Too Many Brain Surgeons: Cyber-Security Industry Revenue Per Consultant

George Beaton, director of Beaton Capital and Beaton Research + Consulting, released a nice piece of analysis earlier in the year (here: http://www.brw.com.au/p/professions/consulting_brain_surgeons_build_tpB8SIbvA1ZA1BOzhtxIIL), which included 'revenue per head' data for both listed consulting & integration firms, and strategic management consulting firms.  Included in the former are the likes of Accenture and Capgemini; and included in the latter are the likes of Bain, Booz, BCG & McKinsey.

Note that there are two distinct figures in this sphere of analysis: 'revenue per head' which is revenue divided by the number of all staff including non-billable staff, and 'revenue per consultant' which is revenue divided by the number of billable staff only.  The latter figure, 'revenue per consultant' is effectively a measure of the level of rates able to be charged for consultants, combined with their utilisation - ie, the number of days billed out of the number of available days.  The other figure, 'revenue per head' is a more accurate business-assessment metric since you can have a great revenue per consultant, but if you have a huge sales and support structure getting that business in the door and administering the business, then your revenue per head will actually be fairly poor.  Beaton's figures are 'revenue per head'.

Back to Beaton's analysis... the headline numbers are this: 

beaton1.png
  • Group 1 - Accenture, Atos, Booz Allen Hamilton, Capgemini, Marsh & McLennan and FTI Consulting - Revenue per head (2011) was US$130,000
  • Group 2 - Bain & Company, Booz & Co, Boston Consulting Group and McKinsey & Co - Revenue per head (2011) was US$457,000

For anyone who has spent any time in the consulting business, it is hardly surprising to see that the latter group have significantly higher revenue per head.  For a start, they are substantially smaller businesses: The companies in the Group 1 list above had 510,000 staff between them, whereas the companies in the Group 2 list had only 31,000 staff between them.  To put that in a bit more perspective, according to their latest fact sheet, Accenture on their own have approximately 275,000 staff (http://newsroom.accenture.com/fact+sheet/), so in staff number terms, if you add together Bain & Company, Booz & Co, Boston Consulting Group and McKinsey & Co, you get something that is 11% of the size of Accenture.  (I acknowledge that I'm comparing 2011 data for the former group with 2013 data for Accenture here, but with a gap that big it hasn't happened overnight).

Beaton names the former group 'factories', and the latter group 'brain surgeons', which I'm sure pleases the surgeons... But that said, it's not intended to be a put-down, rather a broad generalisation of the different models, with scale-driven implementation on one-side and highly specialised niche advice on the other side.

staff.png

The interesting part of this for me is actually not the difference in the numbers, or the size of the revenue per head figure for the strategy consultants at US$457,000 (in fact it wouldn't have surprised me at all for it to have been higher than this).  The interesting part is that with revenue per head at a level of US$130,000, those companies in Group 1 can still make substantial profits.  Probably all Australian cyber-security consulting firms would go out of business trying to operate at that level of revenue per head.  Accenture in 2013 posted an operating profit of $4.34 Billion, representing a profit margin of over 15%.  The difference is scale, and the effective and viable use of off-shore resources (according to the Times of India, in 2011, a third of Accenture's employees were in India). 

So what does this all have to do with the cyber-security industry in Australia?  A few observations:

  • The majority of the consulting firms want to be brain surgeons, and nobody really wants to (or finds it viable to) be a factory.  This is a shame, because clients want and need both.  That said, few (if any) of the consulting firms have the scale (or access to international resources) to be a factory.  The closest thing we have to a factory in the security area is probably Dimension Data, and even there I'm not sure they would agree with me.
  • Many consulting firms in the Australian market would struggle to make ends meet with a revenue per head figure of even twice the factory level (ie, $260,000) because of three weaknesses:
    1. Average-cost per head being too high through not having enough entry-level staff (In fact, it is interesting that this weakness is self-perpetuating since the 'skills crisis' we currently have in the industry is in no small part the result of a lack of willingness or ability of companies including the consulting firms to bring entry-level / graduate staff on board, and train them.);
    2. Having too many non-billable staff (both in sales and administration); and
    3. Having too many overhead costs.
  • Consulting firms are starting to get wedged between clients who want factories (or at least, want to pay a factory price point) and senior staff who would like to be brain surgeons and of course expect to be paid as brain surgeons.  Selling brain surgeons at factory-worker rates will send any consulting firm broke.
  • International companies such as Wipro, Tata and Infosys, as well as Accenture themselves, are positioning to take advantage of these opportunities.  

Who is going to be the cyber-security 'factory' that the market needs?  We can't all be surgeons.