Credibility Strategy / Narrative Consulting

• Mid-market companies (300–500 employees) are overserved by large firms. They get junior staff, cookie-cutter frameworks, and bills that far exceed value delivered. A Forrester study found boutique firms achieve 27% higher implementation success rates than generalist firms on complex, industry-specific challenges.
• Boutique firms respond 43% faster to changing client requirements than large consulting organizations.
• Your price point is a sweet spot. Companies that need IGA work but cannot justify $150K+ engagements with Deloitte are your exact buyer. You are not competing with the Big Four. You are the alternative to the Big Four for companies that were never going to hire them anyway.

Priority 1: Okta (Highest ROI)

Why: Your 11 Terraform modules are already Okta-focused. This is your strongest existing signal.

Path:

1. Get Okta Certified Administrator (prerequisite)
2. Get Okta Certified Consultant
3. Apply for Okta Elevate Partner Program as a Solution Provider
4. Earn digital badges (Tech Champion, etc.) that display on the partner directory

What it unlocks:

• Listing in Okta's partner directory (buyers search this when they need implementation help)
• Deal registration (protects your pipeline when Okta refers business to you)
• Co-marketing opportunities and Okta logo usage rights
• Access to partner training, NFR licenses, and pre-release features

Priority 2: ISACA Chapter Engagement

Why: Not a vendor partnership, but functionally similar. ISACA chapters are where your buyers network.

Path:

1. Join ISACA ($135/year)
2. Attend your local chapter meetings
3. Volunteer to present at a chapter meeting within 6 months (these are always looking for speakers)
4. Aim for a chapter board position within 12 months

What it unlocks:

• Direct access to CISOs, compliance managers, and IT directors at target companies
• Speaking credibility (ISACA chapter speaker is a real credential)
• CISM certification pathway with member pricing

Priority 3: Identity Defined Security Alliance (IDSA)

Why: Niche industry group specifically for identity security. Smaller community means higher visibility.

Path:

1. Apply for membership
2. Contribute to their frameworks and publications
3. Participate in working groups

What it unlocks:

• Association with major identity vendors (Okta, SailPoint, CyberArk, Ping are all members)
• Thought leadership platform in your exact niche
• Networking with identity-focused buyers

Okta Certified Administrator

• Cost: ~$250 exam fee
• Study time: 2–4 weeks (you likely already know 80% of this given your Terraform modules)
• Credibility signal: “I am not just theoretically knowledgeable about Okta — I am certified by Okta”
• Business impact: Prerequisite for partner program, listed on your profiles

Okta Certified Consultant

• Cost: ~$250 exam fee
• Study time: 2–3 weeks after Admin cert
• Credibility signal: Implementation-level certification, not just admin
• Business impact: Higher partner tier eligibility, stronger positioning for Governance Buildout engagements

CISM (Certified Information Security Manager)

• Cost: $575 (ISACA member) / $760 (non-member)
• Study time: 2–3 months, ~150 hours
• Credibility signal: Governance and risk management focus directly aligned to your service offerings
• Business impact: This is the cert that speaks directly to CISOs and compliance officers. More relevant to your practice than CISSP.
• Requirement: 5 years of information security management experience (up to 2 years can be waived with other certifications or education)

CISSP (Certified Information Systems Security Professional)

• Cost: $749 exam fee
• Study time: 3–6 months, ~250 hours
• Credibility signal: The most recognized security certification globally. Procurement teams know this one even if they do not know what it means.
• Business impact: Removes the “are they qualified?” question permanently
• Requirement: 5 years of cumulative, paid work experience in 2+ of 8 CISSP domains
• Note: If you do not have 5 years yet, you can pass the exam and become an Associate of (ISC)2 while accumulating experience

Tactic 1: The Assessment-to-Testimonial Pipeline

Your $3,500 Identity Infrastructure Assessment is your greatest social proof engine. Here is how to weaponize it:

1. Deliver the assessment with clear, actionable findings
2. Two days after delivery, send a short email: “Would you be willing to share a brief quote about your experience? Even 2–3 sentences would be incredibly valuable. I can draft something based on our conversations if that is easier.”
3. Offer a draft. Most people will not write a testimonial from scratch. Write it for them based on what they said during the engagement, then ask them to approve or edit.
4. Ask for permission to create an anonymized case study. “A 350-person fintech company needed to prepare for SOC 2 Type II. We identified 14 critical IGA gaps in 10 days...”
5. Request a LinkedIn recommendation in the same conversation. LinkedIn recommendations are searchable and permanent.

