I want to start with thanking the folks at #bsidesbos2020 for having me present this past Saturday. The organizers did a tremendous job pulling off the 10-year anniversary of BSides in Boston!
For folks who either missed it in the discord channel or missed the talk – here is the link to the deck. Due to the tremendous feedback I received after the talk, I wanted to share some of the questions and answers with folks.
Let’s get started:
Slide 1 – Why
A lot of folks wanted a bit more information on the salaries for CISOs in Boston and New England. These are drawn from our open source career ladders project.
Surprisingly, there is very little salary differentiation for a true-CISO role across New England. The key here is “true CISO Role”. You need to be actually doing the job to make this money. A few folks get the title, but are really individual contributors or junior managers. You will not make this kind of money in these
After the talk, many folks reached out and said that maybe this might not be the role I want (to be honest, about 85% of people I talk to about this come to the same conclusion). What I want to say is that you can have a pretty good career staying technical and never be a CISO. As an example, here is the product security architect salary range for Boston:
While not 400K, 240K is not bad given that you will have considerably less stress and not be
Little “c” on Prestige
This was a controversial statement. I know the press always talks about how security is now in the “C” suite. That said, it has been my experience (and that of many of my peers) that while you do participate in those meetings – honestly, your opinion is not likely to count as much as the CFO or the COO. This, I believe, comes from the perception that many CISOs are technical rather than business folks. Can this be overcome? Absolutely, if you are willing to get out of your comfort zone and take on business tasks or carry a number. If not, you will be a little “c”.
Slide 2: What
A lot of folks commented that 5% seems low. Like I mentioned in the talk, they are hiring you as a business leader and not a technical implementer. The caveat I will give is that in some micro teams (<5 people total), this total may creep up to 15-20%. This lift is usually taken from the paperwork bucket, as team & regulatory items may be less in such a small team. The cautionary tale is to not let the % lift come from meetings. As I stressed in my presentation, this is the most important thing you can be doing for your program and team.
My opinion is that this is one of the most important things you can do to guarantee the success of your program. You are only as good as the team you lead. If you are not meeting your folks on a periodic basis and working with them on their growth plans, your team will likely only be as good as it is today – with a potential downside if folks get complacent.
Folks seemed to have a negative reaction to my statement on security needing to “do” marketing. What I will tell you is that if you want to be successful, you need to employ marketing principles/activities. Take a glance at the article Chris Romeo over at Security Journey and I wrote on this topic – https://bit.ly/2Gan7H9
Slide 3: HOW – Prepping for the Job
There were quite a few questions around what business skills someone should be learning to prepare for the role. Here is a short list:
Present at conferences when you can. CISOs do attend/listen.
And there are many more regional opportunities for folks. Get out there.
Slide 4: HOW – Landing
I made brief mention of this in the talk. Think of this as a “mini-CISO” for a particular function or business unit at a larger company. This is a great opportunity to not only learn the skills of being a CISO (with the support of the larger org to fall back on) but also to determine if this is a career you want to pursue. These only occur in the larger (say $1B+) companies, but they are worth a look.
Seems that this might have been unclear for folks in the presentation. Let me clarify this with an example:
Sally is a senior manager of information security at a large tech company. She manages a team of 20 and has a budget of $5M. She has a CISO opportunity with a team of 5 and a budget of $2M.
She steps down from the team size/budget to take on the responsibility of a total program with the upside for the next role. I tell folks – you don’t take a new job for the new job, but rather you take the new job for the job you will get after that one.
I made a point to say you need to get through probation. In reality, there are likely 2 probationary periods. The first is the official HR period, which is usually 90 days. The second is your “c” level probation, which is more like a year. You need to clear both of these periods to stay on.
Slide 5: When
This is real. I have seen this emerging for many years now. Here is a link to an article I wrote last year around this topic – https://bit.ly/36hZYx6. Do not let the job consume you. If you need help, please get it, as the job is not worth it. Finally, here is a shout-out to the folks at https://www.mentalhealthhackers.org/ – they do a great job at conferences, and I urge you to support them if you can.
This appeared to be scary to some folks. Let’s face it, if you are doing the “true” CISO gig, you are a businessperson and the jump is not as high as you think it is. The business skills and contacts you have learned/made have you positioned to be successful. All you need to do is take a risk and try it (and yes, I know security folks are not known for being big risk takers).
I hope this post provides clarity for folks and I’ll close with a final thank you and shout out to the BSides folks!