From in-house CISO to consultant. What you need to know before making the leap

by AiLink

“If someone is not asking you right now to consult for them, it can take 12-18 months before you land your first client,” says Carlota Sage. She held a part-time CISO role at a nonprofit before transitioning into vCISO work. Later, she went on to found Pocket CISO, which provides cybersecurity services to early-stage startups and small organizations.

Kokhreidze agrees with her. For a smoother transition, he suggests CISOs line up their first clients while they’re still employed. Otherwise, he says, it can take a long time to build momentum. And the pressure to make it work can quickly turn into panic. In that moment, security professionals may start “underpricing themselves because they need money immediately,” he says. Once rates are set out of desperation, they’re often hard to reset without straining the relationship.

Other CISOs-turned-consultants also emphasize preparation. Kedys, for instance, stresses the need for a go-to-market focus. “Decide who you want to advise (industry, company size, maturity), what problems you’ll solve, and why you’re credible for that,” he says. “The combination of strong soft skills and a clear focus — who, how, and why — is the best starting point for a successful transition.”
