The CvCISO Code: Why I Wrote It and Why It Matters

In 2022, I sat in a meeting where three companies were pitching vCISO services to a consortium of 26 organizations. The question was simple: “Tell us how your vCISO services work.”

The first company — a consulting firm from the east coast — answered: “Well, we sell you a block of hours, and as you need services performed, we deduct from your hours.”

The second company, from Canada, said: “We essentially work the same way.”

I sat there feeling the anger build. Not surprise. Anger. Because I’d seen this before. Big consulting brands, polished slide decks, confident delivery — and absolutely no understanding of what a vCISO is actually supposed to do. Selling blocks of hours isn’t a vCISO service. That’s a staffing arrangement with a fancy title. Those 26 organizations deserved better than that, and they almost didn’t get it.

I wasn’t there to answer questions. I was there to observe. But I couldn’t help myself.

I interrupted our FRSecure rep and asked if I could take it. Then I told the room: we don’t work that way. We don’t sell blocks of hours. We show up with mutual accountability, help you manage information security risk, and make sure the decisions you make actually get implemented properly. That’s what a vCISO does.

That meeting didn’t start the mission. The mission — To Fix the Broken Industry — has been alive since before I founded FRSecure in 2008. But that room crystallized something for me. The problem wasn’t just bad actors. It was low expectations. Organizations didn’t know what to demand, and too many practitioners were happy to deliver less.

The CvCISO Program came out of that. And the CvCISO Code is its foundation — the line in the sand that says: if you call yourself a CvCISO, this is what that actually means.


These Are Not Suggestions

The Code opens with this:

“These are not aspirational ideals. They are working commitments — the standard by which a CvCISO is measured, and by which we hold ourselves accountable every day.”

The security industry loves aspirational language. We’re great at writing codes of conduct that look good on a website and change absolutely nothing. This isn’t that.

Every principle in this Code is something I’ve seen violated. By other practitioners. By large, well-funded firms with impressive client lists. And honestly? A few times early in my career, by me — before I knew better and before I’d built the discipline to do better.

These aren’t edge cases. They’re patterns. And those patterns cause real damage to real organizations.

Let’s go through them.


1. Mission Before Money

I serve the security interests of the organizations that depend on me — not the comfort of their leadership, not the quota of a vendor, and not my own financial convenience.

When mission and money conflict, mission wins. Always.

Those two companies in that meeting weren’t thinking about the security needs of 26 organizations. They were thinking about billable hours. That’s the clearest example of this problem I’ve ever sat in a room with, but it’s everywhere.

Plenty of vCISOs are essentially vendor reps with a fancier title. They recommend tools their friends sell, tools that kick back revenue to them, or tools that generate more billable work downstream. They tell clients what clients want to hear because a happy client is a retained client.

That’s not security leadership. That’s a conflict of interest dressed up in a suit.

Your job — our job — is to serve the mission of the organization. That means recommending what they actually need. It means delivering a hard finding even when the CEO doesn’t want to hear it. It means telling a client they’re not ready for something they’re excited about.

When mission and money conflict, mission wins. Every time. No exceptions. If you can’t commit to that, you shouldn’t be doing this work.


2. Accountability Without Excuses

I own the outcomes of my work, not just the recommendations I deliver. If I said it was secure and it wasn’t, I don’t look for someone else to blame.

Accountability means standing behind your judgment — including when that judgment turns out to be wrong.

This is where a lot of vCISOs hide: behind the phrase “I made recommendations, but they didn’t implement them.”

Yes. And?

If you’re the security leader, you own the outcome. Not just the PowerPoint. Not just the risk register. The actual security posture of the organization. When something goes wrong, the first question I ask myself isn’t “who else is at fault?” It’s “what did I miss, and what do I own here?”

That doesn’t mean you absorb blame that isn’t yours. Accountability isn’t self-flagellation. It means you don’t deflect. You face it, figure out what happened, and correct it.

“Mutual accountability” isn’t a marketing phrase I threw at that meeting room in 2022. It’s how I’ve tried to operate for twenty-plus years. It’s hard. It’s uncomfortable. That’s exactly why it matters.


3. Integrity Over Comfort

I say what needs to be said, even when it’s unwelcome. I deliver hard findings clearly. I disagree when I disagree — professionally, directly, and with reasoning.

Holding back the truth is not diplomacy. It is a failure of integrity.

The security industry has a softening problem. We’ve been so obsessed with being “business-aligned” and “not the department of no” that a lot of us have stopped telling the truth plainly.

I’ve seen assessment reports where the most critical finding is buried in Appendix C, surrounded by so much hedging language that the executive team missed it entirely. I’ve seen vCISOs nod along in meetings when they knew the plan was wrong — because pushback felt like a threat to the engagement.

