
Awesome. That sounds like a lucrative space to be in: presumably, everything you get asked to do is directly in the service of making companies more money, and so you can anchor your prices to the value you're providing.

What part of Patrick's consulting advice doesn't ring true to you?

(I spent a little over 10 years as a software engineering consultant, ending just last year when I started this new company; when the consultancy I cofounded sold, we had around 30 people on the team).




Penetration testing is not really software engineering consulting, and security spending is about as far as you can get from anchoring pricing to value. It's closer to selling insurance, but the value is even more dubious.

The exception might be in cases where a company is already spending a lot on security by doing it poorly, and you show them how to do it better. But, that is pretty much none of the market that I've seen.


Our modal project was part of the software engineering budget of a software product company.

I think you may think Matasano was more of an IT shop than it actually was. The term "penetration testing" doesn't do anyone any favors, since it means everything from "running Metasploit" (the kind of work we did not do) to "evaluating firmware".

This is really neither here nor there, right; the more specialized you want to say our work does, the stronger my consulting advice gets.


There are too many little things to sit down and make an argument. That's why I didn't want to get into a debate. You either see this or you don't. It's not easy to show it, but I will make just 1 example not to be completely without foundation.

The context is making (high touch) enterprise sales. In a blog post he reveals "the secret" that departments/teams have a credit card and purchases below a certain threshold are made with it and without allocating budget. He advises the reader to price his product/service to fall below that threshold so people in the department can purchase at their own discretion. It sounds logical and $6,000/year is a nice sum if you don't do a lot of custom stuff for clients.

On the other hand, you want your invoice's line to be as high on their books as possible. If your service is on some low manager's sheet, you are nobody there. He gets moved, quits, the company decides to cut costs or a thousand other things - you lose the client. You don't want a nobody pushing the needle for you on their side. You want it sponsored by a Director at the very least, but VP and above are more desirable. You want to be vetted. You want to be on the Approved Vendor List. You don't want payments every month, you want them in lumpier sums.

When reading something, it is a good exercise to think about the opposing situation for a second.



