
Cybernomics Radio
Welcome to Cybernomics, the podcast where we break down the latest enterprise innovations and challenges shaping the Information Security industry. Whether it’s AI, cloud computing, or digital transformation, we dive deep into the forces driving businesses forward.
Join host Josh Bruyning as he engages with industry experts and technology leaders to explore how businesses are leveraging technology for growth. From cutting-edge advancements to the economic impact of tech decisions, Cybernomics delivers insights that keep you ahead of the curve.
Tune in for expert analysis, compelling discussions, and a front-row seat to the future of Information Security.
#34 The Hidden Costs of Terminating a CISO - Greg Schaffer, Principal @vCISO Services
Greg and Josh pull back the curtain on the pitfalls and strategic voids left by frequent CISO transitions, which can leave companies vulnerable and scrambling for continuity. We shed light on the arduous onboarding process new CISOs face, taking months to assess existing security frameworks and the ripple effects this delay has on strategic initiatives. Our conversation also addresses the growing legal responsibilities that lie with corporate leaders and the potential fallout from negligence in cybersecurity leadership roles.
Beyond the boardroom, Greg invites us into a world where creativity meets cybersecurity, sharing his journey from novelist to CISO and the lessons learned along the way. We emphasize the importance of cultural fit and ethical leadership in fostering an environment where CISOs can thrive rather than being treated as expendable. This episode is not just about understanding cybersecurity; it's about recognizing the human element in protecting and nurturing those who hold these critical roles.
Speaker 1:Welcome to this episode of Cybernomics where we talk about the intersection of cybersecurity and the economy finding the hidden costs of cybersecurity. I am your host, Josh Bruyning, and today I'm here with Greg Schaffer, who is the principal at vCISO Services, owner at Second Chance Publishing and host of the Virtual CISO Moment. Greg, welcome to Cybernomics and congratulations on being the number one podcast in cybersecurity.
Speaker 2:Well, thank you for having me, Josh, and yeah, I was pleased to hear that. It's from a million podcasts, I think, and quite honestly I'd not heard of them before. But anytime somebody has you at number one, I'm fine. I'm ahead of Steve Gibson, Security Now, which made me feel good.
Speaker 1:Yeah, yeah, and I've been following Steve for a long, long time. When I just got into cybersecurity he was like my go-to podcast. But you know what? Oh gosh, yeah Me too, I mean, he, him and Leo were just wonderful and I can't believe they're still doing it all these years later. Yeah, but I think that they're really really, really technical. They go so deep into stuff that I wonder if they didn't hit number one for that one reason. It's mass appeal versus being very technical and very niche.
Speaker 2:Well, and that's what I try to do is the Virtual CISO Moment podcast. It's just about telling people's stories and giving advice to small and mid-sized businesses, and I found that, as I'm sure you have too, it's like people like to tell their story, so I always have the great job of just sitting back and asking questions and then listening, and I get to learn so much from people, and I think it's a human element that really helps with the podcast popularity.
Speaker 1:Yeah, yeah, which. I think you've put your finger on that pulse. And I'm not a technical security guy, right, I come from the sales world, I come from marketing, I come from people, the people side of cybersecurity, and that's something that's ticking up and it's something that we those who are really good at communication or some of the soft skills don't get as much recognition. But I think that you're one of those people in cybersecurity that has put your finger on that pulse. You're super easy to talk to and I love having a podcaster on the show, because when two podcasters get to talking, we never run out of anything to talk about, for better or worse.
Speaker 2:So thanks again no, you won't have any dead air. It's like that's for sure, and I mean information security and cybersecurity. It is such a people-driven business. It's all relationship-driven. Those who are in sales in cybersecurity are the most successful because they understand that the sales come from relationships, not the other way around.
Speaker 1:Yeah, and you're always selling cyber.
Speaker 2:Always selling cyber.
