Do the numbers add up? revisiting the mathemetactics of a cyber security practice

Edward Farrell

A pure cyber security practice (or any services practice) is the science of applying time and space relative to staff in order to achieve an effect. This could be as part of a governance strategy, penetration testing, gap reviews, managed security services or any other number of services that come up.

The simple equation to this math in Australia is:

1. take 365 days in a year
2. remove ~15 public holidays (350 days)
3. Remove weekends by dividing by 7 and multiplying by 5 (250 days)
4. Remove 10 days sick leave, 20 days holidays per year (220 days)
5. Remove another 10–20 days to factor in professional development, down time and corporate events.

We’re left with around 200 consulting days a year per head. I note that unless its a permanent or long term engagement, it’s unlikely that 200 days will be achievable, so most businesses work on having their consulting staff delivering between 70–90%, or 140–180 days, with the remainder on sales, planning and non-billable tasks. These ratios might be less for seniors, who are providing oversight and sales, and are largely nonexistent for support staff.

Working backwards from this number, cyber security consulting roles range from $50,000 to 75,000 for entrants, $75,000 to $125,000 for seasoned consultants, and over to 150k for specialists or employees with deep expertise. Support staff salaries such as sales, ops and administration, will range from $60,000 up to $200,000, and higher if you’re bestowed with a thought leadership title. Factoring in another $15,000–20,0000 per head for operational costs (IE insurance, internet, phone bills, training and general expenses) means that we can operate on a per person expenditure for a business size of $75,000 to $220,000.

Analysing a recent panel employing the SIFA framework, a senior consultant was estimated to cost $1590 per day, and costs for consultancy can range between $1200 to $2500 depending on the expertise, time and nature of consulting, however if we were to model off our 1600 mark our per head revenue is around $224,000 to $288,000 assuming we’re working our delivery staff hard, which means that a 1:1 staff ratio will see a cyber security practice roughly break even. This isn’t ideal, as most organisations would want about 5–30% profit, and ideally higher if you can pull it off safely.

During a recent competitor analysis, I’d observed the following:

1. A firm that tried to cold call us on penetration testing services had 2x support staff with more post nominals in their job titles than royalty, and 1x junior conducting the actual work.
2. A second firm had 8 support staff (C level, sales and project management) with a 3 person consulting team conducting delivery in a south east asian country.
3. Another firm in Melbourne has a non billable team of 6 (HR, accountant, 2x sales, an OPS manager and the founder/CEO with no prior tech qualifications), and 2x pentesters.
4. One of the larger firms in Australia had a near 6:5 ratio (1.2:1) of delivery staff to non-delivery staff with in excess of 500 staff in their cyber security practice. One would expect that over time, an economy of scale would be achieved, however the firm in question appears to have employed a large number of graduates alongside the support staff and serious major leadership, leaving little financial room for in depth expertise.

Of course, at this rate one questions how can these firms remain profitable. There are ways around how a profit can be generated, or areas where this model of analysis is be flawed, namely:

1. Our main source of data is LinkedIn, where non sales or technical staff do not necessarily present themselves.
2. Support staff identified in our analysis may not differentiate between full time and part time. I know of an awesome HR person in another organisation working on part time hours, and other managers and execs may only be present in title as opposed to full time. This would reduce the operational cost of each.
3. Firms could be operating on different service models instead of time based testing, which could make them more profitable. An example of this is Hivint.
4. Non-billable staff could have a billable function such as mentorship or oversight, however in the 3 smaller firms we dived into this did not appear to be the case.
5. The sale of products alongside services could also facilitate a higher profit margin which would be the most likely case. Mercury and a number of other firms avoid this to maintain independence, however there are other organisations that have been effective at providing products and also helping organisations rationalise their product set, but this is the exception.
6. Organisations are overextending delivery costs to customers, or working consultants at excessive utilisation ratios.

A theory I have considered on the cries of “cyber skills shortage” has been institutions such as the large one analysed above one pushing people through certification and qualification with no mentorship and support, in order to increase the labor supply and reduce the per head cost of employees.

My ultimate concern is that we either have an inefficiency in the market that is due for correction (which is already coming through more efficient penetration testing firms) or ultimately organisations are not getting the services they’ve been promised at an exorbitant rate. The prophets of “skills shortage” may also be pumping people through qualifications and training similar to the MCSE certification drive of 15–20 years ago, the questions remain- will we as a society benefit from this sudden surge, and will the large firms be able to hold off long enough for the salary drop to be realised whilst still having functions and roles that can employ the newly minted.