For Nikoloz Kokhreidze, the move into cybersecurity consulting came gradually through a series of small steps. “I accumulated enough experience across different industries, I started my newsletter, and I realized there’s a community of people interested in what I have to say,” he explains.
What ultimately crystallized the decision was the thought that his impact didn’t have to stop at the edge of one organization. “I was solving the same problems repeatedly in one company,” he says, “when I could solve them for multiple companies simultaneously, multiplying my impact and helping more businesses grow through pragmatic security leadership.”
In August 2025, Kokhreidze launched his consulting business, Mandos. But he’s careful not to romanticize the move. “It’s important to stay realistic,” he says. Going solo takes time and patience. It means figuring out where you can be most useful. And being willing to stay flexible. “You have to be ready to pivot when you have new ideas, or when things don’t work out,” he says.
Like Kokhreidze, a growing number of CISOs are either moving into consulting roles or seriously considering it. The appeal is easy to see: more flexibility and quicker learning, alongside steady demand for experienced security leaders.
Some of these professionals work as virtual CISOs (vCISOs), advising companies from a distance. Others operate as fractional CISOs, embedding into the organization one or two days a week.
“Consulting gives me more autonomy and control over how I work, while still letting me apply the same strategic approach to improving resilience, governance, and practical security execution,” says Antanas Kedys, founder and CEO at ACyber. He made the shift from an in-house CISO role to consulting in 2022, because he wanted to grow and work across different environments.
When a CISO transitions into consulting, their role changes in ways that aren’t always obvious at first. The new job means sharpening some skills, building entirely new ones and, perhaps hardest of all, learning to let go of control.
“As a CISO, you can mandate; as a consultant, you can only influence,” says Nigel Gibbons, director and senior advisor at NCC Group.
How to prepare to make the leap from security leader to consultant
Long before stepping away from a full-time role, Kokhreidze and other security leaders quietly planned ahead. They tested ideas, built visibility, reconnected with old contacts, and began mapping out who their potential clients might be. The list of potential clients should be a long one, because few conversations tend to turn into actual work.
“If someone is not asking you right now to consult for them, it can take 12-18 months before you land your first client,” says Carlota Sage. She held a part-time CISO role at a nonprofit before transitioning into vCISO work. Later, she went on to found Pocket CISO, which provides cybersecurity services to early-stage startups and small organizations.
Kokhreidze agrees with her. For a smoother transition, he suggests CISOs line up their first clients while they’re still employed. Otherwise, he says, it can take a long time to build momentum. And the pressure to make it work can quickly turn into panic. In that moment, security professionals may start “underpricing themselves because they need money immediately,” he says. Once rates are set out of desperation, they’re often hard to reset without straining the relationship.
Other CISOs-turned-consultants also emphasize preparation. Kedys, for instance, stresses the need for a go-to-market focus. “Decide who you want to advise (industry, company size, maturity), what problems you’ll solve, and why you’re credible for that,” he says. “The combination of strong soft skills and a clear focus — who, how, and why — is the best starting point for a successful transition.”
Gibbons adds that consulting should grow out of a CISO’s existing experience. He suggests treating that experience as a set of real-world case studies worth talking about, capturing the decisions, the trade-offs, what went wrong and what worked. He also stresses the importance of building relationships beyond the security function, including legal teams, auditors, regulators and investors. “Consulting is ultimately a trust-based profession, not a technical one,” he adds.
Skills that carry over into consulting
Many of the skills CISOs honed inside large organizations translate directly to the new consulting job, while others suddenly matter more than they ever did before. In addition to technical skills, it is often the practical ones that prove most valuable.
The ability to prioritize — sharpened over years in a CISO role — becomes especially important in consulting. “It matters more than anything else,” Gibbons argues, because in consulting environments resources are often limited. Consultants are paid not to know everything, but to know what matters most, which risks to tackle first, and which problems can safely wait.
Crisis management is another essential skill. Paired with hands-on knowledge of cybersecurity processes and best practices, it gives former CISOs a real advantage as they move into consulting. Kedys highlights stress management: the ability to stay calm, focused and keep execution moving under pressure, which is just as valuable outside the enterprise as it ever was inside.
