IT security consulting is an excellent way to grow as a security professional. In contrast to an corporate role, consultants are exposed to a variety of business situations and industries. Those who succeed in the consulting world find themselves equipped with greater skills and cutting-edge knowledge of new technologies.Before you enter consulting, take note of the field\u2019s current opportunities and challenges. \u201cMigrating security services to the cloud, incident response, forensics and security risk assessments are areas in high demand,\u201d comments Brian Honan, founder of BH Consulting. The Ireland-based IT security consulting firm has grown to 10 consultants and serves clients in Ireland, Europe, the United Kingdom and the US.Aspiring consultants need to understand the various firms involved in the security business. Each type of organization will vary by specialization, geographic emphasis and growth prospects. An individual\u2019s career options will be impact by their location and the skills they bring to the market. \u201cEconomically, it is important to understand that the two groups in consulting: those who generate the projects and those who do the work. Those who sell the projects always earn the highest income,\u201d explains Peter Block, author of Flawless Consulting.[ ALSO ON CSO: The balance of career power is shifting toward security ]Large consulting firms such as Accenture, Deloitte, KPMG, PWC and EY all have technology and security groups at their organization. At a large multi-service firm, consultants benefit from strong institutional support (e.g. Deloitte runs Deloitte University to support professional development). The trade-off to these firms is that IT security may not always be a focus of the firm.\u201cDeloitte\u2019s cyber security practice and related areas are growing rapidly,\u201d commented Marc MacKinnon, partner in Deloitte Canada\u2019s Enterprise Risk Services practice. \u201cAspiring security consultants need to show a passion for the field. In interviews, I often ask candidates for their assessment on breaking news stories relating to data breaches and security matters. Their response tells me a lot about their interest level,\u201d he explained.\u201cA junior consultant in our cybersecurity groups has a unique opportunity to contribute. In many consulting organizations, junior staff simply execute on the direction of others. In this group, junior consultants are directly contributing to our methodology and approach. That is a tremendous opportunity to grow and learn,\u201d MacKinnon added.The future is bright for security consultants. \u201cWe expect to do a lot of hiring for security talent in Canada this year and in 2017,\u201d he added. Deloitte is currently hiring for a variety of cybersecurity consulting roles. As of March 2016, the firm was looking for interns, analysts and consultants across the United States. Typical job titles include IT Security Solution Developer, Cyber Risk Assessments Consultant, and Cyber Risk Technical Architect.The steady stream of cybersecurity incidents in the news means demand for security focused consulting firms. Examples in this category include Root9b, RSA, Fortinet and Palo Alto Networks. These firms typically focus on a specific niche: Palo Alto Networks focuses on threat detection and prevention while Forcepoint focuses on Internet of Things (IoT) security.\u201cAchieving success in this industry requires two skillsets: consulting and IT security capabilities,\u201d explains Reg Harnish, CEO of GreyCastle Security. Established in 2011, GreyCastle has over 20 security consultants and had six open job roles as of March 2016. \u201cFinding qualified consultants is challenging so we take several approaches. We recruit at tradeshows, conferences and from local colleges and universities,\u201d Harnish explains.\u201cTo address the talent shortage, we partnered with Hudson Valley Community College to offer a 10-week Cybersecurity 101 program,\u201d Harnish explains. \u201cI already know of two promising students in the course that we are thinking about as potential employees,\u201d he added. The program subject matter is taught by GreyCastle Security staff while the administration is handled by the college.\u201cOur consultants are expected to develop a primary and secondary area of focus related to our practice areas,\u201d Harnish continued. GreyCastle\u2019s six practice areas are Risk Assessment, Awareness, Vulnerability Assessment, Penetration Testing, ISO [Information Security Officer] As A Service and Incident Response. The firm\u2019s client base includes numerous health care and higher education institutions in the United States as well as private companies.Large technology companies also offer cybersecurity consulting services to their clients. \u201cEvery morning, I face new problems to solve and research. That constant variety and change makes the work exciting,\u201d commented John Kuhn, senior threat researcher at IBM Managed Security Services. \u201cIBM hires a variety of security professionals in different areas and we have partnered with universities to develop the next generation of security talent,\u201d Kuhn explained.[ ALSO: 4 infosec hiring tips to attract top talent ]\u201cGetting your hands dirty is one of the best ways to get started in security consulting. For example, an aspiring malware analyst could analyze one of those applications, deconstruct it and then write a paper about their process. Going through that process would impress me,\u201d Kuhn explains.IBM has become a major player in the security field. IBM Security has over 7,500 researchers, developers, and subject matter experts focused on security. In 2015, the company added over 1,000 new employees to the security business. Opportunities at IBM include security research, working on security products, and consulting.The entrepreneurial optionBecoming an independent security consultant is often an excellent option for those keen to break into the field. Running an independent practice requires several capabilities beyond technical knowledge. Sales and marketing skills represent the stumbling block for most novice consultants. Fortunately, there are ways to overcome this approach.\u201cFor brand new solo consultants, your first clients tend to come from your personal network,\u201d explains Block. \u201cLearning to manage client expectations is important: some clients are looking for magical, turn-key solutions and that needs to be discussed,\u201d he added.\u201cWhen I set up BH Consulting in 2004, I was lucky that many in my network needed my skills. Ever since then, our client base has grown. Referrals from existing clients have been a major source of growth,\u201d comments Honan.