The Information Systems Security Officers Guide: Establishing and Managing an Information Protection Program

If you decide to become an independent InfoSec consultant, the first thing you should do is develop a business plan—before you resign from your current job. Developing the plan may ultimately make you decide that you don't or can't make it as an independent InfoSec consultant. There are many sample business plans available in books and as software programs that can help you get started. Regardless of how you proceed to develop your InfoSec business consulting plan, you must be objective. If you are to assume anything, assume the worst. That way, you will be prepared for the worst-case scenario and will be able to successfully deal with it. Your plan should be looked at as a project plan and, as a minimum, should address the following:

• Your business goals and objectives;

• Why you want to start this business;

• Your education and experience skills and whether they will fit your consulting business—be realistic;

• How much money you will need to begin;

• How much money you have;

• How you will get the money you don't have but need;

• How you will financially survive when business is slow;

• If you have a family or significant other, whether they will support you;

• If not, whether you might have to decide your relationship-business priorities;

• Whether you are willing to travel the majority of your time—after all, you must go to clients and not them to you;

• What steps you will take to begin the business and the costs for each line item or task;

• Whether you will incorporate your business;

• Whether you know the marketplace—your competitors;

• Whether you offer better services at lower prices;

• Your competitors' strengths and weaknesses;

• Your strengths and weaknesses;

• A complete competitive analysis;

• A complete market scope;

• Whether you have a logo and business motto, and if so, what they are and why;

• Whether you should get a lawyer to assist you;

• Whether you will have copyrighted material, trademarks, and/or trade secrets and, if so, how you will handle those processes;

• Whether you have standard invoices, proposals, confidentiality agreements, contracts, billing and general business processes and forms in place and ready for use;

• Whether you have trusted InfoSec specialists available to support your contracts as subcontractors (after all, you can't be experienced in everything);

• How you will obtain business;

• How much you will charge for what work; and

• Whether you are aware of the laws and regulations that affect you doing business.

These are but a few of the many questions that you should answer before making the plunge into the InfoSec consulting services business. Remember also the guiding principles that you should employ:

• Confidentiality;

• Objectivity;

• Professionalism;

• Respect;

• Integrity;

• Honesty;

• Quality;

• Efficiency; and

• Client focus ("we").