Introduction


Information systems security (InfoSec) is a very challenging profession, and these days it commands a good salary, depending of course on one's education and experience. Managers of InfoSec programs in New York City command salaries of $350,000 or more, while London ISSOs are in at least the 80,000 to 100,000 range. Even for cities as expensive as New York City and London, that is not bad. Add the free or minimal-cost benefits and other compensation such as bonuses, and one can see that the profession has come a long way.

However, there is a price to be paid. The price is constantly keeping up with high technology, new protection products, new malicious code, new attack techniques and defenses, and also putting in many long days. Those should be the fun, challenging parts of the job. The parts that may not be so much fun are the people problems that arise when you are an ISSO. Then there are the management meetings, performance reviews, and the like that have nothing to do with InfoSec and everything to do with being part of a corporation.

No, managing a successful CIAPP or InfoSec organization is not a "9 to 5" job. If you are a conscientious and dedicated professional, it can consume your life. So, when one weighs the salary and benefits against the number of hours worked, the job pressures, the stress, the commute, and the lack of personal time, maybe that salary is not worth it. Add to all that the fact that you are not really your own boss. In fact, you may work for one of those bosses one thought existed only in bad movies. You know the type: a boss who demands everything, takes credit for what you do, and blames you when things go wrong. There once was a boss who said with pride, "I don't get stress, I give it." Needless to say, that person was not a joy to work with!

Some like the big city and the challenge of this type of job. Others don't see a way out and feel trapped; after all, their lifestyle has caught up with or even surpassed their salary. For those with a personal career plan, the sacrifice of working as an ISSO in a demanding position may serve them well. Those professionals may take such a job for only a short period, say 3 to 5 years, to build up the experience and credentials they need to go out on their own as InfoSec consultants.

Succeeding in any profession while working for oneself takes a special type of personality. After all, there is no one to keep paying you when you are on vacation, no benefits you don't have to pay for yourself, and if you decide to just hang around the office and not work, you won't get paid for that either. There is no safety net and no paid sick leave. No work, no pay. For the independent consultant, the old saying "time is money" is certainly true. In addition, there is the constant need to maintain contacts (potential customers) and keep up with high technology, and of course there is the almost constant travel.

Some InfoSec technicians and managers have the connections and believe they are well thought of as InfoSec professionals: they are called upon to lecture at conferences, to assist clients with their InfoSec needs, and the like. However, those who do so as members of a large firm, such as a large accounting and consulting firm, tend to believe that it is they personally who draw clients seeking help, when in fact that is usually not the case at all. It is usually the large corporate name that brings those clients to the InfoSec person.

Some InfoSec managers and technicians don't realize this. Then, when they decide to go out on their own as InfoSec consultants, they find that what they thought was a great client base on which to build their business was actually the client base of their former employer, and those clients are not switching to the new firm. Furthermore, there are legal and ethical problems with "stealing" clients from a former employer. When this fact hits them, they find themselves scrambling for clients.

Some advice for those who may be ready to take the InfoSec consulting plunge: objectively inventory your skills and your potential client base, and have at least 2 years of your current salary (including funds for equivalent benefits) safely in the bank. That reserve will carry you for a year or more while you grow your business. If nothing else, it provides an emergency fund for lean times or for when you want to take a week or two of vacation. After all, you now pay for your own days off. And don't forget insurance: "errors and omissions," also known as professional liability insurance, as well as general liability and workers' compensation. Some clients require proof of some or all of these policies before you set foot in the door.

With all that said, if you have the education, experience, business sense, and personality to handle being out on your own, it does offer its own rewards: setting your own schedule and hours, being your own boss, vacationing whenever you like, doing it your way. But wait a minute, that is not completely true. Your hours will be set by your workload and your clients. You will be able to do the work pretty much your way, but only the work that meets the clients' needs. Vacations can be cut short by an urgent client need, and you really can't afford to postpone an urgent client request, because you risk losing the client to a competitor. Payments from clients may be slow in coming, and clients may be shocked by the bill for services rendered, forcing you to negotiate or to have your lawyer negotiate for you. That means additional costs if you can't pass your lawyer's fees on to the client. One thing is certain: when such issues arise, you may eventually get your money, but you will probably never do business with that client again. How many clients can you afford to lose?

So, being an InfoSec consultant looks great on paper and may do your ego good, but after a while the real world takes over. It is a tough life and not for the faint of heart. Before you consider it, be sure you have a good business plan, one that is done objectively. Also be sure you can support yourself and your family without work for extended periods. Yes, it sounds great, but maybe that salary, those working conditions, and that boss weren't all that bad?

However, suppose you have successfully worked your career plan and have developed, over the years, the education and experience that give you the confidence to consider going out on your own as an InfoSec consultant. You have had articles published in magazines, have lectured internationally, and have developed a reputation as a professional ISSO. So you think you are about ready for this career move. If so, you need a plan.




The Information Systems Security Officer's Guide: Establishing and Managing an Information Protection Program
ISBN: 0750698969
Year: 2002
Pages: 204