Speaker 1:Internally, externally, everything, but today what I'd like to talk to you about is just for fair, being transparent and fair warning for everybody who's listening to this. It's not a new topic. We're not going to be talking about something groundbreaking or groundshaking here. It's something that's been revised over and over again and kind of rehashed, but I like to take the temperature of this particular topic every year or so, which is the downside of firing the CISO. Or, in other words, what are the hidden costs of terminating the CISO and is that even a problem going into 2025? One of the main problems of cybersecurity and of businesses is the tenure of the CISO is typically around 18 months. That doesn't give the CISO a lot of time to do a lot of things, and it seems a bit unfair, and I think that has changed over time. So I'd love to get your take on where are we today with companies retaining CISOs, and is this as big of a problem as it always has been? What do you think?
Speaker 2:Well, I think that, historically, one of the reasons why you have that sort of churn rate and there are various numbers, but we'll land on 18 months for now is not necessarily so much the company side as much as it is the CISO side sometimes. And what I mean by that is that sometimes, well, let me predicate that by saying that there are some folks out there and I'm probably going to make a few people upset, but there are some folks out there who are in the CISO role who don't need to be in, and their motif is they go into an organization, they find a problem and they find a solution, a technical solution. They implement that technical solution. They sell the board of directors on the technical solution. They implement the technical solution. The technical solution doesn't have quite the ROI that was expected, but by that point in time, where are we at? We're at 18 months. They've now gotten their experience and they go and move on to the next organization.
Speaker 2:I'm not saying that that's all CISOs, but that is part of the issue out there. It's not necessarily you don't? It's, I think, without having actual stats in front of me, I don't think that there is like a big issue of CISOs getting terminated in 18 months, with the exception of if they obviously were in charge of a program that had a breach, that had something to do with their lack of skill or lack of duty paying attention to it. But, regardless, we do have this churn still and it is still there and it has some serious ramifications upon the business, not only in the recruiting area but also in the security area as well. Because if you don't have that continuity we'll probably talk about this more in depth but if you don't have that continuity of leadership, sometimes you just have all these different priorities that, every 18 months, you'd focus on.
Speaker 1:Do you think that businesses have a false expectation when they hire CISOs, in thinking that maybe the CISO will help to drive revenue? Is this something that could explain the reason for the churn?
Speaker 2:I don't think that a lot of businesses think necessarily that the CISO will help drive revenue as much as that. They expect the CISO to understand revenue and also understand costs and they want the CISO to be able to explain risks, not in pretty colored charts like we do with heat maps and all that red, yellow green.
Speaker 2:They want quantifiable numbers and it's very difficult for some CISOs to be actually able to do that. They'll just say that hey, you know this company over here, a large company, had a breach and it cost them X millions of dollars or whatever, and we need to avoid that. Well, they don't equate together. What that company lost isn't necessarily what we would call cost exposure is. So the more successful CISO understands the business aspect of the costs involved, won't just propose a tool to fix something just because that's the latest and greatest tool that's out there.
Speaker 2:They also know how to speak business language. They also know how to understand risk in terms of the overall organization. So you have to remember the board of directors. They're not just dealing with cybersecurity or information security risk and, as a side note, I tend to have to say this all the time I'm one of those who believes that the correct term for the field is information security and that cybersecurity is the technical subset. So that's why I say both. But there's a lot of other risks that the board of directors have to deal with And-informed decisions. So how can they do that? They have to understand the risk environment, not only from the info and cyber side, but from the business in general, and that's kind of a rarity out there as far as your typical chief information security officer.
Speaker 1:Yeah, one of the things that business leaders may often overlook is the information gap going from one CISO to another. Let's say there's a CISO that's been let go. There's like, let's say, a number of weeks to a number of months between finding a new CISO. Let's say you're going in as a vCISO, and you've got to pick up the pieces left behind by the last CISO. What are some of those pieces that you have to pick up, where you're talking to the business leader and saying, look, these are some things that were left undone. They incur further costs. There's more cleanup than we thought, so can you give us a little bit of a rundown on what are some of those hidden costs left in the gap between CISOs?
