From Dirty Laundry to Cleaning up Your Security Program: How I became a vCISO
Originally posted at https://fractionalciso.com/from-dirty-laundry-to-cleaning-up-your-security-program-how-i-became-a-vciso/

“People don’t leave a company, they leave their manager.”

So what does it mean that I quit working for myself as a solo consultant to work for someone else instead?

Let’s find out.

Who plans on becoming a vCISO?

I never meant to be a vCISO.

I mean, who grows up thinking, “I want to be a Chief Information Security Officer!” much less thinking “I want to be a part-time CISO for a bunch of companies!” I didn’t even know about cybersecurity until a good fifteen years into my tech career.

A childhood friend recently told me, “of course you ended up in cybersecurity! Don’t you remember that time a bunch of us wanted to break into the empty house down the street and you laid out all the possible consequences of our actions and made us accept the risk before you’d go with us?”

Okay, yeah, of course I ended up in cybersecurity!

But it took me a while to find my way.

Two Roads Diverged in the Yellow Wood, and I decided to go off-roading…

My path into cybersecurity isn’t just winding, it’s so convoluted I can barely draw the map. And unlike Robert Frost’s famous poem, I didn’t take the path less traveled by to get to where I am. I didn’t take a cybersecurity path at all.

I started out majoring in Marine Biology, then realized my love of all things ocean simply wasn’t going to overcome the aquaphobia I’d developed when I nearly drowned as a child. So I dropped out of college and worked random jobs while I decided what to be when I grew up. I eventually stumbled upon website development in the late ‘90s and used that to put myself through college for textile chemistry!

Yes, I not only got my degree in dyes and finishes, I was a chemist for a nonprofit dedicated to the research and marketing of the glorious cotton fiber for an entire eight months. When I found myself networking all of the lab equipment to automagically dump data into an Access database, I realized it was time to get back into tech.

But hey, at least I use my degree every time I do laundry!

From there, I took on architecting, developing and migrating large-scale content management systems and websites, then made knowledge bases for places like NETGEAR and Netflix, and then did a bit of consulting on the help center for Facebook. In 2013, I landed a six-week contract with the IT team at a little 300-350 person security company called FireEye. My contract got extended, and by the end of the year we had over 1,100 people.

I came on full-time in the Support & Services organization to do knowledge strategy: optimizing our technology platforms to support business processes and human behavior. That included being the admin for our Community platform – the software driving our forums and knowledge base.

One day, the marketing guy running the Community was frustrated that he couldn’t find “our IPMI documentation” and asked for my help. IPMI? I explained that IPMI meant “Intelligent Platform Management Interface” and was a hardware standard, not one of our products, and he asked if I would be willing to answer the customer directly. I popped into the Community and, well, let’s just say I got addicted to helping people. Sometimes it was small stuff, like Linux, hardware or product questions. Sometimes it was big stuff, like making sure our customers had the absolute latest information about WannaCry and NotPetya. And sometimes it was just helping a security person get through a frustrating day. I ended up taking over the Community and working my strategy magic there.

I loved every minute of it, and realized that cybersecurity was my calling. Even though I’d just finished a masters in Information & Knowledge Strategy, I was enjoying security so much I started studying for my CISSP.

When I left FireEye, my intention was to do knowledge strategy, community and culture consulting for security startups and teams until I could build out a software product that was in my head. Instead, I found myself doing technology strategy consulting for my favorite non-profit. I red-flagged a few security issues during product reviews and kept trying to get them to hire a security person. (Hint: Your application should absolutely never roll back operating system patches!) I made so much noise about security, they finally asked me if I’d build their security program.

The great thing about working with a non-profit is that they allowed me to share the bones of everything I made for them back to the industry at large, like my risk and recovery estimates and security maturity models (Note: these links both download *.xls files from GitHub). I was able to tap my amazing and generous infosec network to crowdsource feedback on these things, so I knew what I was giving back to the community was valuable and needed.

I’d gone from vCTO work to vCISO work and, surprisingly, I was totally grooving on it.

Until I wasn’t.

How Carlota got her Groove back.

Honestly, I did not enjoy running a small business. At first I outsourced the things I really hated – taxes and accounting. Then I hired a friend to be my part-time admin to handle mail and chase fidgety things. Then I got to a point where I knew I either needed to hustle up more clients and possibly hire someone else, or shut everything down and go join another company.

The pandemic made that decision a little bit easier. I did extremely well in 2020, but as I saw my clients and potential clients tighten their belts for the uncertainty of 2021, I could see this year was going to be slim. And while I knew I could survive it, I also knew I wasn’t going to grow, either as a business or – more importantly – as a human.

I began shutting things down and started looking for work back in the security product vendor space – I couldn’t find any “full-time” vCISO roles at the time. Just as I was deep into a set of interviews with my top vendor choice, Rob posted an opening for a vCISO role in an international vCISO association where we were both members.

We had interacted before and I just loved his ethos and approach to securing medium sized businesses. I couldn’t believe my luck!

The interview process was one of the best I’d ever been through – thoughtful, challenging, well organized, and I always felt like I was getting constructive feedback throughout. I knew I was going to be disappointed if I didn’t get the offer.

And then I got the offer.

JACKPOT!

And now, here I am one month in, and there is zero doubt in my mind that rebooting my career with Fractional CISO was the absolute best possible choice. I love this team, I love our clients, and I love the impact I make both internally and externally.

Bonus – I don’t have to do taxes or accounting! I can contribute to the business growth in ways that are more satisfying and sustainable for me personally.

So I kicked off this blog wondering what it means to quit working for yourself. Did I fail in some way? I don’t think so – I did some great work as a solo vCISO. I just chose to grow in a different way, and I’m thrilled to be growing with Fractional CISO!

Lisa Larson

A different kind of non-profit: Serving Libraries, Archives & Museums by exploring the intersections - both known and newly discovered - through Convening, Open Access and Open Source technologies and the power of Scale

3 years

You’re pretty amazing, great post

Chinmayee Paunikar, CISSP

Cybersecurity Operations Manager at Fractional CISO | CISSP

3 years

What a great story!

Rob Black

I help business leaders manage cybersecurity risk to enable sales. Virtual CISO to SaaS companies, building cyber programs. vCISO | Fractional CISO | SOC 2 | TX-RAMP | LinkedIn Top Voice

3 years

We are thrilled to have you on the team. What a great story!
