An Introduction to Consulting as a Service

What is security consulting, and do clients actually require security consulting services?

5 min read · Written by Grant Rayner on 02 Aug 2023


For many of you starting a business as an independent security professional, one of your default approaches may be to establish yourself as a ‘consultant’ and offer ‘consulting services’ to your clients.

What is consulting as a service, and is it something you should be doing as an independent security professional?

In this article, I’ll be exploring consulting as a service. I’ll define consulting and explain how consulting differs from other services. I’ll also provide examples of services that are consulting and others that are not. I’ll wrap up by discussing whether clients actually require security consulting services (spoiler alert: many don’t).

What is consulting?

In the context of your work as an independent security professional, consulting can be defined as a professional service provided by experts who have skills and knowledge in a particular field, aimed at solving problems, providing advice, improving performance, or facilitating decision-making.

As a consultant, you will be expected to use your expertise to identify problems, analyse underlying issues, and then recommend solutions in your area of specialisation.

How is consulting different from other services?

There are a few ways we can distinguish consulting from other services:

  • Expertise. The primary value of consulting lies in the specialist knowledge and experience of the consultant. While other services may focus on delivering a product or performing a specific task, consulting is all about leveraging your intellectual capital.
  • Problem-Solving Focus. Consulting is often centred around identifying problems and proposing solutions to those problems. This distinguishes consulting from other services that have predefined or routine outcomes (such as physical security assessments, for example).
  • Customised Service. Unlike many services that can be standardised, consulting is typically tailored to the individual needs of each client. As you’ll learn in subsequent articles, customisation can be one of the key limitations of consulting as a service.
  • Advisory Role. As a consultant, you typically won’t implement solutions. Instead, your role will be to advise your clients on what needs to be done. The client will then accept (or reject) your recommendations and implement them in their own time. This contrasts with many other security services where you are the one actually carrying out the task.
  • Impact on Strategy and Operations. Consulting projects often aim to impact strategic direction and operations of a business, whereas other services may be more tactical or operational in nature.
  • Client Involvement. Consulting usually requires significant interaction with the client to understand the problem. Other services may not require the same level of client engagement.

Following from these points, my contrarian view is that not as much real consulting is done in the security space as we might think. Most ‘security consultants’ provide services, but don’t actually do true consulting, based on the definition above.

It’s useful to consider the types of services offered by strategic consulting companies like McKinsey and BCG, who typically get involved with major change management projects that will have tangible impacts. These impacts invariably either boost revenue or save cost. Most security consulting projects achieve neither of those objectives.

Let’s drill down a bit further to look at examples of consulting services and contrast them with the other types of services you may provide as an independent security professional.

Examples of consulting services

As you define the services your business will offer its clients, there’s value to be gained by understanding what is consulting and what isn’t. Here’s some thoughts on the delineation:

  • Writing or reviewing plans and procedures. Writing or reviewing plans and procedures is not consulting. However, if you were to guide a client on their overall approach to establishing a particular capability, which involves developing plans and procedures, that’s consulting. Also note that most security professionals will develop plans and procedures based on existing templates, which is closer to offering a productised service than offering a highly customised consulting solution.
  • Conducting security risk assessments. Conducting a security risk assessment is a routine service and is not consulting. Working with a client to build a risk assessment framework tailored to the needs of their organisation is consulting.
  • Conducting a physical security assessment or audit. Ticking off points on a checklist and writing a short summary of actionable recommendations is not consulting. However, developing the framework for a security assessment or audit programme is consulting. You could probably argue that conducting a physical security assessment and then providing a benchmarking assessment based on industry best practices is consulting.
  • Analysis. Analysis meets many of the criteria for consulting, but I’d argue that it’s not consulting—it’s analysis. Analysis is sufficiently important to warrant its own category as a service. You could provide a consulting service to a client to understand their requirements for information and provide recommendations on what information services would be most appropriate for their needs.
  • Investigations. Investigations are not consulting. As with analysis, investigations warrant their own category as a service. You could certainly consult to a client on an approach to an investigation, but the actual conduct of an investigation is, well, an investigation.
  • Training and exercises. The design and delivery of training and exercises are not consulting. However, working with a client to understand their training needs, and developing policies around training and exercises, is consulting.

As you might have noticed, there’s a substantial amount of synergy between consulting services and other related services. You certainly shouldn’t ignore services that don’t fully meet the definition of ‘consulting’. For example, you could consult to a client to help them build a risk assessment framework. Once the framework is in place, you could offer an annual service to help them complete the risk assessment. You could also run ongoing training in the use of the risk assessment framework. More on these approaches in later articles.

I’ll wrap up this article by focusing on the ten million dollar question: do clients actually need consulting services?

Do clients need security consulting services?

Many companies benefit from the use of consultants. However, the fact is that rarely will a company hire a security consultant to help them solve a problem that has an impact on strategy and operations. Most security consulting projects don’t drive significant change and have minimal impacts on strategy.

Similarly, many ‘security consulting’ projects don’t involve significant interaction with the client. Often the entire reason the client hires a security professional is to not get involved in the delivery of the service. In many cases, the client will have the expertise to do the work themselves, but they may not have the bandwidth to do so. It could also be as simple as the corporate security team just doesn’t want to do the work and may see their time put to better use elsewhere. Possibly a combination of both reasons.

Some services are also more suited to using an external service provider, such as training and assessments (neither of which qualify as ‘consulting’ work based on our definition above).

In cases where a client has a large and capable security team, they’re less likely to need the support of an external security consultant. They already have the necessary expertise in house.

It follows that, where a client has a poorly staffed or inexperienced security team, there might be opportunities to deliver valuable consulting services. However, if an organisation hasn’t made the effort to build a robust security function, it may be that they’re not that interested in security and have little need for additional security services unless there’s an incident. They probably don’t know what they don’t know, hampering their ability to define their needs.

There’s also a scenario where the client may not have a security function and may need external consulting support. In my experience, however, this type of situation only arises when there’s been a major incident and the client is scrambling to make sense of what happened and deal with the consequences.

Probably not the rosiest picture, but that’s an accurate view of the landscape. Even the larger security consulting companies don’t get as many true consulting projects as you may think. Most serious security projects tend to be managed in house.

Wrap up

This article has provided an introduction to security consulting as a service.

Next week, I’ll focus on some of the advantages and disadvantages of security consulting as a service. I’ll also raise the question of whether you, as an independent security professional, should even offer security consulting services.