Speaker 2:Well, when a new CISO comes on board, they don't want to immediately pick up whatever the previous CISO was doing, unless it's a project that is considerably long and has a defined end. That's one thing. That's more tactical at that point in time. But strategically, the incoming CISO needs to work more on understanding the environment first in order to determine the correct strategic directions going forward. So you have a new CISO coming in and it's the same thing in the virtual CISO world. It's just that it's on a smaller scale, smaller businesses and we work with more folks. But the general approach is well, first let's figure out the as-is of the organization. So the CISO comes in. There's going to be some time to figure out. Where are we at? They're going to look through documentation. They're going to look through audits. They're going to talk to all the business leaders. They're going to look at any events and breaches Hopefully there weren't any, but obviously that happens or near breaches or incidents. They're going to get a feel of that. Now, that's all going to take time. So let's just say okay, you have a CISO that leaves in the beginning of the year. Well, the recruiting process in and of itself is going to take quite some time. So let's just say you're lucky and you get in a new CISO six months later. Now that new CISO is going to spend the first 90 to 120 days let's just say as a round figure so at least like three, four months, getting to know the landscape.
Speaker 2:So you talk about the cost of losing a CISO. You basically have lost almost a year of strategic work. So then the CISO comes in and finally figures out everything that's going on and then that person can then start to determine their direction and their methodology, their strategy. They have to try to start selling their strategy in order to solve the issues out there. Now that might mean abandoning some of the strategic initiatives that the previous CISO had done before. But the new CISO coming in should never take at face value that we're going to. We're going to if there was a strategic plan and it was already planned out that later in this year we were going to do X.
Speaker 2:Now you need to put a hold on that and just say well, at the very least the CISO needs to understand the why behind it, and chances are the CISO might agree Okay, we want to do that. And you talk about cost to the business. So you've lost 10 months now, let's say, of significant information security strategic planning. You've lost the recruiting dollars that go in. You've lost the. I mean, how much does it cost to recruit a CISO? I don't really know what the numbers are, but it's a percentage of salary and CISOs are kind of expensive nowadays, you know. I mean, you know 300,000 plus per year. That's not cheap. So lots of expenses involved, without a doubt.
Speaker 1:Yeah, yeah. Not to mention, you know, in that time you might get breached and you know you may be held liable in a court of law for whatever happens after that breach or what happened before that breach. Because I don't know if the law stipulates an amount of time that a company may have to find a new CISO. Maybe there's a grace period where they give you like six months. If you didn't have one, at least you've been looking for one. Maybe they give you a pass. But do you know anything about that? Uh, I don't. Do they give you any kind of legal leeway while you're looking for a CISO? If you were to get breached.
Speaker 2:I've never heard of something like that.
Speaker 2:I'd be surprised if there is that because it's like you're responsible for the security of your company's and your customers' information, regardless of whether or not you have a CISO in there. I mean the company is responsible and how you determine that, how you make that happen, that's really on the C-suite and the board of directors. Now, talking about CISO professional liability, that's an interesting area right now because there have been last year and year before a couple of CISOs that have faced legal action and repercussions because a trial found that they were negligent in their duties, which now has gone to the point of like, well, what kind of insurance should they be carrying? Whether it be like professional insurance personally, or if they're part of the company's professional insurances that they have for directors and officers and such, and that would be part of the compensation package. It's a.
Speaker 2:It's an interesting situation because I've seen and heard that there's some the idea that some CISOs are perhaps not wanting to stay in the field because they feel now that, oh, this is becoming where we're becoming now the scapegoats and then that becomes a nobody wants to work underneath that. I mean, you want to work in a team environment. You don't want to work thinking that you're going to be blamed for something? That was one of the first questions I asked in one of my CISO interviews back when I was doing that full time, before I started the virtual stuff, and I really wanted to get a feel. It's like it was for a government agency and I'm like, well, if there's another breach because they had one before they didn't have a CISO that's where they were hiring me. If you have another breach, it's like, are you just trying to hire someone so that you can fire someone if something happens?
Speaker 1:And.
Speaker 2:I was convinced that that was not the case.
Speaker 1:That is the case in so many companies and this is something that I talk, that Charles Payne and I talk about a lot. Charles Payne is the I don't think he's a CISO anymore. I think he's a retired CISO. But he's pretty young to be a retired CISO. Do you ever retire?
