- Last Week As A vCISO
The Good, The Bad, and The Ugly of vCISO Life
Insights into Fractional CISO / vCISO Life, and other links
The Good, The Bad, and The Ugly of Fractional CISO Life
Let’s face it, everything we see on social media is the best side of things. We see the successes of people and their endeavors, not the failures.
We hear about the new job, but not about the hundreds of applications and ghosted messages.
We hear about the new successful launch but not about the tens of failures preceding that.
We see the wins, but not the losses that had a mental toll on someone prior.
While entrepreneurship can be very rewarding, it’s not easy nor always straightforward.
Ok, you get it right? Great.
I’ve been a Fractional CISO for many years now, probably longer than 80 or 90% of the people doing it today.
I’ve had my successes and failures.
And now I’m teaching others the craft.
However, I’m a realist. I’m not trying to paint a rosy picture of Fractional life.
Actually, most fractional executives burn out and go back to FTE life.
Why?
Mostly because of unmet or mismatched expectations.
Just like marriage. It takes work to make it successful.
Anyway, I digress.
One of the first things I teach in my Fractional CISO Success course, and which I’ll make available for free, is The Good, The Bad, and The Ugly.
I think it’s important to understand what you’re getting into when trying to start a fractional business.
So let’s go over briefly what’s involved. I’ll try to go into detail, but it’s the weekend with the kiddos and I need to ship this sooner rather than later.
You can also download slides from the course here.
The Good
So let’s go over some of the benefits of being a Fractional CISO.
Flexible schedule
As with any business or endeavor, you own your calendar. Of course, this is a double-edged sword, but you can set your schedule with your client as you wish.
Do they need you all the time? Are you ok with that? Charge them more, and seal the deal.
Do you want to work only in your local hours? Do they need a high SLA or low SLA? Figure it out and charge them appropriately.
The downside of this is trying to take time off. If you have a vCISO friend who can sub for you, that will make it much easier to unplug.
They Listen To You
Yes, they actually listen to you! You are a paid consultant and they are paying you for your expertise and experience. They want an authoritative answer. As long as you have the confidence to deliver that answer, backed by data and experience and communicated in a way they understand, they will listen to you.
Of course, this is sometimes only to an extent. If they have you only for sales enablement (a fancy term for filling out DDQs) and falsely think their security is actually good, they may not want to hear your advice.
However, once you burst their bubble and show them that they still have public S3 buckets and that half their confidential files are shared publicly, they tend to listen.
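The "public S3 buckets" finding above is exactly the kind of bubble-bursting check worth scripting before the first client meeting. The following is an added example, not the author’s code or the course material: it takes a bucket’s Public Access Block settings, ACL grants and bucket policy (in the JSON shapes the AWS APIs return) and reports which exposures are actually in effect, since a public ACL or policy is neutralised when the matching block setting is on. The inventory is constructed; in practice each entry comes from boto3’s `get_public_access_block`, `get_bucket_acl` and `get_bucket_policy`, and the account-level block settings apply on top of the bucket-level ones.

```python
import json

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"


def acl_is_public(acl):
    """True if any grant in a GetBucketAcl-style response goes to the
    AllUsers or AuthenticatedUsers group (AWS treats both as public)."""
    for grant in (acl or {}).get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in (ALL_USERS, AUTH_USERS):
            return True
    return False


def _wildcard_principal(principal):
    """Principal "*" or {"AWS": "*"} (or an AWS list containing "*")."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def policy_public_statements(policy):
    """Return (unconditional, conditional) counts of Allow statements with a
    wildcard principal. A conditional one may or may not be public (an
    aws:SourceVpce condition is not; an aws:Referer one still is), so those
    are reported for manual review rather than judged here."""
    if not policy:
        return 0, 0
    if isinstance(policy, str):
        policy = json.loads(policy)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    unconditional = conditional = 0
    for st in statements:
        if st.get("Effect") != "Allow" or not _wildcard_principal(st.get("Principal")):
            continue
        if st.get("Condition"):
            conditional += 1
        else:
            unconditional += 1
    return unconditional, conditional


def bucket_findings(public_access_block, acl, policy):
    """Combine the three settings into the exposures actually in effect.
    Pass the effective (bucket OR account) Public Access Block settings."""
    pab = public_access_block or {}
    findings = []
    # IgnorePublicAcls makes public ACL grants inert.
    if acl_is_public(acl) and not pab.get("IgnorePublicAcls", False):
        findings.append("public ACL grant in effect")
    # RestrictPublicBuckets limits a public policy to the owning account and AWS services.
    unconditional, conditional = policy_public_statements(policy)
    if not pab.get("RestrictPublicBuckets", False):
        if unconditional:
            findings.append("public bucket policy in effect")
        if conditional:
            findings.append("conditional wildcard-principal policy statement: review manually")
    return findings


def scan(inventory):
    """inventory: {bucket_name: {"pab": ..., "acl": ..., "policy": ...}} -> {bucket_name: findings}"""
    return {name: bucket_findings(b.get("pab"), b.get("acl"), b.get("policy"))
            for name, b in inventory.items()}


# Constructed sample inventory (hypothetical bucket names, not real accounts).
PUBLIC_READ_ACL = {"Grants": [{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]}
PRIVATE_ACL = {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner"}, "Permission": "FULL_CONTROL"}]}
PUBLIC_GET_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::marketing-assets/*"}]})
VPCE_ONLY_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::internal-reports/*",
     "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}}]})
BLOCK_ALL = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
             "BlockPublicPolicy": True, "RestrictPublicBuckets": True}

SAMPLE_INVENTORY = {
    "marketing-assets": {"pab": {}, "acl": PRIVATE_ACL, "policy": PUBLIC_GET_POLICY},
    "legacy-uploads": {"pab": {}, "acl": PUBLIC_READ_ACL, "policy": None},
    "internal-reports": {"pab": {}, "acl": PRIVATE_ACL, "policy": VPCE_ONLY_POLICY},
    "locked-down": {"pab": BLOCK_ALL, "acl": PUBLIC_READ_ACL, "policy": PUBLIC_GET_POLICY},
}

if __name__ == "__main__":
    for name, findings in scan(SAMPLE_INVENTORY).items():
        print(f"{name}: {findings or 'no public exposure'}")
```

The point of splitting ACL, policy and block settings is that a "public" ACL on a bucket with Public Access Block fully enabled is not a finding you want to walk into the room with; the conversation lands better when every item on the list is actually reachable from the internet.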
The Bad
Let’s get into the Bad.
Stay In Your Lane
As an experienced security leader, you know exactly what good looks like. So when you suggest they need to invest in (better) penetration testing or application security training for their engineers, it might be met with a lower priority than you expect.
This is where you need to be delicate in how you approach startups with security.
They may have reluctantly made the budget to bring you on for SOC 2 or sales enablement, and now you are recommending other things that might “slow” them down or cost more money.
Or they might have expected you to wave a magic wand and solve all their security problems.
This is an opportunity though to be creative and work your CISO magic.
As with all security leadership, full-time or contract, you must be savvy in communication, technology, and understanding the business needs.
The trick is adapting this to your approach as a Fractional executive.
The Ugly
Feast or Famine
Depending on how you design your business, it can be very feast or famine.
This is the downside with almost all agency businesses.
This is especially the case if you charge hourly.
Note: I talk about this extensively in the pricing module of the course and how to avoid it
Mismatch of Needs
Once a client is “done” with your work, then you are out looking for the next engagement.
I’ve come in to replace other vCISOs before because they didn’t understand startups well or had a legacy way of thinking.
I’ve been replaced too, for cheaper and less white-glove options (just fill out the DDQs please and stay in your lane).
That’s fine.
The trick is to have full clarity of the engagement and expectations on both sides before starting.
They may want someone to write code and Terraform.
Or maybe they just need someone professional to talk with their clients and fill out DDQs.
Maybe they have compliance and are truly interested in taking their security to the next level (my favorite).
Are you that person?
Knowing what questions to ask and how to scope your engagement can make or break your business (and your happiness).
Conclusion
My goal with this post was to give you insight into the world of Fractional CISO life.
I cover this and TONS more in my course, Fractional CISO Success. It’s filled with practical experience, war stories, and templates on how to get started and launch quickly.
I have a live cohort starting July 14th! It runs for the entire week, and we’ll be meeting daily at 12pm Pacific.
If you are a CISO, Security Leader, or MSSP looking to launch a fractional CISO business, and want to cut your time to launch in half, this course is for you.
If you have any questions at all, reply to this email or email me at [email protected]
Some Interviews on vCISO Life
Below are two interviews on the topic. Enjoy!
In Other News…
Here are some interesting articles and posts I ran into this week that you might enjoy:
Commentary:
Secrets Broker
☕️ Secrets are such an issue all the time. It’s often not done well. Best case is to eliminate apps from seeing secrets altogether, but of course this introduces a fault tolerance issue / trade off.
Qualities to look for in a CEO (or CISO for that matter)
☕️ Good listicle that also applies to CISO and security leaders in my opinion.
CISO AI Playbook
☕️ As we are all debating the AI replacement of security team members, this article presents a really good practical view of the matter.
Being Too Ambitious = Self-Sabotage
☕️ This article really spoke to me. Listened to the entire thing. I should probably make it a weekly listen. Inspired me to pick up and read a chapter from The 10X Rule.
When To Say No
☕️ Related to the above, an excellent listen as you endeavor on your next career or personal goal.
That’s all folks! Thanks for reading! Feel free to share and repost!