[tptacek]

Nothing in life is free. If you hire Jr. Mahmud to take over 80% of your job, and your aggregate productivity drops by 1000%, you will probably lose your client and be forced out of business.

So don't do that.

A steady $200/hr consulting gig offers an awful lot of wiggle room to figure this stuff out. When we hire a new consultant, (a) we're very picky and (b) they tag-team with us on projects, often for months, without being billable. That costs money in the short term, but pays for itself in the long term.

Also, it's wrong to assume that a consulting gig has to be performed by one person. Time and again friends of mine have found that they could hire cheap for 20-40% of their project work (documentation, test harness coding, automation, etc) and then had that person grow quickly into a full-on replacement. And all due respect to 'mahmud's domain knowledge, but the examples I'm thinking of are pretty high end.

At the end of the day, this problem is a fundamental challenge of running a business, and I have to respectfully/tentatively suggest that if you can't figure out how to hire and train a replacement for your own work, you stand very little chance of running a successful software company, where you'll also have to hire QA, ops, marketing, and sales.

Think of this current challenge like a warmup.

[mattm]

Can you explain this? I don't understand it.

"they tag-team with us on projects, often for months, without being billable"

[tptacek]

I hire Joe the Up-And-Coming Vulnerability Researcher (or rather, Cory does, since we hired someone to replace me 2 years ago so I could do more product work; see how this works?)

Joe and I work on projects together for 2 months.

I'm the billable resource on those projects. Joe doesn't bill.

I start out working harder (I have to deliver for clients and ramp Joe up). Pretty soon Joe ramps up and we start delivering the same work a lot faster. Eventually, Joe's so demonstrably capable (in our case, he's finding the same number or more security vulnerabilities in code that I am) that he becomes a billable resource, scheduled just like anyone else.

Depending on who you hire, this process can take months, or it can take weeks. If you hire someone with experience in your field, it may not take more than a week or two. If you hire out of University, it might take 2 months. It's almost always worth it.

I actually think Matasano has a harder time doing this than many other companies would. Our clients are extremely discriminating (we're a high-end firm) and we have to be very careful about hiring. We have clients that pick researchers from our firm by name. Staff bios go on every proposal. I can't imagine that this is the case for, say, iPhone development; most consulting companies are paying for an outcome, while security research contracts are paid in part for the process.