Tactic 2: The Pro Bono Assessment

Offer 1–2 free assessments to companies in your target verticals under these conditions:

• They agree to a detailed case study (anonymized is fine)
• They agree to a testimonial quote
• They agree to serve as a reference for future prospects

Tactic 3: Open Source as Social Proof

Your 11 Okta Terraform modules at github.com/sean-iam/narrative-terraform-modules are an asset that no Big Four consultant has. Here is how to leverage them:

• Add a professional README with architecture diagrams, use cases, and a link to narrativeconsulting.com
• Track stars, forks, and downloads and display them on your site: “Trusted by X organizations” (even 50 stars is meaningful in a niche Terraform module space)
• Write a blog post explaining the design decisions behind each module. This demonstrates depth of thought, not just code.
• Reference them in every proposal: “Our approach is infrastructure-as-code first. Here is our open source Okta module library that organizations already use in production.”
• Contribute to Okta's official documentation or community — this creates a paper trail of expertise that prospects can verify

Tactic 4: LinkedIn Social Proof Blitz

Over 30 days:

1. Post 3x/week about IGA topics (not sales pitches — genuine insights from your work)
2. Comment substantively on 5 posts/day from CISOs, compliance leaders, and identity professionals
3. Request LinkedIn recommendations from every former colleague, manager, and client who knows your IGA work
4. Join and actively participate in LinkedIn groups: “Identity and Access Management Professionals,” “ISACA,” “Okta Community”

Tactic 5: The Assessment Engine as Proof of Expertise

Your public /assessment/ pages are brilliant for this. Every prospect who completes the assessment experiences your expertise before they ever talk to you. Make sure the assessment:

• Delivers genuinely useful output (not a glorified lead gen form)
• References real frameworks (NIST 800-53, SOC 2 TSC, CIS Controls)
• Ends with “Prepared by Narrative Consulting” branding that positions you as the authority

1. Speaking at ISACA Chapter Meetings Very High Impact

• Local ISACA chapters are always short on speakers
• Propose a talk: “Identity Governance Gaps That Fail SOC 2 Audits: Lessons from the Field”
• Audience: exactly your buyers (CISOs, compliance managers, IT directors)
• Frequency: 1 talk per quarter
• Lead generation: hand out business cards, offer free assessment signups
• Timeline: Can start within 60 days of ISACA membership

2. Submitting to Identiverse CFP Very High Impact

• Identiverse is THE identity conference (3,000+ attendees, curated by independent content committee)
• CFP is open to anyone — they judge on content quality, not firm size
• Propose: “Infrastructure-as-Code for Identity Governance: Terraform Patterns for SOC 2 Compliance”
• Even a rejected submission gets your name in front of the content committee
• If accepted, this is an instant credibility multiplier

3. Gartner IAM Summit Attendance + Networking High Impact

• 1,500+ attendees, 20+ Gartner analysts
• You will not speak here initially, but attending and networking aggressively puts you in the room with your exact buyers
• Collect contacts. Follow up within 48 hours.
• Cost: ~$3,000–4,000 registration. Worth it if you convert even one lead.

4. Writing for Industry Publications High Impact

Target publications: CSO Online, Dark Reading, SC Magazine, ISACA Journal, Help Net Security

Do not pitch generic articles. Pitch specific, opinionated, data-backed pieces:

• “Why 80% of Mid-Market SOC 2 Audits Fail on Identity Controls”
• “The $50K Mistake: When Companies Over-Invest in IGA Tooling Before Fixing Governance”
• “Terraform for Identity: Why Infrastructure-as-Code Is the Future of IGA”

Frequency: 1 published article per quarter is sufficient. Quality over quantity.

How to pitch: Most of these publications accept contributor submissions. Find the editor on LinkedIn, send a 3-sentence pitch with a proposed headline and 3-bullet outline.

