Secrets of Running a Consulting Business

Brian Martin

Thu, 10th January 2013


Speaker Bio 1:
We are delighted to have Brian Martin as our first Hacker Hotshot of 2013. Brian Martin is owner of Digital Trust in Allentown, PA, a small yet powerful Information Security consultancy specializing in civil litigation and eForensics. With an interest in OSINT (open-source intelligence), Brian is an expert penetration tester and security assessment professional.

Brian shared some really helpful information about starting your own security consultancy. This is particularly helpful to our community, since we know that a lot of you are freelance and likely struggle with understanding the full intricacies of tax returns etc.

Brian will help you by talking about the things needed to spin up a viable consulting business, from concepts to funding to growth, and why it's our moral obligation as intelligent humans to take advantage of the possibilities. He talks about how to design a business that will keep you happy and interested (if not entertained), and most importantly, taxes and the games businesses play. Hacking is the appropriate mental state to take into the startup minefield, and while half of startups fail within the first 3 years, there are ways an intelligent person can approach business that improve the situation.

Questions and answers

Max, Concise Courses:
“Can you advise the viewers as to potential niches that you would recommend? By niches we mean SMEs or large corporations. I mean, would you suggest people start after SMEs or larger corporations in regards to generating clients?”

Brian Martin:
I guess it would depend on what type of business we are talking about. If we are talking about information security then if you can get a large corporation then you are in really good shape. Jumping into the large corporation, you would be in great shape because you would get a nice solid stream of income to get started. Just deciding to go after large corporations, in my mind, isn’t going to work because large corporations typically don’t work with sub-contractors.

I do see a lot of things where big companies, someone like an IBM, will reach out to the local market and hit up sub-contractors and use them for certain jobs. [This] could be an “entry-way-in” because you can keep going back. Once you have the business cards then you can go back directly to them.


Max, Concise Courses:
Are you seeing any particular demand for any specific vertical in your experience, for example, retail or hospitality or healthcare, etc.?

Brian Martin:
I think that the verticals aren’t as important as the pieces of those that you are interested in. I mean, if you have a healthcare background then that would be a good angle to pursue or banking, but for instance if your passion is physical security like locks and alarms etc, then I think that retail would be a good place to go, but just as much as banking would make sense. It largely depends on how you are approaching it.


Max, Concise Courses:
Marketing: what is working for you and what can you share with us with regards to client generation, online, offline, social media, etc.?

Brian Martin:
To me marketing is largely a waste of time. I have never done mass mailing and I have a website just because you have to have a website and for email, but we have been doing this three years and we are just creating our first set of marketing materials, which is largely just take-away stuff, so it’s not how I get introduced to the client, or how I meet or find the client, it’s just something I am going to leave with them. It’s all personal – all who you know, everything comes back to that. For example, if you are an employee trying to find a new job – it’s all about who you know. The only thing that we engage in marketing-wise on a regular basis is going to events. We interact with all of the local IT groups, security groups and I sit on the local board of the Chapter of ISC. We go to all the conferences we can go to, not just because they are a blast, but also because you get to meet people, and some of my good partners or jobs are through people that I have met at security conferences; they lead to other jobs. [For example] if they get work they can call you, so I think that anything that has inter-personal interaction is the best approach to marketing.


Max, Concise Courses:
We talked about information security certifications, we offer various training events and certification programs, and so are aware of the discussions as they relate to certain courses, but let me ask, is there a “must have” security qualification to possess as a consultant?

Brian Martin:
No, absolutely not, not at all.


Max, Concise Courses:
Regarding skill-sets, what would you suggest viewers pursue with regards to being able to position themselves to get security consultancy work?

Brian Martin:
That’s a little strange. If you have got the time and you want to focus on some aspect of information security, working hard to become very good at it before you start marketing yourself as capable of doing it would be recommended. You can’t just decide one day to become a pentester; there’s an incredibly complicated field there that takes decades to master the entire thing and I don’t necessarily think that anyone can master the whole thing. People specialize in certain security niches like social engineering, physical security or hacking, but even hacking breaks down into, for example, database pentesting – so picking a piece of it that you can get your hands on and getting very good at it is probably your best way into that market.

The way that we do it here is that we bring people in that have [specific] technical skills. For example, some people have just come out of college with a Bachelor level in IT and we will put them to work scripting, and doing forensics, back-end stuff, and we bring them up to speed on the forensics side of the house because it is simpler than the pentesting side and there is more business there. It is therefore easier to get them profitable and to stand on their own and then cross over into the pentesting side.


Max, Concise Courses:
What do you like doing the least as a small business owner/infosec consultant and conversely what do you love doing the best?

Brian Martin:
I hate figuring out who isn’t going to get paid this week and telling people that I consider to be my friends that they are not going to get all their money this week, so that aspect really sucks. Sometimes clients don’t pay you on time or arguing over things etc., sometimes they are just deadbeats.


Max, Concise Courses:
Cash flow management in other words?

Brian Martin:
Yes, it’s brutal! So, what do I like the most? Breaking things!


Max, Concise Courses:
It’s the physical thing, the pentesting discipline which is your passion. You just love what you do, right!?

Brian Martin:
Yeah, every time you get to that “Aah-ha” moment, whether it’s dealing with electronics or a forensics case or getting into a building, when you hit that success it’s the best.


Max, Concise Courses:
Sounds good to me. Brian, you’re a superstar and I appreciate your time for sharing this wealth of knowledge, and I think we should really do a follow-up here and maybe flesh this one out a little more because I am pretty sure there are a lot of people that want to break out on their own and there is a lot of business out there and more than enough for everybody, so there must be a lot of people that would appreciate some more of your time. I want to wish you all the best for 2013 and I hope you have a huge one and love to get you back on sometime soon.

Brian Martin:
Great, thanks Max.