Speaker 1:But we talk a lot about the CISO being a scapegoat and the first time he and I had talked about this we were in New York City. We were driving in an SUV. We were back at the back of an Uber XL with a bunch of cybersecurity folks leaving a CISO event, going to another event, and this topic came up and said the CISO is a scapegoat. And there was another CISO in the car who just disagreed vehemently and was like couldn't accept, in my opinion, couldn't accept that the CISO is a scapegoat and can be reduced to such. That is a very degrading term and when you've dedicated your life to this thing and you've wanted to be a CISO for your entire life, you've worked 10, 20 plus years to get there.
Speaker 1:To be reduced to a scapegoat. I know is painful, but in a lot of cases, it's true, and I think that you know asking that question before you're hired. I mean, how do you even bring that up? How did you ask that question? You don't just go hey, are you hiring me to fire me? Actually, that's exactly what I did, oh, great. Okay, I ask that.
Speaker 2:But really, one of the ways that you can figure that out is you look at the company culture. No matter what job that you're interviewing for, and particularly as you move up the chain of command, so to speak and it doesn't have to be just InfoSec you really need to understand the culture, and there's a difference between being a scapegoat and being responsible for your actions. Being a scapegoat is you're the one who is blamed, no matter what happens. Being responsible for your actions is okay. I made a mistake that caused a breach. I therefore then deserve to be fired. I'm not fired because I'm a scapegoat. I'm fired because, somewhere along the line, I messed up in my responsibility. I mean, there's a reason why CISOs are paid a lot of money. They have a lot of responsibility. And again, I go back to what I said in the beginning of the podcast.
Speaker 2:I think that there are some out there that don't really understand that aspect of it. It's not to say that you're never going to get breached and that you have to get to that point. That's impossible. I mean anybody who says, well, you have to get to a point of never being breached, that's not going to happen. But what you have to be able to do is understand that you have enough compensating controls in place, enough processes in place, and you can demonstrate. It's like well, we have tried to reduce the risk by X, Y and Z and yet we were still breached. The CISO, that can demonstrate that they should be fine, unless the culture is one that is looking to find folks to punish or even fire if anything goes wrong.
Speaker 2:If financials are off and they don't meet their profits for the quarter, does that mean that the CFO gets fired automatically? Well, maybe it does. If the CFO mismanaged some funds or investments or I don't know, mismanaged the budget, but it doesn't. If sales were down, well then, does the director of marketing, do they get fired? Or chief marketing officer, do they get fired? You see what I'm saying? It's like the culture has to be in place that assigns responsibility based on an accountability they have to match. You can't have accountability without responsibility, and a lot of times that's what scapegoat is, you're assigning accountability without giving responsibility and, in some cases, authority where needed. That never works.
Speaker 1:Yeah, I've got the sense that there aren't a ton of companies that are out here that are just terminating CISOs or using them as scapegoats.
Speaker 1:I know that it exists. I can't put a number on it, but I have a sense that it's a minority of companies that we can collectively call evil corps. You know, that's doing all kinds of shenanigans and maybe they need scapegoats and fall guys and people who are expendable. But let's say you're working for one of those evil companies evil corporations that are in the minority and that's a I'm being hyperbolic there. They may have good reasons why they're evil, giving them the benefit of the doubt. But let's say you're a CISO, you're going into this situation and maybe they're not up front that you can ask them point blank am I here to be terminated or am I here as a scapegoat? They may say no, but they've got their fingers, you know, crossed behind their back. What are some of the markers that you would look for to tell you that this company doesn't really take the CISO seriously and doesn't really want to give much power to the CISO?
Speaker 2:Well, I think it's all about how the CISO interacts with the other levels of executive management and vice versa.
