AppDefects
Community Champion

CISO Talent Gap

Do you have leadership aspirations? Want to become the next powerhouse CISO? This report is a MUST READ in order to learn how to manage factors critical to success. The report examines the evolution of security management practices and the emergence of the "virtual CISO" for small and medium businesses. The report also suggests that CISO salaries are in the $2-3 million USD range (page 23), but that's not any of my friends...

CYBER BUSINESS EXECUTIVE RESEARCH: SECURITY LEADERSHIP TALENT GAP Effective Strategies to Recruit, R...

5 Replies
emb021
Contributor III

$2-3 million for a CISO??

Yeah, I don't think so.

I am a vCISO for several companies and I don't make 6 figures (though I should), certainly nothing close to that.

---
Michael Brown, CISSP, HCISPP, CISA, CISM, CGEIT, CRISC, GSLC, GSTRT, ISSA Fellow
AppDefects
Community Champion


@emb021 wrote:

$2-3 million for a CISO??

Yeah, I don't think so.

I am a vCISO for several companies and I don't make 6 figures (though I should), certainly nothing close to that.

@emb021 what's it like to be a vCISO? How much time do you need to dedicate to each client? Sounds like a cool gig :D

CISOScott
Community Champion

As a virtual CISO myself I have been assigned to a single agency (5000+ employees) and currently assigned to two smaller agencies (1- ~100 employees, 2- ~250 employees) and can tell you there are pluses and minuses with each assignment. When I was at the larger agency I had more control of every detail of security from deciding direction to leading the cyber program. At the smaller agencies it is more of policy creation and guidance role.

The big negative is that you are sometimes treated like a contract employee (which I guess you technically are) and sometimes not given complete access or control needed to do the job.

crycos
Viewer II

Nice report, however, it seems to be more of a marketing material being released by a cybersecurity firm providing such services. 

emb021
Contributor III

The time is based on the contract we had with each client. Usually so many hours per month. This was taken up by regular meetings I had with the client to go over things, checking to make sure things were operating smoothly.

Now, depending on the client, I spent more time with them at the beginning of the engagement because I was often focused on either developing or improving policies and procedures, and getting them put into place. Part of that is making sure controls are in place and that evidence is being gathered on a regular basis. There are many activities that need to be done on a regular basis (annual, quarterly, monthly, bi-monthly, weekly, etc). This is especially important for companies who must maintain HITRUST, SOC, PCI, ISO27001, etc.

What is frustrating is what happens when client X is in a crisis and this impacts the time I would spend with clients A, B, and C. I had one client hit by ransomware and I had to help them out, but this impacted me in regards to the time I was spending with another client who needed me to help them prep for SOC 2.
---
Michael Brown, CISSP, HCISPP, CISA, CISM, CGEIT, CRISC, GSLC, GSTRT, ISSA Fellow