Business Excellence (Part 1): The economics of professional service practices in the Australian Cyber Security Market

Edward Farrell

The following “business excellence” series of articles are focused on the day to day operations and non-technical considerations of modern day cyber security practices. I wanted to share my own insights and observations of the cyber security industry away from a facade that is often presented to us in marketing, or from the coalface of day to day activities.

At the start of 2019 I conducted an analysis on the cyber security industry in Australia, specifically its penetration testing organisations, their staff, structure and it was evident in January a consolidation was looming. I did have a curiosity that I have long studied since this period; how to achieve economic sustainability and viability long term as a professional services business with a focus on independent penetration testing services. This curiosity was sparked yet again with several folks applying for our roles and most notably from a number of competing firms, as well as the salary offerings and expectations from organisations and their employees, and a revisit of the 2019 analysis. Below I’ve done a bit of a financial breakdown of cyber security practices, but also identified an area of concern.

Breaking down professional services

A professional services practice focuses on time and materials. This roughly translates to 220 billable days each year after weekends, sick leave and annual leave per billable staff member. Drawing down to non billable work, an effectively utilised resource can be expected to be billing anywhere from 130–190 days depending on their place in the organisation’s structure, its method of engagement delivery and tempo of operations.

Analysing supporting costs

On top of the cost of billable staff in a professional practice, other non billable personnel include:

1. The non billable activities of C level staff or team leaders (some of whom may be performing a reduced delivery function).
2. Sales personnel, and any bonuses that come with sales.
3. Support elements, including operations managers, advisors, accounting, marketing and HR.

Additionally, there are the fixed costs of digital infrastructure, office rents and day to day expenses.

A curiosity has come up every time we look at our competitors; there’s anywhere from 40–70% staff that do not participate directly in billable activities. Additionally, cursory analysis of digital infrastructure, fixed assets, marketing, sponsorship or other activities that contribute to expenditure also exists and is fairly significant. Sample calculations are available here, including one conducted against a competitor of Mercury.

The problem

Our analysis and breakdown of a number of cyber security firms indicates that most technically are not financially viable, even moreso in the event of a quarterly downturn.

If we look at current daily rates for consulting for cyber security services of assuming between $1,200 and $2,400 a day excluding GST, several problems emerge.

In the case of one firm we looked at, the daily rate for the 2x low experience consultants employed by the firm would have to be billing $2124 per day just for the organisation to break even (assuming certain salaries, utilisation rates for support amongst support staff and a low drag business model) or substantially higher to make a profit. Often when we deal with government clients these rates are commercially unviable; a review of the published rates at the digital marketplace indicates that in Government these rates rarely exceed $1800 per day excluding GST and higher rates are dependent on an expertise that is often absent.

Operating on an assumption of specific salaries that are being demanded in the market, the pressure of upper management, there is no way that a pure consulting practice can be commercially viable with the following exceptions:

1. There’s an increase in daily utilisation; in the case of our firm above, this would have meant a range of between 120–200% use of time which may cut into the sleep patterns of billable staff.
2. Billing isn’t performed with a daily rate calculation, which is unlikely in the Australian market unless theres a SaaS platform.
3. There is a downward pressure on wages, which is unlikely in the 2021 climate.
4. An increase in low cost staff has occurred in the Australian market which is not anticipated for several years.
   In the Australian employment market it is unlikely that we will ever see salary reductions; we would have seen this in half a dozen semi skilled industries crash since 1996 workplace changes. Additionally, we have the training liability and entry barrier, for which are substantially lower than cyber security services and thus unlikely to increase supply thus resulting in a downward pressure on wages.
5. The firm also sells product, licensing or a software as a service, in addition to its professional services, however this may undermine the firm’s professional integrity (I have only seen a handful of organisations achieve this effectively).
6. There’s more staff than can be publicly mapped, and the modelling conducted against a number of these organisations is inaccurate.
7. Non-billable staff are employed on a casual basis, and thus drawing a lower salary.
8. Non-billable staff are in fact billable which would make sense for some senior managers with existing skills or perhaps even the project manager, but not for the company accountant, EA, CFO, thought leader or resident instagram model.
9. Offshoring of work takes place contrary to Australian cyber security interests. One particularly shifty practice, complete with repurposed crypto currency enthusiasts and cross fitters, proudly proclaimed their Australian owned status whilst having all their delivery work force based in Indonesia.

I’d also be curious to see how this plays out in larger firms; the additional layers of management in concert with the inflexibility of these organisations risks creating a diseconomy of scale, however for the most part alot of these larger firms do have a multitude of services and products which more often than not offsets the professional services within these organisations.

Reality is that we will probably see the functional or financial dislocation of a number of cyber security firms in coming years as the economic models may not be viable, or as disrupting factors come into the market.