I'm a cyber security specialist (in web application security) with a few certifications and 10+ years of experience.
I charge usually $350 an hour unless it's something I estimate will require the help of an outsider, for which I may go as high as $1k an hour.
Answering everyone asking how we find clients - I love public speaking and so I try to do as much as I can. 80% of my clients saw me speak, the other 20% come from word of mouth. Highly recommend if you have the ability.
Man. I (CISSP, CISA), 20 years of experience, everything from development to dev management to sales and marketing to finance to fundraising, the whole shebang, do ISO27001 ISMSs and coach through certifications… for $70/hr. But then, my clients are based in the U.K., where technology is still generally seen as worthless.
That's what a (Master-level) plumber charges per hour in Germany. By offering such discounted rates, people consider you 'less valuable' a priori.
I have indeed heard anti-"IT" sentiments in the UK, where managers often come from outside disciplines (e.g. "politics, philosophy and economics" type of Oxbridge degrees). Some of these people adjust quickly and pick up technical skills naturally, whereas others couldn't insert a 9 V block battery into a toy without a YouTube video after a decade of "IT" exposure. But they also do not know what something is worth without a clear explanation, so your value is bound by your ability to articulate it.
Fair. Thank you. You’ve just inspired me to fire off a round of emails announcing a 500% rate increase, listing the pretty significant accomplishments I have achieved for each client, and underlining the point that their businesses would likely not exist were it not for my support over the many years I have worked with them. I don’t exaggerate - many of them would never have got off the ground without me dragging them through the startup thorns and driving their first few years of technical sales.
Either they’ll like it, or I’ll just quit technology, as the resentment just keeps growing.
Unless there is a massive recession, I would consider scaring off more than 80% an opportunity to spend time prospecting for better clients. I can’t speak for the UK, but I really suspect you can find them.
Also don’t forget that some fraction of the clients who balk at the increase from their anchor-bias price will come back to you after they see the low quality they get from other vendors at that price. Just be gracious when they leave.
I work in the UK and it's a fair estimate that a good percentage of senior managers haven't got a clue when it comes to IT and technology in general. Having said that, people aren't necessarily stupid: if the pitch is right, they would adopt the solution and pay decent consulting rates. The biggest problem is that both groups do struggle to meet each other.
Venture Capital and FANG pay obscene money because their business models can afford to, they just happen to be powered by software. The actual work of software development isn't somehow worth more to society than your average white collar job, at least in my opinion. It's just another job, and it would be better for the world if the pay came down rather than everywhere get inflated, so that software could thrive in other markets, not just the tech bubbles. Perhaps not the right forum to be preaching for that, and it's certainly not in my best interest either, but that's how I see it.
Their business models can afford to pay a lot because these companies generate that much cash. They drive that much cash because software can be highly leveraged (whereas plumbing cannot). Having salaries come down means shifting where the profits are distributed and allowing the company owners and investors to capture more in comparison to the employees. I don't see how this is better?
It's still not great, but I am thinking of the negative externalities of tying up all software developers in tech bubbles, and having such a highly inflated class of worker in your cities.
Taxing those profits more readily might be one way to make the value from these insanely profitable software plays be more fairly distributed across society.
If this was true, then purchasers would not be having to pay so much for the labor. No one is forcing them to.
Pricing is just a function of supply and demand. The high prices indicate more supply is needed to market participants. Maybe the participants can respond and provide sufficient supply to bring prices down. Maybe the participants are not able to respond with enough supply and prices stay elevated.
I think you are right. I also wonder how many people will still be interested in software after it stops being associated with big money and startup culture.
Sounds like it is less technical, correct?
I find that there are a lot of auditing firms out there willing to do compliance work for cheap, therefore bringing down the prices (still not super low).
Technical auditing and training in cyber security was always a kind of niche that allows you to charge more.
If you're doing $70/hr in the UK at CISO level you're way under some of your competitors.
Heck Pentesters charge more than that and they're 50%+ cheaper in the UK than the US.
My hourly rate in the UK as a Big-4 Infosec consultant 15+ years ago was way more than that and I wasn't doing CISO work. Partners (who were the kind of people doing that kind of work) were 10x your rate back then.
It's actually a similar price in Germany. There are higher paying jobs in Berlin, but in general it's not unusual to have this price in Europe. France and Spain are even lower.
