The Cybersecurity Career Playbook Broke in 2025
Work arrangements, market mechanics, and what comes next
After a decade as a permanent full time employee in cybersecurity, I was in debt. Then I got made redundant along with 24 other people.
That redundancy was the best thing that happened to my career.
Within months of crossing over to contract work, I was earning 3 to 5 times what I made as a permanent employee. I was doing the exact same tasks. The difference wasn’t my skills. It was understanding how companies actually spend money on security.
The Diagram
Over 20 years working in IT and cybersecurity across Greece, the UK and Canada, I’ve worked every arrangement on this spectrum.
On the left you have the Employee arrangements. Stable, predictable, not tax efficient. On the right you have Business Owner arrangements. Variable, flexible, and where the real money is.
The center is the pivot point. Most cybersecurity professionals never cross it.
The Permanent Employee Years
I started on the left side of that diagram. Junior Security Analyst, part of an InfoSec team, doing vulnerability scans, phishing tests, endpoint deployments, policy updates.
The pay was entry level. Raises depended on annual objectives. I got a bonus a few times when I was working in the UK. Nobody told me it was taxable.
The pace was slow. The ceiling was low. After a decade of this, including on call rotations, I was still in debt.
Then came the redundancy notice.
Crossing Over to Contract Work
When I started applying for permanent roles again, recruiters were suddenly helpful. Redundancy makes you a sympathetic candidate. But after two rounds of interviews with no offers, I took my first contract role.
That’s when I learned what contractors had known all along.
Every company has buckets of money called OPEX and CAPEX. These stand for Operating and Capital Expenses. Some departments have allocated project budgets they must spend each year or they lose them. That’s where external consultants come in.
When I worked in UK government, every January we had to find contractors to use up the remaining budget. If we didn’t spend it, next year’s allocation would drop.
Now, companies don’t find contractors randomly. They partner with recruitment agencies. Smaller companies work with multiple agencies but larger companies have only 2 or 3 agencies that they work with exclusively. Sometimes there’s a Managed Service Provider in between who has the contract with the end client but needs bodies to deliver it.
Here’s where you come in. To work as a contractor, you need a few things:
A business incorporated
A business bank account
Liability insurance
From the company’s perspective, engaging a business with its own liability insurance is a risk mitigation strategy. It’s often easier for them than hiring you as an employee.
Once you have these set up, you can start applying for contract roles. An example workflow goes like this. You find a contract role on LinkedIn. The job posting will be titled something like “Cybersecurity Analyst 6 Month Contract”, fully remote or hybrid.
The decision cycle is way faster than permanent job applications. I have been offered contract roles after a single 20 minute phone interview. Sometimes after two rounds, but never the drawn out permanent hire process.
The money goes into the business and you have flexibility on how to pay yourself. Usually this is through a combination of minimum salary and dividends. It’s tax efficient in ways that permanent employment never is.
The advantage of this arrangement is that you might be doing the exact same task that you were doing as a permanent employee but being paid 3 to 5 times more.
UK Business Tax Reform
After 4 years of working on contract roles through my UK limited company, the government introduced IR35 legislation. This put the onus on the clients hiring small business owners like myself and made them liable for additional tax if they were audited and my engagement was deemed to be that of an employee rather than a contractor.
My contracts were written correctly. I could provide replacement resources if needed. That didn’t make a difference. Most companies hired the Big 4 (KPMG, PwC, Deloitte, EY) to assess their contractor arrangements, and overnight nobody wanted to hire anyone with a limited company.
If you wanted to keep working as a contractor, you had to register as an employee of an umbrella company that could subcontract you to the client. The daily rate was still better than being a permanent employee but all the income was now taxable. I didn’t have paid holiday or sick days. Over the coming months the daily rates dropped even further.
The timing of the global pandemic made remote working mandatory and this made the situation more bearable. But the UK contractor market was permanently changed. I started looking at North American markets instead.
Direct Clients and Partnerships
Since I still had a business I started working directly with clients. This is the best arrangement. It is not easier as you have to be the marketing, sales, project and delivery person.
At the same time as remote work became the norm, it became possible to work with people globally. While working on moving and starting another company in Canada, I found consulting companies that had an overflow of clients they couldn’t serve. Instead of going through recruitment agencies, they partnered with other small business owners like myself and worked on SOW (Statement of Work) projects. These would be one off 40 hour engagements or longer term projects.
This arrangement provides a stream of leads and you can focus on delivery.
The Cycle
Here’s what nobody tells you. Until you have your own clients, you’re caught between a wheel of contract roles and permanent roles. Sometimes the contract market is slow and you have to take a permanent role. Sometimes it’s the opposite.
In January 2024 I went back into permanent employment. In March 2025 I was laid off for no reason. There just wasn’t enough work. In VC funded startups, higher paid roles go first. This was the second time in my career I was laid off in 22 years. Not bad.
But 2025 was different. Neither market worked. The AI hype, tariffs, economic uncertainty. Everything combined to freeze hiring. Contract roles that used to need 1 or 2 interviews now wanted to take you through 3 or 4 rounds. And they still couldn’t decide.
It was unreasonably hard to land even another contract role. That’s when I focused on getting my own clients.
What This Means For You
I don’t have a playbook anymore.
Everything I described above worked for 20 years. The permanent to contractor jump. The wheel between contract and permanent roles when one market went cold.
In 2025, all of it stopped working at the same time.
If you’re a permanent employee in cybersecurity wondering why contractors doing the same work earn multiples of your salary, now you know the mechanics. But knowing the mechanics doesn’t help when the machine is broken.
One thing still works: partnerships with larger consultancies. Building real relationships has been more beneficial in the long run than getting a higher contract rate or higher billable hours.
Another thing that’s worked at every level: don’t give textbook answers. When you’re interviewing for a contract role or pitching a client, understand the problem they’re trying to solve. Explain how you’d approach it as if you’re already part of the team. Take something you did elsewhere and apply it to their environment in real time, using whatever detail they’ve shared. Make them see you already solving their pain points.
Throughout all this I learned what amazing consultants look like. Naval Ravikant talks about these traits in an interview: talent, curiosity, good nature, low ego, high drive, and vision. Earned respect, not networked connections. He says the best way to match with people is through work, not just networking. Deeply understand and admire their work. Offer help. Ask good questions. Contribute.
That’s been my north star for a long time. Find people you deeply respect. Do good work with them. Build trust over time.
This isn’t a playbook. It’s a map of where the roads used to go, and a compass for what might come next.



