Yesterday I learned that more friends of mine from Foundstone have departed to start their own companies. I could probably list a dozen such companies with whom I do work, from whom I get leads, or to whom I pass leads. It seems this is a really popular way for security specialists to do work they enjoy without the burden of corporate management.
I think clients like this approach because they always interact directly with the people doing the work. They can target specialists and only bring in the people they need. When I am hired for a project that extends beyond network-centric monitoring, response, and/or forensics, I call on one or more friends I trust. For example, one client needs help with monitoring, infrastructure, and applications, so I am driving to the client with the best guys I know for each subject.
I wonder if it might be useful for all of us "single-digit security service providers" (i.e., those of us with fewer than ten employees) to meet, perhaps at Black Hat USA? So many people asked if I was attending Black Hat last year, but I didn't make it. This year I think I will attend, and it might be cool for all of the security small business owners to meet and share war stories and capabilities. I'd like to expand my list of trusted colleagues, but I usually only feel comfortable recommending another person after I've met them and hopefully seen what skills they offer. This is related to my personal LinkedIn policy.
While I know a lot of people at bigger companies, I'm never really going to call on a large company for help unless the project is beyond what I could do with a small team. So, please don't be offended if you want to attend this meeting but work for a big consulting firm or defense contractor. Your company doesn't need any help from my company, believe me!
If there's interest in large companies looking to subcontract work to small companies, I think we can talk about arranging a second meeting for that sort of social networking. I do that too and so do my friends. If you work at a large company and want to meet potential subcontractors, also please email me and we'll set up a second meeting to accommodate those interests.
If either of these meetings at Black Hat sounds like a good idea, please comment here and/or email taosecurity [at] gmail [dot] com. Thank you.