I currently work as a PHP/MySQL programmer for a track and tracing company. I love the job and I learn more and more every day. I have a wide range of responsibilities going from programming to application support, stretching out to system administration (Linux) and networking.

I already ordered a load of security related books, and the subject really intrigues me.

  • SSL AND TLS - Building and Designing Secure Systems (Rescorla, E)

  • Cross Site Scripting Attacks: Xss Exploits and Defense (Seth Fogie, Grossman Jeremiah)

  • Gray Hat Hacking, Second Edition (Shon Harris, Allen Harper, Chris Eagle, Jonathan Ness)

  • Security Warrior (Peikari, Cyrus, Chuvakin, Anton)

  • Reversing: The Hacker's Guide to Reverse Engineering (Eilam)

I was wondering how one would pursue a freelance career in this field of work?

Other questions on my mind are:

Is certification worth the cost?

What are the most looked-for skills in the security freelance world? (Pentesting, Rev Engineering, etc.)

All input is happily received.

Thanks!

+1  A: 

An obvious option for you would be further schooling pursuant to a Bachelor's or Master's degree with a focus on Cybersecurity or Internet Security. If you have a Bachelor's degree, perhaps a Master's degree might be the perfect next step in your endeavor. Check out schools near you and see what they offer.

As for certifications, it shouldn't hurt. But, IMO, a degree holds more value.

jinsungy
+1  A: 
Cheekysoft
+3  A: 

For a freelance position, I think there are a few key elements:

  • Getting good at the job - knowing enough both broadly and in specific detail in some specialized areas, to be good at consulting. The people I know who are best at this come from having hardcore hands-on security experience as regular employees in a business domain and then leveraging that knowledge as consultants.
  • Good communication - you have to be able to sell the customer on why your solution makes sense. This means being a teacher and a salesman at the same time. The most successful people I've seen in this area manage to combine charisma, a degree of arrogance, and really good explanation skills.
  • Good business sense - all freelancing means some degree of managing yourself as a business. You're not just an engineer, you have to manage to sell your skills as a business service. Security has a particular spin - you need to sell companies on the fact that you will decrease security threats to the company. That means two things - first, showing that you are talented enough to reduce their risk from outside threats, second, convincing them that you are ethical enough not to be a threat yourself.

One big thing to consider if you are considering a security freelance consulting line of work is bonding. Like a locksmith, but as a cybersecurity professional -- having a 3rd party insure you so that prospective clients know you are trustworthy. Certifications typically don't offer a guarantee that you are honest, they merely provide some degree of assurance that you are smart (at least smart enough to pass the certification process).

At the same time, you'll want to learn enough about the law to protect yourself. How you manage and communicate what you know and how you develop your contract paperwork protects you from litigation. And being able to tell clients why you work the way you work, and why that protects them as well as you, will go a long way to establishing your credibility.

Certificates are good selling points depending on industry. For example, right now there's a big push for ISC^2 certifications in government contracts. But it strongly depends on the industry which certification is the really important certification. And they go in and out of vogue.

bethlakshmi