Have you ever wanted to drop out of infosec and become your own defensive consultant? Learn from us and our mistakes.

Some things @0xBanana and I learned running our first startup, a boutique cybersecurity consultancy 2018-2020.

A thread🧵

1/
Having lots of enterprise contacts will only get you so far.

Lg corps who have interesting infosec problems to solve typically won't hire a small consultancy unless they have a decent assurance the risk of doing so is low, and the value which will be gained will be high.

2/
Small to mid-size corps have much, much less interesting infosec problems to solve.

In this category, orgs who happen to have a budget with which to hire infosec mostly need product-focused security engineering support, and some nascent devsecops capability.

3/
This then leaves all the other small to mid-size orgs who have uninteresting infosec problems, meaning they need to establish a security program and take consistent steps towards sustainment and maturation.

This isn't fun for various reasons:

4/
- If, as a consultant at my level, I must convince someone infosec is important in order to make a sale, I am in the wrong room. Happens a lot.
- Most smaller companies don't understand the value of infosec and are hesitant to spend the money to realize unquantifiable value.

5/
The sad truth is that the majority of the infosec work needed by smaller orgs is foundational in nature, and if you're used to seeing larger problems at a larger scale, you may become quite bored... which can be a very big problem for the personality types in this business.

6/
Startups which provide services as a core capability don't really make it. They take longer to establish, are heavily reliant on niches, do not scale well without product as a focus, and are difficult to bootstrap, for various reasons.

7/
Venture Capital doesn't want to invest in a services-led company. They'd never get their money out, and the returns would be limited to ~maybe~ 2-5x versus the many multiples they could make from a product-focused business.

Services on their own just don't scale.

8/
This would all be well & good if all you want is to run a "lifestyle" business, but you have to be really good about maintaining your value prop and charging high fees, and you're still trading your time 1:1 for money, which doesn't allow you the time you need to scale.

9/
Beyond the time it takes to scale, which realistically means, as a founder, not having your hands in all aspects of the sausage-making anymore (which can be tough for technical folks used to having hands-on-keyboard, as quality can suffer), sales is a full-time job.

10/
A lot of folks don't like to sell (count me included). I have a difficult time convincing an org to give me their money because "I know best".

It's tough to know how much time to spend on customer education prior to a sale. It can be draining to expend effort on proposals.

11/
You can either reduce the effort you spend on proposals, decreasing the likelihood of a sale, or you can try to make your process more repeatable yet still high-quality, which is hard.

12/
Time = money. The more time spent selling, the less time available to spend on delivery when resource-constrained. Delivery is what strengthens your reputation. However, after delivery, you still need to get paid!

This can often be a significant problem for a small business.

13/
Many lg. companies take advantage of their small vendors by negotiating unfavorable payment terms (ex. NET 90, meaning you must wait 90 days post-delivery to receive $).

Even after that, many corps must be chased, which is a very unpleasant task without dedicated finance.

14/
Being a small consultancy, you can run into the trap of failing to narrow down your niche, and doing too much "one off" work, which takes more time to deliver, and reduces your positive margin on each engagement.

However, custom work is why many corps are coming to you.

15/
Generating repeatable consulting engagements is fantastic for your margins and for streamlining your operations, but wanting to scale those means developing effective training so you can extend those methodologies to other consultants.

That takes time and effort.

16/
Soon after we got started & began delivering services, a VIP client decided to pitch us in our Manhattan apt to develop a physical infosec product for which we had some strong ideas.

His offer was $600K for us & our company. We should have taken it & built on it. We didn't!

17/
Instead, we tried on various types of custom work, and eventually decided we were bored.

So we built a product: a SaaS to identify open buckets on AWS/GCP through a number of combined methodologies, and for bulk visualizing the data within a browser for rapid analysis.

18/
After delivering dozens of reports to companies, we were approached by the media and spent several months working with them on a story.

Unfortunately, the editors felt they could not include the name of our product, Data Drifter, in their article.

nbcnews.com/tech/internet/…

19/
NBC chickened out, and this killed the paid membership boost we thought we would get -- which would have allowed us to keep the lights running on the site, which was a bit expensive to run. We shut it down after gaining 3,000 free users but only a couple dozen paid.

20/
In hindsight, we spent too much time with the journalist and not enough time marketing our own efforts.

If you suck at marketing like us (and most infosec folk), you MUST hire for this.

