IT Governance | IT Management | Risk Management

Though every day is different, this blog post highlights some of the regular activities I undertake as a Certified Cyber Professional.

Is there such a thing as a typical day as a Certified Cyber Professional consultant? I would argue not. The range of activities you can be involved in is so varied, and each client you work for brings different challenges. However, there are commonalities between tasks and similarities in the types of deliverables you will be asked to produce. Below is an outline of what I have found to be the most typical aspects of the life of a senior Certified Cyber Professional (CCP).

What will you be doing?

Firstly, performing risk assessments. This is the bread and butter of the CCP consultant, because the application of security is a risk management activity. However, the risk assessment methodology you use may depend on the type of work you are asked to do or the type of client you are doing it for. The client may already use a specific methodology which they would like you to follow, or they may want you to choose the methodology that best fits the situation. It is always useful if the proposal document states clearly which risk assessment methodology or framework is to be used, as you may need to spend some time reading up on it beforehand.

Secondly, you are likely to be involved in taking the risk assessment further and participating in developing (or updating) the client's accreditation documentation. As above, the type of work you are doing and the nature of the client will influence the style of accreditation documents you will be updating. For example, some government departments still use the old RMADS (Risk Management and Accreditation Document Set) style of documents, whereas commercial or private organisations will likely have their own document set based on their idea of best practice. In any case, most document sets share the same core aspects: a description of the system, asset identification and impact levels, the risk assessment, identification of security controls (the baseline control set), a residual risk register and a risk treatment plan. The names may differ, but all of those aspects should be there.

Thirdly, you may be asked to perform security audits. Security audits can take several forms: you may be required to help complete the internal audit of an organisation against an international standard (such as ISO 27001 or the NIST SP 800 series). Alternatively, you may be required to perform a gap analysis against a standard, typically when the client organisation is preparing to seek certification against it. This means that you will need a working knowledge of several major standards and frameworks.

Additionally, you may be asked to review things such as architecture or policies and to provide ad hoc guidance and advice on how the client can improve their security posture. When performing these types of activities, it is always important to keep in mind which deliverables you are contracted to produce; while it is crucial to be helpful and cater to the client's needs, performing ad hoc tasks may affect your ability to deliver other items detailed in the proposal. When in doubt, speak to your operations team and the client and clarify what they would like you to focus on. It may be the case that the client purchases additional time for you to complete the extra tasks.

What does the work day look like?

Your work schedule is largely dependent on the type of work you will be doing, but it can be broadly split into two kinds: long-term, full-time engagements with a single client, and short-term, part-time engagements with multiple clients. Depending on your own likes and dislikes, you may prefer working on multiple projects at the same time or sticking to one larger project for a long time. Neither is objectively better than the other, and both have their strengths and weaknesses.

Typically, long-term engagements last between 6 and 12 months, and you will be embedded fully within the client's organisation. The benefits are that you have much better access to the key stakeholders you will need to liaise with to meet your deliverables, and you are often far more involved at the earlier stages of the project, which is extremely beneficial for ensuring security objectives are met. You also typically have more time to meet the deliverables. The negatives are that you are much more prone to scope creep, and you can feel separated from your parent organisation because you spend nearly 100% of your time working within the client organisation.

Alternatively, you can be involved with a number of shorter-term projects, working for a few clients. Ideally, you will be able to work on one project per day, but it may be necessary to work in quarter-day chunks. The benefits of working on short-term projects are that things tend to be faster paced: you will only have a set number of days to produce the deliverables, and the client will likely have a shorter timeline themselves. You can also work on several different types of projects at the same time. The negatives are that you are always spinning plates, and what you have planned for the week may change several times if clients are late providing you with what you need. You also tend to have less time to meet the deliverables and less access to key stakeholders, though this is not always the case.

About the Certified Cyber Professional (CCP) assured service

CCP is recognition by the National Cyber Security Centre (NCSC) of competent cyber security professionals. The Certified Cyber Professional (CCP) assured service enables you to demonstrate your cyber security competence, knowledge and skills to an employer.

About Arcanum

Arcanum Information Security is an NCSC Certified Cyber Security Consultancy, formed in 2008.

Arcanum employs a large team of highly experienced CCP consultants, like Sam Stait, who support clients across multiple sectors ranging from Critical National Infrastructure and Defence to SMEs. Our specialist services include Cyber Security Consulting, Digital Forensics and Penetration Testing.

Author

Sam Stait

Arcanum Cyber Consultant

Sam Stait is an Arcanum Cyber Consultant. Sam is a Certified Cyber Professional, which is recognition by the NCSC of competence for cyber security experts. Sam joined Arcanum in 2021. Before joining Arcanum, Sam had worked in Information Security for 10 years, delivering consultancy work to a range of clients from government departments to commercial companies.
