Is Consulting the Right Gig for You? Insights from a CISO Who Made the Transition
CISOs who are pondering starting an independent consulting firm must carefully weigh whether they can live with the potential financial risks as the business builds, says Kate Borten, a former CISO who heads The Marblehead Group consultancy.
"You also have to be self-motivated and fairly organized to be able to manage your own business," she says in an interview with Information Security Media Group.
Borten, who formerly served in various security leadership roles at healthcare organizations, says she started her own firm rather than joining an established consultancy because "I decided I would have much more control over my life by doing this independently."
She stresses that there are plenty of opportunities for information security consultants, especially in the healthcare arena, because "there are so many organizations that need a better understanding of what information security is all about, how to assess risk and what reasonable security controls need to be put in place."
But success as a consultant, Borten says, "is going to come down to the business skills that really don't have anything to do with information security ... making the contacts and understanding how to frame information security in business terms and not get too technical."
Borten says her background in software and system development has proven helpful in her consulting career.
"As a software developer, I early on recognized the need to be able to communicate with my business users in the organization about what they needed - what's the business function that my system needs to support to help you do your job better?" She points out that, as a consultant, she now uses "that same sort of ability to talk about security in business, operational and workflow terms and not get technical - to be able to bridge that gap between the technical aspect of security and what the business leadership needs to know."
An experienced CISO who becomes a consultant can be a valuable resource to organizations struggling with security, Borten adds. "I feel as though I really understand what they are facing. ... I've worked inside organizations, so I understand the stresses, the difficulties of, for example, certain parts of the organization that are very resistant to security. ..."
In this interview, Borten discusses:
- How she made the transition from CISO to consultant;
- The pros and cons of joining a large consulting firm vs. starting an independent firm;
- The similar skills necessary for success as a CISO and as a consultant.
Before founding The Marblehead Group in 1999, Borten led the enterprisewide security program at Massachusetts General Hospital in Boston and established the first information security program at Beth Israel Deaconess Medical Center and its parent organization, CareGroup, as its chief information security officer.