December 20, 2022
The digital economy shows no sign of slowing down, and with growing billions of people using mobile technology, an increase in mobile interactions brings a corresponding increase in security threats. Data security is critical to both individuals and businesses, and it’s thought that by 2025, cyber-attacks will be responsible for $10.5 trillion in annual damages.
All this means there’s a huge market for cyber security, and though it’s a bit of a mad scramble of competition, it will be a long time before the market is saturated. If you’re looking for how to start a cyber security company, you’ve come to the right place. Now may be a good time to do it, and we’ve got some help for you in this piece.
Cyber Security Businesses: An Industry Overview
In 2021, the global cyber security market was valued at almost $140 billion. This is expected to grow at a CAGR of 13.4 until 2029, when it is expected to reach over $376 billion.
The market is driven by emerging e-commerce apps and the wider adoption of fundamental techs such as smart devices and machine learning. Advancements in these fields are driving improvements in security solutions, and major players are now launching AI-enabled, automated cyber threat detection, creating a high bar of entry for the top competition.
Growing demand for these solutions is being met by investment from countries all over the world and the banking, insurance, manufacturing, and healthcare industries in particular are expected to drive market growth by way of their increased adoption of such products in the foreseeable future.
This adoption of advanced tech is one of the rapidly emerging market trends to jump on, and with it, an increase in the adoption of cloud computing. This form of data storage is part of what’s fueling such significant international investment for internet security solutions, investigating network and internet security projects for governments, consequently inspiring an increase in adoption in multiple industries.
Challenges to the market have been significant. The pandemic resulted in 43% of small and medium business owners reporting temporary shutdowns, impacting the demand for internet security systems worldwide. On the other hand, governments, healthcare systems, and manufacturers all grew exponentially during this time, forcing key players to adjust their sights to prioritize the security of industrial operations.
There is still a lack of expert talent to match the growing demand, and this is one of the key restraining factors in the industry.
However, these are challenges that create opportunities rather than stifle them. There remains a lack of sufficient spending on the problem of cyber security and plenty of opportunities for businesses that are capable of breaking into the market. There may be no better time for innovation in the industry for simpler, improvised technologies to protect the underserved market segments.
Starting a Cyber Security Business: Business Models and Revenue Streams
There are multiple ways to approach the market in the cybersecurity industry. If you’re thinking about starting a cyber security company, it’s a good idea to have an understanding of these business models to identify the strongest option for you. Let’s take a look:
For corporate cybersecurity, businesses often offer a form of outsourced IT support, allowing companies to hand over the responsibility of their tech support to a third party (you). If you go down this route, you’ll be making your money by serving multiple clients with a team behind you, whose resources are split across your clients as needed.
Whether or not you develop your own tools (see below) you’ll be able to find work installing security systems relatively easily. This approach is very involved and will cater to engineers as much as testers. It’s also going to be a lot harder to manage as a single person, though small teams are more than enough in many cases. Alternatively, clients may hire you to augment their in-house teams to get their new systems installed.
Installing and testing new security systems for clients will bring in a range of revenue depending on whether you specialize in certain systems or have a more generalized approach, and how large and detailed the systems are.
This is a more specific approach to security and involves actively testing security systems that are already in place. Again, this will be a company that serves multiple clients and simply tries to hack into their system to identify vulnerabilities.
This is a popular approach and can be set up at almost any scale. There’s a range in the amount you can make doing this based both on your level of expertise (the range of systems you’re capable of testing) and the scale at which you want to operate.
Larger-scale operations are at greater risk of what’s called “scope creep”, where the agreed-upon boundaries set by the client company are breached in the running of the tests, in which case there’s a danger of legal consequences, especially if key data was exposed.
This is a very different avenue than the above for a cyber security business to take. Systems auditing involves making sure your clients are compliant and their security measures match or exceed the industry standard.
