A couple years ago a family member who was thinking about starting their own consulting company reached out to me, and I wrote up a long answer to them about what I had learned so far that I hoped was helpful. Last week when I sat down with a friend and former colleague, who was in a similar place, I realized that I had never posted that advice publicly, and if it might be valuable to these people then it might also be valuable to a wider audience.
This was the question that started it off:
What is the one thing you wish someone would have told you when you were about to start your company?
And this is what I wrote in response:
I’ll pass on to you a few pieces of advice that I *did* get which were helpful, and then one thing which maybe wasn’t quite “a thing I wish someone would have told me,” but where I got a little bit lucky in the path that I took, this time around, in a way that turned out instructive.
You Need Money in the Bank
The first big piece of advice that I got, from a friend who’d started his own software consulting and training business, and which proved very useful to me, was to have at least a year’s worth of income saved up before I tried for it. I forget how much I shared with you at the funeral, but the brief outline of my story is that we launched the project I was on at Lyft successfully on January 1, 2020, and I got laid off in March 2020. I had a bit of money from the Lyft IPO saved, actually about a year and a half’s income, but I wasn’t sure what I was going to do, and spent some time casting around for new work and also recovering from what had been a pretty rough time at Lyft. (Despite the successful launch, in fifteen months I’d had five direct managers and four directors, and I was very burned out.)
A couple months in, after some unproductive conversations about potential full-time work, a friend connected me with an organization she had just left, who were at the time looking to hire a full-time security person. I liked them, but as our conversations developed, it became clear that they didn’t have a full-time person’s worth of work, and so, thinking that I was interested to try consulting and did have the money saved up, I asked if they would be interested in having me consult for them, and they agreed. They’ve been my main client ever since, and actually I’m on my way to Boston for them right now.
It turned out to be *very* good that I had so much money saved up, even despite that I cut my expenses hard. I moved out of my own place into shared housing to cut rent and utilities and stretch things, and of course the pandemic meant I was spending a lot less on travel and entertainment and dining out, which are otherwise my big discretionary spending categories, but still I spent basically all of that savings, and kind of really just got the business off the ground in the nick of time.
Despite being with the same main client since I started, the work for them has been very bursty—some months, like this month where I’m spending two weeks with them in Boston, they have a lot of work for me and I’ll get paid a lot, and some months, all they’re paying me is a little pre-commitment to a couple hours a month, basically just to tide me over. They’ve been very good to work with and fairly understanding of freelancer economics, but not everybody is. Also the pandemic really slowed down both their work as well as my process of finding additional ongoing clients. A lot of my connections have come from in-person conferences, and they didn’t really start to pick up again until June 2022 (i.e., this year [at the time of writing]).
I had a scare in May this year where I rolled off a couple big client projects, one client who I’d hoped would become an ongoing client declined to renew their contract with me, and then I got COVID, and so I spent most of the month in bed and unable to hustle. I hit the bottom of my bank account with a loud thud in June, and that was scary for a while—paying the minimum on my credit cards, tapping the very last of my savings. I started looking for full-time work, and in parallel I went to my main client and let them know that.
Fortunately by that point, we’d built up a good relationship, and they were on the cusp of standing up a new site in Boston and could see their way to using a lot more of my help, so it worked out, and it looks like I’m going to be able to continue doing this for a bit. However in many ways I got lucky—there was no reason it *had* to work out—and the savings cushion meant I got to have this crisis in a moment where I’ve built things to a point that I *could* get lucky like this, rather than six months or a year earlier when I might have had the crisis without those relationships ready to step in and support me, and had to wind down the business.
Be the Go-To Guy (or Gal, or Enby, or … you get the picture)
The second piece of advice that I got, which proved prescient, was that most of my work was not going to come from friends hiring me directly, but from friends-of-friends. (The source of this advice was, appropriately enough, a friend-of-a-friend—an Internet friend of mine introduced me to a guy he knew, Tom Critchlow, who runs his own SEO consulting business, and he was very good to talk to as someone who’d been in the same situation as me.) As Tom put it, he became known as “the SEO guy” among his friends, and then they started introducing *their* friends to him, when those friends needed SEO help.
And, in fact, this was how I’ve met pretty much all my clients—as I mentioned, my main client came because a friend of mine heard that one of her former co-workers was looking for a cybersecurity person, and introduced me, and so it went. My second significant client was an intro via an entrepreneurship community I’m part of, where the principals who I know fairly well introduced me as “the security guy” to an executive they were mentoring. And my third client, I met via a conference put on by a friend who runs an organization for privacy professionals. So Tom’s advice was to make sure your friends all know that you’re consulting and what you consult in, but not to look to them directly for work, and instead lean in any time you get one of these second-order introductions, and participate in environments like conferences and professional organizations which are designed to foster and grow them.
I don’t know what the security conferences, meetups etc are which are local to you, and to oversimplify there are the kinds of conferences that CISOs (Chief Information Security Officers) go to and the kind that people who are more on the practitioner side like us go to. There’s value in both for a consultant—I’ve had good conversations around the RSA Conference here in the Bay Area just as much as at a DEF CON or a BSides, but my heart is definitely more with the latter. CircleCityCon was just in Indianapolis a couple weeks ago and BlueTeamCon was in Chicago also a couple months ago—those are probably the most substantial practitioner conferences in your general area, and I haven’t been to either so can’t speak directly to them, but they both have a good reputation in my security circles. Unfortunately I don’t know of, and can’t speak to, any of the ones coming up soon close to you, but they’re likely around.
