With over 750,000 open cybersecurity positions in the U.S. alone, tech professionals looking to establish or advance in a cybersecurity career have numerous options. It’s a significant reason why the role of cybersecurity consultant has gained new traction in the marketplace and offers a perch for further advancement—whether working in-house for one organization or multiple clients.
Cybersecurity consultant (also known as a security specialist, security consultant or information security consultant) is listed as one of the top titles on the CyberSeek cybersecurity career site, with nearly 23,000 open positions posted in the U.S.
As with other cybersecurity positions, there’s no one set definition of what a cybersecurity consultant does or is responsible for; industry experts note the job description varies depending on the individual tech professional and the needs of a particular organization.
This consulting role can include helping companies evaluate and implement various security applications and solutions. Cybersecurity consultants can also help with employee and staff training as well as establishing policies and procedures that can better secure networks, infrastructure and data.
The reasons for the growth of the cybersecurity consultant position vary, but industry insiders note that increasing threats (both internal and external) as well as government regulations and a lack of skilled security professionals have made the position a must-have for many organizations.
“The market for these positions is rapidly growing as a direct result of the increasing frequency and sophistication of cyberattacks and the recognition of cybersecurity in an organization,” George Jones, CISO at Critical Start, recently told Dice.
“Not only are growing threats driving this growth, increasing compliance requirements and skills shortages are increasing the market for individuals with the right skills and experience to help companies improve their posture,” Jones added. “I expect the market to continue to grow as more organizations seek to protect their assets from an increasing range of threats.”
Cybersecurity Consultant: By the Numbers
Currently, CyberSeek lists cybersecurity consultant as a mid-level position that offers a gateway to more advanced titles in the security field, including cybersecurity architect, cybersecurity engineer and cybersecurity manager.
The salary is not as high as some of the more advanced positions, but still lists at $92,900 on average, according to CyberSeek. About 65 percent of all cybersecurity consultants hold a bachelor's degree, while 24 percent have more advanced degrees such as a master’s degree.
In terms of skills, cybersecurity consultants should have one or more of these certifications:
- Certified Information Systems Security Professional (CISSP)
- Certified Information Systems Auditor (CISA)
- CompTIA Security+
- SANS/GIAC Certification (Various)
- Information Systems Certification
“Effective communication, consulting and sales skills are also key to success in this role as you must be able to effectively communicate complex security concepts to both technical and non-technical stakeholders at the same time and across multiple levels of a company,” Jones added.
Cybersecurity Consultant: Working In-House or For Multiple Clients
As the title implies, a cybersecurity consultant tends to be either an independent contractor or a consulting firm employee with multiple clients and organizations that he or she works with at any given time.
Over the last several years, however, a cybersecurity consultant can also be a full-time employee of an organization who fulfills multiple roles within the larger security team, noted Guillaume Ross, deputy CISO at JupiterOne. No matter the specifics of the role, tech professionals who want to become cybersecurity consultants need a combination of technical and soft skills to sell themselves to clients and employers.
“To become a consultant, you need soft skills on top of technical skills,” Ross told Dice. “Being a consultant requires being able to sell oneself, and being able to interact and communicate clearly with management and executives. Those working for larger consulting companies will usually benefit from a sales organization and an existing client base, while those going indie will definitely need to hustle.”
In many instances, consultants offer insight into integrations between various security solutions and platforms. They also know what newly available security offerings an enterprise needs to secure its data and networks.
Since security teams often have their hands full with managing deployed security solutions and putting safeguards in place against the latest attacks, staying on top of new capabilities or products is often left to consultants working in-house or for a firm on a contract, said John Yun, vice president for product strategy at ColorTokens.
“Knowledge of the latest product offerings and new innovations from cybersecurity vendors is a must for cybersecurity consultants. Understanding the direction and convergence of different cybersecurity categories is also a key data point for cybersecurity consultants as it has a direct correlation with how enterprises may budget for future cybersecurity deployments,” Yun told Dice. “Consultants with working knowledge of having deployed various cyber security solutions in the past offer the most relevant experience that can help avoid pitfalls. Many of these pitfalls can only be identified in actual deployments.”
Gary Schafer, CEO of Grypho5, also noted that cybersecurity consultants need a wide-ranging background to fit the needs of employers or clients. This includes not only knowledge of applications and trends but also how best to implement security policies.
“Cybersecurity professionals are most desirable when they have command of and experience with a range of tools, systems, applications and infrastructure configurations, both for use in conducting their jobs and in the context of testing organizational vulnerabilities,” Schafer told Dice. “Job postings could have a wide variety of specific experience and skills requests depending on the role, the existing environment or clients they will serve, and duties they will be expected to perform. The cybersecurity consultant position is broad and can cover a wide range of proactive security counsel, testing and strategic planning activities.”
Cybersecurity Consultants Need Python, Oracle Skills
While cybersecurity consultants need to know the latest security trends, CyberSeek lists Python and Oracle as two of the top 10 skills needed for this position. Reasons vary for this, but having a background in these two skills can make a difference when it comes to hiring and advancement.
In his estimation, Ross noted cybersecurity consultants need to know Python and Oracle for two distinct reasons:
- A lot of "consultants" are also penetration testers, hired by companies to target their enterprise environments, which include Oracle; knowing Python is an obvious advantage in terms of automation and exploit development.
- Oracle is also common in large organizations that hire many consultants and contractors, and many security teams are looking to hire people with development skills to come in, automate something and leave. If that's the case, then someone with serious skills in security and development could find a niche in "cybersecurity process automation."
Cybersecurity consultants also need to know how to make various systems work and integrate, which is another reason Python is in demand.
“Consultants often rely on Python to automate much of the backend operations as well as integrate various products and services together,” Yun said. “Since no two enterprises are alike, consultants often rely on Python to provide the level of customization required, making knowledge of Python a necessity for many consultants.”
Cybersecurity Consultant: Additional Opportunities
For those thinking about exploring cybersecurity consultant roles, Jones noted that the greater emphasis on work-from-home means there are many more opportunities open for tech and security professionals in this area.
“The increased demand for the role has increased opportunity for many as the work can be conducted remotely, opening the possibility of working more efficiently and taking more clients as the engagements can be managed from any location,” Jones added. “The improved performance of collaboration tools has helped make these engagements easier to manage and improved communication with clients and team members.”
Once established as a cybersecurity consultant, other opportunities higher up the security ladder can open. Ross, a former consultant himself, used the position to seek other opportunities.
“I often get asked why I am not a consultant anymore, and my answer is simple: Consulting is a great way of being exposed to many different companies and learning about how security is done in dozens of places, but it's not a great way of enabling and witnessing large-scale change over a long period of time,” Ross noted. “So while you need experience before becoming a consultant, consulting experience then is very valuable for ‘regular’ security jobs as well, and different people will feel differently about those pros and cons.”