This approach uses a set of compliance protocols and checklists, which the client company will be tested against. In some ways, it’s similar to the penetration testing above, only that the scope is determined by the industry standard, rather than the client. The checklists will cover various security elements such as physical and technical safeguards, employee awareness, and other standards set by the industry.
Ongoing monitoring of security systems also falls under this category, as it follows a similar principle of maintaining an agreed-upon standard over time.
Revenue in this business model can come from multiple clients or potentially government agencies or industry leaders themselves.
Outsourced Chief Technology Officer
Again, a very different approach, in which your company would act as the CTO for a client company. This is more of a managerial role that can be occupied by a single person or a smaller team, and would likely involve dealing with negotiations and consultancy around the purchase of software and fulfilling the leadership role for the company as they relate to the stakeholders with technological issues.
However, much of the leadership is not available to outsourced CTOs as they relate to the client company, which can make this a tricky position to fill. It’s possible for a sole proprietor to take on this approach, or for a cybersecurity company to provide qualified people to different clients. This again will provide varying revenue based on scale and experience.
For a more third-party approach to cybersecurity, it’s possible to become a vendor of tools and products that other cyber security businesses will want to use. Sometimes these companies will have other revenue streams too, perhaps in the form of any of the aforementioned business models, but as a developer of tools and services for other companies, you could have a range of clients across any industry.
The revenue streams here will depend on your specialty, your market, and the quality of your tools.
How to Start a Cyber Security Company: Startup Costs
The first thing to mention is that this is a highly-skilled venture, and without the appropriate education and certifications, you’ll be unlikely to be able to compete. The good news is that there are some very affordable credentials you can get if you’ve already got the foundational education behind you.
Further good news is that it may not cost very much at all to get started once you’ve got these documents. To cover the certifications, check out the National Initiative for Cybersecurity Careers and Studies.
So, for a single person starting a cyber security company, certifications could cost you the first $5000, and from there you’ll need:
- A computer system - $2000 to $5000
- Relevant tools (software) - $3000 to $5000
- Website - $1000 to $3000
- Startup Costs - $100 to $200
- Business Licenses and Insurance - $200 to $600
- Marketing Media - $100 to $300
Adding it all up, you’re looking at something between $11400 and $19100 with the certification included.
So, the figures aren’t astronomical for a small-scale startup. And you can make that money back fairly quickly if you find clients.
If you’re installing security systems, you could make revenue of between $1000 and $10,0000 per job. Your margins generally will be higher with a smaller team, but you’ll be able to handle fewer clients, so typically profit will improve with scale.
Based on jobs of $2000 each, you could be serving three clients a month and bring in $72,000 in revenue. If you’re a one-person team, almost all of that will be profit, and this is a conservative estimate: you should be able to handle a lot more work than that.
If you’re scaling up, you’ll need a headquarters and to cover the costs of your staff, but you’ll be able to take on far more clients. If you’re able to get referrals from your good work, you could see ten new clients per month, and without increasing your prices you’re now bringing in $240,000 in revenue. Even at 30%, that’s your $72,000 profit and you will be able to offer monitoring and auditing services to these same clients for substantially more money.
Ongoing monitoring could bring you in another $2000 per client, per month, essentially doubling your revenue on the conservative side.
So, if you think you’re qualified, and you like the sound of these numbers, you might be wondering how to get everything started.
How to Start a Cyber Security Company
As we mentioned, your certifications are important. A degree is all but essential, but you’ll also need to show that you’ve got some experience. There are countless certifications available to prove this, and the following examples are simply for context. Please note, these are not necessarily the best ones for your business, nor are they being endorsed over any others that are available. You’ll likely want to pick multiple certifications that suit your approach and it’s important you do your research to figure out which ones those should be.
- Certified Ethical Hacker – For penetration testers, this is a good one. The EC-Council certification vouches for your ability to test systems for weakness. This certificate costs around $100.
