Our first growing pains

Posted on 2023-03-21 by Matt Strahan in Volkis News


Earlier this year Alexei and I were staring at the screen, looking at a report that was less than flattering for the company. The reading of the report was simple: we were doing less billable work than we expected.

Unpacking the what and why of this problem drove us to change our processes and hire our first dedicated project coordinator.

The structure of our reporting

In any organisation, keeping your finger on the pulse is easier said than done.

When it’s just a few people it’s rather easy. You simply ask people something like “hey, how are you going?” every so often. You can easily get a good feel for what’s coming in, how busy everyone is, who’s overworked, and the amount of work you need to have come in to sustain the team. The day-to-day conversations you have are usually enough to know what everyone is doing and to understand what you need to do to make things work smoothly.

Add in just a few more people and the number of interactions that have to happen for everyone to know everything using simple conversations begins to multiply. The amount of time you need to expend just to be on top of what everyone else is doing begins to take over your entire week. This means you need to start building reports and structures to have any hope of being across what’s happening.

The first report for us would be a simple billability report. “Billability” is a word with a bad reputation in cyber security consulting. This is because managers, I believe, don’t often understand what they’re looking at and end up taking the opposite actions to what they should be taking.

The percentage of the time that consultants spend on billable work compared to their total capacity is called their “billability”. This metric is used quite often in all types of professional services, including law firms, accountancies, and IT.

“Brilliant,” the bad manager thinks after getting this report, “I’ll just punish those consultants with low billability and reward those with high billability!”

This is a mistake. Let’s have a look at the potential causes of low and high billability:

  • Low billability: Consultants rarely directly control the amount of billable work they’re assigned. If there’s poor sales then every consultant will be shown to have low billability. A specialist might have low billability because they are waiting for work they are specialised in. Even if the consultant is actively refusing work it’s not necessarily an indicator that they’re slow. Has enough time been allocated to do a good job? Does the consultant have the support they need? Is their time being taken by important non-billable tasks?
  • High billability: Usually this is not an indicator of success but is a problem in its own right. I see high billability as an indicator that a consultant is likely going to be burnt out. They might even be cutting corners and not doing a good job on their work.

Both low billability and high billability are potential indicators of problems, but they’re indicators of problems in the entire project lifecycle, not problems with individuals themselves.

The other significant report we look at is the project report. This shows on a project by project basis the financials, profitability, time budget, and time spent on the work. It ends up being a giant spreadsheet with each project occupying a row, but considering we’re still relatively small there’s huge value being able to understand the figures on a project by project basis.

Those numbers aren’t good

When we were staring at these two reports we could see that things weren’t quite right. Two glaring alarms were firing, alarms that definitely impacted profitability and if left unchecked could even threaten the long-term sustainability of the business:

  1. Our billability figures were lower than expected
  2. We were spending more time on work than was scoped

These are clear problems. That said, even though the problems are clear the solutions aren’t necessarily easy. It’s common to jump straight to a solution that would be just plain incorrect, for example:

  1. Our billability figures were lower than expected, so let’s forcibly schedule more billable work for people. I’m sure they’ll adapt!
  2. We were spending more time on work than was scoped, so let’s add 20% to all our scopings.

This would, again, be a mistake. Instead, before we make any decisions we need to find out more about these problems.

How it reported vs how we felt

The billability reports were a surprise because, overall, they didn’t match up with how we felt. There were times where we were delivering a lot of billable work without any worries and there were times where we weren’t delivering much but felt like we were flat out. There was obviously more to this story.

When we investigated we found a bunch of key issues that were small but, added together, caused us a whole lot of grief and ended up with us simply not being as efficient as we could be.

  • We didn’t always have the requirements for work lined up in time to start. This caused delays.
  • Consultants had to chase clients and partners for information. Sometimes this wasn’t easy or done in time to start the work, causing delays.
  • Delays to work ended up cascading into the next project and the one after. Sometimes consultants were doing several reports at once.
  • There was insufficient connection between presales and postsales. Consultants sometimes started pieces of work without fully understanding everything about what they needed to do.

All of these were “sometimes” things. They are all very easily solved when we’re two, three, four, or five people - you just talk with each other and, since everyone knows what everyone else is doing, you just sort it all out. Now we’re getting to 10 it gets a bit harder. It takes more and more effort to keep track of what everyone else is doing and it’s unreasonable to expect everyone to expend that effort.

This was the first of what may be many of Volkis’ growing pains.

Fixing the issues

Luckily all of these issues fit into the same category: we needed better project coordination. Usually we are averse to hiring when we have issues like this. Our first preference is to automate, our second preference is to build a better process.

Ultimately though the work that consultants were doing themselves simply wasn’t very fun for them and that in itself was part of the problem. Penetration testers don’t really enjoy chasing clients or chasing information. They don’t like having to juggle schedules. For us, we just want them to focus on what they do best.

After a lot of internal discussion (and I mean a lot!), we moved forward and hired Victoria Pirovani as our new project coordinator. So far it’s been great - projects are running smoother and everyone feels a bit more relaxed. You could even tell the “pre-Vic” and “post-Vic” projects with the ones that we set up ourselves seeming to have troubles all at once because the requirements weren’t in place!

Onwards and upwards

This is not going to be the first time we go “something’s wrong, what could it be?” and if we’re lucky it won’t be the last time. That’s really just the way it is in business - new challenges will appear as we bring on new people and the company gets bigger and more complex. It’s part of the fun!

With our transparency value I’ll look forward to bringing more of how we work to the world. We’ve already got our State of Volkis page for this year up and I’ll be writing about that soon. Hopefully people will get stuff out of it and who knows? Maybe you’ll start a company and face these same issues yourselves!


About the author

Matthew Strahan is Co-Founder and Managing Director at Volkis. He has over a decade of dedicated cyber security experience, including penetration testing, governance, compliance, incident response, technical security and risk management. You can catch him on Twitter and LinkedIn.

Photo by Lukas Blazek on Unsplash.