That’s not diplomacy. That’s failing your client.

You can deliver hard things professionally. You can disagree without being a jerk about it. But you cannot soften a finding to the point where the client doesn’t understand the risk they’re carrying. That’s not kindness. That’s negligence.

Say the thing. Say it clearly. Back it up with evidence and reasoning. Let the client decide what to do with it — that’s their right. But they deserve the truth. Full stop.


4. Competence as a Moral Obligation

The organizations I serve are trusting me with something that matters. I owe them genuine expertise, not the appearance of it.

I never stop learning. I admit what I don’t know, and never let a credential substitute for the judgment it was supposed to represent.

I built a certification program, so I want to be precise here: I love certifications. They matter. But a credential is a starting point, not a resting place.

The most dangerous people in security aren’t the ones who don’t know things. They’re the ones who stopped learning and kept billing. The threat landscape changes. Regulations change. Attack techniques change. If you’re operating on what you knew three years ago and haven’t done the work to stay current, you are not serving your clients — you’re selling them the appearance of leadership.

The harder part is admitting what you don’t know. This industry has a culture of projecting confidence even in uncertainty, because uncertainty looks like weakness. It isn’t. “I don’t know, but here’s how I’m going to find out” is one of the most credible things a security professional can say.

Own your limits. Stay current. Never let a credential substitute for judgment.


5. Community Over Competition

I don’t hoard what I’ve learned. This profession gets better when more people are genuinely good at it — and that’s on me too.

I invest in the people coming up behind me. I share what I’ve learned — including what I got wrong. A stronger community of CvCISOs means better security for the organizations and the people we serve.

Some practitioners treat their knowledge like a trade secret — something to protect from other consultants who might compete for clients. That mentality poisons this profession.

We are not in competition with each other. We are in competition with the attackers, the systemic weaknesses, and the low expectations that let those two companies walk into that meeting room and give that answer.

Share what you know. Share what you got wrong — that’s often more valuable than the wins. If you learned something the hard way, don’t make the person behind you learn it the same way.

More genuinely good CvCISOs means better security for more organizations. That’s the point of all of this.


6. Know When to Walk Away

I protect my ability to do good work. When a client relationship prevents me from being honest, holds me accountable for decisions I wasn’t permitted to make, or consistently asks me to compromise this Code — I have an obligation to address it directly, and if necessary, to walk away.

Staying in a relationship that undermines these principles doesn’t serve the client. It doesn’t serve the profession. And it doesn’t serve me.

Sometimes the right move is to fire the client.

Not dramatically. Not out of ego. But as an honest acknowledgment that the relationship has broken down in a way that prevents you from doing good work.

If a client won’t let you be honest with them, you are not their security leader — you’re their security decoration. That’s worse than them having no vCISO, because it gives them false confidence while the real problems go unaddressed.

If a client holds you accountable for outcomes that resulted from decisions you explicitly advised against — and keeps doing it — address it directly. Try to fix it. If it can’t be fixed, walk away.

Your integrity is the only thing that makes this work worth doing. Don’t trade it for a retainer.


To the Organizations Hiring vCISOs

You need to raise your expectations — and you need to know what to ask for.

Not everyone calling themselves a vCISO is operating by anything close to these principles. Some are selling blocks of hours and calling it leadership. Some are recommending tools for the wrong reasons. Some genuinely mean well but don’t have the depth to back it up.

Ask hard questions. Ask them what they’ve gotten wrong and how they handled it. Ask how they deliver a finding that leadership doesn’t want to hear. Ask what happens when mission and money conflict.

Watch how they answer. The good ones won’t have perfect answers — but they’ll be honest about the imperfection. That’s what you want. That’s what you deserve.


To the Broader Security Community

The vCISO market is broken. That’s not a hot take. It’s what I’ve watched happen for two decades, and it’s why I’m still angry about it.

We fix it by raising the standard — on ourselves first. By holding each other accountable. By refusing to let bad practice go unnamed just because calling it out is uncomfortable.

The CvCISO Code is a stake in the ground. It doesn’t fix everything. But it names what we should expect from each other — and what the organizations depending on us have every right to expect.

If you’re doing this work honestly, I want you in this community. If you’re cutting corners, hiding behind deliverables, or selling blocks of hours and calling it security leadership — this Code isn’t for you. Neither is this program.

The mission is to fix a broken industry. It started a long time ago. It isn’t finished yet.


The CvCISO Code is the foundation of the CvCISO Program. If you’re doing this work and want to do it right, we want to hear from you.
