{"id":7160,"date":"2026-02-19T07:00:00","date_gmt":"2026-02-19T07:00:00","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=7160"},"modified":"2026-02-19T07:00:00","modified_gmt":"2026-02-19T07:00:00","slug":"from-in-house-ciso-to-consultant-what-you-need-to-know-before-making-the-leap","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=7160","title":{"rendered":"From in-house CISO to consultant. What you need to know before making the leap"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>For <a href=\"https:\/\/mandos.io\/about\/\">Nikoloz Kokhreidze<\/a>, the move into cybersecurity consulting came gradually through a series of small steps. \u201cI accumulated enough experience across different industries, I started my newsletter, and I realized there\u2019s a community of people interested in what I have to say,\u201d he explains.<\/p>\n<p>What ultimately crystallized the decision was the thought that his impact didn\u2019t have to stop at the edge of one organization. \u201cI was solving the same problems repeatedly in one company,\u201d he says, \u201cwhen I could solve them for multiple companies simultaneously, multiplying my impact and helping more businesses grow through pragmatic security leadership.\u201d<\/p>\n<p>In August 2025, Kokhreidze launched his consulting business, Mandos. But he\u2019s careful not to romanticize the move. \u201cIt\u2019s important to stay realistic,\u201d he says. Going solo takes time and patience. It means figuring out where you can be most useful. And being willing to stay flexible. 
\u201cYou have to be ready to pivot when you have new ideas, or when things don\u2019t work out,\u201d he says.<\/p>\n<p>Like Kokhreidze, a growing number of CISOs are either moving into consulting roles or seriously considering it. The appeal is easy to see: more flexibility and quicker learning, alongside steady demand for experienced security leaders.<\/p>\n<p>Some of these professionals <a href=\"https:\/\/www.csoonline.com\/article\/3977845\/the-rise-of-vciso-as-a-viable-cybersecurity-career-path.html\">work as virtual CISOs (vCISOs)<\/a>, advising companies from a distance. Others operate as fractional CISOs, embedding into the organization one or two days a week.<\/p>\n<p>\u201cConsulting gives me more autonomy and control over how I work, while still letting me apply the same strategic approach to improving resilience, governance, and practical security execution,\u201d says <a href=\"https:\/\/www.acyber.io\/about-acyber\">Antanas Kedys<\/a>, founder and CEO at ACyber. He made the shift from an in-house CISO role to consulting in 2022, because he wanted to grow and work across different environments.<\/p>\n<p>When a CISO transitions into consulting, their role changes in ways that aren\u2019t always obvious at first. The new job means sharpening some skills, building entirely new ones and, perhaps hardest of all, learning to let go of control.<\/p>\n<p>\u201cAs a CISO, you can mandate; as a consultant, you can only influence,\u201d says Nigel Gibbons, director and senior advisor at NCC Group.<\/p>\n<h2 class=\"wp-block-heading\">How to prepare to make the leap from security leader to consultant<\/h2>\n<p>Long before stepping away from a full-time role, Kokhreidze and other security leaders tried to quietly plan ahead. They tested ideas, built visibility, reconnected with old contacts, and began mapping out who their potential clients might be. 
The list of potential clients should be a long one, because few conversations tend to turn into actual work.<\/p>\n<p>\u201cIf someone is not asking you right now to consult for them, it can take 12-18 months before you land your first client,\u201d says Carlota Sage. She held a part-time CISO role at a nonprofit before transitioning into vCISO work. Later, she went on to found Pocket CISO, which provides cybersecurity services to early-stage startups and small organizations.<\/p>\n<p>Kokhreidze agrees with her. For a smoother transition, he suggests CISOs line up their first clients while they\u2019re still employed. Otherwise, he says, it can take a long time to build momentum. And the pressure to make it work can quickly turn into panic. In that moment, security professionals may start \u201cunderpricing themselves because they need money immediately,\u201d he says. Once rates are set out of desperation, they\u2019re often hard to reset without straining the relationship.<\/p>\n<p>Other CISOs-turned-consultants also emphasize preparation. Kedys, for instance, stresses the need for a go-to-market focus. \u201cDecide who you want to advise (industry, company size, maturity), what problems you\u2019ll solve, and why you\u2019re credible for that,\u201d he says. \u201cThe combination of strong soft skills and a clear focus \u2014 who, how, and why \u2014 is the best starting point for a successful transition.\u201d<\/p>\n<p>Gibbons adds that consulting should grow out of a CISO\u2019s existing experience. He suggests treating that experience as a set of real-world case studies worth talking about, capturing the decisions, the trade-offs, what went wrong and what worked. He also stresses the importance of building relationships beyond the security function, including legal teams, auditors, regulators and investors. 
\u201cConsulting is ultimately a trust-based profession not a technical one,\u201d he adds.<\/p>\n<h2 class=\"wp-block-heading\">Skills that carry over into consulting<\/h2>\n<p>Many of the skills CISOs honed inside large organizations translate directly to the new consulting job, while others suddenly matter more than they ever did before. In addition to technical skills, it is often the practical ones that prove most valuable.<\/p>\n<p>The ability to prioritize \u2014 sharpened over years in a CISO role \u2014 becomes especially important in consulting. \u201cIt matters more than anything else,\u201d Gibbons argues, because in consulting environments resources are often limited. Consultants are paid not to know everything, but to know what matters most, which risks to tackle first, and which problems can safely wait.<\/p>\n<p>Crisis management is another essential skill. Paired with hands-on knowledge of cybersecurity processes and best practices, it gives former CISOs a real advantage as they move into consulting. Kedys highlights stress management: the ability to stay calm, focused and keep execution moving under pressure, which is just as valuable outside the enterprise as it ever was inside.<\/p>\n<p>But if there\u2019s one translatable skill that everyone talks about, that skill is communication. \u201cAll of your security and compliance knowledge is wasted if you cannot communicate to a business audience,\u201d Sage says.<\/p>\n<p>Kokhreidze agrees. Instead of leading with controls, tools or technical details, he focuses on what CTOs and other business leaders actually care about: outcomes. He talks about how security protects revenue, supports resilience, or builds confidence with regulators.<\/p>\n<h2 class=\"wp-block-heading\">New skills needed in the toolkit<\/h2>\n<p>As CISOs move into consulting, they quickly discover they need new skills as well, some of which they may have deliberately avoided in their in-house roles. Chief among them is sales. 
