July 13, 2012
Lately I’ve received several requests for advice on breaking into the InfoSec field. I find myself repeating the same advice over and over, so I thought I’d post my thoughts here on Righteous IT to save time (at the risk of turning this into a career advice blog).
What Others are Writing
“Breaking into InfoSec” has been a hot topic in the community lately, and several authors are writing eloquently on this topic. Rather than repeating their good advice, let me just throw out some important links to read.
Every Tuesday, Lee Kushner and Mike Murray provide solid InfoSec career guidance in “Career Advice Tuesday” at the Information Security Leaders blog. One oft-repeated piece of advice in their blog is to develop a “career plan” for where you want to be with at least a five-year time horizon. While no plan survives contact with the enemy, having a plan means that you’re moving forward in a purposeful direction rather than just wandering at random.
Bruce Schneier recently posted “So You Want to Be a Security Expert” on his blog. I’m a firm believer in his “Study… Do… Show” mantra. Bruce gives a specific shout-out to security certifications, which are indeed useful for demonstrating a certain level of knowledge in a general discipline. But I wish that more people starting their careers put at least as much effort into doing research in their own areas of interest and writing blog posts, talks, and code to document what they’ve done. This is how we grow as an industry and incidentally it also shows potential employers something that distinguishes you from all the other “highly certified” professionals you’ll be competing against for jobs.
That Bruce Schneier article is part of a larger series of interviews with various InfoSec professionals on how to break into the InfoSec field, which is being created by Brian Krebs over at Krebs on Security. Brian’s blog is normally some great coverage of recent happenings in the Cyber Crime world, but these (often first-person) accounts of how to get started in InfoSec have been really interesting.
Similarly, Eric J. Huber has been running a series of enlightening interviews with leading lights in the field of Digital Forensic Investigation on his Fistful of Dongles blog. Somehow he became momentarily confused and also included me in this series. But apart from that oversight, these interviews always include interesting information on how to get started in the field.
If you’re paying attention, one thing about all of this advice is that it’s equally applicable to getting into any field. There are no magic tricks for getting started on an InfoSec career path that are different from any other career path. The corollary to that realization is that any of the classic career guidance books (from “What Color is Your Parachute?” onward) can be helpful when you’re getting started in InfoSec or any other career.
It’s All About Your Network
When people ask me for career guidance, the one point that I emphasize repeatedly is that personal connections– your “network” of friends and colleagues– control your career destiny more than any other single factor. Every good job I’ve ever had, whether as a full-time employee or as a consultant, has come through personal connections.
When you’re just starting out your career, you’re also starting to create your professional network. This process begins during your educational history. The contacts you cultivate during college and grad school– both fellow students as well as faculty and administration– are at least as important as what you learn from your books and professors.
Many of you reading this may not have been fortunate enough to attend college, or your college days are long past. And even the people who did start to build their network in school need to continue building their networks after they leave their educational womb. You need to constantly be on the lookout for opportunities and venues to meet other people and create a robust, living network.
An important part of your personal network comes from your on-the-job friends and co-workers. If your employer sends you for training, part of your job at that training event is to make useful contacts with other people in the room. If they’re at the same training event with you, they’re almost certainly part of the same field and will be great people to interact with in the future– whether that’s getting help with a problem you’re stuck on or finding a new job.
But also look around your area for regular meetings of different groups and invest the time to attend the meetings. This could be anything from a Security BSides event, to a SAGE or LOPSA local group, or an ISACA or ISSA chapter meeting, or even Toastmasters. InfraGard may have an active chapter in your area. SANS often has a “community night” associated with its conferences, which you can attend for free and network with other people in your area.
Don’t have a local group in your area? Go start one! Try using LinkedIn to search for other IT and InfoSec professionals in your area and reach out to them. It doesn’t have to be anything formal. Just meet for dinner/drinks every month and talk about your experiences and research projects.
Social networking has become an extraordinary resource for reaching out and networking with other InfoSec professionals. While it will never fully replace face-to-face interactions, “knowing” somebody by interacting with them first via Twitter, LinkedIn, or Facebook can get you past the awkward chit-chat phase when you finally do meet them in real life. And it can help you engineer those meetings when you’re in the same geographic region.
When you come into an established group for the first time, I urge you to sit back and just listen for the first couple of meetings. Figure out who the “players” in the group are and get a feel for the “social norms” and nuances in the new group. You’ve probably had the experience of boorish newcomers coming in and making a pain of themselves in groups that you’re already a member of. Don’t be “that guy”.
Instead you want the group to recognize your positive contributions. That could be anything from providing helpful summaries of information provided at the meeting, to helping with setup and tear-down at meetings, to providing food and beverage, to providing additional links that are relevant to the meeting’s focus, to contributing your own research and presentations. Even just making new people (like you) feel welcome and accepted is a valuable contribution!
Small Fish, Big Pond
If there aren’t currently any gatherings for professional InfoSec people in your area, and you’re having trouble tracking people down on LinkedIn to start your own gathering, then this may be a sign that you’re in the wrong geographic location. Being the biggest fish in your small pond may be comfortable, but you need to put yourself in an uncomfortable situation in order to grow.
You need to be in a situation where you’re constantly being exposed to new information and new ways of doing things. You might think you’re getting this from reading articles and blogs on the Internet. But you really need people around you who will push you to improve your game. If you’re on your own reading about new technology on-line it’s easy to think, “That’s cool, I should look into that.” But meeting up with your InfoSec pals every month will do more to push you into actually doing that research than anything else.
When you’re learning on your own it’s easy to have “blind spots” and miss out on important information. While social media can help with this somewhat, it’s not a replacement for being in a room with a group of like-minded folks who are bouncing ideas and solutions off one another at a rapid rate.
Being in the right geographic location also provides more job opportunities, which also translates to more “interesting” job opportunities. Feel like you’ve topped out at your current job and aren’t being challenged? Things are much easier if your next job doesn’t require you to move your home.
But how do you get moved to the “big pond”? In my case, I took a pretty lousy job for a year because the job was willing to relocate me to the Silicon Valley. Remember that advice about having a “career plan”? It’s a lot easier to take a lousy job for a year if you view it as a step on the road to the career you want. During that year, I was busily getting plugged into various tech groups in the local scene, and by the end of the year it was almost embarrassingly easy for me to step into my next job, which was a lot of fun. The things I learned during my 12 years in the Silicon Valley were instrumental in shaping my career and massively increasing my knowledge-base. And the friends and contacts I made during that period are still with me today.
So pay your dues if you have to, but get yourself to one of the big high-tech centers: Silicon Valley, New York, Washington D.C., or Seattle. You may never be a “big fish” in any of these places, but you’ll be better for having had the experience.
March 4, 2012
Hal Pomeranz, Deer Run Associates
Taking time off is important for maintaining your health and sanity. But as a consultant, it’s easy to feel that time not spent billing is wasted time. And forcing yourself to take time off when you feel like you should be billing– or when you feel like you should be looking for your next assignment– is almost as bad as not taking time off at all.
The trick that I use is to set a reasonable billing goal for the year, and when I reach that goal I simply stop billing. Instead I shift over to “fun” projects that I’ve had to put off because of my work and travel schedule. Or Laura and I travel to fun places together as a vacation, which is very different from the business travel I do normally. Or I just “veg out” and read a book or play computer games. The timing on this strategy usually works out well, since I commonly meet my billing goal late in the year when it’s typically hard to drum up new business: both because of the holiday schedule and the lack of budget at the end of the year for my potential clients.
Setting the Goal
The key is that when you reach your billing goal you have to be at a place where you don’t feel like you need any more money to get you through the remainder of the year. That means you have to have billed enough money so that you can pay yourself enough to cover your annual expenses for a year and the standard taxes that accrue on that income. You should also have billed enough to cover any overhead costs related to running your business for the year.
One mistake that I made early in my consulting career was forgetting to factor in large annual costs like my property taxes and annual homeowners insurance bill. One option would be to pay these costs on a monthly basis so that you can more easily factor them into your monthly expenses. However, there’s usually an extra fee for doing so. My solution is to plan as if the year were 13 months long instead of 12 and use the “extra” month of salary to cover the heavy annual expenses that appear at the end of the year.
So now you’ve hopefully got a figure that covers your gross salary needs and business expenses, but what about retirement planning? You’d better be saving some money unless you plan on working until the day you die (hint: this is not a good plan). Look into ways that you can invest some of your gross billing into a pre-tax retirement plan, and be sure to talk to your accountant about how much your company is allowed to contribute in “matching funds” in order to maximize the amount you are allowed to invest each year. Then build the maximum allowable amount into your billing goal.
Have you been forced to eat into your “six months of burn rate” savings plan? If so, then you’d better build your reserves back up to full before you quit billing for the year. Downtime comes when you least expect it. And you might need that float to carry you for a little bit when you start billing again in the new year.
Similarly, if you’ve been deferring any maintenance on big ticket items, like your automobile or property, make sure you plan on funding those repairs. While some work can be delayed for months if necessary during bad times, failing to address these issues will eventually cost you more money if put off for too long.
Now how about funding what you’re going to do during your downtime? Maybe you want to take a trip someplace nice. Factor in the extra cost for travel and/or any special expenses you’re planning to accrue during your time off. Make sure your billing goal covers those costs.
So your billing goal then is the sum of several factors:
- Gross salary to cover personal expenses (including large annual costs)
- Money to cover expenses associated with your business
- Retirement funding
- Any money necessary to rebuild your “rainy day” savings
- Deferred maintenance costs
- Special costs associated with vacation or other plans
If you get to a place where you can cover all of the above costs, then that’s a good place to stop billing. And you’ll be able to enjoy your downtime and not stress about needing to make more money.
The only other factor to consider is the long-term financial outlook. Right now, I’m personally very pessimistic about the global economy and am expecting another significant downturn in early 2013 (based on my assumption that nobody’s going to let the economy splatter before the US Presidential elections conclude in November of 2012). So I’m going to bill as much as I can in the next year in order to have a “war chest” against future bad times.
Advantages of Pre-Planning
There’s an additional benefit to setting a billing goal besides getting yourself to a place where you feel OK taking time off. The billing goal clearly focuses you on how many hours you need to bill and at what rate in order to get to your “happy place”. One of the side-effects of this process is often the realization that you need to find a way to increase your billing rates.
I strongly recommend you sit down and plan a billing goal at the beginning of each fiscal year. It focuses your efforts by giving you a target to shoot for. And it improves your mental health by allowing you to take time off without stress.
Wrapping Up This Series
With this article I’ve covered everything that I wanted to say based on my experience as an independent consultant. I hope you’ve found the advice useful in your own decision making and planning. Thanks for sticking with me!
If you have questions that you feel I haven’t fully addressed, please feel free to leave them in the comments and I’ll be happy to respond. Who knows? Perhaps your question will prompt me to add another full blog post in the series.
February 26, 2012
Earlier in this series of articles on consulting, I mentioned that my wife and I run our business from our home. This prompted one reader to ask why we didn’t have separate office space. The short answer is because office space is pure overhead. Every month that office space is going to cost me the same amount of money, whether I’m actually billing or not. And if I’m in the middle of a lease, I may not be able to shed that overhead as rapidly as I’d like.
During bad periods, extra overhead is the weight that drags you down. I’ve previously discussed having six months of “burn money” saved up to help you through these periods. One way to make your savings go further is to take a hard look at what recurring costs are necessary, and which can be done away with.
When I think about the absolute necessities for keeping our business going, the list is really very short:
- Internet/Data Service — Obviously, we run a high tech business and Internet and data connectivity are a must. Over the years, the most cost-effective solution that I’ve found is to use an inexpensive residential data plan for our home offices and have a dedicated server at a colocation facility acting as the “public” face of Deer Run. I get better availability and more throughput by having the server at the colo, and “residential service + colo” is still less per month than the expensive “business level” service plans offered by my local data providers.
- Telephony — These days, cell phones are a must. We also have a POTS line from our local telco which is the main number for Deer Run. Extravagantly, we also have a separate POTS line for our fax machine. While I enjoy having the POTS lines around as a backup, the reality is that they’re not at all necessary. If we ever do another move that requires us to print new business cards and letterhead, I would likely drop this service.
- Insurance — An earlier article in the series talks about insurance issues. We carry our general liability coverage and an extra rider on our homeowners policy to cover the replacement cost of our computer systems in the event of a catastrophic event like a fire. Do not try to skimp on this.
- Accountant/Attorney — Also do not skimp on legal and financial advice. The good news about these costs is that they only tend to accrue when you’re actively working. If business drops off, then you won’t need these services as much, other than perhaps year-end tax preparation.
- Taxes — Related to the above, make sure you pay all of the taxes that you owe. The out-of-pocket and opportunity costs related to dealing with an audit, taxes, and penalties are significant.
From a business perspective, anything else falls into the “unnecessary overhead” category in my world. Think long and hard before taking on any additional recurring costs besides those listed above.
We’ve managed to keep our business going through two major economic downturns where business was scarce for 6-12 months. In both cases, we weathered the storm by dialing our expenses down to the bare minimum and deferring maintenance that was not absolutely necessary until the economic outlook improved. In this “hibernation” mode, we were able to turn our “six months” of savings into enough money to get us through an entire year.
Since I started this post by mentioning the office space issue, I did want to note that even though we work from home we do have dedicated office space. In fact, three of the four bedrooms in our home comprise the “World Headquarters” of Deer Run Associates. Laura and I each have separate offices with doors that close– a must for when we’re both working from home. We also have a third “overflow office” for visitors which also holds our server and networking equipment along with our paper files and other storage.
You are allowed to claim a deduction for the office space used for a home-based business. You must be careful to only use the office space for business and not for personal reasons. I will also note that the IRS has sent unannounced representatives to visit both our California and Oregon offices to verify that the office space was being used as we claimed. While the IRS agents were unfailingly polite, I was also glad that our office space looked as professional as could be when they arrived.
January 1, 2012
Hal Pomeranz, Deer Run Associates
The last two installments in this series of articles on consulting have focused on how to go about finding work. But one of the important questions every consultant should consider is who their target customer is. The answer to this question affects how you go about selling your services. For example, if you decide that providing services to the legal industry is the way you want to go, then you should look at writing articles for Bar Association journals and speaking at legal conferences. Also, when you get inquiries about possible consulting engagements, having a clear answer to the “Where do I want to be working?” question can help you decide which engagements are worth pursuing and which you should no-bid.
However, the simple question of how to target your services has several facets that should all be considered. Let’s walk through the major ones.
What Are You Selling?
In the last installment I talked about picking an area of expertise. But even within that specialty there are sub-disciplines and specializations that you should consider when trying to determine the “sweet spot” for your perfect consulting engagement. For example, consider the field of Digital Forensics that I’m currently working in. Under that broad umbrella are people who do incident response, traditional hard drive forensics, media exploitation, mobile forensics, malware analysis, e-discovery, and other specialties. Having a clear focus on which area you prefer to work in allows you to more clearly articulate your marketing message. It will guide the sorts of publications and presentations you want to be known for and help you narrow down the 30 second “elevator pitch” you want to give to potential clients.
Which is not to say that you should only do work in a specific niche market. It pays to take on jobs outside of your comfort zone which can stretch your capabilities and force you to learn new skills. Expertise in a particular area will get you a job, but a broad base will allow you to have a long-term and prosperous consulting career.
What Level of Work?
The other aspect of homing in on your specific offering as a consultant is determining what level of work you are targeting. For example, when I first started out my practice doing general IT and InfoSec operations, there seemed to be essentially infinite amounts of work for basic day-to-day system and network administration. But I wanted to do more interesting/challenging “big” infrastructure level architecture and deployment work. There were many fewer of those jobs to be found, and actually landing them took more work.
You can visualize this as a pyramid. At the base of the pyramid is a large group of potential clients who need basic “block and tackle” type services. Since there’s little differentiation in service offerings and a larger pool of potential suppliers, rates are lower. But since there’s a large amount of available work, there’s less overhead for “downtime” between jobs. As you move up the pyramid the jobs get more interesting, and the number of people who can provide the service goes down, so billing rates go up. But the number of interesting, high bill rate jobs becomes smaller and smaller.
You’re trying to find the best spot that maximizes your billing rate while minimizing the time you spend looking for your next engagement. And, of course, which provides work that you’re interested in doing. There are plenty of people making large amounts of money as PCI assessors, but that’s not work that I would personally ever want to do.
What Industry Do You Want To Work In?
Some people like the fast-paced, high-pressure Wall Street environment. Others like working with Law Enforcement. Some find the Federal Government a comfortable niche. The question of who you work for is intimately tied up with the services that you offer. Some consultants identify the industry they want to work for first– because a given sector may be perceived as more stable and/or have more money to spend– and then try to figure out what services to offer to that industry and how to sell them.
When you’re first starting out, it’s typically easiest to provide consulting services to the industry where you got your experience as a full-time employee. You will have a better “network” of contacts in that industry and be more familiar with the problems and needs of your potential clients.
But once you get your legs under you as a consultant, it may be worthwhile to investigate other industries and see whether you might find interesting work and higher billing rates elsewhere. Start inviting people in your target industry to lunch, and really listen to where their pain points are. Be frank about asking what service offerings you could provide that would most help them.
Where’s the Work?
Once you’ve identified an industry and a service offering to provide, it’s worth considering where the highest concentrations of that kind of work are located. Wanting to do IT infrastructure work for high-tech companies, I moved to the Silicon Valley which had the highest density of that kind of work available. This increased my pool of potential jobs and reduced the amount of overhead I needed to invest in travelling to my work site.
But it’s worth noting that, twelve years after moving to Silicon Valley, I ended up moving to a smaller community in Oregon for “quality of life” reasons. There are all kinds of criteria that go into the decision about where to live– family ties, cost of living, access to healthcare, recreation, etc. Consulting has always been a “lifestyle” business for me, so the demands of your business shouldn’t be the overriding factor in determining your location.
Of course, your location may limit the choices of available work and the industries you work in. Or you pursue the path that I have and spend a lot of time on the road travelling to various client sites. You may have to balance your desire to live in a particular location with the issue of having to spend most of your time going someplace else to find work.
Who Are You Selling To?
The next question is where to direct your sales pitch. Some services get sold to C-level staff in the Boardroom– audit, compliance, and data mining are examples. Technical services get sold to technicians and technical management at a lower level of the hierarchy. The higher up the food chain you go, the higher the billing rates you can typically command, but the longer the sales cycle is going to be, meaning more overhead.
Different level sales require different language and presentation. Your target market also determines where you spend your time getting noticed. C-level execs read very different media and frequent different meeting venues from technical folks in the trenches.
Ultimately, this one often comes down to your comfort zone. I like being hands-on with technology and talking about technical topics with other like-minded people. So it’s most natural for me to sell specialized technical services to my peer group. But perhaps I might command a higher billing rate if I sold my services to their CEOs.
Short Term or Long Term?
Are you excited about taking on a lot of smaller, tactical jobs in rapid succession or tackling a bigger project with a longer time-frame? The one obvious advantage to longer-term engagements is that there’s less overhead involved in finding work and getting up to speed on your role. Plus you get a chance to do “bigger” projects and really get into watching the life-cycle and evolution of your work.
Or boredom could set in. Or you could find the technical skills you’re not using starting to atrophy. The nice thing about shorter-term contracts is you can really get a wide variety of marketable experience in a relatively short amount of time.
The type of work you’re doing may determine the length of a typical contract. For example, if you’re doing Incident Response work, there are no long-term engagements. You ride in, clean up the town, and then hand things over to the local sheriff. Unless you want to become the local sheriff, of course. But at that point you won’t be doing IR consulting anymore, you’ll be doing operational InfoSec work.
You Don’t Have To Have All The Answers!
The more you can think about these questions before starting your consulting practice, the less overhead you’ll tend to have looking for work. But you don’t have to have specific answers nailed down for each question. And you shouldn’t limit yourself when you’re first starting out anyway. Stumble around a little bit and try out different types of engagements.
But every year sit down and think about your past work history. What engagements were the most fun and interesting? Which were the most comfortable working environments? What was the most lucrative? Then think about the best engagements in the context of the questions discussed above and try to home in on the best kinds of work for you and the right industries, locations, and people to sell that work to.
December 18, 2011
In my last post in this series of articles on consulting, I suggested that you’re better off if you don’t have to spend a lot of unbillable overhead time searching for work. The article covers several ways to position yourself so that you’re more likely to run into unsolicited contract offers– “make the work come to you” rather than having to go find your next assignment yourself.
Another mechanism for putting yourself into the path of potential job offers is to build a reputation as an expert in your chosen field. This kind of reputation is more than just a way of getting your name in front of potential clients. It also leads to more interesting and higher-paying jobs as a general rule. Of course, it can also sometimes discourage people from calling– “Oh, they’d be too expensive to hire!” But these are likely not people who you would want as customers.
Being recognized as an expert can “just happen” to some people who are at the right place at the right time, but it is also a reputation that can be developed through continuous improvement. I actually started this process during my time as a full-time employee, 5-6 years before I went out on my own as a consultant. You can start right now.
Building your reputation as an expert is not unlike “leveling up” in your favorite computer game universe. You start out as a novice and gradually work your way up through challenges, each of which unlocks the next level of challenges.
Before you start out on your quest, you must first identify the subject matter area to specialize in:
- It should be something marketable. Becoming the world’s foremost authority in underwater basket-weaving might be extremely interesting, but it’s unlikely to bring in much cash.
- Pick something that’s hard. This ties into being marketable. I’m sure you’ve heard the expression, “If it was easy everyone would be doing it.” The consultant’s corollary is, “If everybody’s doing it, you can’t bill much money for it.” Pick a field where there are significant technical “barriers to entry” for people getting into the field.
- Don’t get too specific. Particularly in the technology field, becoming an expert in a specific technology niche hurts you when that technology ultimately gets abandoned in favor of the next big thing. Yes, there are still COBOL programmers making lots of money, but fewer and fewer every year.
- Don’t get too general. “Jack of all trades, master of none” doesn’t help you sell your services. Plus there’s too much out there to learn everything. Pick a field and a specialization– my consulting business started out doing Unix administration and security, focusing heavily on Solaris, which was the most popular enterprise Unix platform at the time.
- Pick something you enjoy doing. Yes, you need money to live. But you should also have fun with what you do for a living.
The next step is to build up knowledge in your chosen field. You’re not enough of an expert to go out and consult, so you’ll probably spend some time learning on the job. Look for jobs that stretch your capabilities and force you to learn new things about the area you’re interested in. Yes, you’ll also likely be playing around with things in your own home lab environment. But you need to face “real world” scenarios where you must balance competing forces: from the purely technical, to the political, to the budgetary. If you only know something from doing it in a lab, then you don’t really know it. And you don’t yet know what you don’t know.
The next step is what I think of as “getting on the radar”, or creating your initial body of work. Most likely, this will take the form of blog postings and other self-published work. Presenting at local user group meetings is another good mechanism for introducing yourself to the community. Submit papers for conferences, but be prepared for rejection. Learn from the feedback you get, and keep submitting better proposals until you get accepted.
Over a period that can take several years, you will gradually work your way up into more prestigious venues that get your work more visibility. For example, you might transition from writing blog posts to getting your work published in journals and trade magazines (as the former Technical Editor for Sys Admin Magazine, I can tell you that technical publications are always desperate for good content). Your local user group talks will move from regional to national venues and possibly even international events.
There are some signs to look for to show that you’re really starting to “break through” into expert status. Getting invited to present at a conference is one indicator. Other experts referencing or citing your work is another. The clearest indicator is when you start to get paid for your writing and speaking. Congratulations! You’re an expert, though you may not feel that different from when you were a novice. The more you know about a field, the more you realize how much you have to learn.
The other important aspect of this “leveling up” process is that it forces you to participate in the community and creates a professional network that you can fall back on when you do go out on your own. And if you’re shy or introverted, you will be forced to come up with a strategy for coping with that so that you can succeed. Also, teaching something to other people really makes you learn the subject to an amazing level of depth.
It’s also worth thinking about the possibility of writing a book. Everybody’s heard of the person who “wrote the book” on a certain subject. There’s a reason that phrase is in common usage– being the person who literally “wrote the book” is an invaluable calling card and addition to your stature in the field. That being said, reputation is pretty much the only reason to write a book. If you look at it as a short-term financial transaction, your “hourly rate”– amount of money you get as the author divided by the amount of time you spent writing– is trivial compared to what you could be earning on your job or as a consultant. So you may want to write that book before you start consulting.
Ultimately, work will start finding you. Initially, it will probably take the form of full-time job offers. This is great. You can pick the ones that seem the most interesting and which have the most to teach you. If you end up finding your happiness in a succession of full-time jobs and you never end up consulting, that’s great too. You didn’t waste your time “leveling up” to expert status. All that effort helped you land the sweet jobs you get offered.
My experience was that after working in the industry for about 10 years with ever-increasing seniority, I had “topped out” in the technical track. At this point a weird thing happens: most companies try to make you a manager. Try it, you might like it. Personally, I hated it because I like being “hands on” with technology. The only role left for senior people who wish to stay “hands on” is consulting. After being a manager for 18 months, I worked through my professional network to find a former co-worker who needed a consultant for a six-month engagement. I signed the contract, and gave two weeks notice at my last employer. I’ve never looked back.
Keeping It Up
The tricky part about being perceived as an expert is that it’s an ongoing process. Our field is constantly evolving and you have to keep learning and publishing to stay ahead of the curve. I spend a great deal of unbillable time on continuing education. I will earn some money for writing articles about my research, and much of what I learn ultimately gets turned into training that I get paid for as well. But in the final analysis, this “overhead” or opportunity cost for the time I spend on research is my sales and marketing budget. And it’s a lot more interesting than printing glossy brochures or throwing expensive parties.
I give a lot of my work away for free. Like my friend Celeste says, “Contribution is marketing.” People often ask me if I think it hurts my business to give information away for free. Not at all. Consider:
- If it’s easy enough to do that somebody could just read one of my articles or presentations and do it themselves, then it’s probably so uninteresting that I wouldn’t want to do it myself. And I wouldn’t be able to charge much money for it if I did.
- Even if an organization has the technical capability to do something, they may lack the resources to get it done. In those instances, they’re going to call me, the person who “wrote the book” (or article or blog post as the case may be).
And ultimately, I do it because it’s just the right thing to do. I get enormous value out of what others are contributing to the community. I’m just trying to give back some of that value.
December 11, 2011
One thing I haven’t addressed in this series on consulting is how to go about finding work for yourself. This is a huge topic in and of itself, and I’ll likely spend several posts covering this subject.
At a high level, there are two basic approaches to getting your next assignment: you can go find the job, or it can come find you. Going and finding the job means watching mailing lists and job boards for possible openings, and running down the leads. You may even end up “cold calling” organizations in your area to see if they can use your expertise. This process is quite a bit of work, which you must remember ends up on the unbillable “overhead” side of the ledger. It can also be difficult to conduct this kind of search while you’re working another contract. And as I mentioned in a previous post, it’s desirable to have your next assignment lined up before your current one ends.
One option is to out-source your job search to somebody else– whether that’s a recruiter or a professional sales organization. This, of course, has a cost associated with it. I’ve never entered into such a deal myself, so I can’t speak to the exact costs, but you’ll have to decide whether the amount of work you get is worth the cost of acquiring the business through one of these means. If you’re a solo consultant like me, I imagine a really motivated external sales person could bring in way more work than I could handle, which would make the whole arrangement less valuable on both sides.
So as you can no doubt guess by now, I’m going to advocate for the “let the work come to you” strategy. First there’s the benefit of less overhead costs in finding your next assignment. Second, you can generally command a higher billing rate. Consider that the organization contacting you has identified a problem they’re having and recognized that you may have the expertise to help them solve it. They wouldn’t be calling you if it weren’t urgent. And the combination of those factors makes it easier to get the billing rate you want, and with less negotiation.
While it’s all very nice to say, “I want my work to come to me”, you can’t just wish things were that way. You have to put yourself into a situation where that’s likely to happen. So think about some of the directions that unsolicited work can come from and then position yourself in the path of those forces so that the work hits you.
This one might seem obvious, but I often feel that a lot of consultants don’t think enough about this. The best customer to acquire is one you already have. You already have a trusted working relationship in place, and you’ve probably already dealt with the annoying contract and accounts payable issues that waste time at the beginning of every new engagement. So from a “cost of acquisition” perspective, getting additional work from a current or former client is a no-brainer.
Also, the more work you do for an organization, the more valuable you become to them. You have knowledge of their processes, procedures, and systems– perhaps because you’ve implemented many of them! You know the people at the company and have probably identified the “gate-keepers” who can either facilitate or thwart new projects. That means you can (and should) demand higher billing rates on subsequent contracts. And it will be worth it to the client because you’ll spend less time “ramping up” on their environment. So while your hourly rate will be higher, you’ll still cost the customer less than bringing in a brand new firm to do the same job.
And even if you don’t end up doing multiple contracts for a given firm, there’s still the chance that they may recommend you to their friends in other organizations. Referral business is great, because a “trusted third-party” is vouching for you with the new firm. And this is one of many reasons why you need to work hard and focus on doing an outstanding job on each engagement. Because nothing sells your service in the future better than your past performance with your clients.
While we’re on the subject of referral business, it is possible to formalize such arrangements. One approach is to create an arrangement to provide specialized services to an organization that can’t or doesn’t wish to maintain an in-house capability. For example, this would be me making a deal to provide forensic services for a law firm that perhaps doesn’t have enough need to employ somebody full-time. If I could make arrangements of this type with several smaller firms, then I’d likely have as much work as I could handle.
Another example would be a sub-contracting arrangement, similar to the one I currently have going with Mandiant. When they get busy, they have a small group of consultants that they can call on to help deal with the overload. Obviously, if I’m on another assignment when they call then they’ll have to get somebody else to fill in. And when they’re less busy, I still need to find my own work. But so far the arrangement has been quite agreeable.
Finally, as an individual, there are often times when job offers come in while I’m busy on another contract. It’s better to be able to at least give the prospective client a referral to somebody else than it is to just say, “I’m too busy”, and leave them to find somebody for themselves. People will remember you helped them, even if that help is getting them to the person who did the work for them.
So it’s good to have your own network of trusted friends in the consulting business who you would feel good about referring the business to. You can try formalizing this arrangement if you want. At various times I’ve made agreements with other consultants to receive a “finder’s fee” for work we refer to each other. But because this is such a small industry, keeping track of how a given firm actually acquired a particular customer can be a difficult headache. And there can be hard feelings if one side of the arrangement thinks they’re not getting their fair fees. I find it’s better in the long run to just refer business without expecting direct compensation in return. Karma is a powerful force– believe that you’ll eventually get what you deserve. Because you will.
But in order to have a trusted group of people to refer business to, you have to get out and network with your peers in the industry and figure out who’s smart and trustworthy. So this means a level of interaction greater than just shaking somebody’s hand and exchanging business cards at some social event. This is one of the reasons why technical gatherings like conferences and local user group meetings are so important. You have the chance to meet people– sometimes at multiple events– and see how they interact with their peers when discussing technical challenges. And of course you have the opportunity to model your own behaviors under the same conditions, which makes it something of a double-edged sword.
To leverage your professional network for business, you need to “stand out” in a positive way and not just be somebody who’s there but fades into the background. That means providing value to the community you’re interacting with. Value can come from doing your own research and publishing the findings, giving presentations, answering questions in a helpful, timely manner on community mailing lists and forums, organizing events and gatherings, and even just making people in the community or who are new to the community feel more comfortable and accepted.
How did I end up in this subcontracting arrangement with Mandiant? Because of my professional network. Rob Lee and I are both active in the SANS Instructor Community and had talked a lot about issues in Forensics. And I’d helped him with Linux questions and issues with the SIFT Workstation. So when he was looking for people to help Mandiant, I was a “trusted entity” he felt good about calling on. And I got involved with SANS in the first place (almost 20 years ago now) through my professional network as well: one of my former co-workers, Michele Guel.
So your professional network is one of your most important tools. Try to give more than you take, and you’ll do great. Besides the unsolicited referrals you may get from other members of your community, people will be more likely to help you when you ask them directly. The trick is to build up enough good will so that when you do have to make an “ask” request, people will be motivated to help you.
October 30, 2011
I’m on vacation for a little while, but wanted to leave you with something to read on the subject of consulting. Celeste Stokely is an old friend and long-time consultant. She was a huge help to me when I was first getting started with my business. Everybody should take the time to read her Golden Rules of Consulting and her advice on one Key to Successful Consulting. These documents contain fundamental principles that I use every day to guide my business.
October 16, 2011
Hal Pomeranz, Deer Run Associates
Many folks who are thinking about striking out on their own are concerned about having affordable medical insurance. COBRA benefits from a previous employer are incredibly expensive and generally are only available for a limited period. And insurers typically don’t want to deal with individuals or small businesses that are just starting out and have no revenue history.
One common option is to take advantage of health care benefits from a spouse or domestic partner. If one member of the couple is working a full-time job with benefits, then they can carry the insurance load while the other half of the partnership builds their independent consulting business. Of course this doesn’t work if the prospective consultant is the only earner for the partnership.
The other approach I usually recommend is to obtain group healthcare benefits through a membership organization such as the ACM or IEEE. For the cost of relatively modest annual dues, you can access health and other insurance services through the organization’s group plans at much lower rates than you would get as an individual. Aside from these large international groups, there may be local organizations in your area that provide similar benefits and have lower annual dues and/or less restrictive policies about who’s allowed to become a member. For example, when we relocated to Oregon, we found the Software Association of Oregon to be a reasonable choice for obtaining health insurance.
Beyond health insurance, however, there are several other types of insurance that you should be aware of, because you will likely have to carry some of them during the course of your business:
- General Liability: This is basic insurance coverage for your business that takes care of problems outside of your day-to-day job. For example, you’re commuting to your job site and you accidentally hit the proverbial little old lady walking across the street. This insurance will help cover the associated costs. Clients often require that you carry $1-5 million in general liability coverage as part of the consulting agreement. The good news is that this sort of insurance is widely available and rates are quite reasonable (tens of dollars annually for each $1 million of coverage). The same organization you’re obtaining your group health benefits from may provide access to General Liability for your business.
- Professional Liability: Also called “Errors and Omissions” insurance, think of this one like malpractice insurance for a doctor. If a client can show negligence or a sub-standard work deliverable, this insurance would cover the costs of a claim against your business. Again, sometimes you are contractually obligated to carry Professional Liability insurance under the terms of your consulting agreement. But frankly, I’m not at all confident that if it comes to a settlement the insurance will actually provide any benefit. I suspect that there are enough loopholes in the typical Professional Liability policy that the insurer will find a way to not honor their obligations. So I regard Professional Liability insurance as a tax on my earnings that I’m obligated to pay because of the terms of my consulting agreement. As such, I generally try to find the least expensive policy I can that provides the required level of coverage (usually $1-3 million). I’ve seen rates for this type of insurance that are all over the map– from tens of dollars per year to low thousands! Clearly the insurers have not developed decent actuarial tables for this sort of thing.
- Disability: Disability insurance covers lost wages– or at least a portion of them– in the event that you are unable to work due to significant medical problems. Particularly if you are the only earner for your household, you may wish to look into this type of insurance. As consultants there’s no “safety net”: if you’re unable to work, then you’re unable to bill, and the money stops coming in. The only problem is that disability insurance is very expensive, requires a major medical workup, and also requires that you pay premiums for some period of time (a year or two) before the benefits actually become available. I’ve never been able to find disability insurance for any price I’ve been willing to pay.
In the absence of disability insurance, you have to “self insure”. I’ve mentioned keeping “six months of expenses” in the bank against hard times. In my case, I actually have a year or more worth of expenses in various liquid investments that I could cash in if the need arises. If I can’t figure out a way to start earning again in that time, then something more drastic will have to happen (like selling our home and living off the proceeds).
One more insurance item that you ought to think about is the cost of replacing all of your computer equipment and other office furnishings in the event of a fire or other disaster. If you’re running your business from your home as I do, you may be counting on your homeowners policy to cover the cost of replacing all of your equipment. But you’ll probably be surprised to learn that your homeowners policy does not cover this in most cases– or at least not the replacement cost of purchasing new equipment. Talk to your insurer. You may be required to take out a special “rider” at an additional cost to cover these expenses.
You’re also going to need to think about how you’re going to replace lost customer data and all of your business records in the event of a disaster such as this. Our accountant keeps copies of all of our critical business records in his offices (which are in a different state from where we live). And we do a weekly backup of all of our critical data to an (encrypted) external hard drive that gets put into a secure storage facility that’s distant from our home offices (actually we have two hard drives that we swap in and out). So in the event of a disaster, we should never lose more than a week’s worth of data.
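The weekly rotated-drive backup described above, as an added example that is not the author’s own script. It assumes the destination is an external drive that is already mounted and already encrypted (full-disk encryption is the drive’s job, not this script’s), and it adds the step most home-office backup routines skip: a SHA-256 manifest written alongside the copy, and a verification pass that re-reads the copy from the drive and compares it against that manifest, so you find out the backup is unreadable before the disaster rather than after. The drive labels, paths and sample records are placeholders constructed for the demo.

```python
"""Weekly offsite backup with integrity verification (added example).

Assumptions (not from the original post): the two external drives are mounted
at a path named after their label ("offsite-A" / "offsite-B"), both drives are
already encrypted at the block level, and the business records live under one
directory tree.  The script copies that tree into a dated folder on whichever
drive is due this week, writes a SHA-256 manifest next to it, and then verifies
the copy by reading it back from the drive.
"""
import datetime
import hashlib
import json
import pathlib
import shutil
import tempfile


def sha256_file(path):
    """SHA-256 of a file, read in 1 MiB chunks so large files don't hit RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map relative path -> sha256 for every regular file under root."""
    root = pathlib.Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def pick_drive(today, drives=("offsite-A", "offsite-B")):
    """Alternate drives by ISO week, so one drive is always in offsite storage."""
    week = today.isocalendar()[1]
    return drives[week % len(drives)]


def run_backup(src, drive_root, today=None):
    """Copy src into <drive_root>/<YYYY-MM-DD>/ and write MANIFEST.json there."""
    today = today or datetime.date.today()
    dest = pathlib.Path(drive_root) / today.strftime("%Y-%m-%d")
    manifest = build_manifest(src)
    for rel in manifest:
        target = dest / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(pathlib.Path(src) / rel, target)  # copy2 keeps mtimes
    (dest / "MANIFEST.json").write_text(json.dumps(manifest, indent=1, sort_keys=True))
    return dest


def verify_backup(dest):
    """Re-read the copy on the drive and compare with the manifest.

    Returns a list of problems ("missing: ..." / "corrupt: ..."); an empty list
    means every file restored from this folder would match what was backed up.
    """
    dest = pathlib.Path(dest)
    manifest = json.loads((dest / "MANIFEST.json").read_text())
    problems = []
    for rel, digest in manifest.items():
        p = dest / rel
        if not p.is_file():
            problems.append(f"missing: {rel}")
        elif sha256_file(p) != digest:
            problems.append(f"corrupt: {rel}")
    return problems


def demo_roundtrip():
    """Stand-alone demo on constructed data: a temp dir plays the business
    records tree and the mounted drive.  Returns the verification results."""
    with tempfile.TemporaryDirectory() as tmp:
        src = pathlib.Path(tmp) / "business-records"
        (src / "invoices").mkdir(parents=True)
        (src / "invoices" / "2011-10.txt").write_text("invoice 1042: 40h @ $150/hr\n")
        (src / "contracts.txt").write_text("Acme Corp engagement, net 15\n")

        week_of = datetime.date(2011, 10, 17)           # a Monday, ISO week 42
        drive = pathlib.Path(tmp) / pick_drive(week_of)
        dest = run_backup(src, drive, today=week_of)
        clean = verify_backup(dest)

        # Simulate a bad sector / truncated write on the external drive.
        (dest / "contracts.txt").write_bytes(b"Acme Corp eng")
        damaged = verify_backup(dest)

        return {"drive": drive.name,
                "next_drive": pick_drive(week_of + datetime.timedelta(days=7)),
                "clean": clean, "damaged": damaged}


if __name__ == "__main__":
    print(demo_roundtrip())
```

The point of the manifest is that a backup you have never read back is a hope, not a backup: run verify_backup on the drive you just wrote before it leaves the house, and keep the previous week’s folder until the new one verifies clean.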
As a consultant, there’s enough stress in your life without worrying about what’s going to happen if there’s a major medical issue or other disaster in your life. Preparing for these possible calamities in advance– whether through commercial insurers or “self insuring”– can free you up to focus on other important issues like helping your clients and growing your business.
October 2, 2011
There seems to be a lot of uncertainty among consultants of my acquaintance on how to set billing rates. I’ve seen several different magic formulas, but they all seem to arrive at roughly the same place. Personally, I find it easiest to relate my consulting rate to a salary equivalent for a full-time employee (FTE).
Suppose you wanted to earn the equivalent of $10,000 salary, plus the benefits a FTE would normally accrue. As I mentioned back in Part 1 of this series, this “loaded salary” figure including benefits costs can be 50-100% greater than the base pay. So to earn the equivalent of a FTE’s $10K, you’d have to bill $15-20K.
Now you need to factor in how many hours you expect to work per year. FTEs might put in 2000 hours/year, but consultants lose hours because they have to spend time looking for jobs and doing non-paying tasks to keep their business going (taxes, paying bills, invoicing and collections, etc). Plus you’ll probably want some time off at some point. Frankly, it’s a great year if you can work 1500 billable hours. For a lot of consultants who are just starting out 1200 billable hours/year is a more realistic target.
Putting those numbers together ($15-20K spread over 1200-1500 billable hours) means that you need to bill roughly $10-17/hour to make the annual equivalent of $10K in loaded salary. I suggest you be conservative and work from $15/hour per $10K of salary or higher. Based on this hourly number, there are a couple of approaches you can take to set your final billing rate.
One common approach used by many folks who are just starting out as consultants is to simply set your billing rate to be equivalent to what you’re earning as a FTE. For example, if your current job pays $100K/year, you would set your billing rate to $150/hour.
Another approach would be to go to a job search site like Dice or Monster and see what salaries are being offered for jobs in your field, and then apply our hourly metric to that. One advantage to these sites is that you can home in on jobs by geographic location– rates can and do vary from place to place. For example, looking at job postings in the DC area for Senior Forensic Examiners, I’m seeing salaries in the $150-200K range. So equivalent hourly billing rates would be $225-$300/hour, which is pretty much in line with what firms seem to be charging. Of course you would have to be qualified for such a position to command that billing rate.
Beyond that, your own experiences lining up work should help you calibrate your billing rate. If you name your billing rate to a new client and they accept it immediately without flinching, then you just “left money on the table”. Name a higher billing rate next time. If you have more work coming in than you can handle, increase your billing rate until the incoming workload drops to a manageable level. If on the other hand you’re having trouble finding jobs, reduce your billing rate to make your services more attractive.
And that’s really all there is to it. Setting your billing rate doesn’t have to be a deeply mysterious, arcane process– simple arithmetic will suffice. The reason consultants are often unwilling to discuss billing rates is because they want to avoid allegations of price-fixing, which can carry substantial penalties. Personally, I never discuss billing rates with anybody other than my clients and would urge you to follow the same policy.
September 18, 2011
Money matters seem to be uppermost in people’s minds when they ask me about consulting. Mostly they want to talk about how quickly and how high they can crank up their billing rate. But before we even get to that information I need to teach you one very basic, yet very important thing you need to know about managing your cash-flow as a consultant.
Part of the contract you agree on with your client will spell out the terms under which you invoice and get paid. For example, “bi-weekly, net 30” would mean that you invoice every two weeks (“bi-weekly”) and the client has 30 days from receipt of your invoice to cut the check (“net 30”). Sounds fine to you, especially because you’re mentally calculating all of the cash that your amazing hourly rate will bring in, so you sign on the dotted line.
30 days later you’re behind on rent and starving. And you won’t get paid for at least two more weeks. What just happened? You made one of the classic consulting blunders that all newbies make. You forgot to anticipate the lag-time between the start of the contract and your first income.
Let’s project our “bi-weekly, net 30” example to its inevitable conclusion. Say the start of your contract is “Day 1”. You don’t even get to submit your first invoice until the end of Day 12 (the second Friday, if you started on a Monday)– and it really hits the Accounts Payable department at your client on Day 15 at the earliest. From there, they have 30 days before they actually have to cut you the check. So you’re a minimum of 45 days out before you get your first payment.
And even if the client is on time cutting that first check, there are inevitable delays. It will likely be mailed to you, so figure in 3-5 days for the USPS to jack around with it. Then when you present it at your bank, they may put a hold on the funds for up to a week. Now you’re looking at maybe 8 full weeks before you can actually start spending that money.
And let me tell you from personal experience, the first check is never on time. What happens in the real world is that your invoice goes through the Accounts Payable system, and gets approvals from the people in the company who you’re doing the work for to authorize the funds. But then when Accounts Payable gets around to actually triggering the payment they realize that (a) you’re a new vendor and you have to jump through a whole bunch of paperwork hoops for their system to pay you, or (b) they mistake you for another vendor and send your check to the other guy (true story, it actually happened to me), or (c) some other arcane craziness in their processing ensues. Suddenly that 45 day goal for getting your first check cut seems like wishful thinking.
How are you going to live for the 45-60+ days it may take before you can spend that first check? Remember what I said in Part 1 of this series about having six months worth of expenses in the bank? Well this cash-flow issue when starting new contracts is one of the reasons why that six month “float” is so vital. You may have to dip into those savings while you’re waiting for the money to start rolling in. And by the way, when the money does start rolling in, you want to “pay back” those savings as quickly as possible so they’ll be intact for future emergencies.
Now the good news is that once the first check gets kicked out of the system, clients are usually good about paying other invoices on time. And when the contract is over, you’re still going to have 30 days worth of outstanding invoices that will be catching up with you. So if you can arrange for your next contract to start right after the one you just finished, then the outstanding invoices from your previous assignment will carry you over the inevitable payment start-up problems with your next client. It’s gaps between contracts that are a problem.
So hint #1 for managing your cash-flow is to start looking for your next contract before the current one ends. This is a delicate balancing act. First, it might not be clear exactly when your current contract is going to end. Second, your next client isn’t going to wait forever, so you can’t start looking around too early. I find that 30 days before the end of my current gig is the earliest reasonable date that I can start talking to people about my next engagement.
Hint #2 is to carefully manage your payment terms. Even if the client wants you to bill bi-weekly, see if they’ll let you submit your first invoice after a week– “just to flush out any issues with Accounts Payable,” you say. Also see if they’ll agree to shorter payment terms. At this point, I’m insisting on “net 15” with most clients (they’ll still be late on the first check, but at least you find the problems quicker). If it’s a fixed-price contract, I insist on a chunk of the money up front before I begin work.
Hint #3 is to be pro-active. If possible, hand-deliver your first invoice to Accounts Payable. Be friendly. Introduce yourself as a new vendor and ask if there’s any special paperwork they need to enter you into their system. A week before your first check is due to be cut, send them a note asking if there’s anything further they need in order to process the payment, referencing your company name, invoice number, and the responsible management in the company you’re working for. And if they actually pay you on time, send them a nice thank you note (I’ve even sent flowers).
Hint #4 is to not be afraid to be the bad cop. In addition to payment terms, have your contract spell out penalties for late payment. I normally charge credit card level interest on late payments– around 1.5% per month, compounded. And if your client is more than a month delinquent on their first payment (remember this means you’ll have been working there for two months without getting paid), tell them you’re going to stop work until they pay you the outstanding invoices. This will usually light a fire under the management of the team you’re working for and get any Accounts Payable logjams broken up.
Normally you have to live through some huge payment SNAFUs like I have in order to be hard-hearted about getting paid on time. But you’re doing your best work for your client, and you deserve to be paid according to the agreed upon terms. If you follow my advice here, hopefully any issues you have will be taken care of quickly. And they won’t impact your quality of life, because you’ll have enough float to carry you over the rough spots.
Meditate on this advice. In the next installment we’ll talk about how to figure out your billing rate.