
by Den Jones

Why I Started 909 Resources: Bringing transparency to the staffing game.

Before I start on the rant, let’s be clear: I’m hitting the industry with a broad brush stroke. It’s not always the case, but I do think we have a trust issue in the staffing game. As a practitioner for decades and now running a consultancy, I see three sides of the debate.

So, let’s go…

A little while ago I was talking with a consultant who’d just learned what their client was actually paying for them.

Their take-home rate on a long-term project was solid. No complaints there.

Then they saw the bill rate.

The customer was being charged an 85% markup on their time.

SHIT… Eighty. Five. Percent.

This was a multi-million dollar relationship that had been going on for almost ten years. It was “strategic.” It was “trusted.” It was all the buzzy words we like to throw around.

And then the renewal didn’t happen.

The consultant was surprised. The client felt disappointed. And the large firm simply moved on to the next engagement.

Nobody wins there except the spreadsheet.

That conversation stuck with me, because it’s not an edge case. It is the business model for a lot of large firms and “global” consultancies. Especially around critical services like cybersecurity.

The Big 4-style problem

Let’s cut the bullshit for a second.

The Big 4 model is pretty simple:

  • Sell “strategic advisory” to the board and execs
  • Staff it with smart people who genuinely want to do good work
  • Layer on a tangle of opaque rate cards, change orders, and “value-added” services
  • Protect a margin number first, everything else second

And in the middle of that mess you have:

  • Clients who think they’re paying for outcomes
  • Consultants who think they’re being paid fairly
  • A P&L that is laser-focused on utilization and markup

When that model gets applied to something like cybersecurity or compliance, it gets dangerous fast.

Cyber is not a “nice to have.” It is not a shiny strategy slide you look at once a quarter. It is the thing that keeps your business from becoming tomorrow’s “we regret to inform you” headline.

If you are paying 60–85% margins on that kind of work, you are taking two big risks:

  1. You will eventually find out. Someone on your team will see the numbers. Someone will talk. And when that happens, trust evaporates overnight.
  2. You will under-invest where it actually matters. You’ll hesitate on bringing in the talent you need because the cost looks insane, even though the individual consultant is not the problem.

The talent isn’t the issue.
The model is.

Why I built 909 Resources

I spent years inside big companies and in security leadership roles watching two things happen at the same time:

  1. Great engineers and consultants getting bounced from project to project with almost zero transparency on what they were “worth” to the client.
  2. Great companies overpaying through the nose, then acting shocked when the contract doesn’t renew and the relationship feels poisoned.

So I decided to do something annoyingly simple.

I created 909 Resources with three boring but non-negotiable rules:

  1. Transparent pricing
  2. A hard cap of 15% margin
  3. We stay involved to make sure the work actually lands

That’s it. No secret rate cards. No “oh by the way you also need our platinum deployment advisory success enablement add-on.”

You know what your consultant makes.
You know what we make.
You know who is accountable for deliverables.

Why 15% and not “as much as we can get away with”?

Here’s my view:

  • Cybersecurity work is hard enough without everyone guessing who is getting paid what.
  • If your margin requires hiding the math, you have a trust problem, not a pricing strategy.

At 909, our margin is capped at 15%. Full stop.

That 15% is not just “recruiting tax.” It funds things I wish I’d had more of as a CSO and as a customer:

  • Project and deliverable oversight
    We don’t just throw a consultant at you and vanish. We help shape the statement of work, keep an eye on progress, and make sure what you’re paying for is actually getting done.
  • A sounding board for both sides
    Consultants can escalate when something is off. Clients can raise a flag when scope creep appears or priorities shift. We sit in the awkward middle and keep it honest.
  • Fit over fill
    I don’t care how “billable” someone is if they’re wrong for the role. We want the consultant, the client, and the outcome to all be aligned. That’s selfish, by the way. Happy people stay longer.

Could we charge more? Sure.
Would it ruin the whole point? Absolutely.

“Big 4 is too risky” sounds dramatic. Is it?

Here’s what I mean when I say the classic Big 4 approach is too risky for cybersecurity:

  • Misaligned incentives
    If the economic engine is “more hours, more people, higher rates,” then “finish the project efficiently and walk away with goodwill” is almost an anti-goal.
  • Black-box delivery
    You get decks, meetings, and jargon, but very little line-of-sight into who is doing what, at what rate, and with what accountability.
  • Short-term memory
    The second your contract ends or the project slows down, the team gets reassigned and the institutional knowledge disappears. Good luck during your next audit.

When the stakes are “our customer data, our reputation, our ability to operate,” that model isn’t just expensive. It’s reckless.

What 909 Resources actually does differently

Let me make this real.

When we place a consultant or a small team with a client, we:

  • Agree upfront on the consultant’s rate and our 15% uplift
    No mystery invoice. Everyone knows the math.
  • Stay engaged throughout the project
    We review deliverables, help course-correct when reality hits the plan, and make sure the work maps back to why you hired them in the first place.
  • Protect both sides
    If you’re the client, you get a partner who gives you real feedback on whether you’re actually set up to succeed. If you’re the consultant, you get someone in your corner who’s not trying to squeeze your rate while marking you up 70%.
  • Focus on long-term relationships, not one big hit
    I want you to look at your invoice after year one and think, “This is fair. Let’s keep going,” not “How fast can we unwind this?”

It’s not rocket science. It’s just grown-up, transparent business applied to a field that usually hides behind acronyms and day rates.

In closing

I didn’t start 909 Resources because the world needed yet another staffing firm.

I started it because:

  • Consultants deserve to know what they’re worth.
  • Clients deserve pricing that doesn’t require a decoder ring.
  • Cybersecurity is too important to run on “whatever margin finance will tolerate.”

If you like 85% markups, ten-year contracts that evaporate overnight, and a fresh team every time you renew, there are plenty of firms who will happily help you out.

If you prefer transparent pricing, a 15% cap, and someone who actually sticks around to make sure the job gets done, that’s the gap 909 Resources was built to fill.

Happy to compare notes with anyone wrestling with this stuff. Worst case, we’ll both walk away a little wiser and slightly more annoyed at some invoices we’ve seen.

About our Author
Den Jones

Den Jones is a recognized leader in Zero Trust security with over 35 years of IT and cybersecurity experience spanning the tech, finance, and manufacturing industries.  Den is the host of the podcast 909Exec, focusing on helping executives in technology.  He is also an evangelist on the speaking circuit from keynote events to moderation; his blend of Scottish humor and decades of experience leaves lasting memories and education.

Prior to founding 909Cyber, Den ran Enterprise Security at Adobe and Cisco and was the Chief Security Officer at SonicWall and Banyan Security. Den’s organizations led the proactive strategies, execution, and operation of mission-critical services.

His leadership has shaped forward-thinking cybersecurity programs, and his influence extends into the broader industry through contributions to the Identity Defined Security Alliance, Microsoft’s Cybersecurity Council, and multiple Zero Trust advisory boards.

Known for building pragmatic and scalable security solutions, Den blends technical depth with real-world execution. Outside of cybersecurity, he's a passionate music producer with vinyl releases to his name, and an avid fan of soccer, snowboarding, golf, fishing, and food—bringing creativity and balance to every challenge he tackles.
