I just wanted to chime in quickly. I've found much of the advice given by patio11 to be plain wrong in my experience.
These conversations quickly fill up with Latin phrases barely copied out of wikipedia and I don't have the time or patience to discuss this with people I know nothing about.
Take this as you wish, most of the stuff he says is exactly what a person looking in would THINK, but it is not the truth.
And maybe that's the difference between your experience and patio11's?
He did take the time (and lots of it) to write up his advice (though if you read his earlier stuff it was much less advice and much more "here is this thing I'm doing, let's see if it works").
He also has near endless patience when discussing this stuff with others. It doesn't hurt that he is a persuasive writer, and it is a skill he has obviously and publicly worked at.
I for one would love to hear an opposing viewpoint, especially if it could be as well written and the author allowed as much access as patio11 does.
Yes I am. I make analytics applications for sales&marketing departments. Forecasting/Simulation, Segmentation, Text analytics, etc. Typical client - establishment with 500-1000 employees. Projects are delivered to the clients as a SaaS solution, because they need maintenance. Quarterly invoices, 1 year minimum contract.
Awesome. That sounds like a lucrative space to be in: presumably, everything you get asked to do is directly in the service of making companies more money, and so you can anchor your prices to the value you're providing.
What part of Patrick's consulting advice doesn't ring true to you?
(I spent a little over 10 years as a software engineering consultant, ending just last year when I started this new company; when the consultancy I cofounded sold, we had around 30 people on the team).
Penetration testing is not really software engineering consulting, and security spending is about as far as you can get from anchoring pricing to value. It's closer to selling insurance, but the value is even more dubious.
The exception might be in cases where a company is already spending a lot on security by doing it poorly, and you show them how to do it better. But, that is pretty much none of the market that I've seen.
Our modal project was part of the software engineering budget of a software product company.
I think you may think Matasano was more of an IT shop than it actually was. The term "penetration testing" doesn't do anyone any favors, since it means everything from "running Metasploit" (the kind of work we did not do) to "evaluating firmware".
This is really neither here nor there, right; the more specialized you want to say our work was, the stronger my consulting advice gets.
There are too many little things to sit down and make an argument. That's why I didn't want to get into a debate. You either see this or you don't. It's not easy to show it, but I will give just one example so as not to be completely without foundation.
The context is making (high touch) enterprise sales. In a blog post he reveals "the secret" that departments/teams have a credit card and purchases below a certain threshold are made with it and without allocating budget. He advises the reader to price his product/service to fall below that threshold so people in the department can purchase on their own discretion. It sounds logical and $6,000/year is a nice sum if you don't do a lot of custom stuff for clients.
On the other hand, you want your invoice's line to be as high on their books as possible. If your service is on some low manager's sheet, you are nobody there. He gets moved, quits, the company decides to cut costs or a thousand other things - you lose the client. You don't want a nobody pushing the needle for you on their side. You want it sponsored by a Director at the very least, but VP and above are more desirable. You want to be vetted. You want to be on the Approved Vendor List. You don't want payments every month, you want them on lumpier sums.
When reading something, it is a good exercise to think about the opposing situation for a second.