Speaker 2:And we'll start there with executive management, because it's very rare that a CISO is a true chief I once heard I wish I could remember who to attribute this to, but he probably stole this quote from somebody else anyway. But the quote is essentially if you don't report, if you're a CISO and you don't report to the C-suite or the board of directors, or to the CEO or the board of directors, then you're a chief of nothing. And most CISOs they report in up to some level. Some will report to the CFO, some will report to the chief risk officer, which I think is the proper place for it, if not to the CEO. Some report to the CIO or the CTO, which I think has their own set of problems as far as a conflict of interest. So definitely reporting structure, just looking at that and understanding that beforehand could be a red flag. But just because a CISO reports to a CIO does not necessarily knock that job out of contention, I don't think.
Speaker 2:But then and I did this and I failed actually just to be completely transparent in the job that I was thinking about I failed in analyzing the culture. I didn't want to see things that were right in front of me, and that was the lesson I took away. So when I'm interviewing, I'm seeing interactions between folks that would be part of my peers or part of all that I was reporting to the CIO. That position was, and I didn't like what I saw, but I wanted that position so bad, I wanted that CISO title with this government organization so bad that it kind of blinded, and so I think that the risk there is for the applicant is you have to make sure that you're able to keep your eyes wide open and be objective about Remember, when you're interviewing, you're interviewing them as well too.
Speaker 2:You have an opportunity to see their culture, and then you know you can get into some other red flags. Look at budget numbers, ask for budget numbers, and how much is actually? What kind of funding will you have? What kind of staff will you have? What kind of expectations? Why did the last CISO leave? That's always a great question for any position. Why did my predecessor leave? I couldn't ask this in this one because there was no predecessor. I was the first, but I think those would be some of the questions to ask.
Speaker 1:Do you think it's more cost effective for companies to how do I say this delicately? Do you think it's more cost effective for a company to have a CISO that's expendable, that when something happens they can let them go and they can sort of refresh and wash their hands clean of any liability, or to have a CISO who's on board, who will be there long term, but they have to purchase a buttload of cybersecurity insurance. Maybe the premiums are higher? Because let me just give you some context.
Speaker 1:The premise is some may feel and some may disagree with this that the reason that CISOs may be expendable is because of the rising costs of cybersecurity insurance, where, if the CISO recommends you buy cybersecurity insurance, not only are you paying for the CISO, but you're also paying for the insurance policy. The premiums are ridiculous. So if something goes wrong, instead of relying on the cybersecurity insurance company, you can fire the CISO and then you're without security for another six months to a year, but you're kind of outpacing the cost of what it would be to actually just implement some cybersecurity insurance. Does that question make sense, or is the premise not right there?
Speaker 2:No, I understand what you're saying, but I don't think that that's really much of an issue. First of all, if you fire a CISO, the next one you bring on board, you're probably going to have to offer more money to, and so that's going to offset whatever other increases you might have in cyber insurance or other insurance. Two things, first of all, the CISO community is rather close-knit. I mean, I know a lot of people who know a lot of people, who know a lot of people, and if a company starts to have a reputation of firing folks because of being expendable, so to speak, you're not going to have a quality CISO that wants to work for that organization. So they're going to get in like green CISOs or CISOs in name only that really don't have the risk management chops to be able to work it, which ultimately, is going to put the company more at risk. So I guess the way I would answer your question is what does the company value more, putting aside the fact that, yes, of course, the goal of all companies is to make money and not lose money, but what does the company really value more? Do they value short-term gains or losses, or do they value actually managing risk? And those that manage risk are the ones it's going to be more cost effective to keep the CISO on for an extended period of time.
Speaker 2:I think you know I'm also one of those too. I'm old school, I think that somebody leaves a job after 18 months. That's too quick. Anyway, you'll have some folks that say no, it's okay to jump jobs and all of that. I come from a time where, um, just for context, that you were pretty much expected If you took a job, you, unless something really bad happened, you're going to give at least three years there.
Speaker 2:That there was just the culture back then. So that kind of taints my, uh, answer, probably. Again, I'm a dinosaur, I get it, I understand. But if you're a real, true business leader, you're going to think about your people first, so this won't be an issue. You don't want to be someone who is looking for scapegoats. Those aren't, in the long run, those aren't effective business leaders in my opinion. They're insecure. They don't know how to manage a business. I think that's my answer. I don't think I have anything else to add.
