I want to start with thanking the folks at #bsidesbos2020 for having me present this past Saturday. The organizers did a tremendous job pulling off the 10-year anniversary of BSides in Boston!

For folks who either missed it in the discord channel or missed the talk – here is the link to the deck – https://bit.ly/2RWa2Ud. Due to tremendous feedback I received after the talk, I wanted to share some of the questions and answers with folks.

Let’s get started:

Slide 1 – Why:

Money

A lot of folks wanted a bit more information on the salaries for CISOs in Boston and New England. Drawn from our open source career ladders project (located here – https://bit.ly/3cOcUMI). Here is what they look like:

Where Low Medium High
Boston/ New England 250K 335K 400K

 

Surprisingly, there is very little salary differentiation for a true-CISO role across New England. The key here is “true CISO Role”. You need to be actually doing the job to make this money. A few folks get the title, but are really individual contributors or junior managers. You will not make this kind of money in these positions.

Have-to

After the talk, many folks reached out and said that maybe this might not be the role I want (to be honest about 85% of people I talk too about this come to same conclusion). What I want to say is that you can have a pretty good career staying technical and never be a CISO.  As an example, here is the product security architect salary range for Boston:

Where Low Medium High
Boston 162K 203K 244K

 

While not 400K, 240K is not bad given that you will have considerably less stress and not be working 24X7.

Little “c” on Prestige

This was a controversial statement. I know the press always talks about how security is now in the “C” suite. That said, it has been my experience (and that of many of my peers), that while you do participate in those meetings – honestly, your opinion is not likely to count as much as the CFO or the COO. This, I believe, comes from the perception that many CISOs are technical rather than business folks. Can this be overcome? Absolutely, if you are willing to get out of your comfort zone and take on business tasks or carry a number. If not, you will be a little “c”.

Slide 2: What

SME %

A lot folks commented that 5% seems low. Like I mentioned in the talk, they are hiring you as a business leader and not a technical implementer. The caveat I will give is that in some micro teams (<5 people total), this total may creep up to 15-20%. This lift is usually taken from the paperwork bucket as team & regulatory items may be less in such a small team. The cautionary tale is to not let the % lift come from meetings. As I stressed in my presentation, this is the most important thing you can be doing for your program and team.

Evals

My opinion is that this is one of the most important things you can do to guarantee the success of your program. You are only as good as the team you lead. If you are not meeting your folks on a periodic basis and working with them on their growth plans, your team will likely only be as good as it is today – with a potential downside if folks get complacent or leave.

Marketing

Folks seemed to have a negative reaction to my statement on security needing to “do” marketing. What I will tell you is that if you want to be successful, you need to employ marketing principles/activities. Take a glance at the article Chris Romeo over at Security Journey and I wrote on this topic – https://bit.ly/2Gan7H9

Slide 3: HOW – Prepping for the Job

Business Skills

There were quite a few questions around what business skills should someone be learning to prepare for the role. Here is a short list:

  1. Management – Leading, staffing models, diversity, hiring
  2. Human Resources skills – employment law, comp & benefits
  3. Finance – FP&A, basic accounting, basic treasury concepts, be able to read a 10-K filling
  4. Marketing – campaigns, content marketing, public relations, analyst relations
  5. Law – basic cyber, privacy, constitutional, IP, and contract law
  6. Sales – sales process, pipelines, channel management

Cross Discipline Networking

Building off the list above, you should have at least the following 7 contacts that you can talk to when you need to.

  1. Human Resources recruitment
  2. Human Resources Benefits/employment specialist (or a firm contact)
  3. FP&A specialist
  4. Controller or senior accountant
  5. Public Relations specialist
  6. Contract Lawyer
  7. Sales Leader

External Squirrels

Many folks asked how they can grow their list of these contacts. To be honest, there are many resources out there to assist, you just need to get out and work them. Here are a few to consider:

  1. Mass TLC CISO Group (#masstlc) – regional group for high tech companies
  2. Evanta – CISO – https://www.evanta.com/ciso
  3. Present at conferences when you can. CISOs do attend/listen.

And there are many more regional opportunities for folks. Get out there.

Slide 4: HOW – Landing

BISO

I made brief mention of this in the talk. Think of this as a “mini-CISO” for a particular function or business unit at a larger company. This is a great opportunity to not only learn the skills of being a CISO (with the support of the larger org to fall back on) but also to determine if this is a career you want to pursue. These only occur in the larger (say $ +1B companies) but they are a worth a look.

Down-to-Up

Seems that this might have been unclear for folks in the presentation. Let me clarify this with an example:

Sally is a senior manager of information security at a large tech company. She manages a team of 20 and has a budget of $5M. She has a CISO opportunity with a team of 5 and a budget of $2M.

She steps down from the team size/budget to take on the responsibility of a total program with the upside for the next role. I tell folks – you don’t take a new job for the new job, but rather you take the new job for the job you will get after that one.

Probation

I made a point to say you need to get through probation. In reality, there are likely 2 probationary periods. The first is the official HR period which is usually 90 days. The second is your “c” level probation which is more like a year. You need to clear both of these periods to stay on.

Slide 5: When

Burnout

This is real. I have seen this emerging for many years now. Here is link to an article I wrote last year around this topic – https://bit.ly/36hZYx6. Do not let the job consume you. If you need help, please get it, as the job is not worth it. Finally, here is a shout-up to the folks at https://www.mentalhealthhackers.org/ – they do a great job at conferences, and I urge you to support them if you can.

Business Role

This appeared to be scary to some folks. Let’s face it, if you are doing the “true” CISO gig, you are a businessperson and the jump is not as high as you think it is. The business skills and contacts you have learned/made have you positioned to be successful. All you need to do is take a risk and try it (and yes, I know security folks are not known for being big risk takers.)

I hope this post provides clarity for folks and I’ll close with a final thank you and shout out to the BSides folks!

Stay safe,

Marc