Hourly Billing Will Undermine Your Cybersecurity Program

Published on 11th March 2021 Author: Rob Black

Hourly billing is as outdated as this time clock.

“Are you billing us hourly?”

I get that question every few weeks from an employee at one of my clients. My answer is always the same.

“No, you are on a fixed price contract.”

The employee immediately relaxes and asks the question on their mind, or answers the question that I’ve just asked.

Hourly billing undermines the success of a company’s cybersecurity program. While senior management might be comfortable with paying consultants hourly fees, employees are not. They fear that talking to the consultant is running up the bill. They have a concern for the bottom line and are less likely to engage with him/her.

They have a question that needs to be answered, but don’t want to put the company, or their jobs, at risk for using resources.

Trust is the most important element of a consultant’s relationship with a client company and its employees, but there is no defined amount of time it takes for trust to be established. It takes time – the relaxed and friendly first five minutes of a meeting might not move the needle on a project, but they serve an important function in building and maintaining the relationship between consultants and their clients.

Hourly billing creates a pressure that frequently restricts those small but meaningful interactions. And that’s just the beginning of how it negatively impacts the relationship.

Hourly billing isn’t good for client or consultant.

Hourly billing brings up many questions and issues that are difficult for the consultant to handle and negatively impact the value and quality of work provided to the client.

While hourly billing assigns the same value to every hour of consulting work, it isn’t actually tied to the value created by the work. Not every hour on the clock is used the same way. A weekly progress call doesn’t push the project forward in the same way that an hour of development does, but it’s an important part of the project.

With hourly billing, it’s very important to track the amount of time spent on each client. This introduces an element to the workflow and can be difficult to manage. Plus, it becomes complicated when handling hours for multiple clients. Back when I still did hourly billing for Fractional CISO, I received requests to evaluate the same vendor from two different clients. I had to schedule two separate calls with that vendor. It wasn’t an especially valuable use of my time, and is it fair for me to pass information I asked on behalf of one client on to the other?

In the world of cybersecurity consulting, it’s common that clients need a quick answer to a critical question. This requires a three minute phone call outside of our normal time. Should you bill that customer? I personally don’t like feeling like a bill-by-the-minute lawyer.

And what happens if that phone call comes in and interrupts me while I’m working on a project for another client? How should I account for that?

The (Dis)incentives of Hourly Billing

With hourly billing, clients are incentivized to keep hours low and consultants are incentivized to keep hours high. This creates friction in the relationship instead of trust and collaboration.

Clients will often request keeping the hours for any given task low, even if the consultant knows it will take more time. Clients may be suspicious of consultants who try to emphasize more time is needed. If consultants do attempt to meet this request, they end up prioritizing speed over the quality of work – leading in lower value deliverables. Plus, it’s plain stressful to feel like you’re on a time crunch!

On the other hand, hourly consultants can overstate the amount of time a project will take, and there’s no guarantee that spending 20 hours on a project will create a higher quality deliverable than spending 10 hours on the project.

Plus, this setup will negatively impact your security! If an expert cybersecurity consultant finds a serious flaw, they want to be able to spend the time needed to address it. When a client requests that less time be spent on a project, it’s possible that critical vulnerabilities can be overlooked or ignored.

The Solution: Fixed Price Contracts

Fixed-price contracts bring the interests of consultants and clients into better alignment and eliminates all of the pain points associated with hourly billing.

Clients get to know and agree to the price of the project in advance, so they know they’re paying a fair price. They can focus on ensuring they get a high-quality result. Consultants are encouraged to complete the projects in whatever time is needed to produce good work. Value is maximized for both parties.

We’re proud to operate Fractional CISO entirely on this basis, though we didn’t always used to. The pain encouraged me to adopt this solution. I feel that it works out – our clients never have to worry about picking up the phone to call us, we can take the time needed to maximize our client’s security.

Win-win.

Want to get great cybersecurity content delivered to your inbox? Click here to sign up for our monthly newsletter, Tales from the Click. You won’t get billed hourly from us, we promise!

Rob Black, CISSP

Rob founded Fractional CISO in 2017 and has helped dozens of companies improve their security posture as a vCISO. He consults, speaks, and writes on IoT and security. Rob has held product security and corporate security leadership positions at PTC ThingWorx, Axeda and RSA Security. He received his MBA from the Kellogg School of Management and holds two Bachelor of Science degrees from Washington University in St. Louis in Computer Science and System Science and Engineering. He is also a Certified Information Systems Security Professional (CISSP).