Consulting (Part 6) — Work Finds Experts

In my last post in this series of articles on consulting, I suggested that you’re better off if you don’t have to spend a lot of unbillable overhead time searching for work.  The article covers several ways to position yourself so that you’re more likely to run into unsolicited contract offers– “make the work come to you” rather than having to go find your next assignment yourself.

Another mechanism for putting yourself into the path of potential job offers is to build a reputation as an expert in your chosen field.  This kind of reputation is more than just a way of getting your name in front of potential clients.  It also leads to more interesting and higher-paying jobs as a general rule.  Of course, it can also sometimes discourage people from calling– “Oh, they’d be too expensive to hire!”  But these are likely not people who you would want as customers.

Being recognized as an expert can “just happen” to some people who are at the right place at the right time, but it is also a reputation that can be developed through continuous improvement.  I actually started this process during my time as a full-time employee, 5-6 years before I went out on my own as a consultant.  You can start right now.

Leveling Up

Building your reputation as an expert is not unlike “leveling up” in your favorite computer game universe.  You start out as a novice and gradually work your way up through challenges, each of which unlocks the next level of challenges.

Before you start out on your quest, you must first identify the subject matter area to specialize in:

  • It should be something marketable. Becoming the world’s foremost authority in underwater basket-weaving might be extremely interesting, but it’s unlikely to bring in much cash.
  • Pick something that’s hard.  This ties into being marketable.  I’m sure you’ve heard the expression, “If it was easy everyone would be doing it.”  The consultant’s corollary is, “If everybody’s doing it, you can’t bill much money for it.”  Pick a field where there are significant technical “barriers to entry” for people getting into the field.
  • Don’t get too specific. Particularly in the technology field, becoming an expert in a specific technology niche hurts you when that technology ultimately gets abandoned in favor of the next big thing.  Yes, there are still COBOL programmers making lots of money, but fewer and fewer every year.
  • Don’t get too general.  “Jack of all trades, master of none” doesn’t help you sell your services.  Plus there’s too much out there to learn everything.  Pick a field and a specialization– my consulting business started out doing Unix administration and security, focusing heavily on Solaris, which was the most popular enterprise Unix platform at the time.
  • Pick something you enjoy doing.  Yes, you need money to live.  But you should also have fun with what you do for a living.

The next step is to build up knowledge in your chosen field.  You’re not enough of an expert to go out and consult, so you’ll probably spend some time learning on the job.  Look for jobs that stretch your capabilities and force you to learn new things about the area you’re interested in.  Yes, you’ll also likely be playing around with things in your own home lab environment.  But you need to face “real world” scenarios where you must balance competing forces: from the purely technical, to the political, to the budgetary.  If you only know something from doing it in a lab, then you don’t really know it.  And you don’t yet know what you don’t know.

The next step is what I think of as “getting on the radar”, or creating your initial body of work.  Most likely, this will take the form of blog postings and other self-published work.  Presenting at local user group meetings is another good mechanism for introducing yourself to the community.  Submit papers for conferences, but be prepared for rejection.  Learn from the feedback you get, and keep submitting better proposals until you get accepted.

Over a period that can take several years, you will gradually work your way up into more prestigious venues that get your work more visibility.  For example, you might transition from writing blog posts to getting your work published in journals and trade magazines (as the former Technical Editor for Sys Admin Magazine, I can tell you that technical publications are always desperate for good content).  Your local user group talks will move from regional to national venues and possibly even international events.

There are some signs to look for to show that you’re really starting to “break through” into expert status.  Getting invited to present at a conference is one indicator.  Other experts referencing or citing your work is another.  The clearest indicator is when you start to get paid for your writing and speaking.  Congratulations!  You’re an expert, though you may not feel that different from when you were a novice.  The more you know about a field, the more you realize how much you have to learn.

The other important aspect of this “leveling up” process is that it forces you to participate in the community and creates a professional network that you can fall back on when you do go out on your own.  And if you’re shy or introverted, you will be forced to come up with a strategy for coping with that so that you can succeed.  Also, teaching something to other people really makes you learn the subject to an amazing level of depth.

It’s also worth thinking about the possibility of writing a book.  Everybody’s heard of the person who “wrote the book” on a certain subject.  There’s a reason that phrase is in common usage– being the person who literally “wrote the book” is an invaluable calling card and addition to your stature in the field.  That being said, reputation is pretty much the only reason to write a book.  If you look at it as a short-term financial transaction, your “hourly rate”– amount of money you get as the author divided by the amount of time you spent writing– is trivial compared to what you could be earning on your job or as a consultant.  So you may want to write that book before you start consulting.

Ultimately, work will start finding you. Initially, it will probably take the form of full-time job offers.  This is great.  You can pick the ones that seem the most interesting and which have the most to teach you.  If you end up finding your happiness in a succession of full-time jobs and you never end up consulting, that’s great too.  You didn’t waste your time “leveling up” to expert status.  All that effort helped you land the sweet jobs you get offered.

My experience was that after working in the industry for about 10 years with ever-increasing seniority, I had “topped out” in the technical track.  At this point a weird thing happens: most companies try to make you a manager.  Try it, you might like it.  Personally, I hated it because I like being “hands on” with technology.  The only role left for senior people who wish to stay “hands on” is consulting.  After being a manager for 18 months, I worked through my professional network to find a former co-worker who needed a consultant for a six-month engagement.  I signed the contract, and gave two weeks notice at my last employer.  I’ve never looked back.

Keeping It Up

The tricky part about being perceived as an expert is that it’s an ongoing process.  Our field is constantly evolving and you have to keep learning and publishing to stay ahead of the curve.  I spend a great deal of unbillable time on continuing education.  I will earn some money for writing articles about my research, and much of what I learn ultimately gets turned into training that I get paid for as well.  But in the final analysis, this “overhead” or opportunity cost for the time I spend on research is my sales and marketing budget.  And it’s a lot more interesting than printing glossy brochures or throwing expensive parties.

I give a lot of my work away for free.  Like my friend Celeste says, “Contribution is marketing.”  People often ask me if I think it hurts my business to give information away for free.  Not at all.  Consider:

  • If it’s easy enough to do that somebody could just read one of my articles or presentations and do it themselves, then it’s probably so uninteresting that I wouldn’t want to do it myself.  And I wouldn’t be able to charge much money for it if I did.
  • Even if an organization has the technical capability to do something, they may lack the resources to get it done.  In those instances, they’re going to call me, the person who “wrote the book” (or article or blog post as the case may be).

And ultimately, I do it because it’s just the right thing to do.  I get enormous value out of what others are contributing to the community.  I’m just trying to give back some of that value.

Consulting (Part 5) — Finding Work

One thing I haven’t addressed in this series on consulting is how to go about finding work for yourself.  This is a huge topic in and of itself, and I’ll likely spend several posts covering this subject.

At a high level, there are two basic approaches to getting your next assignment: you can go find the job, or it can come find you.  Going and finding the job means watching mailing lists and job boards for possible openings, and running down the leads.  Possibly you’re even looking at “cold calling” organizations in your area to see if they can use your expertise.  This process is quite a bit of work, which you must remember ends up on the unbillable “overhead” side of the ledger.  It can also be difficult to conduct this kind of search while you’re working another contract.  And as I mentioned in a previous post, it’s desirable to have your next assignment lined up before your current one ends.

One option is to out-source your job search to somebody else– whether that’s a recruiter or a professional sales organization.  This, of course, has a cost associated with it.  I’ve never entered into such a deal myself, so I can’t speak to the exact costs, but you’ll have to decide whether the amount of work you get is worth the cost of acquiring the business through one of these means.  If you’re a solo consultant like me, I imagine a really motivated external sales person could bring in way more work than I could handle, which would make the whole arrangement less valuable on both sides.

So as you can no doubt guess by now, I’m going to advocate for the “let the work come to you” strategy.  First there’s the benefit of lower overhead costs in finding your next assignment.  Second, you can generally command a higher billing rate.  Consider that the organization contacting you has identified a problem they’re having and recognized that you may have the expertise to help them solve it.  They wouldn’t be calling you if it weren’t urgent.  And the combination of those factors makes it easier to get the billing rate you want, and with less negotiation.

While it’s all very nice to say, “I want my work to come to me”, you can’t just wish things were that way.  You have to put yourself into a situation where that’s likely to happen.  So think about some of the directions that unsolicited work can come from and then position yourself in the path of those forces so that the work hits you.

Repeat Business

This one might seem obvious, but I often feel that a lot of consultants don’t think enough about this.  The best customer to acquire is one you already have. You already have a trusted working relationship in place, and you’ve probably already dealt with the annoying contract and accounts payable issues that waste time at the beginning of every new engagement.  So from a “cost of acquisition” perspective, getting additional work from a current or former client is a no-brainer.

Also, the more work you do for an organization, the more valuable you become to them.  You have knowledge of their processes, procedures, and systems– perhaps because you’ve implemented many of them!  You know the people at the company and have probably identified the “gate-keepers” who can either facilitate or thwart new projects.  That means you can (and should) demand higher billing rates on subsequent contracts.  And it will be worth it to the client because you’ll spend less time “ramping up” on their environment.  So while your hourly rate will be higher, you’ll still cost the customer less than bringing in a brand new firm to do the same job.

And even if you don’t end up doing multiple contracts for a given firm, there’s still the chance that they may recommend you to their friends in other organizations.  Referral business is great, because a “trusted third-party” is vouching for you with the new firm.  And this is one of many reasons why you need to work hard and focus on doing an outstanding job on each engagement.  Because nothing sells your service in the future better than your past performance with your clients.

Referral Arrangements

While we’re on the subject of referral business, it is possible to formalize such arrangements.  One approach is to create an arrangement to provide specialized services to an organization that can’t or doesn’t wish to maintain an in-house capability.  For example, this would be me making a deal to provide forensic services for a law firm that perhaps doesn’t have enough need to employ somebody full-time.  If I could make arrangements of this type with several smaller firms, then I’d likely have as much work as I could handle.

Another example would be a sub-contracting arrangement, similar to the one I currently have going with Mandiant.  When they get busy, they have a small group of consultants that they can call on to help deal with the overload.  Obviously, if I’m on another assignment when they call then they’ll have to get somebody else to fill in.  And when they’re less busy, I still need to find my own work.  But so far the arrangement has been quite agreeable.

Finally, as an individual, there are often times when job offers come in while I’m busy on another contract.  It’s better to be able to at least give the prospective client a referral to somebody else than it is to just say, “I’m too busy”, and leave them to find somebody for themselves.  People will remember you helped them, even if that help is getting them to the person who did the work for them.

So it’s good to have your own network of trusted friends in the consulting business who you would feel good about referring the business to.  You can try formalizing this arrangement if you want.  At various times I’ve made agreements with other consultants to receive a “finder’s fee” for work we refer to each other.  But because this is such a small industry, keeping track of how a given firm actually acquired a particular customer can be a difficult headache.  And there can be hard feelings if one side of the arrangement thinks they’re not getting their fair fees.  I find it’s better in the long run to just refer business without expecting direct compensation in return.  Karma is a powerful force– believe that you’ll eventually get what you deserve.  Because you will.

Professional Networking

But in order to have a trusted group of people to refer business to, you have to get out and network with your peers in the industry and figure out who’s smart and trustworthy.  So this means a level of interaction greater than just shaking somebody’s hand and exchanging business cards at some social event.  This is one of the reasons why technical gatherings like conferences and local user group meetings are so important.  You have the chance to meet people– sometimes at multiple events– and see how they interact with their peers when discussing technical challenges.  And of course you have the opportunity to model your own behaviors under the same conditions, which makes it something of a double-edged sword.

To leverage your professional network for business, you need to “stand out” in a positive way and not just be somebody who’s there but fades into the background.  That means providing value to the community you’re interacting with.  Value can come from doing your own research and publishing the findings, giving presentations, answering questions in a helpful, timely manner on community mailing lists and forums, organizing events and gatherings, and even just making people in the community or who are new to the community feel more comfortable and accepted.

How did I end up in this subcontracting arrangement with Mandiant?  Because of my professional network.  Rob Lee and I are both active in the SANS Instructor Community and had talked a lot about issues in Forensics.  And I’d helped him with Linux questions and issues with the SIFT Workstation.  So when he was looking for people to help Mandiant, I was a “trusted entity” he felt good about calling on.  And I got involved with SANS in the first place (almost 20 years ago now) through my professional network as well: one of my former co-workers, Michele Guel.

So your professional network is one of your most important tools.  Try to give more than you take, and you’ll do great.  Besides the unsolicited referrals you may get from other members of your community, people will be more likely to help you when you ask them directly.  The trick is to build up enough good will so that when you do have to make an “ask” request, people will be motivated to help you.

Consulting Advice from a Friend

I’m on vacation for a little while, but wanted to leave you with something to read on the subject of consulting. Celeste Stokely is an old friend and long-time consultant. She was a huge help to me when I was first getting started with my business. Everybody should take the time to read her Golden Rules of Consulting and her advice on one Key to Successful Consulting.  These documents contain fundamental principles that I use every day to guide my business.

Consulting (Part 4) — Insurance Matters

Many folks who are thinking about striking out on their own are concerned about having affordable medical insurance.  COBRA benefits from a previous employer are incredibly expensive and generally are only available for a limited period.  But insurers typically don’t want to deal with individuals or small businesses that are just starting out and have no revenue history.

One common option is to take advantage of health care benefits from a spouse or domestic partner.  If one member of the couple is working a full-time job with benefits, then they can carry the insurance load while the other half of the partnership builds their independent consulting business.  Of course this doesn’t work if the prospective consultant is the only earner for the partnership.

The other approach I usually recommend is to obtain group healthcare benefits through a membership organization such as the ACM or IEEE.  For the cost of relatively modest annual dues, you can access health and other insurance services through the organization’s group plans at much lower rates than you would get as an individual.  Aside from these large international groups, there may be local organizations in your area that provide similar benefits and have lower annual dues and/or less restrictive policies about who’s allowed to become a member.  For example, when we relocated to Oregon, we found the Software Association of Oregon to be a reasonable choice for obtaining health insurance.

Beyond health insurance, however, there are several other types of insurance that you should be aware of because you will have to carry them during the course of your business:

General Liability
This is basic insurance coverage for your business that takes care of problems outside of your day-to-day job. For example, you’re commuting to your job site and you accidentally hit the proverbial little old lady walking across the street. This insurance will help cover the associated costs.

Clients often require that you carry $1-5 million in general liability coverage as part of the consulting agreement. The good news is that this sort of insurance is widely available and rates are quite reasonable (tens of dollars annually for each $1 million of coverage). The same organization you’re obtaining your group health benefits from may provide access to General Liability for your business.

Professional Liability
Also called “Errors and Omissions” insurance, think of this one like malpractice insurance for a doctor. If a client can show negligence or a sub-standard work deliverable, this insurance would cover the costs of a claim against your business.

Again, sometimes you are contractually obligated to carry Professional Liability insurance under the terms of your consulting agreement. But frankly, I’m not at all confident that, if it comes to a settlement, the insurance will actually provide any benefit. I suspect that there are enough loopholes in the typical Professional Liability policy that the insurer will find a way to not honor their obligations.

So frankly I regard Professional Liability insurance as a tax on my earnings that I’m obligated to pay because of the terms of my consulting agreement. As such, I generally try to find the least expensive policy I can that provides the required level of coverage (usually $1-3 million). I’ve seen rates for this type of insurance that are all over the map– from tens of dollars per year to low thousands! Clearly the insurers have not developed decent actuarial tables for this sort of thing.

Disability
Disability insurance covers lost wages– or at least a portion of them– in the event that you are unable to work due to significant medical problems. Particularly if you are the only earner for your household, you may wish to look into this type of insurance. As consultants there’s no “safety net”: if you’re unable to work, then you’re unable to bill, and the money stops coming in.

The only problem is that disability insurance is very expensive, requires a major medical workup, and also requires that you pay premiums for some period of time (a year or two) before the benefits actually become available. I’ve never been able to find disability insurance for any price I’ve been willing to pay.

In the absence of disability insurance, you have to “self insure”. I’ve mentioned keeping “six months of expenses” in the bank against hard times. In my case, I actually have a year or more worth of expenses in various liquid investments that I could cash in if the need arises. If I can’t figure out a way to start earning again in that time, then something more drastic will have to happen (like selling our home and living off the proceeds).

One more insurance item that you ought to think about is the cost of replacing all of your computer equipment and other office furnishings in the event of a fire or other disaster.  If you’re running your business from your home as I do, you may be counting on your homeowners policy to cover the cost of replacing all of your equipment.  But you’ll probably be surprised to learn that your homeowners policy does not cover this in most cases– or at least not the replacement cost of purchasing new equipment.  Talk to your insurer.  You may be required to take out a special “rider” at an additional cost to cover these expenses.

You’re also going to need to think about how you’re going to replace lost customer data and all of your business records in the event of a disaster such as this.  Our accountant keeps copies of all of our critical business records in his offices (which are in a different state from where we live).  And we do a weekly backup of all of our critical data to an (encrypted) external hard drive that gets put into a secure storage facility that’s distant from our home offices (actually we have two hard drives that we swap in and out).  So in the event of a disaster, we should never lose more than a week’s worth of data.

As a consultant, there’s enough stress in your life without worrying about what’s going to happen if there’s a major medical issue or other disaster in your life.  Preparing for these possible calamities in advance– whether through commercial insurers or “self insuring”– can free you up to focus on other important issues like helping your clients and growing your business.

Consulting (Part 3) – Billing Rates

There seems to be a lot of uncertainty among consultants of my acquaintance on how to set billing rates.  I’ve seen several different magic formulas, but they all seem to arrive at roughly the same place.  Personally, I find it easiest to relate my consulting rate to a salary equivalent for a full-time employee (FTE).

Suppose you wanted to earn the equivalent of a $10,000 salary, plus the benefits a FTE would normally accrue.  As I mentioned back in Part 1 of this series, this “loaded salary” figure including benefits costs can be 50-100% greater than the base pay.  So to earn the equivalent of a FTE’s $10K, you’d have to bill $15-20K.

Now you need to factor in how many hours you expect to work per year.  FTEs might put in 2000 hours/year, but consultants lose hours because they have to spend time looking for jobs and doing non-paying tasks to keep their business going (taxes, paying bills, invoicing and collections, etc).  Plus you’ll probably want some time off at some point.  Frankly, it’s a great year if you can work 1500 billable hours.  For a lot of consultants who are just starting out, 1200 billable hours/year is a more realistic target.

Putting those numbers together means that you need to bill $10-15/hour to make the annual equivalent of $10K in loaded salary.  I suggest you be conservative and shoot for the high end of that range.  Based on this hourly number, there are a couple of approaches you can take to set your final billing rate.

One common approach used by many folks who are just starting out as consultants is to simply set your billing rate to be equivalent to what you’re earning as a FTE.  For example, if your current job pays $100K/year, you would set your billing rate to $150/hour.

Another approach would be to go to a job search site like Dice or Monster and see what salaries are being offered for jobs in your field, and then apply our hourly metric to that.   One advantage to these sites is that you can home in on jobs by geographic location– rates can and do vary from place to place.  For example, looking at job postings in the DC area for Senior Forensic Examiners, I’m seeing salaries in the $150-200K range.  So equivalent hourly billing rates would be $225-$300/hour, which is pretty much in line with what firms seem to be charging.  Of course you would have to be qualified for such a position to command that billing rate.

Beyond that, your own experiences lining up work should help you calibrate your billing rate.  If you name your billing rate to a new client and they accept it immediately without flinching, then you just “left money on the table”.  Name a higher billing rate next time.  If you have more work coming in than you can handle, increase your billing rate until the incoming workload drops to a manageable level.  If on the other hand you’re having trouble finding jobs, reduce your billing rate to make your services more attractive.

And that’s really all there is to it.  Setting your billing rate doesn’t have to be a deeply mysterious, arcane process– simple arithmetic will suffice.  The reason consultants are often unwilling to discuss billing rates is because they want to avoid allegations of price-fixing, which can carry substantial penalties.  Personally, I never discuss billing rates with anybody other than my clients and would urge you to follow the same policy.

Consulting (Part 2) — An Important Cash-Flow Lesson

Money matters seem to be uppermost in people’s minds when they ask me about consulting. Mostly they want to talk about how quickly and how high they can crank up their billing rate.  But before we even get to that information I need to teach you one very basic, yet very important thing you need to know about managing your cash-flow as a consultant.

Part of the contract you agree on with your client will spell out the terms under which you invoice and get paid.  For example, “bi-weekly, net 30” would mean that you invoice every two weeks (“bi-weekly”) and the client has 30 days from receipt of your invoice to cut the check (“net 30”).  Sounds fine to you, especially because you’re mentally calculating all of the cash that your amazing hourly rate will bring in, so you sign on the dotted line.

30 days later you’re behind on rent and starving.  And you won’t get paid for at least two more weeks. What just happened?  You made one of the classic consulting blunders that all newbies make.  You forgot to anticipate the lag-time between the start of the contract and your first income.

Let’s project our “bi-weekly, net 30” example to its inevitable conclusion. Say the start of your contract is “Day 1”.  You don’t even get to submit your first invoice until the end of Day 12– and it really hits the Accounts Payable department at your client on Day 15 at the earliest.  From there, they have 30 days before they actually have to cut you the check.  So you’re a minimum of 45 days out before you get your first payment.

And even if the client is on time cutting that first check, there are inevitable delays.  It will likely be mailed to you, so figure in 3-5 days for the USPS to jack around with it.  Then when you present it at your bank, they may put a hold on the funds for up to a week.  Now you’re looking at maybe 8 full weeks before you can actually start spending that money.

And let me tell you from personal experience, the first check is never on time.  What happens in the real world is that your invoice goes through the Accounts Payable system, and gets approvals from the people in the company who you’re doing the work for to authorize the funds.  But then when Accounts Payable gets around to actually triggering the payment they realize that (a) you’re a new vendor and you have to jump through a whole bunch of paperwork hoops for their system to pay you, or (b) they mistake you for another vendor and send your check to the other guy (true story, it actually happened to me), or (c) some other arcane craziness in their processing ensues.  Suddenly that 45 day goal for getting your first check cut seems like wishful thinking.

How are you going to live for the 45-60+ days it may take before you can spend that first check?  Remember what I said in Part 1 of this series about having six months worth of expenses in the bank?  Well this cash-flow issue when starting new contracts is one of the reasons why that six month “float” is so vital.  You may have to dip into those savings while you’re waiting for the money to start rolling in.  And by the way, when the money does start rolling in, you want to “pay back” those savings as quickly as possible so they’ll be intact for future emergencies.

Now the good news is that once the first check gets kicked out of the system, clients are usually good about paying other invoices on time.  And when the contract is over, you’re still going to have 30 days worth of outstanding invoices that will be catching up with you.  So if you can arrange for your next contract to start right after the one you just finished, then the outstanding invoices from your previous assignment will carry you over the inevitable payment start-up problems with your next client.  It’s gaps between contracts that are a problem.

So hint #1 for managing your cash-flow is to start looking for your next contract before the current one ends.  This is a delicate balancing act.  First, it might not be clear exactly when your current contract is going to end.  Second, your next client isn’t going to wait forever, so you can’t start looking around too early.  I find that 30 days before the end of my current gig is the earliest reasonable date that I can start talking to people about my next engagement.

Hint #2 is to carefully manage your payment terms.  Even if the client wants you to bill bi-weekly, see if they’ll let you submit your first invoice after a week– “just to flush out any issues with Accounts Payable,” you say.  Also see if they’ll agree to shorter payment terms.  At this point, I’m insisting on “net 15” with most clients (they’ll still be late on the first check, but at least you find the problems quicker).  If it’s a fixed-price contract, I insist on a chunk of the money up front before I begin work.

Hint #3 is to be pro-active.  If possible, hand-deliver your first invoice to Accounts Payable.  Be friendly.  Introduce yourself as a new vendor and ask if there’s any special paperwork they need to enter you into their system.  A week before your first check is due to be cut, send them a note asking if there’s anything further they need in order to process the payment, referencing your company name, invoice number, and the responsible management in the company you’re working for.  And if they actually pay you on time, send them a nice thank you note (I’ve even sent flowers).

Hint #4 is to not be afraid to be the bad cop.  In addition to payment terms, have your contract spell out penalties for late payment.  I normally charge credit card level interest on late payments– around 1.5% per month, compounded.  And if your client is more than a month delinquent on their first payment (remember this means you’ll have been working there for two months without getting paid), tell them you’re going to stop work until they pay you the outstanding invoices.  This will usually light a fire under the management of the team you’re working for and get any Accounts Payable logjams broken up.

Normally you have to live through some huge payment SNAFUs like I have in order to be hard-hearted about getting paid on time.  But you’re doing your best work for your client, and you deserve to be paid according to the agreed upon terms.  If you follow my advice here, hopefully any issues you have will be taken care of quickly.  And they won’t impact your quality of life, because you’ll have enough float to carry you over the rough spots.

Meditate on this advice.  In the next installment we’ll talk about how to figure out your billing rate.

Consulting (Part 1) — The Case for Consulting

Introduction

January 2012 will mark the 15th anniversary of the founding of the consulting business I run with my wife.  Lately I’ve had a number of people asking me questions about consulting– how to get started, how it works, pitfalls, etc.  I’m more than happy to answer these sorts of questions because I’m still “paying it forward” for all of the great advice I received when I was just starting out.

However, in an effort to reach a larger audience and to not have to repeat myself as much, I’ve decided to devote some blog space to the basic advice that I cover in my usual consulting talks.  This is a huge topic area, and I’m expecting to write several posts to cover just the foundational stuff.  I’ll crank them out as time allows.  If there’s anything you’re particularly curious about, be sure to leave a comment and I’ll try to address questions as the series rolls along.

In this first installment, I wanted to talk about some of the basic pro/con arguments you hear about being a consultant, and give you the view from where I sit.  Let’s call this installment…

The Case for Consulting

Pro: Consultants Make a Lot of Money

This is definitely one of the first items that piques people’s interest in becoming a consultant.  You hear about consultants making hundreds of dollars per hour, divide your annual salary by 2000 hrs/yr, and start thinking the grass is greener on the consulting side of the fence.

Yes, top consultants bill at hundreds of dollars per hour.  But guess what?  We don’t get to bill 2000 hours per year.  There are all sorts of unbillable “overhead” tasks that take away from our billable time:

  • Marketing, finding new clients
  • Invoicing, collections, time and expense reporting
  • Taxes and other official paperwork
  • Arranging insurance and other benefits
  • Continuing education, training

The list goes on, but the point is that when you become a consultant you’re really working two jobs: the work you’re doing for your client that you get paid for, and the work you do to keep your own business running which you do as “overhead”.

Also, there are costs that you pay when you’re on your own that you never see as a full-time employee (FTE, for short).  Normally your employer covers a portion of your healthcare and other benefits and sometimes contributes to a retirement account on your behalf, as well as paying the employer’s share of taxes.  If you talk to your employer, you’ll find that they typically figure these costs as being 50-100% of the employees’ base salary (you’ll hear this referred to as an employee’s “loaded salary”).  So you have to factor in these costs when trying to figure the net take home pay as a consultant.

The compensation discussion is a huge topic in itself, and will be covered in detail in a later post in this series.  Yes, if you have financial discipline and a clear understanding of your costs, you can make a lot of money as a consultant.  But be wary of straight “apples to apples” comparisons between full-time employees and consultants, because things are never that simple.

Con: Consulting is “Risky”

People ask me all the time if I’m worried about where my next job is coming from.  In fifteen years, I’ve lived through two major downturns.  Yes, there have been times when consulting work has been scarce.  This is another reason that consultants bill at such high hourly rates– we’re factoring the inevitable cost of being out of work.  Sometimes this is just a brief period while we’re transitioning from one contract to the next, and sometimes there’s a protracted drought.

The difference between a successful consultant and somebody who’s going hungry is an understanding that downturns happen and preparing for them.  The best advice I ever got when I was first starting out was to make sure I had six months of expenses (rent/mortgage, utilities, car/insurance payments, food, medical, etc) in the bank before I started my consulting business.  I’m going to come back to this point over and over because it’s important in lots of ways, but at its most basic your “six months in the bank” is shelter against bad times.

What fascinates me, however, is the belief that a lot of people seem to have that as a FTE they somehow have more job security than your average consultant.  In practice, I believe these people couldn’t be more wrong.  At least here in the United States, most people are “at will” employees and they can be let go at any time at the complete discretion of their employers and with little or no notice.  So really we’re all what the HR types like to refer to as “contingent employees”.  Why shouldn’t you be compensated like one?

I know that many people can understand this argument intellectually and still have a hard time with the notion of going out on their own.  Sometimes our gut overrules our brain and makes the consulting lifestyle untenable.  But even if you don’t end up as a consultant, I recommend you think about putting some money away for the rainy day when you might be out of work.

Pro: Consultants Have “Freedom”

I usually hear this one from folks who are unhappy with their current job duties and are envious of my ability to “pick and choose” the work that I take on.  During good economic times, I do have a certain amount of leeway on the jobs I decide to take on and can optimize for more interesting assignments.  But during the bad times, you take whatever you can get.

Also, having taken on an assignment, you have to see it through to the end.  As an independent consultant, I have a limited amount of “bandwidth” and can typically only support one or two major clients at a time.  If a really interesting project comes along when I’m busy with other work, I have to let it go by or risk alienating my current clients.  In this business your reputation is the key to your success.  Doing a bad or incomplete job because you let yourself be distracted by the new, shiny contract is a sure path to the end of your consulting career.

Another consulting freedom that I hear FTEs envy is the ability for consultants to take time off “whenever they feel like it”.  Sure, if a client is not expecting me on-site and I don’t have any pressing deadlines, I can take time off whenever I feel like it.  It’s definitely a benefit of my lifestyle.

But you have to understand that I don’t get paid during this time.  Vacation, medical leave, and all other periods of “downtime” that are necessary to ensure your health/sanity and prevent burn-out are all part of that unbillable “overhead” I talked about earlier.  So a better way to talk about this freedom is to say consultants can take time off whenever they can afford to.

One more consulting freedom I wanted to mention is the freedom from a certain amount of organizational politics.  Normally, by the time an organization has made the choice to hire a high-priced expert, they’ve already realized that they have a significant problem and have “cleared the decks” of the typical political impediments to making the problem go away.  This is a wonderful thing.

In Summation

I love the consulting lifestyle, but recognize that it’s not for everybody.  There is substantial risk and you spend a lot of time working on mundane aspects of running your business.  But you can earn good money and enjoy substantial freedoms unavailable to FTEs.  I hope you’ll join me for future articles in this series when I drill down on specific details like figuring your billing rate and managing your cash flow, finding and managing clients, and classic blunders that all new consultants commit.

Practical, Visual, Three-Dimensional Pedagogy for Internet Protocol Packet Header Control Fields

Tell me what this is:

TCP Header in Lego(TM)

If you said, “Hey! That’s a TCP header diagram in Lego(TM)”, or perhaps, “Holy &^%@! That idiot made a TCP header diagram in Lego(TM)!”, then you’re exactly right!  This is another one of those wild, wacky ideas that we dreamed up in the middle of one of my SANS classes (note to the SANS staff: shorter breaks might be a good idea).  I bet my students never thought I’d actually do it.

Of course, you know I couldn’t stop with just doing the TCP header:

IP Header in Lego(TM)

Now why am I wasting all that space on the building plate in each case?  Why, so you can put them together, of course:

TCP/IP in Lego(TM)

The use of color here really highlights certain portions of the packet header.  For example, the source and destination addresses and ports really jump out.  But there are some other, more subtle color patterns that I worked in here.  For example, if you look closely you’ll see that I matched the color of the ACK bit with the blue in the ACK number field.  Similarly the colors of the SYN bit and the sequence number match, as do the URG bit and urgent pointer field.

Actually I wish I had a couple more colors available.  Yes, Lego(TM) comes in dozens of colors these days, but they only make 2×8 blocks (aka one “Lego(TM) Byte”) in six colors: White, Black, Red, Yellow, Blue, and Beige.

Lego(TM) Byte, Nibble, and Bit

So while I tried to use Beige exclusively for size fields, Red for reserved bits, Yellow for checksums, and so on, I ultimately ended up having to use these colors for other fields as well– for example, the yellow sequence number fields in the TCP header.  Maybe I should have just bought a bunch of “nibbles” (2×4 blocks) in other colors and not been so choosy about using full “Lego(TM) Bytes”.

Serious Fun

Cute idea, but is there any practical value?  After a lengthy conversation with my inner child (who is generally more mature than my outer persona), I realized that there was a fun learning game we could make out of all this.  So I labelled all the blocks.  Yes, that’s right. I. Labelled. Every. Single. Block. I even did the individual bits:

TCP Header "Bits" in Lego(TM). Labelled.

So the game becomes learning where all the fields are in the various packet headers so that you can re-create the packet diagrams from piles that look like this:

Lego(TM) blocks waiting to become TCP header diagram

Now we can teach students how to decode packet headers by letting them play with Legos(TM).  And that means we can all write off our Lego(TM) collections as a business expense!  How cool is that?
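The same field positions the labelled blocks teach, and the flag-to-field pairings the colors highlight (ACK bit and acknowledgment number, URG bit and urgent pointer), can be checked in code. This is an added example, not part of the original post; the sample packet, its addresses and all function names are constructed for illustration.

```python
import struct
from ipaddress import IPv4Address

# TCP control bits: low byte of the 16-bit data-offset/flags word.
FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08,
         "ACK": 0x10, "URG": 0x20, "ECE": 0x40, "CWR": 0x80}

def inet_checksum(data: bytes) -> int:
    """16-bit one's-complement sum; 0 when run over a valid IPv4 header."""
    data += b"\x00" * (len(data) % 2)
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_ipv4(pkt: bytes) -> dict:
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _id, _frag, ttl, proto, _ck, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4          # header length is in 32-bit words
    if ver_ihl >> 4 != 4 or ihl < 20 or len(pkt) < ihl:
        raise ValueError("not a well-formed IPv4 header")
    return {"ihl": ihl, "total_len": total_len, "ttl": ttl, "proto": proto,
            "src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)),
            "checksum_ok": inet_checksum(pkt[:ihl]) == 0}

def parse_tcp(seg: bytes) -> dict:
    if len(seg) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_flags, window, _ck, urg_ptr = \
        struct.unpack("!HHIIHHHH", seg[:20])
    data_off = (off_flags >> 12) * 4    # top 4 bits, also in 32-bit words
    if data_off < 20 or len(seg) < data_off:
        raise ValueError("bad TCP data offset")
    flags = {name for name, bit in FLAGS.items() if off_flags & bit}
    notes = []  # a paired field is only significant when its bit is set
    if "ACK" not in flags and ack != 0:
        notes.append("ack number set but ACK bit clear")
    if "URG" not in flags and urg_ptr != 0:
        notes.append("urgent pointer set but URG bit clear")
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": flags, "window": window, "urg_ptr": urg_ptr,
            "notes": notes}

def decode(pkt: bytes):
    ip = parse_ipv4(pkt)
    if ip["proto"] != 6:
        raise ValueError("payload is not TCP")
    return ip, parse_tcp(pkt[ip["ihl"]:])

def build_sample() -> bytes:
    """Constructed SYN with a stray urgent pointer; TCP checksum left at 0."""
    tcp = struct.pack("!HHIIHHHH", 49152, 443, 1000, 0,
                      (5 << 12) | FLAGS["SYN"], 65535, 0, 7)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1C46, 0x4000, 64, 6, 0,
                     IPv4Address("192.0.2.10").packed,
                     IPv4Address("198.51.100.20").packed)
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return ip + tcp

if __name__ == "__main__":
    for layer in decode(build_sample()):
        print(layer)
```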

Admit It.  You Can’t Wait To Do It Too!

Project Tools

If you’ve got a hankering to try this out for yourself, it doesn’t take a whole lot.  I way overbought on the Lego front: six green base-plates, and 20 2×8 “Lego(TM) Bytes”, 8 “Nibbles” (2×4 blocks), and 16 “Bits” in each color.  Total cost for the Lego(TM) was around US$100 delivered.

Labelling was accomplished with my P-Touch(TM) labeller.  3/8″ ribbon is precisely the right height to be placed on the side of a Lego(TM) block.  It also helps to have a razor blade type tool to help separate the P-Touch(TM) labels from their backing and apply them to the blocks.

And of course I have to give a shout-out to the late, great Richard Stevens and his biblical tome TCP/IP Illustrated: Vol 1.  If you don’t already own this book, buy it. Seriously.

Final Thoughts

Finally, to all of you who think I need a life, all I have to say is:

Labelled TTL "Lego(TM) Byte"

Baby, I’m living the dream!

With a Little Help from an Adaptor Kit

Not too long ago, I was bemoaning the fact that my mother still uses floppy disks and that it’s becoming harder and harder to get her set up with a computer that actually has a floppy drive.  Then one of my friends suggested a brilliant idea, which I’ve only just gotten around to implementing:

Floppy Disk w/ Low-Tech USB Adaptor

“Just tell her it’s an adaptor!”, my friend suggested.  Heck man, not only is it an adaptor, it also spectacularly increases the amount of stuff you can store on that floppy!  I wonder if my Mom will go for it?

Not News is Bad News

I read an article this morning about on-line banking fraud that was so awful it prompted me to dust off the Righteous IT blog and write about it.  Sure, it’s a sponsored article from a financial industry site and not really journalism, so maybe I shouldn’t expect too much.  But the problem is that the misinformation in this article– which is so typical of other articles related to on-line banking fraud– is actually hampering our ability to make the situation better.

Let’s start with the “money quote” in the article from F-Secure’s Sean Sullivan: “Last year there were more online bank robberies than there were actual on-site bank robberies.”  You can be sure that this quote is going to get a lot of airplay on Twitter and in the popular press.  I even understand what Sean is saying here– there were numerically more cases of on-line banking fraud than there were physical hold-ups at banking institutions.  I might even believe this.

The problem with the quote is that it ignores one important point.  When a real-world bank is held up, the bank’s insurance covers the cost of any losses.  When a small business is the victim of on-line banking fraud, the bank is not legally obligated to make good the loss– a fact that is even noted later in the original article.  The reality is that in on-line banking fraud, the bank is not the victim, their customers are.  So while the quote is surely an attention-grabber, it ignores the critical fact that in the on-line world, the financial institutions have managed to transfer a whole lot of risk squarely into the laps of their customers.

The article goes on to extol the virtues of multi-factor authentication systems, including passwords, keys, security questions, personalized pictures, and so on.  We even get another quote from Sean Sullivan: “The more layers you have before you get to your account, the safer you are.”  Really? Then why does Sullivan also state in the same article, “Some more advanced types of Trojans can make fraudulent transfers and drain your account while you are logged on to the account online”?

The reality that banks may not want to admit right now is that readily available malware kits like Zeus are completely bypassing the bank’s on-line security protocols.  This happens because the attacker has simply taken over the victim’s machine and is using the victim’s own credentials to conduct the fraudulent transactions. It doesn’t matter how many “layers” you have when the attackers own the victim’s system.  To borrow Bruce Schneier’s phrase, all of those hoops that your on-line bank makes you jump through are not much more than “security theatre” at this point.

Finally there’s the standard wrap-up for an article of this type: the dreaded “How to Help Protect Your Account” list of bullet items.  These lists always include advice on keeping your anti-virus/anti-spyware up-to-date and turning on auto-updates (it’s #2 in the list in this article).  Well guess what?  Perhaps more than half of the PCs infected with the Zeus banking malware had up-to-date virus signatures and patches.

And of course there’s the exhortation to “Use a strong password with letters and numbers combined.”  How exactly is a strong password going to help you when the attackers learn what the password is as soon as you enter it into your web browser?  Can we please stop suggesting that passwords– strong or otherwise– are going to help here?

At this point, I’m not sure there’s a way for normal users to achieve a reasonable level of security for on-line banking.  The “attack surface” of a typical home computer is so vast that attackers will find a way to compromise the system.  The best suggestion I’ve heard floated to date– using a dedicated computer for on-line banking— seems too expensive to be reasonable for home users, or even a typical small business (to say nothing of the inconvenience factor).

The bottom line is that current on-line security measures are not stopping thieves. We need to stop publishing articles that suggest that there is some magic litany of security steps an average user can take to make their on-line banking secure.  If users were to abandon on-line banking– which is a huge money-saver for financial institutions compared to bricks and mortar branches with live tellers– you can bet that the banks might actually start working on some more effective security measures.

Similarly, as long as the banks can keep pushing their liability onto their customers, they have no incentive to fix the problem.  We need more customers who are willing to go after their banks to recover their lost funds.  Small business groups should agitate for the same sorts of protections that are afforded to individual accounts.  By pushing the liability back onto the financial institutions, we make it more likely that the banks will actually spend their own money beefing up their on-line security measures and back-end fraud detection.