---

@emb021 wrote:

$2-3 million for a CISO??

 

Yeah, I don't think so.

 

I am a vCISO for several companies and I don't make 6 figures (tho I should), certainly nothing close to that.

 

---

@emb021 what's it like to be a vCISO? How much time do you need to dedicate to each client? Sounds like a cool gig 

As a virtual CISO myself I have been assigned to a single agency (5000+ employees) and currently assigned to two smaller agencies (1- ~100 employees, 2- ~250 employees) and can tell you there are pluses and minuses with each assignment. When I was at the larger agency I had more control of every detail of security from deciding direction to leading the cyber program. At the smaller agencies it is more of policy creation and guidance role.

The big negative is that you are sometimes treated like a contract employee (which I guess you technically are) and sometimes not given complete access or control needed to do the job.

The time is based on the contract we had with each client. Usually so many hours per month. This was taken up by regular meetings I had with the client to go over things, checking to make sure things were operating smoothly.

Now, depending on the client, I spent more time with them at the beginning of the engagement because I was often focused on either developing or improving policies and procedures, and getting them put into place. Part of that is making sure controls are in place and that evidence is being gathered on a regular basis. There are many activities that need to done on a regular basis (annual, quarterly, monthly, bi-monthly, weekly, etc). This is especially important for companies who must maintain HITRUST, SOC, PCI, ISO27001, etc.
What is frustrating is what happens when client X is in a crisis and this impacts the time I would spend with client A, B, and C? I had one client hit by ransomware and I had to help them out, but this impacted me in regards to the time I was spending with another client who needed me to help them prep for SOC 2.