Same revenue, same headcount, six turns of EBITDA apart
Put two ServiceNow partners side by side. Both are Elite-badged. Both run around $18M in services revenue with roughly 90 consultants. Both have healthy utilization and a clean recurring-upgrade book. On paper they are twins.
One of them sells at 8x EBITDA. The other sells at 14x. Same growth, same logos in the deck, same Santa Clara badge on the wall. The difference isn't size or quality of delivery — it's whose budget signs the renewal. And once you understand that, the Elite badge stops looking like a moat and starts looking like table stakes.
The first partner is an ITSM generalist. They configure incident and change forms, run quarterly platform upgrades, and clean up catalog items. Good work, genuinely. But it lives inside the CIO's discretionary efficiency budget — the exact line item that gets trimmed in the first hard quarter. Offshore delivery centers have pushed onshore blended rates for this work down into the $135–$165/hour range, because the world is not short of people who can build an approval workflow.
The second partner does Security Operations and GRC/IRM. They wire vulnerability scanners into the platform, stand up incident-response workflows the CISO reports to the board, and build the compliance posture that keeps the company out of regulatory trouble. That work doesn't get cut when the quarter goes sideways — with the SEC's four-day material-incident reporting rule and CMMC deadlines on the calendar, it gets more urgent. Per the Gartner IT spending forecast, security budgets keep outpacing general IT for exactly this reason: one is optional, the other is survival.
That is the whole game. A buyer paying 14x isn't paying for billable hours. They're paying for a revenue stream attached to a budget that legally cannot be paused.
Run the math on a 1,000-seat deployment and the gap stops being a story
The premium is easy to dismiss as narrative until you put it through a P&L. Take one client, 1,000 users, and price the same engagement two ways.
On the ITSM side, you're staffing $135–$165/hour consultants against a license base that runs around $100/user/month, with implementation fees tracking somewhere in the 3x–5x annual contract value band. Gross margin sits near 45%, because the talent is abundant and the rate is capped by whatever an offshore center quotes against you.
On the SecOps side, the seats cost the client $150–$200+ per user per month — advanced modules carry advanced pricing — and implementation lands at the top of that same 3x–5x ACV range because the work is harder to scope and riskier to get wrong. More importantly, the people. A SecOps consultant has to hold the ServiceNow platform knowledge and the security credentials (CISSP, CISM) that let them sit across from a CISO and not get found out. That hybrid is scarce, so blended rates run $225–$295/hour. The roughly $90/hour delta doesn't get eaten by overhead — it falls almost straight to gross margin, pushing it past 60%. Fewer, more senior bodies generating more revenue each is also the cleanest way to drive revenue-per-employee, which is the efficiency number a buyer's analyst circles first.
Then there's what happens after go-live, and this is where the two businesses truly diverge. An ITSM win is a "land" — you delivered, you hope they call you for the next module. A SecOps win is an "expand" by default. The moment you've integrated a client's Tenable or Qualys feeds into the platform, you own the single source of truth for their security posture. That ownership converts into managed GRC and vCISO retainers — recurring, high-margin revenue a generalist literally cannot sell because they were never trusted with the security data in the first place. The platform's own acquisition moves into security only deepen that moat; the vendor is actively expanding the surface area a specialist gets paid to own.
The diligence questions that decide whether you get 14x or 9x
If you hold one of these partners and you're heading to market, here's the trap: you cannot type "SecOps specialist" into the CIM and collect the premium. Buyers active in cybersecurity M&A have seen the costume. They'll pressure-test three things in technical diligence, and your answers set the multiple.
"What happens if your two best security architects quit?" If the honest answer is "the practice evaporates," you don't have a SecOps business — you have Dave and Sarah with a logo. The fix isn't more hiring; it's productizing what's in their heads. Build accelerators — pre-built CMMC and NIST workflow packages that sit on the platform and do 70% of the engagement before a senior even logs in. A buyer pays for IP that survives attrition. "We'd hire more" is an 8x answer; "here's the accelerator" is a 14x answer.
"Show me the security numbers, not the blended ones." Fifty certified specialists who passed the exam but never ran a live deployment is a paper tiger, and a sharp buyer will find it. Before you go to market, split your case studies — SecOps in one column, ITSM in another, never merged. Pull CSAT for security projects specifically. And surface net revenue retention for security clients on its own line; a real specialist book runs 120%+, and that single number does more for the multiple than any slide of badges.
"Are you building toward the platform or against it?" If your team is still hand-rolling custom integrations to legacy security tools while the vendor ships Service Graph Connectors for exactly that job, you're not creating value — you're manufacturing technical debt the buyer will have to pay to unwind. Alignment with the product roadmap is a diligence checkbox now, not a nice-to-have.
The one-line version to carry into your next board meeting: generalists get sold on capacity — we have bodies. Specialists get sold on capability — we contain risk. Before you scope the next engagement, ask which budget it's billed to. That answer, repeated across your book, is the difference between a 9x exit and a 14x one.