- Certified Cloud Security Professional (CCSP) – This is from the ISC2 and it demonstrates that you can design, maintain, and secure cloud infrastructure, apps, and data. It costs around $600 and might come in handy if you’re looking to develop your own tools.
- Certified Information Security Manager (CISM) – This certification from ISACA backs you up in your ability to manage information systems and IT security. This one costs around $760 and would be useful for managed service business models.
Once you’ve got your docs behind you, you’re going to need to have a business plan. You should have an idea of the model you’re planning to use by this time so that you can get the relevant missing qualifications, but you might not have delved any deeper than this yet. Your business plan is the time to really find out who you’re going to be as a business and how you’re going to reach your clients.
It begins with market research and competitor analyses. This is where you’ll identify your prospects and what they’re looking for, and also analyze what your competition is currently doing for them. From there, you’ll be able to design your approach in a way that you will be offering something that your clients can’t get anywhere else.
You’ll then work on your pricing structures in a way that’s competitive and you’ll need to figure out your financial documents. Working with projections can be tricky when you’re not yet making any money, but it’s important to be as accurate as possible.
Your market research should provide enough detailed information to put your financial documents together including complete financial projections. ProjectionHub has a professional services template that is specifically designed for this purpose and perfect for cybersecurity firms who are doing planning. The template is entirely customizable to your needs and comes with full support so you can create professional-looking projections that will appeal to investors or lenders if you’re going down that route.
You’re also going to have to choose your legal structure. Whether you go for a sole proprietorship or limited company will depend on the kind of liability you’re comfortable with and how much work you want to put into your paperwork. There are also partnerships, corporations, and other structures to look into, each with its pros and cons that you’ll need to weigh up.
By the time you’ve done all this, you’re almost there. Getting a business license isn’t expensive, and from there you can get a company bank account and card. You’ll need to look up the requirements for your state, since they vary, and then you’ll find out which kinds of insurance you’re legally required to have.
For example, General Liability Insurance is commonly required to get your license in most states.
If you’re going to use external funds, there are quite a lot of options here too. There are grants which you should check out first, special loans, investors, and specific venture capital funds that focus primarily on this industry.
Whomever you choose, make sure your financial papers are in order first, as these might be the first thing that lenders or investors consider.
Starting a Cyber Security Company: Final Considerations
Now it’s time to market your services and get your first clients. However, there are some loose ends you might want to tie up while doing this, so we’ll go over a few last-minute considerations for setting up and running your company in this section.
You don’t have to do this yourself. Depending on your budget, time constraints, and skill set, you might consider outsourcing it. Regardless, you’ll have designed your marketing strategy from your marketing research as part of your business plan, so now’s the time to enact it.
Hiring experts can be great value for money if you can afford it, but however you go about it, make sure your website, your social media, and your entire online presence are active, consistent in their messaging, and streamlined to ensure clients can contact you if they need to. Use SEO principles to show up in searches locally, and lean into your network if you have one.
Make sure you don’t go into agreements without legal backing. Drafting your contracts well is important for your own protection and the future success of your business. Cybersecurity often deals with some very sensitive information so you need to ensure you don’t get hindered by legal troubles from a lack of forethought in your contract designs.
Another key consideration to running your business is the hiring process (if you’re bringing people on board). Again, you’ll be vouching for people you don’t know here, who will be given access to the inner workings of companies and their clients. This means you need to vet people well and consider paying extra for someone who is well-established.
This could be considered a risk mitigation strategy that will ensure you don’t fall into any pits as you’re starting up. Remember also that reputation and trust are critically important at the early stages of your company, so pick people you are proud of.
Now might be a great time to figure out how to start a cyber security company, if you’re already qualified. And if you’re not, the industry looks to be on an upward trajectory for long enough that you have time to get into it.
There are multiple approaches you can use, all of which come with their own demands and benefits. Once you know which suits you, it’s just a matter of getting a solid business plan done, getting your financial documents in order, and securing the funding. Then, get out there and find clients!