Tweet

Jackie 

2 Sep, 44 tweets, 9 min read

@0xBanana

Have you ever wanted to drop out of infosec and become your own defensive consultant? Learn from us and our mistakes.

Some things @0xBanana and I learned running our first startup, a boutique cybersecurity consultancy 2018-2020.

A thread🧵

1/

Having lots of enterprise contacts will only get you so far.

Lg corps who have interesting infosec problems to solve typically won't hire a small consultancy unless they have a decent assurance the risk of doing so is low, and the value which will be gained will be high.

2/

Small to mid-size corps have much, much less interesting infosec problems to solve.

In this category, orgs who happen to have a budget with which to hire infosec mostly need product-focused security engineering support, and some nascent devsecops capability.

3/

This then leaves all the other small to mid-size orgs who have uninteresting infosec problems, meaning they need to establish a security program and take consistent steps towards sustainment and maturation.

This isn't fun for various reasons:

4/

- If, as a consultant at my level, I must convince someone infosec is important in order to make a sale, I am in the wrong room. Happens a lot.
- Most smaller companies don't understand the value of infosec and are hesitant to spend the money to realize unquantifiable value.

5/

The sad truth is that the majority of the infosec work needed by smaller orgs is foundational in nature, and if you're used to seeing larger problems at a larger scale, you may become quite bored... which can be a very big problem for the personality types in this business.

6/

Startups which provide services as a core capability don't really make it. They take longer to establish, are heavily reliant on niches, do not scale well without product as a focus, and are difficult to bootstrap, for various reasons.

7/

Venture Capital doesn't want to invest in a services-led company. They'd never get their money out, and the returns would be limited to ~maybe~ 2-5x versus the many multiples they could make from a product-focused business.

Services on their own just don't scale.

8/

This would all be well & good if all you want is to run a "lifestyle" business, but you have to be really good about maintaining your value prop and charging high fees, and you're still trading your time 1:1 for money, which doesn't allow you the time you need to scale.

9/

Beyond the time it takes to scale, which realistically means, as a founder, not having your hands in all aspects of the sausage-making anymore (which can be tough for technical folks used to having hands-on-keyboard, as quality can suffer), sales is a full-time job.

10/

A lot of folks don't like to sell (count me included). I have a difficult time convincing an org to give me their money because "I know best".

It's tough to know how much time to spend on customer education prior to a sale. It can be draining to expend effort on proposals.

11/

You can either reduce the effort you spend on proposals, decreasing the likelihood of a sale, or you can try to make your process more repeatable yet still high-quality, which is hard.

12/

Time = money. The more time spent selling, the less time available to spend on delivery when resource-constrained. Delivery is what strengthens your reputation. However, after delivery, you still need to get paid!

This can often be a significant problem for a small business

13/

Many lg. companies take advantage of their small vendors by negotiating unfavorable payment terms (ex. NET 90, meaning you must wait 90 days post-delivery to receive $).

Even after that, many corps must be chased, which is a very unpleasant task without dedicated finance.

14/

Being a small consultancy, you can run into the trap of failing to narrow down your niche, and doing too much "one off" work, which takes more time to deliver, and reduces your positive margin on each engagement.

However, custom work is why many corps are coming to you.

15/

Generating repeatable consulting engagements is fantastic for your margins and for streamlining your operations, but wanting to scale those means developing effective training so you can extend those methodologies to other consultants.

That takes time and effort.

16/

Soon after we got started & began delivering services, a VIP client decided to pitch us in our Manhattan apt to develop a physical infosec product for which we had some stong ideas.

His offer was $600K for us & our company. We should have taken it & built on it. We didn't!

17/

Instead, we tried on various types of custom work, and eventually decided we were bored.

So we built a product: a SaaS to identify open buckets on AWS/GCP through a number of combined methodologies, and for bulk visualizing the data within a browser for rapid analysis.

18/

After delivering dozens of reports to companies, we were approached by the media and spent several months working with them on a story.

Unfortunately, the editors felt they could not include the name of our product, Data Drifter, in their article.

nbcnews.com/tech/internet/…

19/

NBC chickened out, and this killed the paid membership boost we thought we would get -- which would have allowed us to keep the lights running on the site, which was a bit expensive to run. We shut it down after gaining 3,000 free users but only a couple dozen paid.

20/

In hindsight, we spent too much time with the journalist and not enough time marketing our own efforts.

