I certainly understand where you guys are coming from. On certain clients they are definitely in the "break-fix" mindset. "We only need you in if we can't do business, otherwise we don't want to see you" But we like to keep clients on a retainer so we have a minimum amount of hours to work with to ensure updates and such, but sometimes you can't just put that into a monthly retainer, not to mention that I don't believe all our consultants are capable of thorough security evaluations, hence the idea of eventually breaking it off into a seperate division (which I believe it most certainly should be).

It is certainly hard trying to balance billable time, but the point is that when I go to an existing client and say, "WE are no offering a selection of security analysis plans." I guess I'm trying to come up with a reason for clients to start thinking of it as seperate invoice items from the network and sys administration stuff, because in reality it is a job all its own, if it is to be done properly.

What kinds of services have you guys seen offered by security consulting firms? My first thoughts are basic security analysis and consulting, and auditing. The analysis and consulting would probably be more sparse, but I figure we can get return clients from periodic auditing agreements, as this is somethign that no one does but everyone needs.

Oh well, if you have any ideas on how to slowly break this off into its own entity please let me know.

Thanks again!

Regards,
Wizeman