Speaker 1:All right, so there are two ways to look at this. Then there's one legitimate route where a CISO can be terminated legitimately. They were incompetent, they messed up, they screwed up, they did something, and that incurs the same costs as if you terminated a CISO for whatever reason. They're the scapegoat. And it seems to me that the second option, the scapegoat version if a CISO loses their job over that, it will incur more costs to the business to do it that way. So what is the moral of the story here? Greg, if you were to sum this all up, what would you say to business owners who are at risk of losing their CISO?
Speaker 2:It's the same advice that I give to businesses and that I give to people Just if you're ethical in whatever you do I like to use the term if you have a heart of a servant, you're always going to be successful. Now, I'm talking about the employee at this point in time, not the employer, but the reason is because what you value is service, and everything else will come. I think it's the same thing on the business side as well, too. If you practice ethical business operations, whether that be in how you treat your employees, or how you treat your partners, or how you treat your contractors and staff, or how you just conduct deals, you're going to be in a much better position when all is said and done long term, because you know getting biblical here for a second you do reap what you sow, and I think that's, I think that's really the summation of the story.
Speaker 2:I think that the more that we layer on these other items like, the more that the business starts to think about a CISO as being expendable and okay, this is our insurance policy, we'll just get rid of the CISO if something happens. You don't want something to happen. So why start to plan that way? Why don't you just encourage your staff and then the CISO?
Speaker 2:As I said in the beginning, if you have a CISO who is just trying to climb up the ladder, they're like, well, I'll join this company for 18 months and get them somewhere. And well, if my recommendations don't work out well 18 months they probably weren't expecting me to stay I'll just move on to something higher wage. That's not terribly ethical in my mind as well. I get it that people should climb the ladder and I have nothing against that. But it gets into your heart and what is in your heart, and if your heart's pure and you're ethical, all the other stuff will work itself out some way. I don't want that to sound like a cop-out answer, but there are so many times when you layer all sorts of problems on and the answers are actually real simple. We just can't see it because we layer these problems on top of them.
Speaker 1:Yeah, yeah. And just like you did, asking the right questions, I think, can go a long way before you even engage on both sides the business asking the right questions of the incoming CISO and the CISO asking the right questions of the business to make sure that there's an understanding between both parties. Okay, great. Well, you know what I think we kicked that dead horse. I think it's zombified at this point Zombified yeah, yeah.
Speaker 1:So I think we have at least I have a pretty good understanding of the hidden costs of terminating the CISO and just going between those CISOs and the various, you know, the various nuances of CISOdom. Great. I want to talk a little bit about your publishing company, right. You are an author, you are a novelist. How did you a CISO, which I, again, I typically associate CISOs with being very highly technical people, not super creative.
Speaker 1:But I'm also reading this book called Unmasked, about neurodivergent people and I'm learning that neurodivergent people are everywhere, people with autism, with ADHD, who may seem like the perfect fit for a technical role because with those neurodiverse divergent qualities usually come with mathematical skills, very direct skills. But I'm also learning that there are a lot of people who we may think are just fit the bill of, you know, being like a, like a Sheldon from Big Bang Theory or whatever but may be really well suited and they apply those energies and those superpowers to creative things, and you know.
Speaker 1:So now I'm beginning to look at the world a little bit differently and so I'm seeing that a CISO or somebody who is very technical, super smart, is really good with numbers, good with math, also moving into the realm of creativity and art and writing and those kinds of things. So, while I have you on the line, a real live, you know, twofer, someone who is both gifted in the engineering sciences and cybersecurity and technical parts and all that, but also noveling. How do you go from security to being a novelist? Which one came first? Are you a novelist at heart or a CISO at heart?
Speaker 2:Oh, the writing came first. I wrote my first novel, uh, in high school and, uh, it's somewhere in a box, somewhere in my house. What was it about?