If you suck at marketing like us (and most infosec folk), you MUST hire for this.

Marketing and Sales support aren't optional.

21/

We also jumped into the blockchain consulting space. We both got into it in 2017 prior to leaving corporate, & attended various industry events. I remember 1 in particular, hosted for women only, which impressed me greatly. We could see the potential & wanted to be involved.

22/

We delivered several engagements in that space, but the work ran out when the market cycle waned (as it does; it's cyclical).

We did some work for one of the largest companies in this space, but it wasn't always interesting tbqh

23/

Blockchain companies often have little time or patience for traditional infosec.

The work looks more like traditional finance, with some security engineering on product, mainly oriented towards detecting and preventing fraud.

24/

Going back to hiring, if you have ideas about hiring juniors and training them, good luck. Training is a full-time job, and who will deliver?

The effort needed to develop junior staff as a very small organization doing highly technical, custom work is monumental.

25/

Because this was initially simply a lifestyle business which we had no serious intention to scale, we suffered from a lack of focus, and were subject to the whims of the market instead of focusing on developing our own market.

Flexibility is important, but so is focus.

26/

So, going back to the "interesting" work. Large security consultancies often have custom work they can't or don't want to deliver themselves. They either don't have the people or want to reduce their risk by delivering through 1099 consultants.

27/

So you might be tempted to subcontract to them in order to take advantage of their marketing efforts and sales pipeline. You join in on the sales effort, then sign a separate SOW with them to deliver the work.

28/

This sounds good, except you then have two sets of bosses: the prime contractor and your mutual client(s). This can be OK or can be a bummer. Often more of a bummer.

This also means any conflict with the prime can negatively affect multiple of your engagements/clients.

29/

At first, looking at the consulting space as a consultant who had recently departed corporate, I felt I would be deploying complex technology solutions to deliver threat hunting services & compromise assessments, so I spent a significant amount of time...

30/

...Connecting with the product vendors I like and whose products I felt were good, in order to establish relationships with their sales team and ensure I was ready with an appropriately custom tech stack for any engagement.

31/

In reality, few corps we didn't already have an established relationship with wanted us to deploy product into their environments; cost was too high.

Hindsight: I would build an open source stack, even if having to roll my own/develop some capabilities ourselves.

32/

Another thing we didn't do well is choose advisors that were aligned with what we were trying to do; because we often weren't sure what we were doing other than the general rubric of "defensive cybersecurity consulting".

33/

We were quite glad to have their support as established leaders in the community, but likely would have benefited from mentors who would have asked tougher questions about our ultimate raison d'être.

Find mentors who push you.

34/

We declined to continue buyout discussions with a very cool security consultancy led by a strong leader who was considering us for an "acquihire" type deal.

Our own lack of focus made us think we wouldn't ultimately be successful doing the work they wanted us for.

35/

An interesting thing we did was to move from NYC to Miami to SF Bay and back to NYC during this time, investigating the startup scenes across coasts.

The move to SF Bay was an effort to try and position ourselves geographically in a smarter way.

36/

I feel we lost some traction during those moves, because we struggled to establish ourselves within new communities while also having a new baby.

We decided to return to NYC after 7 months of searching for livable/affordable housing.

37/

For women, do not underestimate how difficult it is to try and close deals while pregnant/having recently given birth.

It can be extremely jarring to a group of men to see a pregnant woman waddle up to a meeting. It often has the effect of making them visibly uncomfortable.

38/

That's not the right context from which to start a business relationship. They might only ever see you as a woman, and not as a business partner.

Additionally, "mommy brain" is real. A woman's brain changes during pregnancy. I worked through two back-to-back pregnancies.

39/

I had trouble remembering things, and my focus shifted more towards the babies I was incubating than the business.

Jason carried us all during this time, and it wasn't easy.

Thanks Jason!

40/

I don't consider the venture a complete failure, as we closed down not for lack of money, but because we decided to start a family together.

This meant we began to value some sort of stability and great quality health insurance a bit more.

41/

However, we couldn't quite kick the issues of boredom and lack of focus, and decided we would close down Spyglass Security until a future time when we can fully commit to a new startup concept.

42/

It is important to understand that most entrepreneurs do not succeed in their first attempt, and experience (read: failures, separate and compounding) is the critical factor which eventually leads folks to success.

If you don't play, you can't win!

43/43