Cybersecurity consultants are the go-to professionals to devise best ways to protect an organization’s critical assets. Their role entails helping clients lower their risk by accurately interpreting and analyzing security risks to implement best practices that can increase protection from cyber threats. They are able to tailor cybersecurity solutions to specific business needs.
All medium-to-large companies and many smaller ones are now making cybersecurity consultants a core part of their resource planning and are investing time and money in hiring professionals able to address the myriad of security threats that present themselves. Whatever is decided, hiring in-house or external, experienced consultants with proper training are becoming a necessity.
A career as a cybersecurity consultant
According to CyberSeek™, the path to becoming a cybersecurity consultant is varied. These mid-level professionals can start as an IT auditor, incident responder, cybercrime analyst or technician as well as a penetration tester or vulnerability expert. Often advertised as a security specialist or consultant, the demand is booming. According to the 2019 (ISC)2 Cybersecurity Workforce Study, “Organizations in North America and Europe are more likely than others to recruit consultants.”
The larger demand comes from cybersecurity consulting firms, as the tendency for businesses is to hire external help for 24/7 coverage without straining their often stretched, understaffed IT departments. Consulting companies, then, are looking for professionals with the right education (most ask for at least a bachelor’s degree). They are especially looking for professionals who can prove specific expertise and updated knowledge.
Becoming a cybersecurity consultant requires a mix of formal knowledge and practical experience and credentials can nicely complement both. Are there certifications that will give you an edge? Yes: subject matter-specific certifications are a concrete way to demonstrate up-to-date knowledge and can help prove your worth to employers looking for specialized professionals.
IT certifications for cybersecurity consultants
The GIAC®️ Security Expert (GSE) certification is considered one of the best GIAC options. It differs from other offers thanks to its practical, hands-on component. According to GIAC, “the GSE will determine if a candidate has truly mastered the wide variety of skills required by top security consultants and individual practitioners.”
Part 1 of the GSE Entrance Exam is a virtual machine, 24-question lab-based exam for which candidates will have a proctor. Professionals will be tested on their skills in general security, incident handling, intrusion detection and analysis.
After passing the three-hour part, the candidate will have to sit for the two-day on-site GSE practical lab, to be completed within 18 months. It’s in this part of the exam that professionals are asked to write a report on an incident response scenario and will then be subjected to a series of hands-on exercises based on five domains: DS and traffic analysis, incident handling, ITSEC, security technologies and soft skills.
Unfortunately, GIAC no longer offers the specific Certified Security Consultant (GCSC) option. However, individuals with the certification at the time the credential was retired will remain listed as Certified Professionals on GIAC’s website and “may continue to refer to the credential on any professional or personal documentation, such as a resume or business card.”
Another great option is CompTIA’s Security+. It assesses baseline cybersecurity skills through a test that includes multiple choice and performance-based questions with an emphasis on hands-on skills. This certification is great for either a security systems administrator or for anyone (a specialist in computer and network security) asked to consult on cybersecurity. Domains covered include topics like threats, vulnerabilities, identity and access management, risk management and cryptography. The certification exam consists of a 90-minute, 90-question test (multiple-choice and performance-based).
The (ISC)² CISSP certification is also ideal for a number of different IT professionals, including not only experienced security practitioners but those in positions such as managers, executives and consultants. The test is based on knowledge of topics such as security and risk management, communications and network security, identity and access management, security assessment and testing. Therefore, professionals planning to make cybersecurity consulting into a career can definitely benefit from acquiring this certification to prove their wide breadth and depth of knowledge in the field. The CISSP exam contains 100 to 150 multiple-choice and advanced innovative questions, with a maximum time of three hours for the examination.
ISACA’s CISM, which is a high-level certification, can open up many opportunities as a principal IT consultant or an information, security or privacy risk consultant. This means that the kinds of jobs that a CISM can get are varied and can lean towards operations consulting.
The certification exam is a four-hour, 150-question test based on the following domains: information security governance, information risk management, information security program development and management and information security incident management.
Another well-regarded option is the CMC® (Certified Management Consultant) certification by the Institute of Management Consultants (IMC) USA, a competence-based professional qualification for individual consultants. To be considered, professionals need to be currently in a consulting position, possess a degree from a four-year accredited college, have positive professional references and pass a written and oral assessment with senior CMC® examiners.
The written ethics and consulting competency exam is administered online and is a 45-minute, two-section test with an ethics section (20 multiple-choice questions) and a core competencies of management consulting section (20 multiple-choice questions). The oral examination is conducted in-person (although phone and Skype options are offered in some cases) by three examiners who, according to the official certification site, are “looking for a positive answer to the ultimate question: ‘Would you want this person to represent you, your practice, and IMC USA to your clients?’” A combination of case studies on client engagement, questions on ethical issues and core competencies are part of this examination.
Professionals can also consider the International Association of Professional Security Consultants (IAPSC) Certified Security Consultant℠ designation for professional, independent security consultants. Obtaining the “CSC℠ “reflects a high level of professionalism, knowledge and integrity, and [has been] the recognized standard for Security Consultants,” the IAPSC says. In order to obtain their credential, a candidate must meet the qualifications and pass “a 100-question multiple choice examination that includes consulting practices, security management, and business ethics.”
Career outlook
Consulting can be a rewarding career in terms of job satisfaction and salary for a person who has the right experience and qualification. Currently, there is a steady demand for cybersecurity professionals who can propose ways to improve an organization’s efficiency, advise clients on how to minimize risk and provide customers with a full range of professional services for business continuity and network resilience.
Consultants are often hired by smaller companies and agencies that cannot afford an in-house security team, but are also employed by larger businesses to provide assistance to security teams and provide an outside perspective.
Work can be demanding with long hours, a requirement for flexibility and often much traveling to clients’ offices.
According to PayScale, the average salary for an IT security consultant is $84,000. However, like any salary, pay will be influenced by many factors — including location. A senior security consultant can earn anywhere between $76,000 and $145,000 in the US.
CyberSeek’s Career Pathway also shows detailed information about the salaries, credentials and skill sets most appropriate and linked to the cybersecurity consultant role.
Conclusion
Considering the shortage of cybersecurity workers when it’s not possible to support a full-time, in-house IT department, employers can count on an outsourced IT consulting service with a team of specialists who can take on this burden to help prevent cyber-related problems before they hamper business productivity. Cybersecurity-as-a-Service consulting firms will ensure that adequate steps are taken to preserve and protect the company’s digital assets. The surge in consulting requests has boosted the demand of professionals who are specialized in advising clients on the best ways to protect their assets.
A cybersecurity consulting career can be fulfilling and rewarding, but in order to have access to the best jobs (and salary), professionals should consider acquiring credentials that can attest to their knowledge and prove their worth.
Sourced from InfoSec