But if there’s one translatable skill that everyone talks about, that skill is communication. “All of your security and compliance knowledge is wasted if you cannot communicate to a business audience,” Sage says.
Kokhreidze agrees. Instead of leading with controls, tools or technical details, he focuses on what CTOs and other business leaders actually care about: outcomes. He talks about how security protects revenue, supports resilience, or builds confidence with regulators.
New skills needed in the toolkit
As CISOs move into consulting, they quickly discover they need new skills as well, some of which they may have deliberately avoided in their in-house roles. Chief among them is sales. “Eighty percent of your work is actually selling yourself,” says Kokhreidze. “You are first a business, and CISO second.”
And being a business is time-consuming. Consultants must juggle personal branding, marketing, accounting, and writing. Writing and online presence, in particular, matter because, done well, they signal credibility and give current and future clients a sense of how a CISO thinks.
The multiple roles consultants have to play — switching between delivery, sales, marketing and admin while juggling several clients — come with a real mental toll. For many former in-house executives, adjusting to that constant context switching is one of the hardest parts of leaving a structured organization behind. “If you’re running your own consulting firm, context switching can be a struggle,” Sage says.
In time, many consultants learn that discipline matters, and that saying no is part of the job. “You must become comfortable saying no to work that dilutes your positioning or turns you back into an outsourced operator rather than a trusted advisor,” Gibbons says.
Setting the right price
Many CISOs know their value inside an enterprise, but translating that value into a consulting price is a different challenge altogether. It requires a shift from thinking like an employee to thinking like a business.
“Skills are not different from a product,” Kedys says. “You just need to find the right product (in this case, the skill) and wrap it in a way a market will be most likely to take it.”
That understanding, he adds, comes from market analysis: observing how executives buy, what they value, and what comparable services cost.
Sage agrees with the idea of analyzing the market but says that CISOs coming from large enterprises and targeting small and mid-sized organizations often need to recalibrate their expectations. What feels like a modest rate to a global organization can be misaligned with the realities of smaller clients, particularly those buying advisory services for the first time.
When thinking about pricing, Kokhreidze took a two-way approach. He looked at the market and assessed his value. Then he set a realistic income goal and worked backwards, factoring in how many clients he could serve well. The result was a pricing model that favored quality over volume, a trade-off he knew would resonate with the clients he wanted to work with.
“B2B companies closing enterprise deals understand that professional security leadership costs far less than losing a single €10M+ contract to failed security reviews,” Kokhreidze says.
When setting prices, one of the most common mistakes is charging for time rather than for the value the consultant brings to the table. Early in his career, Gibbons priced his work by the day instead of by the consequences it helped clients avoid. Over time, he moved toward outcome-based engagements, such as board assurance, regulatory readiness and post-incident recovery, so clients can understand more easily what they’re paying for.
“Clients are buying judgment, not hours,” Gibbons says.
This approach, however, is not universal. Some more traditional organizations remain firmly attached to day rates. In those environments, shifting negotiations away from time-based pricing can be difficult regardless of the expertise being offered.
Potential mistakes to avoid
Ask experienced consultants what mistakes newcomers make, and the answers are remarkably consistent. The biggest mistakes are rarely about security skills. They tend to cluster around mindset, money, and figuring out how to show up in the market.
“The hardest lesson was realizing that being a great CISO doesn’t guarantee clients at all,” Kokhreidze says. “I quickly learned that professional expertise means nothing without strong sales and qualification skills, because you’ll waste months chasing companies that either don’t have the problem you’re trying to solve or aren’t ready to invest in fixing it.”
Gibbons sees a related issue: consultants trying to recreate an in-house role from the outside. They take on operational responsibility, running programs or becoming embedded indefinitely. “That erodes margins and credibility,” he says.
Another common misstep he points to is leading with tools, frameworks or certifications rather than judgment and experience. “Clients do not hire former CISOs for policy templates,” he argues. “They hire them to help make hard decisions with incomplete information.”
Even CISOs who plan carefully before making the leap often discover that the freedom of consulting comes with hidden costs. As Sage puts it, “Most CISOs consulting for the first time underestimate how much time and effort go into just managing your own business.”