This guest blog post comes from Carlota Sage, a member of our Vision and Voice: Women in Cybersecurity community.
I was coworking with a friend recently when they asked me, “How did you know?”
I was editing the new Pocket CISO website at the time. “How did I know what?”
“Any of it. How did you know it was time to leave FireEye? How did you know it was time to start your own company? How did you know it was time to shut that down and go somewhere else? How did you know to leave there and start over again? How did you know?”
Truth be told, it wasn’t a question of knowing. It was about constantly evaluating my options.
“I didn’t know. I just have a threshold. Sometimes that threshold is money. But most of the time, that threshold is my Joy-to-Disappointment (JtD) ratio.”
Long before Marie Kondo popularized the “Does this spark joy?” question, I had my JtD ratio: Does the disappointment in my work environment outweigh the joy my work gives me?
When my answer tips towards yes, I know I have to enact either a course correction or an exit plan. It’s the same if there’s no disappointment but no joy. I’m just not someone who can coast comfortably.
When I left FireEye, a major security product vendor at the time, my plan was to take a few months off and start building a product platform. But with my mother’s terminal cancer diagnosis and subsequent passing, I chose to take a year plus off to grieve and reconnect with my dad. Losing a parent shakes your foundation, and I found I just didn’t have the appetite for a start-up as I processed my grief. But I also needed to take care of my father, so I fell into consulting. Sometimes joy takes a back seat to having to eat.
As I reviewed and set a new product strategy for a client, I kept flagging security issues. They were large enough that I encouraged them to hire a Chief Information Security Officer (CISO), going so far as to source a few candidates from my network. They weren’t ready for that, and asked if I could be their part-time CISO instead.
And thus, I became a virtual CISO.
I really loved virtual CISO work. What I didn’t love was working mostly alone or running a small business. With the pressure of the pandemic and uncertainty of the economic and political landscape at the end of 2020, I realized my JtD ratio was out of whack. Without a vision or team, the stress of running a solo consulting business was robbing me of all the joy of the work.
I lucked into what I had hoped would be the job I retired from - as a vCISO with a boutique security consulting firm. I liked the founder, I loved the team, and the work gave me joy. When I’d originally approached the founder with the idea that later became my company, Pocket CISO, he was resistant, “It’s not our model…not that we couldn’t spin up a separate company to do it.”
Later, he decided that it was a good model and asked me to build out the service delivery. I pushed back; “I like you, but I can’t build this out without equity.” Unwilling to give me equity in the existing firm and seeming not to remember his own suggestion of spinning up a separate company, I asked for a written statement giving me 50% ownership of the product line, which would only provide equity if he decided to sell the service line or company. He wasn’t comfortable with that, either, and instead said he’d do it himself. I debated reminding him of his own words, and then realized there was no point. Once you see that someone regards you as less than a peer, there can be no joy in working with them. There will only ever be disappointment.
Most people would probably quietly trudge along while they look for other work. The company can and should build the service delivery line without me (they’d be foolish not to!). But I honestly believe they can’t do it as quickly or as successfully as I would. Seeing no reason to give them the benefit of my experience without equity, I left.
I ended up finding another consulting firm that liked the idea, and was willing to let me launch Pocket CISO as 100% mine while I did other vCISO consulting with them. And it turned out to be an even better match for me personally. They had already invested significantly in the inclusivity in cybersecurity organizations I hold dear, something my former company wasn’t willing to do. They were also 100% remote long before the pandemic, something my former employer was very much against.
I felt torn, though, as I tried to articulate the differences between my offerings with Tiro Security and Pocket CISO. In the end, I decided to focus exclusively on Pocket CISO, partnering with Tiro on projects needing vCISO services. I can’t express how much I appreciate Kris and his team for supporting me in this decision.
I imagine from the outside, I may look uncommitted or job-hoppy. But every decision I have made on my JtD ratio has moved me forward, sometimes personally, sometimes professionally, but most times both. The JtD ratio gives me a simple decision framework that allows me to move quickly with certainty, even if I’m not sure what the next step or outcome may actually be. I would never have taken the leap to run a (mostly) solo consultancy again without it - it pushes me well outside my comfort zone yet gives me a metric that confirms I’m doing the right thing.
As the saying goes, “You’re winning or you’re learning,” and while I may not always be overjoyed, I’ve definitely never been disappointed by the wins or lessons I’ve earned by following my Joy-to-Disappointment ratio.