Here's how you can determine your rates as an information security consultant.

Setting consultancy rates as an information security consultant involves assessing your skills, experience, and certifications. Evaluate your expertise in areas like penetration testing, cybersecurity frameworks, or regulatory compliance, which add value to your services. Certifications like CISSP or CEH validate your skills and can justify higher rates. Consider your past projects and the complexity of issues resolved as benchmarks for determining your professional worth. Adjust rates based on market demand and competition while ensuring they reflect your unique qualifications and the value you bring to clients.

•Research Market Rates: Investigate what other consultants with similar experience and expertise are charging. Look at industry reports, job postings, and speak with colleagues or mentors. •Assess Your Skills and Experience: Evaluate your specific skills, certifications (e.g., CISSP, CISM), and years of experience in Information Security. •Consider Your Value Proposition: Reflect on the unique value you bring to clients. This could include specialized knowledge in a niche area, successful project outcomes, or specific industry expertise. •Calculate Costs: Determine your overhead costs, including equipment, software, insurance, and professional development. Ensure your rates cover these expenses.

An exceptionally important area to highlight. All too often we see new entrant firms, or those who do not invest in their relationships drop price. This is not good. Information security is a trust business. And with that trust comes integrity. If a firm comes to a consultancy, it is because they need to solve a problem. And they need generally quality with this. But many firms do not hire the right level of skills and often there are things missed that may be crucial to the cyber integrity of a project. Fair pricing is essential as building for quality takes significant time and attention. There are also the components where if margins are squeezed so is service and the essential help that is required. Focus on quality and equity.

Value is everything as infosec should drive an ROI. This is fundamental. I advocate also for exceptional service coupled with skills as this is more often than not dropped in our world of cyber. We need to have our attention on our clients & to enable them. We must help them. Service seems to have been forgotten yet there is so much need for it. It takes a relentless focus to create it too. The default in “busy” world is to drop back service. Our industry has a long way to go to recover from this. We do it by default but can and must always improve. It’s utterly essential as it’s closely coupled with enablement and quality. Further collaboration is fully reliant on service. Let’s strive to be exceptional. Standards! We may achieve it!

Information security is generally transformed and risk reduced by an iterative approach. But generally that does not suit cyber companies, especially Pen Testing companies who want to deliver projects which are delivered and invoiced. So there is great potential in delivering outcomes which acknowledge not only budgets, but that dovetails in with a client's ability to make change. Perhaps a scope can be spread? Perhaps we consider multiple phases that suit the client and not the consultancy so much? This spreads the impact and makes sure that not only is the budget efficient, that material outcomes for risk reduction are achieved. There is a benefit of raising standards through this approach and it is valuable to consider.