Speaker 2:Uh, it was a very, uh, it had a very pretentious title called The Balance of Power and it had to deal with a Soviet invasion of the United States. Think Red Dawn, but done a lot worse. And I was actually writing it before Red Dawn, remember, I'm a child of the Cold War, so we grew up distrusting the Soviets, but the reason for me writing then is the same as it is now. It was an escapist from my school studies. I was also, I guess I should say I wasn't the most model student, not from the academic side. When I was in middle school I was measured with a genius IQ. It was 160-something and my mom was very upset about that because she didn't want the school to treat me any differently.
Speaker 1:I thought you were going to say she was upset about that because it wasn't 170-something. No, no.
Speaker 2:I'm not a good enough genius, but I could tend to get bored easily and I also was more of an introvert, didn't like cliques and all that, and so writing provided me an escape.
Speaker 2:I was actually expelled from three high schools in my four years of high school, but still was able to graduate in four years, but anyway, I wrote then. It was just a way to unpack, decompress. We'll see some moment. One of the end questions I asked him is like so cybersecurity is a very stressful field. What do you do to decompress? And I love hearing different stories about what people do and so I kept that with me. So, so the first novel that I wrote actually started 30 years ago, ish, and it was therapy for me when I was going through my divorce, and eventually I repackaged that and self-published it in 2014. So it's been 11 years now, but I would write that as a break from doing my CISO duties at a bank that I was at at that point in time. But I enjoy it, and it's not just fiction. I've got one book that's been in development hold for the longest time, about halfway through as far as novels go. It's called Fatherhood and it's tackling abortion from the father's point of view, and that's a very touchy subject to talk about anyway. So I might finish that at some point in time.
Speaker 2:But you know, this whole virtual CISO thing. I got into the virtual CISO world, I kind of had very, very modest goals for virtual CISO. My goal as far as salary was like $60,000 a year was all that I really wanted to make. Because I wanted to do it part-time, because I wanted to spend the rest of my time writing. Well, the business, I found out I was a good entrepreneur and who knew? I never knew. I'm like, wow, and the business grew and it grew and it grew and it sucked up my time and I haven't had a chance to do as much writing. So eventually I'll get back to that. So I think it's just balance. I think life is we do better when we balance and not focus. And certainly focus on one area and certainly there's a huge difference, as you were talking about in the beginning, between the technical side and the creativity side. I mean you see a couple of guitars behind me. It's like I've written songs, nothing that I would term good.
Speaker 2:But, you know, it's the creative process.
Speaker 1:There's a problem where you're not good at anything those, that's the problem that gets the most attention. But there is a problem of being good at a lot of things, because you only get one life to live.
Speaker 2:Yeah, and I, I don't know, maybe I'll try to figure out how to clone myself.
Speaker 1:Hey, if you figured out, let me know because that'd be great. I could do with like three or four clones while I sip margaritas on the beach and they can do all the work and take care of it. There you go, all right, great. Well, Greg, thank you so much for joining me here on Cybernomics. I'm super excited to be on your show and talk about media and kind of dig in a little bit more on the human side of cybersecurity and how we connect and all that stuff. If people want to find you, what is the best way for them to do that and to learn more about your vCISO services?
Speaker 2:Yeah, I think the best way is just to hit me up on LinkedIn. I'm pretty active on there. I never used to be up until a few years ago, but I've realized the value of the platform and I love to engage with folks. Don't send a connection request and then try to sell me something. Or don't send a connection request and then ask me to be your mentor. I mean, let's establish a relationship first. That's the real value of it. So Gregory Schaefer is my LinkedIn handle. I guess you could say that's probably the best way to get a hold of me.
Speaker 1:All right, and check out Greg's podcast, the Virtual CISO Moment, and you can check out our episode when it airs. I'm not sure when that's going to be, but we'll be talking about... Actually, that's a really good segue, what you said: don't hit somebody up and then try to sell them something. Form a relationship, form a connection, earn it and life will be much better for you. So thanks again for listening to this episode of Cybernomics. Check us out at bruyning.com, B-R-U-Y-N-I-N-G dot com. The media side of this business is just us helping as many tech companies build thought leadership through podcasts as much as we possibly can. So thanks again, thanks, Greg, and we'll see you in the next one. Bye. All right, so we could stop there.