One of the things I’ve realized in the past year (2024) is that one of the things that is very misleading is being a consultant, because you can do many things but don’t have the role, nor the benefits, perks, and certainly not the money that goes along with what you do. I have worked with several clients and I’ve seen really many things that could blow your mind. Sometimes companies are worried about stuff that is not relevant while tolerating risks that are horrible, and also with talent. This is not all a rant but rather an acknowledgement that clear goals can be hard to attain, let alone share with people, and this is one of the biggest challenges in our time.
Being a CISO is a mindset. I’ve seen and heard of many CISOs from all walks of life, as close to or far from technology as you can imagine, so just technical skills are not it, just strategy is not it, managerial skills are not it. So what is it?
Part of the discovery is the willingness to learn to lead, to manage, to prepare, to brainstorm, to tabletop, and to communicate risks in a meaningful manner to the relevant stakeholders. Yet, what happens when they do not want to listen? Oh, now we approach murky waters for sure, as this is something I’ve seen countless times: companies that stack breaches as if they were ornaments on the Christmas tree and that still do things the same way. And also some smaller companies that have been doing pretty well and have a very robust information security posture.
I will leave you for now saying, stay curious!