5. Contributing to NIST/Industry Frameworks Very High Impact

• NIST holds public comment periods on SP 800-63 (Digital Identity Guidelines) and other identity-related publications
• Submitting substantive comments gets your name in NIST records
• This is a long game but an extremely credible signal: “Contributed to NIST SP 800-63 revision”
• Watch for comment periods at csrc.nist.gov

1. Never quote hourly rates.

The moment you say “$200/hour,” you are a freelancer. Your assessment is $3,500. Period. If a client asks “how many hours is that?” respond with: “The assessment is scoped to deliver a complete identity governance gap analysis mapped to your compliance framework. It typically takes 8–12 business days from kickoff to final deliverable.”

2. Three-tier anchoring is correct.

Your structure (Assessment at $3,500 → Buildout at $8,500 → Hardening at $5,000) creates a natural upsell path. 68% of buyers choose the middle option in a three-tier structure. The Assessment is your entry point; the Buildout is your core revenue.

3. The Advisory Retainer ($1,500/mo) is your most important product.

This is recurring revenue AND a credibility signal. Frame it as: “Ongoing identity governance advisory to maintain compliance posture between audit cycles.” This positions you as a long-term strategic partner, not a one-off contractor.

4. Add a premium tier.

Consider a “Comprehensive IGA Program” at $15,000–$20,000 that bundles Assessment + Buildout + 3 months of Advisory. This serves two purposes:

• Anchors the Buildout as the “middle” option (making $8,500 feel reasonable)
• Captures clients who want a complete solution and would otherwise go to a larger firm

5. Proposals should show “Value Comparison.”

In every proposal, include a section: “How This Compares.” Show what a comparable engagement would cost from a Big Four firm ($50K–$150K for comparable scope) and from a generalist freelancer ($2K–$5K but with no methodology, no frameworks, no deliverable templates). Position yourself in the “expert boutique” middle.

6. Payment terms signal professionalism.

• Net 30 (standard enterprise terms)
• 50% upfront for new clients (protects you, signals you are in demand)
• Monthly invoicing for retainers
• Accept ACH, wire, and check. Credit card is fine but do not lead with it.

1. SOC 2 / Compliance Auditors

Why they refer: Auditors frequently identify IGA gaps during SOC 2 readiness assessments but cannot fix them (independence rules). They need someone to refer clients to for remediation.

How to build these relationships:

• Identify 5–10 boutique SOC 2 audit firms in your geography or target verticals
• Offer to present to their team on “Common IGA Findings in SOC 2 Audits and How to Remediate”
• Create a one-page “IGA Remediation Services” document they can hand to clients
• Propose a formal referral arrangement: you refer clients who need audits to them, they refer clients who need IGA remediation to you

Target firms: A-LIGN, Schellman, Prescient Assurance, Johanson Group, or regional firms

2. Managed Service Providers (MSPs)

Why they refer: MSPs manage infrastructure but typically lack deep IGA expertise. When their clients need identity governance for compliance, they need a specialist.

How to build these relationships:

• Join MSP-focused communities and events (Channel Futures, ASCII Group)
• Offer white-label IGA services: the MSP maintains the client relationship, you deliver the IGA work under their brand
• Create a “Partner Program” page on your site aimed at MSPs
• Pricing for MSP partners: wholesale rate (20–30% discount off retail) in exchange for volume and no sales effort on your part

3. Cybersecurity / Privacy Legal Counsel

Why they refer: Attorneys advising on data privacy, breach response, and compliance often need to recommend technical consultants for implementation. They want someone they trust will not create legal risk.

How to build these relationships:

• Attend local bar association technology law events
• Offer CLE (Continuing Legal Education) presentations on IGA topics
• Have your MSA and SOW templates reviewed by one of these attorneys (they become invested in your success)

The dirty secret of mid-market procurement is this: they do not actually want to hire Deloitte. They want to hire someone who makes them feel as safe as hiring Deloitte. That feeling comes from:

1. Proof you are real (LLC, insurance, business infrastructure)
2. Proof you are competent (certifications, case studies, published work)
3. Proof others trust you (testimonials, references, partner badges)
4. Proof they are not taking a risk (continuity plan, documentation-first approach, insurance)

Stack these four layers and the “you are too small” objection evaporates. You are not too small. You are specialized. And in identity governance, specialized is exactly what they need.