Why you are going to pay me a million dollars a year to be your CISO

For me a job is usually not about the compensation. I'm a challenge-seeking type. However, if I titled this "why you're going to pay me X," it isn't likely you'd read the essay. This is my sales pitch for why every major corporation should be clamoring at my door to hire me. The bottom line up front is that wherever I go, I make things measurably better. I bring a mission orientation, a service leadership bias, and a substance-over-form mentality to almost everything in my life. I take on jobs that I like, and my entire being is applied to the things I do, because my work, hobby, and life all revolve around the simple task of reducing the risk to an organization's assets.


Let's be honest about a few things. I've been in government, academia, and industry. I've not only been "there," I've succeeded beyond most people's imaginings. I've won awards and been given bonuses. One of my former employees says I should tell people I gather accolades like my twin sons collect comic books. How many candidates can say they've been radically successful in multiple fields while serving substantially different constituencies? I thrive on challenge and turn that toward an organization's success.


I’m an international level subject matter expert on information security.


As an academic I wasn't just an adjunct working semester to semester (and I do respect adjuncts, as I'm married to one); I was a senior professor at a major university with tenure. What was I teaching and researching? Information security and digital forensics. Some of my work informed the very construction of multiple nations' cyber security programs. In Estonia, Sweden, Germany, and even the United States, my research was used to inform senior decision makers. I've gone to Russia, China, and several other countries to help them understand facets of information security.


I have real world hands on experience.


In industry I worked on some of the largest information technology teams ever assembled and with some of the greatest professionals of my life. I worked on Y2K for a major telecom, built out an entire remote services security and operations program for one of the largest OEMs in IT, and worked with the security teams of every blue-chip tech company. I am lucky: I learned from the best and led some of the best.


While working for the federal government I led a major military command's security program through multiple major incidents. Through policy and directives, I built a strategic footprint for the reduction of risk across the organization. Ask me how we stopped 90% of phishing in one project alone. I've been THE senior intelligence officer for cyber at the third largest agency in government. To top that off, I testified in front of Congress multiple times on some of the largest incidents in the history of the nation.


I’m a subject matter expert on leadership.


I was once hired into a job as a subject matter expert, and I was a good follower. A good leader knows when to follow, but I have a proven track record of leading diverse teams. Consider that I've taught leadership at the National War College, various military staff colleges, and even a few public universities. One of my former bosses said I was the key to his ability to lead. I never got in the way, but I made every decision by the organization better. He said I was the "BASF of leadership." Another former boss was the officiant at my wedding. I've been the officiant at my students' weddings. This participation in major milestones in people's lives is an indicator of trust, enthusiasm, and leadership both up and down the organizational structure. This is integral to the next point.


I build and refine teams. I can engage in organizational engineering and accomplish more with less. Here is a key point. A former colleague said I was the most famous person nobody had met. Once he started looking for me, he found me everywhere. When I left the program we were working on, he went on to get promoted, then promoted again, and finally ended up running his own organization's information security program. Bringing technical skill to a program is great, but bringing leadership that increases the value of every person in that program is much better. As a low-key, easy-to-get-along-with, no-nonsense leader, I get a lot from the teams I lead.


What about building teams in a world where cyber hiring is tough? I have no issue. There is a deep rolodex (an antique method of keeping contacts) that I travel with, holding hundreds of former students and colleagues with diverse information security skill sets who would welcome working for me. I have NEVER had problems filling seats with great people or getting people to work for me. Given appropriate compensation and an interesting problem set, I have lots of interested people. Part of that is that I'm known for doing cool stuff, and part of it is that I'm known for taking care of my people.


I’ll give you real answers to real problems that help you make and save money.


So, why would you pay me a million dollars a year to run your information security practice? I have the technical skills, the academic pedigree, and the leadership skills to be successful. The military command where I was CISO would rank near the Fortune 100 in size. I've produced threat intelligence on every major critical infrastructure segment, so I know the lay of the land. I've worked closely with all of the ISACs, so I know the customer sets. But the fact that I can do the job is not the reason you'll fork over a seven-digit salary.


Have you had to figure out how much a breach will cost you? You will pay me the big bucks because, for a large enough corporation, the yearly return on investment will likely be 25 to 1: 25 dollars saved for every security dollar spent, each year, and that is an easy target. Given the breadth of responsibility and the current threat environment, those skills will allow me to talk to your boards and owners about risk in an objective, dollars-and-cents way. From strategic intent to tactical implementation, stopping one breach a year will save an organization that much money. Better, the philosophy and capability I bring to your problem sets at the corporate leadership level mean we'll reduce the risk to your organization substantially, with the least impact on the business.


I’m a realist but not a fatalist.


Stopping bad guys from getting into networks and chasing the successful adversary is why people like me put up with long hours. This is the CIO/CISO great puzzle and game. I'd be an idiot if I said I'd stop all the breaches. Beware the fairy sparkle dust of wishful thinking. When breaches happen, I'll save you money. If you're large enough, I'm willing to bet you have adversaries in your network right now. There are likely unwanted guests moving laterally and snarfing up data, or possibly changing it to suit their particular requirements. I bring the partnerships, the knowledge of the industry, and the understanding of compliance architectures to solve the brand erosion and leadership confidence risks of a breach. I bring the knowledge of how to implement and activate functional, accurate operating procedures so that information security becomes a culture of success rather than the domain of burned-out heroes.


I’m usually humble but now I’m looking for a job.


I suck at writing resumes. There is no ISO or RFC for writing a resume. There is no standard template, and everybody contradicts each other: write only about your successes, no, make that your duties, but never speak ill of anybody. I've only been hired directly off my resume once. I've been hired numerous times without a resume. So, how do I get the word out that I'm looking? On the one hand, I've done a lot. On the other hand, I've led a lot. Nobody gets anywhere in the world without the help of others. People help me to be successful, and I help organizations reduce risk to their operations and bottom line. The only question a suitable organization should be asking is when I can start.