Marketing and Sales support aren't optional.

21/
We also jumped into the blockchain consulting space. We both got into it in 2017 prior to leaving corporate, & attended various industry events. I remember 1 in particular, hosted for women only, which impressed me greatly. We could see the potential & wanted to be involved.

22/
We delivered several engagements in that space, but the work ran out when the market cycle waned (as it does; it's cyclical).

We did some work for one of the largest companies in this space, but it wasn't always interesting tbqh.

23/
Blockchain companies often have little time or patience for traditional infosec.

The work looks more like traditional finance, with some security engineering on product, mainly oriented towards detecting and preventing fraud.

24/
Going back to hiring, if you have ideas about hiring juniors and training them, good luck. Training is a full-time job, and who will deliver?

The effort needed to develop junior staff as a very small organization doing highly technical, custom work is monumental.

25/
Because this was initially simply a lifestyle business which we had no serious intention to scale, we suffered from a lack of focus, and were subject to the whims of the market instead of focusing on developing our own market.

Flexibility is important, but so is focus.

26/
So, going back to the "interesting" work. Large security consultancies often have custom work they can't or don't want to deliver themselves. They either don't have the people or want to reduce their risk by delivering through 1099 consultants.

27/
So you might be tempted to subcontract to them in order to take advantage of their marketing efforts and sales pipeline. You join in on the sales effort, then sign a separate SOW with them to deliver the work.

28/
This sounds good, except you then have two sets of bosses: the prime contractor and your mutual client(s). This can be OK or can be a bummer. Often more of a bummer.

This also means any conflict with the prime can negatively affect several of your engagements/clients.

29/
At first, looking at the consulting space as a consultant who had recently departed corporate, I felt I would be deploying complex technology solutions to deliver threat hunting services & compromise assessments, so I spent a significant amount of time...

30/
...Connecting with the product vendors I like and whose products I felt were good, in order to establish relationships with their sales team and ensure I was ready with an appropriately custom tech stack for any engagement.

31/
In reality, few corps we didn't already have an established relationship with wanted us to deploy product into their environments; cost was too high.

Hindsight: I would build an open source stack, even if having to roll my own/develop some capabilities ourselves.

32/
Another thing we didn't do well is choose advisors that were aligned with what we were trying to do; because we often weren't sure what we were doing other than the general rubric of "defensive cybersecurity consulting".

33/
We were quite glad to have their support as established leaders in the community, but likely would have benefited from mentors who would have asked tougher questions about our ultimate raison d'être.

Find mentors who push you.

34/
We declined to continue buyout discussions with a very cool security consultancy led by a strong leader who was considering us for an "acquihire" type deal.

Our own lack of focus made us think we wouldn't ultimately be successful doing the work they wanted us for.

35/
An interesting thing we did was to move from NYC to Miami to SF Bay and back to NYC during this time, investigating the startup scenes across coasts.

The move to SF Bay was an effort to try and position ourselves geographically in a smarter way.

36/
I feel we lost some traction during those moves, because we struggled to establish ourselves within new communities while also having a new baby.

We decided to return to NYC after 7 months of searching for livable/affordable housing.

37/
For women, do not underestimate how difficult it is to try and close deals while pregnant/having recently given birth.

It can be extremely jarring to a group of men to see a pregnant woman waddle up to a meeting. It often has the effect of making them visibly uncomfortable.

38/
That's not the right context from which to start a business relationship. They might only ever see you as a woman, and not as a business partner.

Additionally, "mommy brain" is real. A woman's brain changes during pregnancy. I worked through two back-to-back pregnancies.

39/
I had trouble remembering things, and my focus shifted more towards the babies I was incubating than the business.

Jason carried us all during this time, and it wasn't easy.

Thanks Jason!

40/
I don't consider the venture a complete failure, as we closed down not for lack of money, but because we decided to start a family together.

This meant we began to value some sort of stability and great quality health insurance a bit more.

41/
However, we couldn't quite kick the issues of boredom and lack of focus, and decided we would close down Spyglass Security until a future time when we can fully commit to a new startup concept.

42/
It is important to understand that most entrepreneurs do not succeed in their first attempt, and experience (read: failures, separate and compounding) is the critical factor which eventually leads folks to success.

If you don't play, you can't win!

43/43

Thread by Jackie (@hackingbutlegal)