
Thank you very much for joining us, and welcome to my talk: how to start a cyber security consultancy with global reach.

A bit about me. I'm the founder and CEO of Fortsafe. I have 24 years in IT and engineering, a Master's of IT Security and a Bachelor's of Electrical Engineering. I've presented at DEF CON, and in 2020 we came second out of 92 teams in the DEF CON OpenSOC CTF. You can find me on Mastodon and Twitter.

Did you know that cyber crime cost the global community seven trillion US dollars in 2022, and that's expected to rise to 10.5 trillion in 2025? Currently there are 3.4 million cyber security jobs unfilled globally; in the US alone that's 770,000 jobs unfilled right now. That means cyber security consultancies are going to fill the shortfall. So where do clients find quality and trustworthy cyber security consultancies?

Industry has a hiring gap problem: companies are currently only hiring experienced and senior candidates, which effectively leads to a skills shortage. The impact of hiring the wrong candidate can be pretty significant, and the interview process doesn't necessarily surface the best or most trustworthy candidate. That leaves some uncertainty surrounding consultancies that aren't pre-vetted: are they trustworthy, and what about the quality of their work?

Here are some examples of the types of cyber security consulting services: a SOC analyst, a malware analyst, a cyber threat intelligence analyst, and, more commonly, a pen tester and potentially red teaming. On the right we've got the categories from the NIST NICE framework, which basically outlines all the different types of jobs in cyber security that the US is looking for, but it's applicable across most nations.

So I'm here to talk about starting a cyber security consultancy, and I'm going to cover these eight steps: identifying restraints, a shareholders' agreement, company structure, certifications, developing a client agreement, insurance, branding, and contractual agreements.

The first one is identifying restraints. You've got to look through your employment contract and decide whether there's something in there that stops you from working. In Sydney, in New South Wales, in Australia, there may be restrictions that continue to apply after your employment contract ends, so you need to look at what restraints there are, and for some of these you may need to seek legal advice. Most of these are not necessarily enforceable, but they could be if you're an executive and you're taking clients with you to start your own business and stealing something from your existing company. So it's something you need to check to see whether it's a problem.

Next you've got the shareholders' agreement. Say you're starting the consultancy with other people: you're each going to have a number of shares in the company, so you need a legally binding contract between the shareholders that stipulates key information such as the hierarchical structure and the responsibilities of each shareholder. It's recommended to engage a legal professional to oversee all of this.

Now, going into company structure, there are a couple of different types. The first one we're going to cover is the sole trader. That's the simplest and cheapest: you're the sole owner of your business and it's under your name. You can hire employees and it's pretty efficient for tax returns, but the liability is solely on you, including any debt. So if you say or do something that someone wants to sue you for, they can take your house, if you have one.

Next is the company structure. A limited company is a proprietary limited company in Australia. It operates as a separate entity from yourself and it's the premier choice for business owners: your personal assets remain safe, it's more tax flexible, and there's more opportunity for investors and business partners, but there's a bit more complexity to it.

Another type is a trust. You're viewed as one with the trustee, so it's like an investment trust or income trust, and it's often used for holding shares in the proprietary limited company. It's separate from the company, so you might actually have the shares of the proprietary limited company owned by the investment trust, and then you can distribute dividends through the investment trust to the beneficiaries, so the revenue can be distributed throughout. There's enhanced company privacy, but it's a bit more complex: you've got to do tax returns for the trust and for the company as well.

Then another type is a dual structure. This is where you have two companies, a holding company and an operating company, and the owners usually have shares in the holding company. It provides advanced protection, limited liability and enhanced opportunity, but as I said before, these are more complex, and you're not completely protected.

So now you've got your company structure in order, you need to look at what kind of relevant certifications apply to what you're going to be consulting on. Examples include assist, the SANS courses for GIAC, or the CREST certifications for pen testing, and likewise for offensive security. This is a very complex landscape: there are 460 different cyber security certifications as of August 2022, so you're going to have a few different certificates to choose from. I would choose ones that don't overlap: if you're going to spend time on it, you don't really want to be focusing on certifications that don't necessarily lead to the highest level. On the chart you've got the different divisions and categories vertically, and on the horizontal axis you've got the beginner, intermediate and expert levels, so as you go higher up the graph the certificates get harder.

The next thing you need to think about is that clients are going to be engaging you, so you need an agreement the client can use that protects and outlines the business relationship with the client. This protects both entities and is curated to explain the terms of the working relationship; it includes payment terms, mediation clauses and termination clauses.

Okay, so you've got the business, you've got an agreement; now you need to start marketing yourself. You need to go out looking at different ways you can sell the brand, or at least attach branding to your business. That could be anything from just a logo through to social media advertising. This effectively establishes trust and creates client loyalty, and if you've got a fairly common name you can protect it with a trademark. If you're going global, you can hold trademarks for the business name in different regions around the world.

You also need to consider insurance. The key ones you need to consider for consulting are professional indemnity insurance and public liability insurance. Professional indemnity insurance covers you for claims from clients as a result of your mistake or negligence, and likewise public liability is protection in the event that an external party experiences an injury or loss as a direct result of your negligent business practices. These are important. From what I was told, if you join the ACS (Australian Computer Society) you can actually get them cheaper, because it shows that you're part of an industry body. And of course you should have cyber security insurance: you're going to have the client's data on your machines, and if you get hacked or something happens to that data, the client could sue you.

You also need contractual agreements, and that's for any employees or contractors that you hire. This is predominantly the relationship between the consultancy and any employees. The contractual agreement keeps both entities protected and acts as a safety net, and it's recommended to get a lawyer to draft the agreements.

So now you've got your consultancy ready to go. The next question is: where do you find clients? One recommendation is to find overflow work from other consultancies that have big sales teams; they've generated a lot of sales and need someone to do the work, so you could potentially partner with one of these consultancies and take on the overflow work.

Another place is global online cyber security marketplaces. That's bridging the gap between consultants and clients: clients can come to these marketplaces and post projects or jobs, and you as a consultancy can go to these marketplaces and bid for the work. In this case the cyber security marketplaces can provide advocacy, since there are benefits in getting the right cyber security consultant for the client, and it's effectively guiding the consultant and the client through the process. There can also be a phase associated with nurturing: the global online cyber security marketplaces can run workshops, organize meetups, and attend conferences and networking events; they nurture the relationships with the clients and bring more clients onto the marketplace to allow your cyber security consultancy to go and bid for work.

Cyber security marketplaces can be regulated. They can do global police checks, they can validate certifications, they can even provide skill testing to show a badge that you've got a certain set of skills, they can hold video interviews with clients and consultants to vet projects, and they can have rigorous screening processes. These cyber security marketplaces can be an authority on trust: they can act fairly for both clients and consultants, provide honest feedback on what worked, and provide open communication between the marketplace, clients and consultants. So the idea is that these global online security marketplaces can be places that clients come to and trust, providing consultants that have been pre-vetted and can get a rating score that provides a certain level of trust.

Global online security marketplaces can also create opportunities. They can effectively be an outsourced sales team, they can provide advertisements on your behalf, and they can be a platform to showcase skills and work ethic. They can also do things such as podcasts and blog articles to highlight and showcase the different consultancies.

So that concludes my talk. I've gone a little bit quicker than I originally anticipated, because in the past this has gone long. If you want to reach out for more information surrounding how to run your own cyber security consultancy with global reach, please get in contact. You can find me on Mastodon and Twitter, and that's my LinkedIn on the QR code. Thank you very much.