topic Re: CISO Talent Gap in Career Discussions

CISO Talent Gap

AppDefects — Mon, 09 Oct 2023 09:32:01 GMT

Do you have leadership aspirations? Want to become the next powerhouse CISO? This report is a MUST READ in order to learn the how to manage factors critical to success. The report examines the evolution of security management practices and the emergence of the "virtual CISO" for small and medium businesses. The report also suggests that CISO salaries are in the $2-3 million USD range (page 23), but that's not any of my friends...

CYBER BUSINESS EXECUTIVE RESEARCH: SECURITY LEADERSHIP TALENT GAP Effective Strategies to Recruit, Retain, and Develop CISO Talent in Challenging Times

Re: CISO Talent Gap

emb021 — Tue, 26 May 2020 15:21:16 GMT

$2-3 million for a CISO??

Yeah, I don't think so.

I am a vCISO for several companies and I don't make 6 figures (tho I should), certainly nothing close to that.

Re: CISO Talent Gap

AppDefects — Wed, 27 May 2020 04:09:31 GMT

@emb021 wrote:
$2-3 million for a CISO??

Yeah, I don't think so.

I am a vCISO for several companies and I don't make 6 figures (tho I should), certainly nothing close to that.

@emb021 what's it like to be a vCISO? How much time do you need to dedicate to each client? Sounds like a cool gig

Re: CISO Talent Gap

CISOScott — Wed, 27 May 2020 14:51:03 GMT

As a virtual CISO myself I have been assigned to a single agency (5000+ employees) and currently assigned to two smaller agencies (1- ~100 employees, 2- ~250 employees) and can tell you there are pluses and minuses with each assignment. When I was at the larger agency I had more control of every detail of security from deciding direction to leading the cyber program. At the smaller agencies it is more of policy creation and guidance role.

The big negative is that you are sometimes treated like a contract employee (which I guess you technically are) and sometimes not given complete access or control needed to do the job.

Re: CISO Talent Gap

crycos — Tue, 17 May 2022 15:05:54 GMT

Nice report, however, it seems to be more of a marketing material being released by a cybersecurity firm providing such services.

Re: CISO Talent Gap

emb021 — Tue, 17 May 2022 18:03:07 GMT

The time is based on the contract we had with each client. Usually so many hours per month. This was taken up by regular meetings I had with the client to go over things, checking to make sure things were operating smoothly.

Now, depending on the client, I spent more time with them at the beginning of the engagement because I was often focused on either developing or improving policies and procedures, and getting them put into place. Part of that is making sure controls are in place and that evidence is being gathered on a regular basis. There are many activities that need to done on a regular basis (annual, quarterly, monthly, bi-monthly, weekly, etc). This is especially important for companies who must maintain HITRUST, SOC, PCI, ISO27001, etc.
What is frustrating is what happens when client X is in a crisis and this impacts the time I would spend with client A, B, and C? I had one client hit by ransomware and I had to help them out, but this impacted me in regards to the time I was spending with another client who needed me to help them prep for SOC 2.