Checklist: Starting a Security Consulting Firm

Recently a friend of mine asked for input on what would be needed to launch a new security consulting company; to help him out, I drafted a detailed list of what would need to be done for a successful launch. Here is an expanded version of that list; hopefully others will find it useful as well. This isn’t the simplest route to setting up a new business, but it is intended to set the business up for long-term success.

This is focused mainly on starting a business with at least one partner, though most of it applies to single-owner businesses as well.

I would like to point out that this isn’t legal advice, nor accounting advice – it is intended to be a starting point to help discover what you need to do, and at what points you need to engage with others to get professional advice.

Before You Start

Starting any business is high risk, and a consulting business is no different. There is a lot of time, money, and effort invested before you take on your first client, and failing to be properly prepared can lead to lost opportunities, burnt bridges, and legal liability. The decision to start your own consulting business should not be taken lightly; it is a serious commitment.

This is an endeavor that not only impacts your financial stability, but the finances of those that you work with – not to mention your clients. If you aren’t able to pay a contractor, you can damage relationships for life; if you aren’t able to provide the service the way your client expects, you not only damage your relationship with the client, but can also put the client’s business at risk. Mistakes made when running a business like this can have a drastic impact on everyone involved.

I don’t say this to discourage you from starting a business, but to ensure that you are thinking the decision through clearly. You will find that you spend far less time performing security work than you likely expect, and will spend a great deal of time running the business itself. You have to be ready for that reality, otherwise you will find this to be a much more difficult and rather unpleasant journey.

Company Creation

The first key step in the process is creating the legal entity1, though to do this, there are a few things that need to be done first:

Name

One of the first things you need to do when creating the company is to determine what the name will be. You need a name that is clear, easy to remember, easy to type, and one that is available.

When picking a name:

  • Make sure the domain name is available.
  • Make sure there isn’t a trademark for it.
  • Make sure that the name isn’t used by any other companies (generally states require that the name be unique within the state, but if a company in another state is using the same name, it’ll create complications with the IRS).
  • Check the individual words to ensure that nothing is offensive in other languages.
  • Check to see if the name is available on social media.

This is a name that will be your brand, your signature, your face to the world – make sure it’s good.

Location

When creating a company, the state that it will be created in has a large impact on taxes, fees, banking, the level of protection you have as an individual, and many other things. Each state has unique rules & laws that apply to companies, and you will need to understand how they impact you. If you don’t have any partners (or all of your partners are in the same state as you), the simplest solution is to create the company in your state – it has the least risk of trouble in the future, and keeps things as simple as possible.

If you have partners that live in different states, or you are looking to optimize the level of legal protections or minimize taxes, there are other options available. While there are some advantages to creating your business in a different state, things can get complicated. There are two key facts that you need to keep in mind:

  • You must have a legal entity2 in any state where you transact business. Generally, this will be the state where your office is (even when the business is conducted online).
  • You must have a bona fide presence in the state that you are creating your company3.

Some states, such as Wyoming, don’t have a corporate income tax, which makes them tempting locations to start a company; some states, such as Delaware, may be preferred due to the rich history of case law that makes business dealings more predictable. Though if you don’t live there, and you don’t have partners that live there, do you have a legitimate presence in the state? Furthermore, where would you actually be transacting business?

If you create a business in one state, but are actually conducting your business in a different state, you’ll need to register as a foreign company in the state you are doing business in, which means paying taxes and filing reports in more than one state. This gets complicated quickly. In cases where the company has a physical office, it’s easy to say that’s where the business is being done, and there are no real questions – in cases where there’s no physical office, and especially when there are partners in different states, it’s less clear where the business is actually occurring.

Setting up a business bank account may require a visit to a local branch, so if you are setting up the business in a different state, be aware that you may need to travel to get the bank account established. This can complicate matters more than you would think, so it’s important that you research the impact that the state you choose for creating the company has on access to banking. If you don’t, you may end up with an unusable legal entity – and lots of wasted time and money.

Legal Structure

There are two primary legal types of interest in the United States, and each has advantages and disadvantages. It’s important to research the options, as this decision will have substantial impact on you, business partners, and any future investors. Each state has its own laws that define these entity types, and as such, what makes sense in one state may not make any sense in another – you will need to understand how these laws impact you for the state you are creating your company in.

The two primary types are:

  • Limited Liability Company (LLC) – An LLC provides a shield to minimize exposure to liability as a result of the business. There are some limits to this protection, but in most cases you are protected as long as you operate the business in good faith. This is the simplest structure, has flexible federal tax options, and often has fewer expenses.
  • Corporation (Corp., Inc., etc.) – Corporate structures allow the company to raise money by issuing stock, have a more complex management structure, often have more complex reporting requirements, and may result in a more complex tax situation. There are cases where this structure makes sense, but if you are starting a consulting firm, this probably isn’t the structure you want to use.

Roles, Titles, Ownership, & Responsibilities

If you have partners, it’s critical for everyone involved to have a completely clear understanding of what role each person will play, what their responsibilities will be, and of course who owns what percentage of the business. This has to be documented, and everyone involved has to agree to it. Getting this wrong will set your business up for failure.

Some of these details may change over the life of the company, but to make it through the all-important first year, everyone has to understand what is expected of them, and what recourse exists should someone fail to live up to their responsibilities. This information is generally included in the company’s formation documents, and is part of the legally binding agreements that define it.

Another important part of this discussion is to understand limitations that each person has due to other obligations, such as non-compete & non-disclosure agreements that they are bound to, which may limit ways that they are able to participate. Having this understanding upfront will allow everyone involved to understand what responsibilities are possible, and which ones aren’t. Starting a business doesn’t represent a free pass from prior commitments, and in fact, it often leads to greater scrutiny around compliance with those commitments; you must ensure that those agreements aren’t broken and expectations are set accordingly.

Contributions

When starting a company, each person will typically provide a certain amount of cash to the company to cover expenses. What this looks like depends on the structure (LLC vs Corp.), and may or may not define what percentage of the company each person owns. This initial cash infusion may be small, depending on how future funding is set up, but it is important to have it defined before the paperwork is started.

Assuming that everyone is working out of home offices, no laptops or other equipment will be purchased initially, and is otherwise being started in the leanest possible way, you should expect anywhere from a few hundred to a few thousand dollars in initial expenses. This will cover registering the company, creating and reviewing documents, various SaaS packages you’ll likely want, and time with an attorney or accountant as needed.

During the process of creating the company, there will be a fair bit of money going out, before you are ready to accept the first dollar of money coming in. Doing things right comes at a cost, but it’ll make things easier in the future.

Profits

Another thing that needs to be done is to determine how profits will be distributed, and how people will be paid. In an LLC, each partner can receive a fair payment for the work they do for the business, so you may opt to have each person bill time spent (such as performing billable work for a client) for which they will receive an hourly rate. After all expenses (including paying for time spent), the profits can be divided up between the members. This makes things fairly simple from a tax & accounting perspective, as most small LLCs operate as a tax pass-through entity, meaning that the taxes flow through to the individual tax returns of the owners.

For corporations, the situation is different, as each person involved in the operations of the company would likely be made an employee of the company, and paid as a W2 employee. For a business that is just starting, the corporate-entity route can make things a fair bit more complex, and result in substantially greater overhead compared to an LLC.

The exact details of how this works can vary by state, and it’s a great idea to talk to an accountant to make sure you have a solid plan.

File the Paperwork

Once all of the decisions are set, and everyone is happy with the details, it’s time to make it real. The simplest route forward at this point is to hire a service that will handle the registration for you, as they can often provide a few other things that are useful for you:

  • You are required to have a registered agent: an entity that can accept legal documents on your behalf, must be available during normal business hours, and must be located in the state. In many places you can act as your own registered agent, but unless you want your home address included on the public records for the business, I would suggest using a third-party service. Most companies that will handle the company registration for you will also act as the registered agent for a small fee (as low as $25/year).
  • Draft operating agreement or articles of incorporation; these are the legal documents that create the company (depending on the entity type), and most services will provide a draft version that has been reviewed to confirm that it complies with state requirements, which you can customize. While you can create your own, or pay others for this starting-point document, using the version from the service can save some money. It should go without saying, but it’s best to have the final version reviewed by an attorney before it’s signed.
  • Mail forwarding (or virtual office leasing) so that the address of the company isn’t your home address.
  • Reminders of required state filings, such as annual reports and the like.

Some will also offer to file for an EIN, though it’s simple to do on your own. While you can, in fact, do all of this yourself without too much trouble, it’s likely worth the money to have experienced professionals handle it. When setting up a new company, there’s enough of a learning curve as it is – when possible (and within budget), hand off what you can, so you are able to focus on more important things.

Business Finances

Once you have created your legal entity, you need to start work on its finances; this is something that is too often pushed off to later, something to be dealt with as needed, but that’s a mistake. From the first day, you need to get accounting set up, plan for expenses, and make sure that you are able to quickly & easily handle money as it comes in and goes out. If you push it off till later, you’ll end up regretting it.

Accounting Software

There are a lot of options for accounting software, with popular choices being QuickBooks and FreshBooks; this is something you’ll want to set up on the first day of the new business. You’ll want to keep track of all of your expenses (with receipts!) as you are getting started; these are business expenses that you’ll want to have properly documented when tax time comes around.

There are a lot of reviews available, and lots of opinions based on features, pricing, etc. – what matters is that you pick one, and use it consistently. If your books don’t match what’s going on with the business, you are going to have problems later; it’s a lot easier and cheaper to deal with it from the start.

Banking Account

Once you have the paperwork from the company being created, you can open the business bank account. If possible, you’ll want to link this directly to the accounting software that you use, to ensure that all your books are accurate. Many banks offer no-cost or low-cost small business banking accounts, though you may find it to be easier to work with a bank that you already have a personal account with.

Banks vary in what documentation they require, but it’s likely that they will require some document from the business that allows you to create an account on behalf of the business. There are many free templates available for this, and if you use a service to create the company, they will often include it as part of their package.

Business Credit / Charge Card

If possible, you should consider getting a credit or charge card for the business; as it’s a new business, it will likely depend on your personal credit, which is something that’s important to remember. This will make it easier to keep business-related expenses separate from personal expenses; which makes it easy to keep your books current, and ensures that everything is being recorded properly.

As with any credit card, it’s important that there is enough money coming in so that the bills are paid, and paid on time. It’s easy to get in trouble by over spending early on, buying nice-to-have items that aren’t critical to operations. During the early days, even if you have the credit available to buy it, unless you can’t avoid the expense, don’t buy it!

Using a charge card instead of a credit card (such as the American Express Gold Card) can help keep this spending in check, as the full balance is paid each month – this limits spending, as you can’t spend if you don’t have the money to pay for it at the end of the month.

Insurance

At a minimum, you need to purchase liability insurance before you take on your first client, to ensure you are protected in case anything goes wrong. Some clients will require proof of liability insurance as part of their on-boarding process, anywhere from $1MM to $5MM in coverage is commonly requested. For a company just starting, $1MM may be the best option in terms of coverage and price.

During the course of an engagement with a client, anything could happen, and you need to protect the business and yourself. Having this insurance in place will help in the event one of your clients turns around and sues you.

Define Service Lines

Once you have the core of the business created, it’s time to define, in detail, just what services you’ll offer to your clients. At this point in the process you have a good idea of what you want to offer, but you need to build it out in detail. It’s not enough to say that you’ll offer “application penetration testing” – you need to define how you’ll do it, what’s the process, what type of applications, etc.

Your clients may ask for these details, though even if they don’t, you need to have them documented so that you know you are providing a quality service, and a consistent service. Here are a few things that need to be developed:

  • Definition – One-page overview of what is being done (this, or a derivative will likely be included on your website, Statement of Work, and reports).
  • Skills – What skills are required to perform the service properly? Don’t plan on being the only person doing the work, you need to define what’s required to do this, so when you work with contractors, or move on to hiring your own employees, you’ve clearly defined which skills are needed.
  • Checklists4 – We all hate checklists, but if you want to establish a consistent service, you’ll need them. For a penetration test, this would be a baseline that all tests use (though not a limit of what can be done, always aim to go beyond a testing checklist), this gives you a clearly defined minimum that you know is always done.
  • Deliverables – What is provided to the client? This is often some form of written report, and may also include a presentation of findings, advice, etc.
  • Quality Assurance – How do you make sure that the service and the deliverables are up to the proper quality level? Who will be responsible for performing these quality reviews?
  • Process – This will be a step-by-step process that starts with scoping and engagement and ends with handing over the final report (or other deliverables).
  • Pricing – How will you charge for the service? For most consultants, this would be a day-rate, though depending on the service, you may opt to bill based on something else.
  • Marketing – You have to sell the service to get clients, so how do you get the word out to them? This could be blog posts, ads, etc. – what matters is that you have a documented plan so that when you launch the service, you get it in front of the right people.

For a new security consulting business, you may define a list like this of possible service lines:

  • Application Security Assessment
  • Network Security Assessment
  • Application Architecture Assessment
  • Network Architecture Assessment
  • Application Code Review
  • Application Threat Modeling
  • SDLC & Application Security Process Development

No matter what your service lines are going to be, there’s a critical thing to keep in mind: don’t offer anything that you can’t complete with confidence. For example, if you are comfortable performing a penetration test against a web application, but not mobile applications, don’t offer it! If you don’t perform the job properly, it will be noticed, questions will be asked, and you may not ever be able to repair the relationship. Offering a service that you don’t have confidence in will damage your company’s reputation, and your own very quickly.

Even as a small company that needs the revenue, you are far better off turning down work than taking work that you can’t do right.

Create Documents & Standards

There are a number of documents and document templates that need to be created, these will be used in marketing, scoping, sales, service delivery, and general operation of the business.

At this point you may wish to invest in having a logo designed, as that will help to produce a professional look for the documents below, and allow you to also design company letterhead and business cards. You’ll want a logo for the website that you’ll be creating, so it’s a good investment.

Service-Related Documents

As part of selling and delivering services, there are a number of documents that will be needed; here are the basics:

  • Scoping Form – For each service offered, you should prepare a scoping document (which may or may not be sent to a client to complete) that captures all of the details needed to prepare a statement of work. Having this document available when discussing a potential engagement with a client will make it much easier to get the details needed, and ensure that there is minimal follow-up needed to get additional information.
  • Statement of Work (SOW) Templates – For each service offered, there should be a SOW template, so that you can provide a quote very quickly when a request for new work comes in. This is something that you should be able to turn around quickly, so that you can respond while it’s fresh in everyone’s mind.
  • Reporting Templates – For each service offered, create appropriate reporting templates. There are third-party services available that simplify/automate portions of the reporting process, though for a company that’s just starting, keeping things simple is best. You may find some inspiration here, though keep in mind to respect all copyrights.
  • Information Request – You will need to collect final details around the engagement, it may be URLs, it may be contact information, there is always information needed to start an engagement that may not have been collected during the scoping process. Create a template for each service offered based on the most common information for that service, then customize for the engagement to get exactly what you need.

Business Documents

As part of normal business, there are a number of documents that will be needed. This is a few of the most critical, though you will quickly begin adding to the list:

  • Master Service Agreement (MSA) – This is the document that sets all of the basic terms that apply to your dealings with a client. It will often be negotiated and revised, and is typically included by reference in all of the SOWs that you send to a client. This has important legal impact and should be reviewed by an attorney.
  • Mutual Non-Disclosure Agreement (NDA) – While the MSA may include an NDA itself, it’s common that a mutual NDA will be needed before getting to the point that the MSA is signed. This is a must-have. It should be noted that clients may provide their own NDA, though this often prevents you from disclosing their information, but doesn’t prevent them from disclosing anything that you have provided to them.
  • Contractor Agreement – As a small business, you will likely need to bring in additional help from time to time; this is an agreement that covers the work to be done, an NDA, security policies, copyright assignment, and the like. You may not need this immediately, but you will likely need it sooner than you would expect.

Security Policy

A document that gets a special mention is a Security Policy; for a company with access to highly sensitive information, it’s important that you clearly define how that information will be protected. Where is data stored, what data is encrypted and how, how are email & chat secured, requiring that all devices use full disk encryption, etc. Some clients may ask for this, though even if they don’t, it’s something you need to ensure that you are taking all the right steps.

If you suffer a breach, due to the sensitivity of the data involved, it could be the end of your business.

Website, Email, & Tech

There are a number of things that need to be built out at this point, such as email infrastructure, a website, CRM, time tracking, and various others. These all come with some cost, and an impact on the business and the workflows that you’ll develop as you build your business.

Email

While there is the option of building a custom email infrastructure, this is likely to be a less than ideal use of time at this point – you need to spend time building the business, not building and managing servers that could be more efficiently managed by others.

There are two primary players for business email at this point, Google with their G Suite and Microsoft’s Office 365. The pricing is fairly similar for each, though Microsoft’s offering includes the desktop version of their Office tools, which are essentially must-have for working with many of the documents that you will be handling.

With either option, it would be best to use S/MIME or GPG encryption for email, to provide additional security to communication within the company, and with clients that feel the same. This isn’t always the easiest thing to get working properly, but it adds substantially to the security of email content.

Document Management System

You will need a secure way to store documents and make them available to others within the company. There are numerous options available for this: you could set up a server behind a VPN and use Git or SVN, use Boxcryptor with Dropbox, a private GitHub repository with GPG-encrypted files, etc. The list of options goes on and on; what’s important is that the files are encrypted, ideally have version control so you can restore a prior version if needed, and can be accessed without too much hassle.

Which path you go with depends on what you are comfortable with, but what matters is that the data is protected. Keep in mind, this is where you will be storing reports and other sensitive information, so this is the most valuable data that you protect.
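For the "private repository with GPG-encrypted files" option above, the failure mode to guard against is a report being committed in plaintext by mistake. The following pre-commit style check is an added example (not from the original post, and not a tool from any of the products named) that inspects each tracked file and refuses to proceed unless it begins like an OpenPGP message, either ASCII-armored or a binary packet whose leading tag is a Public-Key or Symmetric-Key Encrypted Session Key (tags 1 and 3 in RFC 4880). The allow-list of plaintext filenames and the sample repository it builds are assumptions for the demonstration.

```python
"""Refuse to commit document-repo files that are not GPG (OpenPGP) encrypted.

Added example; assumes the convention that every file in the repository is
stored as GPG ciphertext, apart from a small allow-list of housekeeping files.
"""
import sys
import tempfile
from pathlib import Path

ARMOR_HEADER = b"-----BEGIN PGP MESSAGE-----"

# OpenPGP packet tags (RFC 4880 section 4.3) that start an encrypted message:
#   1 = Public-Key Encrypted Session Key, 3 = Symmetric-Key Encrypted Session Key
ENCRYPTED_LEADING_TAGS = {1, 3}

# Assumed allow-list: files that are expected to be plaintext in the repo.
PLAINTEXT_ALLOWLIST = frozenset({"README.md", ".gitignore", ".gitattributes"})


def is_gpg_encrypted(data: bytes) -> bool:
    """Return True if the bytes look like an OpenPGP encrypted message.

    This is a header heuristic: it checks for ASCII armor or for a binary
    packet header whose tag is one of the session-key packets that always
    precede encrypted data. It does not prove the file decrypts correctly.
    """
    if data.lstrip().startswith(ARMOR_HEADER):
        return True
    if not data:
        return False
    first = data[0]
    if not first & 0x80:          # bit 7 is always set in a packet header
        return False
    if first & 0x40:              # new-format header: tag in the low 6 bits
        tag = first & 0x3F
    else:                         # old-format header: tag in bits 2..5
        tag = (first >> 2) & 0x0F
    return tag in ENCRYPTED_LEADING_TAGS


def check_tree(root, allowlist=PLAINTEXT_ALLOWLIST):
    """Return repo-relative paths of files that are not GPG-encrypted."""
    root = Path(root)
    flagged = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or ".git" in path.parts or path.name in allowlist:
            continue
        if not is_gpg_encrypted(path.read_bytes()):
            flagged.append(str(path.relative_to(root)))
    return flagged


def demo():
    """Build a constructed sample repository and return what the hook flags."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed bytes mimicking the start of a binary gpg output (old-format
        # tag 1 header); not real ciphertext.
        (root / "acme-report.gpg").write_bytes(b"\x85\x01\x0c" + bytes(12))
        # Constructed ASCII-armored stub.
        (root / "notes.asc").write_bytes(
            ARMOR_HEADER + b"\n\nhQEMA...\n-----END PGP MESSAGE-----\n"
        )
        # A draft someone saved in the clear by mistake: this is what must be caught.
        (root / "report-draft.md").write_bytes(b"# ACME report draft (plaintext)\n")
        # Allow-listed housekeeping file, expected to be plaintext.
        (root / "README.md").write_bytes(b"Repository layout\n")
        return check_tree(root)


if __name__ == "__main__":
    # Usage as a hook: python check_encrypted.py <repo-root>; non-zero exit blocks the commit.
    bad = check_tree(sys.argv[1] if len(sys.argv) > 1 else ".")
    for name in bad:
        print(f"refusing commit: {name} is not GPG-encrypted")
    sys.exit(1 if bad else 0)
```

Because the check only inspects the leading bytes, it proves that a file starts like an OpenPGP message, not that it was encrypted to the right company keys; treat it as a cheap safety net against accidental plaintext commits, and verify recipients separately with gpg itself when you set the workflow up.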

Website

Creating a new website for a business is both very easy, and very hard: getting a basic site up is easy, creating content that sells your service is a lot harder. This will take time, and likely something you will tweak constantly to optimize it for the best performance possible.

One of the first questions that you will need to answer is: does it use a CMS? Using a content management system is typically easier and faster, and allows you to spend more time on things that are more important. On the downside, it increases the chances of an attack. You can use a static site generator, which is fairly easy for those with a technical background and has a much lower attack surface, but often requires more time to add or update content.

The website should be on an isolated server, one that doesn’t have access to anything sensitive. This ensures that if the server is attacked, your clients aren’t going to see their secrets shared across the internet – there is no faster route to failure than proving to be a poor steward of your client’s secrets.

CRM

There are countless CRM systems available, each with their own strengths and weaknesses. While this may seem like the kind of thing that is only needed by the larger companies, even the smaller players will be able to perform better with a CRM in place. It allows you to track your sales, from the time that you receive an inquiry till the contract is signed. Keeping track of your sales pipeline is vital for a small business – you need to be able to gauge where your sales are going so that you can adjust staffing, or start eating at cheap restaurants to save money.

Using a CRM also allows you to keep track of potential customers better than you could on your own; when there’s an option to automate something that you are doing, it’s often a good idea. You’ll have far more on your mind than you may expect.

Social Media Accounts

Even if you don’t have a marketing plan in place, or are just planning on relying on word of mouth to get your name out there, it’s important that you have the accounts setup, and that you are posting at least on occasion, as well as checking any mentions. They may not be a source for much business at first, but if you don’t have them, or aren’t managing them properly, they can cost you business. Keep in mind, clients will often research a new vendor in various ways before they sign a contract, you don’t want to give them any reason to back out.

Legal

At this point, there are a number of things that you need to do, if you haven’t already:

  • Have all of your agreements reviewed by your attorney, this includes your NDA, MSA, SOW, and the like.
  • Register a trademark on your company name and logo.

This is a great time to also have your attorney answer any final questions you have, make sure that you and your partners are protected, and that everything is in order. Legal advice may be expensive – but it’s far cheaper to get the advice up front and fix issues before you find yourself paying far more to your attorney to defend you in a lawsuit.

Finally, Good Luck!

I hope that this has been useful, and given you some extra information or additional things to think about on your journey. There are, of course, many more things that you may need to think about, and will likely need to address as you get your business off of the ground – this is a starting point.


  1. Starting a business without a legal entity is possible (operating as a sole proprietorship), though it isn’t wise. The purpose of a separate legal entity is to limit your liability in case of a lawsuit or the business going bankrupt. While there is a lot that goes into setting up a legal entity, the level of protection that it provides is critical to protecting yourself.
  2. If you have offices in two states, you would generally create your company in the state that is considered to be the home of the business, and then file as a foreign company in the other state. You will still have to pay certain taxes in each state where you are operating as a foreign company, but you are still operating as a single legal entity.
  3. There are services in most states that will lease you an “office” – which consists of a mailbox and sometimes permission to use a conference room – for the purpose of establishing a presence in the state. This lease will include everything that a normal office lease would include, except that the physical space that you are leasing isn’t a dedicated space. These leases are often less than $50/month. Do they actually establish a presence in the state? Do they allow you to say that business is being transacted in that state? You’ll need to talk to an attorney for that advice.
  4. There are quite a few standards that checklists for penetration tests can be built from; using a published standard as a starting point will make it easier to convey to clients how you perform testing, and will help to ensure that you’ve not missed anything. For application testing, I strongly advise looking at the OWASP ASVS.