Want to hire a cyber security consultant? You need to know what qualifications actually matter. First, understand what a consultant actually does. Then you can judge if they're right for the job.
Here's what to look for when choosing a consultant for your business.
Do Consultants Need a Degree?
Short answer: not always.
Many excellent consultants have degrees in computer science, cyber security, or IT. But plenty of the best ones don't. They learned by doing.
What matters more is practical experience. Someone who's spent years protecting real businesses knows things no university teaches.
That said, a relevant degree shows they understand the basics. It's a good starting point. Just don't treat it as essential.
Key Fact: The cyber security skills gap means there aren't enough qualified people. Many employers now accept experience and certifications instead of degrees.
Industry Certifications That Matter
Certifications prove specific skills. They require exams and often ongoing learning. Here are the main ones to look for:
CISSP (Certified Information Systems Security Professional)
This is the gold standard. It covers all aspects of security at a senior level.
To get it, you need five years of experience. The exam is tough. Holders know their stuff.
If a consultant has CISSP, they've proven themselves. It's run by (ISC)², a respected body.
CISM (Certified Information Security Manager)
This focuses on managing security programmes. It's about governance, risk, and strategy.
Good for consultants who advise on security policy rather than hands-on technical work. Run by ISACA.
Security+ (CompTIA)
An entry-level certification. It covers the basics well.
Fine for junior consultants or those new to the field. Senior people should have something more advanced.
CEH (Certified Ethical Hacker)
It focuses on offensive security: finding weak spots by thinking like a hacker.
Good for consultants who do penetration testing or vulnerability assessments. See my consultant vs pen tester guide for more on this.
CREST Certifications
UK-specific certifications for penetration testing. CREST is well respected in Britain.
If you need technical testing, CREST qualifications are a solid indicator of skill.
| Certification | Focus | Experience Needed |
|---|---|---|
| CISSP | Broad security expertise | 5 years |
| CISM | Security management | 5 years |
| Security+ | Entry-level basics | None required |
| CEH | Ethical hacking | 2 years recommended |
| CREST | UK penetration testing | Varies by level |
Experience Trumps Paper
Here's the truth: experience matters more than certificates.
A consultant who's handled real breaches knows what works. Someone who's only studied theory doesn't.
When hiring, ask about:
- Years working in security (not just IT)
- Types of businesses they've helped
- Real examples of problems they've solved
- Industries they know well
A consultant with ten years of hands-on work beats someone fresh from a course, even if the newbie has more letters after their name.
Quick Tip: Ask consultants to describe a challenging situation they've faced. How they handled it tells you more than any CV.
What Experience Levels Mean
Consultants fall into rough experience levels. Here's what to expect at each:
Junior (1-3 Years)
- Knows the basics solidly
- Good for simple assessments
- Needs supervision on complex work
- Lower cost
Mid-Level (3-7 Years)
- Can handle most projects independently
- Has seen a range of problems
- Good balance of skill and cost
- Right for most small to medium-sized businesses
Senior (7+ Years)
- Strategic thinking and technical depth
- Handles complex, large-scale work
- Commands higher rates
- Best for big projects or critical systems
| Level | Typical UK Day Rate | Best For |
|---|---|---|
| Junior | £300 - £450 | Simple assessments, documentation |
| Mid-Level | £450 - £700 | Most business security needs |
| Senior | £700 - £1,200+ | Complex projects, strategy work |
Soft Skills Matter Too
Technical skills aren't everything. A good consultant also needs:
Communication
Can they explain complex things simply? If they drown you in jargon, their reports will be useless.
Ask them to explain a security concept in plain English. If they can't, move on.
Business Understanding
Security exists to protect your business, not as an end in itself. Good consultants understand your goals. They recommend solutions that fit your budget and needs.
Someone who suggests expensive controls for a low-risk problem doesn't get it.
Trustworthiness
You're giving this person access to your systems. Your secrets. Your data.
Check references. Look for a track record. Trust your gut about whether they seem honest.
Warning: Be wary of consultants who oversell fear. "You must do this or you'll be hacked!" is a red flag. Good consultants explain risks calmly and let you decide.
Qualifications for Specific Needs
Different jobs need different backgrounds:
For Compliance Help
Look for experience with the specific rules you need to meet. GDPR. Cyber Essentials. PCI DSS. ISO 27001.
Ask if they've helped similar businesses get certified before.
For Technical Testing
CREST, OSCP, or CEH certifications show testing skills. Ask about their methodology. What tools do they use?
Experience with your type of systems matters. Cloud? Web apps? Networks? Find someone who knows your tech.
For Strategy and Governance
CISSP or CISM plus senior experience. They should have worked with boards and executives before.
Ask how they tie security to business goals. Generic answers mean generic advice.
For Incident Response
Look for experience handling real breaches. Certifications like GCIH help. But actual breach experience matters more.
Ask about cases they've worked. How did they contain the damage? What did they learn?
Red Flags to Avoid
Some warning signs when evaluating qualifications:
- Can't explain what their certifications mean
- No references from actual clients
- All theory, no practical examples
- Vague about their experience
- Won't answer direct questions
- Oversells or uses scare tactics
Good consultants are confident but honest. They'll tell you what they don't know. They recommend others when a job isn't right for them.
For more guidance, see my guide on finding a good consultant and the full list of consultant responsibilities.
Common Questions
Relevant experience. Certifications and degrees help, but nothing beats hands-on work with real security problems. Ask about projects they've completed, not just exams they've passed.
Not necessarily. Many excellent consultants are self-taught or came through non-traditional routes. Focus on what they can do, not where they studied. Certifications and proven experience often matter more than academic degrees.
Certified Information Systems Security Professional. It's a senior certification covering all areas of security. Holders need five years of experience and must pass a difficult exam. It's widely respected as the gold standard in the industry.
Most certification bodies have online directories. You can check CISSP holders on the (ISC)² website, for example. Ask for references from past clients. Look them up on LinkedIn to check that their history adds up.
For compliance work, yes. Someone who knows UK data protection law, Cyber Essentials, and the NCSC guidance will be more useful than someone who only knows US regulations. For technical work, qualifications are more universal.
Not automatically. Quality beats quantity. One person with CISSP and ten years of experience is usually better than someone with five basic certifications and two years of work. Look for depth, not a long list of letters.
Looking for Security Expertise?
I help UK businesses find and fix security gaps. Want to discuss your needs? Let's chat.