Also where you go will depend on who you want to consult for, or for whom it makes most sense for you to consult given your prior experience. If you’re interested in building a cybersecurity practice focusing on a particular industry, e.g. medical or defense, then find conferences like my privacy conference, where the kind of people who you’ll want to work for will be, who might not necessarily themselves be security people; for example, some of the ISAC (Information Sharing and Analysis Center) conferences like the ones put on by Health-ISAC.
You Have Pricing Power Now—and You Must Use It!
The third piece of advice, and a hard one for pretty much everybody, is to, as much as possible, charge your clients not based on how much the work *costs you to perform* but in proportion to how much *value it delivers to them* (summed up simply by my friend Patrick McKenzie, who goes by patio11 on the Internet, as “charge more,” and you might as well just read what he writes about it here).
The rule of thumb is that if you propose a number, and the client accepts it immediately, you didn’t ask for enough. One can definitely price oneself out of work, and I’ve done it more than once (and sometimes that’s been a good thing), but if you get a little bit of pushback on pricing that means you’ve found the right level. I quote my rack rate as $[REDACTED]/hour, though I’m charging one of my ongoing clients $[60% of REDACTED] (a nonprofit) and I’ve charged as much as $[2.5x REDACTED] (a hedge fund).
(This may seem like a lot of money, but the intuition—another piece of advice that a different friend who’s run successful consulting businesses gave me—is that you’ll spend 50% of your time on billable hours and 50% running the business, hustling for new clients, invoicing, bookkeeping, marketing, etc., so e.g. $250/hour works out to an annual salary of about $250k. I’m on a plane so can’t check my numbers but made about $[five figures, as previously mentioned it was a bad year] last year and am on track to bring in around $[six figures] this year—it’s only within the last couple months I’m actually hitting the 50% billable hours mark on a regular basis. There are ways to build income streams that don’t depend on billable hours but they’re harder, though by no means impossible.)
I’ve become fairly specialized in my particular niche of security, I’ve got a decade of experience, I’m working with well-capitalized organizations, and I’ve still had to drop my rates a fair bit since the tech-stock crash a few months ago, but even when my clients find my rates eye-watering and I have to ask for less and they have to stretch their budgets a bit, we’ve generally both come away very happy. I’m also more willing to charge people less for an ongoing engagement of several months than a one-off, or if I just like them a lot and am excited about the work ([REDACTED], on both counts).
Point being that it’s a dance, the first rate I quote is my opening ask, not the end of the story, and it’s better to go a couple rounds than to close the deal too quickly. (If I start launching products that people will pay for without interaction from me, that will require a different approach, although even there the same attitude is a very valuable one to have, the methods of customer segmentation are just different.)
I still don’t get this right all the time, and many of your counterparties will be seasoned professionals with decades of experience at contract and pricing negotiation, so be patient with yourself as you learn it—as Patrick says, it doesn’t come easy for most folks from our background and position, and you will screw up—but I’ve found it very rewarding to learn, both financially and paradoxically in the sense that in the end my clients value me more and our relationships are better. It may seem backwards but it really works. 🙂
You Need a First Client
This is now the piece of advice which is not necessarily something I wish I’d known but a thing I got lucky on. Everything about running a business, all the parts that may sound fun (meeting people, traveling, making T-shirts and stickers, maybe having employees) and all the parts that may sound not-fun (incorporation, getting a lawyer, insurance, bookkeeping, hiring employees, etc) are downstream of having clients, and so that is the thing to focus on first. Also ongoing clients, meaning people who pay you money every month, are better than one-off clients.
Once you have your first client or clients, then you can put the structures in place around that. (And in fact you can to some extent use their requirements to guide what structure you need. Client doesn’t require cybersecurity insurance? Don’t buy it!) I was lucky that my main client effectively fell into my lap. (And that “well maybe this isn’t full-time, how about contract” move I used is a good one, don’t shy away from full-time roles at least for smaller organizations, although of course don’t go in under false pretenses either.)
A consulting business that doesn’t have customers is dead. Everything comes after that. Land your first customer, and then figure it out.
I’d actually tried freelancing once before, back in 2012—before I got into security even, as a still-fairly-green software engineer—and it didn’t go well, basically because I didn’t have these things in place. I only had a couple months of income saved up, I didn’t have much of a network so I didn’t have friends who could refer me to people looking, I knew to charge more but I didn’t have much experience so people weren’t interested in hiring me for the gigs I wanted, and also frankly I just didn’t do a very good job of delivering value to the couple clients I did manage to land.
I wound up needing to go back to full-time work for other people, which was a disappointment, but I did learn a lot from that experience, and it informed my approach here. There’s no shame in that. I don’t think I would be nearly as successful now if I hadn’t had that experience, and the second time’s been the charm, so far 🤞.
Am I making sense?
Everybody’s in a different place, with different skills and experience, different networks, and different needs and wants, so there’s no advice that can perfectly fit everybody, but these are four touchstones that I’ve found most useful.
I’m not always great about email, but I’m happy to answer any more specific questions I can, as time and energy and so on allow. And good luck! I hope you find success. 🙂