make money on your original plan.

  • Good News - That's great; you can move on to find the plan that will.

  • Bad News - You may have to do work you don't want to do.

  • Good News - That work gives you experience you can leverage later.

You've got to stay nimble and constantly readjust. This requires a lot more work than you might think, but it is possible.

Two pieces of advice I got when struggling with this were:

  1. Do the thing you don't want for X months first, and then decide. The worst case is you get experience and you get some money.

  2. Money gives you optionality.

Make some money to give yourself breathing room. Do the work and regroup yourself instead of agonizing over it. Decide if you are or are not going to do that kind of job again. Money lets you think, adjust, and pivot on this front.

Get paying customers first, and then you can start adapting.

Closing Thoughts

I wrestled with all of this as I grew my consulting business on the side. There are way more things to consider here, but these were the main areas I had to work through. I didn’t have a career coach or a blog post like this, so by all accounts, I got very lucky I made it to the other side.

My hope is that by writing this, I can help others not fumble as badly or that they can at least go with their eyes wide open. Becoming aware of these sticking points can't guarantee success, but it will put you on a better track.

Have you had a similar experience starting or running a consulting business? I'd love to hear from you if any of this rings true or what other pitfalls you've faced.

Join the conversation

or to participate.