There are definitely companies in the UK that will pay competitive rates for tech. $70/hr is lower than the median contracting rates for the UK, and I'd be suspicious if someone with 20 years experience was that cheap. I'd expect at minimum to be paying 1000 GBP/day.
I had 15 years of experience when I last updated my rates - and I chronically undervalue myself. I’m responsible for the better part of a billion pounds of revenue, without exaggeration, across my clients, over the decades.
Part of the issue I’ve faced is that I usually start working with folks when they’re 2-3 people, and I grow them - but my rates end up stuck at the 2-3 people company level, not at the 1000+ person company level that they’ve mostly become.
I also consistently manage to get gipped out of equity, as I’m always “just madaxe”, who humbly grinds away and doesn’t feel right taking a slice of someone else’s pie.
"and doesn’t feel right taking a slice of someone else’s pie"
I hate to say it, but you need to get over that. This very mindset has screwed me over more times than I care to think about. I'm in the $2B+ generated revenue part of my career. I've got a lot of scars, bruises and broken dreams that brought me here. Built an entire start-up, that sold for $256M, got screwed out of $2M. That was on the low-end of what I've lost in various endeavours. And I have stupidly made that mistake several times. Over the years I've learned some hard lessons.
I now take the approach that "I charge this much per day/week for my time, if you cannot afford that and wish to give me equity in lieu of (some of) my pay, these are my terms." And I don't do 4 year vesting with 1 year cliff. If I am taking a significant pay cut, e.g. 60% to 70% from my usual day rate, the cliff is 90 days on an accelerated vesting schedule. And it is a grant, not options, I'm not giving back money to get what I earned.
You also need to start negotiating your contracts to have a quarterly or bi-annual rate increase from "I'm doing you a solid here with a big discount" so that three years later, after building all the tech for the start-up, you aren't earning less than the Junior who struggles to remember the difference between margins and offsets. On client discounts (I've stopped giving them except where large chunks of equity are concerned), you can backload them too, so that should the client cut you loose because you bumped your rate by 10% last year, as stated in your contract, they pay a termination fee. Some clients will balk and nope out; those clients you don't want. It took me decades to figure out I was allowed to say "no" to potential work.
Right now I am charging less than what I have in the past, $1,000/day as opposed to $1,600 to $2,000/day, because I need some stress free time, and at 6pm, I turn off my computer and forget about my work.
Have you considered finding somebody to act as your “talent agent“? I don’t know exactly how this would work, but with so much money being left on the table I think it makes a ton of sense to be creative. I totally understand how awkward it can be to ask for more, but if part of the block is your own personality, there must be someone out there who would have less of a problem asking for what you deserve. The ROI would almost certainly be huge regardless of their cut.
Every technical meetup group I have been involved with is perennially desperate for speakers. If you make the effort to be present both physically and virtually for about three meetup groups over the course of about three months, I think it's very likely you could get slotted in to speak by month 6. It's possible they would add you on as a moderator for the group, guaranteeing persistent visibility if you are willing to put in the work (assuming you are an honest and decent person, this is a win-win because these communities have huge positive externalities).
Yeah, the fixed “cost“ (in effort) of bringing someone in can totally dominate the financial cost for smaller engagements. Especially when a manager is spending their large company’s dollars.
I’ve seen some companies charge very little ($2-$5k) for a pen test. How are you able to charge $350/hour for essentially the same work? Is there some pitch or playbook you’re using to justify the price for doing the same work?
A $5K pentest is just some guy running a couple of off-the-shelf, open source, or scriptkiddie tools and handing you the reports.
For $350/hr you get
- someone knowing which pentest tools to start with
- someone knowing how to follow up with more focused attention on problem areas and run additional tests
- someone analyzing the raw reports to understand the causes of the vulnerabilities
- a multi-page written formal report with interpretations and recommendations for mitigation, including cost/risk/benefit summaries.
Edit to add: in my experience the companies offering cheap pentests and handing you the logs are the ones that then say, "If you want to understand these logs and know what to do about them, you can contract with us at $VERY_HIGH_RATE"
I've seen a couple of the cheap pen tests by a few German companies.
The whole thing looked like 1-2 days of work and the person doing it was doing the basic stuff, but it was definitely conducted by a knowledgeable person, and when problems were found reasonable suggestions were offered in the report. The apps were standard - frontend in Angular, backend in Spring Boot on Tomcat.
basic DoS, XSS, SQLi, token abuse, open ports with not up to date services, generic vulnerability scanner, basic password brute forcing