\u201cEighty percent of your work is actually selling yourself,\u201d says Kokhreidze. \u201cYou are first a business, and CISO second.\u201d<\/p>\n<p>And being a business is time-consuming. Consultants must juggle personal branding, marketing, accounting, and writing. Writing and online presence, in particular, matter because, done well, they signal credibility and give current and future clients a sense of how a CISO thinks.<\/p>\n<p>The multiple roles consultants have to play \u2014 switching between delivery, sales, marketing and admin while juggling several clients \u2014 come with a real mental toll. For many former in-house executives, adjusting to that constant context switching is one of the hardest parts of leaving a structured organization behind. \u201cIf you\u2019re running your own consulting firm, context switching can be a struggle,\u201d Sage says.<\/p>\n<p>In time, many consultants learn that discipline matters, and that saying no is part of the job. \u201cYou must become comfortable saying no to work that dilutes your positioning or turns you back into an outsourced operator rather than a trusted advisor,\u201d Gibbons says.<\/p>\n<h2 class=\"wp-block-heading\">Setting the right price<\/h2>\n<p>Many CISOs know their value inside an enterprise, but translating that value into a consulting price is a different challenge altogether. It requires a shift from thinking like an employee to thinking like a business.<\/p>\n<p>\u201cSkills are not different from a product,\u201d Kedys says. 
\u201cYou just need to find the right product (in this case, the skill) and wrap it in a way a market will be most likely to take it.\u201d<\/p>\n<p>That understanding, he adds, comes from market analysis: observing how executives buy, what they value, and what comparable services cost.<\/p>\n<p>Sage agrees with the idea of analyzing the market but says that CISOs coming from large enterprises and targeting small and mid-sized organizations often need to recalibrate their expectations. What feels like a modest rate to a global organization can be misaligned with the realities of smaller clients, particularly those buying advisory services for the first time.<\/p>\n<p>When thinking about pricing, Kokhreidze took a two-way approach. He looked at the market and assessed his value. Then he set a realistic income goal and worked backwards, factoring in how many clients he could serve well. The result was a pricing model that favored quality over volume, a trade-off he knew would resonate with the clients he wanted to work with.<\/p>\n<p>\u201cB2B companies closing enterprise deals understand that professional security leadership costs far less than losing a single \u20ac10M+ contract to failed security reviews,\u201d Kokhreidze says.<\/p>\n<p>When setting prices, one of the most common mistakes is charging for time rather than for the value the consultant brings to the table. Early in his career, Gibbons priced his work by the day instead of by the consequences it helped clients avoid. Over time, he moved toward outcome-based engagements, such as board assurance, regulatory readiness and post-incident recovery, so clients can understand more easily what they\u2019re paying for.<\/p>\n<p>\u201cClients are buying judgment, not hours,\u201d Gibbons says.<\/p>\n<p>This approach, however, is not universal. Some more traditional organizations remain firmly attached to day rates. 
In those environments, shifting negotiations can be difficult regardless of the expertise being offered.<\/p>\n<h2 class=\"wp-block-heading\">Potential mistakes to avoid<\/h2>\n<p>Ask experienced consultants what mistakes newcomers tend to make, and the answers tend to be consistent. The biggest mistakes are rarely about security skills. They tend to cluster around mindset, money, and figuring out how to show up in the market.<\/p>\n<p>\u201cThe hardest lesson was realizing that being a great CISO doesn\u2019t guarantee clients at all,\u201d Kokhreidze says. \u201cI quickly learned that professional expertise means nothing without strong sales and qualification skills, because you\u2019ll waste months chasing companies that either don\u2019t have the problem you\u2019re trying to solve or aren\u2019t ready to invest in fixing it.\u201d<\/p>\n<p>Gibbons sees a related issue: consultants trying to recreate an in-house role from the outside. They take on operational responsibility, running programs or becoming embedded indefinitely. \u201cThat erodes margins and credibility,\u201d he says.<\/p>\n<p>Another common misstep he points to is leading with tools, frameworks or certifications rather than judgment and experience. \u201cClients do not hire former CISOs for policy templates,\u201d he argues. \u201cThey hire them to help make hard decisions with incomplete information.\u201d<\/p>\n<p>Even CISOs who plan carefully before making the leap often discover that the freedom of consulting comes with hidden costs. As Sage puts it, \u201cMost CISOs consulting for the first time underestimate how much time and effort go into just managing your own business.\u201d<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>For Nikoloz Kokhreidze, the move into cybersecurity consulting came gradually through a series of small steps. 
\u201cI accumulated enough experience across different industries, I started my newsletter, and I realized there\u2019s a community of people interested in what I have to say,\u201d he explains. What ultimately crystallized the decision was the thought that his impact [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":7161,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-7160","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/7160"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=7160"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/7160\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/7161"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=7160"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=7160"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=7160"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}