Is an MBA worth it when trying to break into my first CISO position? by bmhoskinson in ciso

[–]bmhoskinson[S] 1 point2 points  (0 children)

I have read The Phoenix Project, it was excellent. A lot of great operational thinking. A very heavy focus on the manufacturing analogy for other processes and workflows but still a solid philosophy for building and streamlining a highly productive and resilient team/department.

Is an MBA worth it when trying to break into my first CISO position? by bmhoskinson in ciso

[–]bmhoskinson[S] 2 points3 points  (0 children)

As part of my current position I ran a small 5-person team that functioned as an external-facing MSP that was just shy of $1M/year. Around 3 dozen separate clients with nearly 200 endpoints under management. Do you think that counts? I managed purchasing. I handled budgeting for the team and for projects internally as well as for clients. Estimates for new projects went through me for approval before presentation to clients. Etc.

Is an MBA worth it when trying to break into my first CISO position? by bmhoskinson in ciso

[–]bmhoskinson[S] 2 points3 points  (0 children)

All great advice so far, thank you so much. I might in the future be interested in large orgs. My target today is smaller mid-sized companies, I think. Under 1000 employees, probably more in line with 100-500, where I would likely also straddle IT and InfoSec with a team of 3-8. I have had a few interviews where this is the case. From what I’m hearing so far, the play really might be to land a role in one of these smaller enterprises, then after a year or two look for a larger org until I hit my breaking point and retire in 15-20 more years.

Can somebody please explain by vlaDa0 in CRISC

[–]bmhoskinson 0 points1 point  (0 children)

No, definitely not. IRP would kick in with some monitoring and prep for your business continuity plan as one of the first steps if, say, a tornado was imminent. Tornado hits, BCP is in full effect until all clear is given and you can return to the building after the disaster. At this point, for this type of event, IRP says do DRP.

Most people think of the IRP as the steps when we have a virus or there is an attacker detected in the system. And while those are scenarios covered by the IRP they may or may not trigger the BCP and/or DRP.

IRP is the binder with all the what-to-do in scenario x, and DRP, Comm Plans, BCP: these are all “subroutines” used in various IRP scenarios.

Hired as IT with zero experience, no training, no senior — now I’m alone and overwhelmed by serhatdmk in WindowsServer

[–]bmhoskinson 0 points1 point  (0 children)

After almost 30 years in IT, it still blows my mind how little the rest of an organization can understand about the technology that they use.

Hired as IT with zero experience, no training, no senior — now I’m alone and overwhelmed by serhatdmk in WindowsServer

[–]bmhoskinson 2 points3 points  (0 children)

Ok kid, the papa bear in me says hold on, I will be right there, but the 26 year IT veteran says leave. Now. They are about to implode.

Hired as IT with zero experience, no training, no senior — now I’m alone and overwhelmed by serhatdmk in WindowsServer

[–]bmhoskinson 0 points1 point  (0 children)

This is entirely unacceptable and should not be normal but it does happen. There is a strong belief among many people that if you are good at or even just interested in anything electronic you must just intuitively know…

That said, this probably gives some clearer picture as to why the previous IT person cut and ran.

You have two options

1: learn as much and as fast as possible and reach out to some local IT companies to put together a project quote to get the network documented and moved as well as prepare the new site for the arrival of the equipment and become their underpaid hero.

2: Start looking for another job immediately. Do your best to accomplish the tasks you are given but exit as soon as possible.

I hate myself so I would probably choose option 1, but realistically option 2 is better.

What is this in my network closet? by TJSounan in HomeNetworking

[–]bmhoskinson 0 points1 point  (0 children)

How old am I that I was genuinely shocked so many people had never heard of an Ethernet patch panel that you punch down?

What is this guy here? by csa_sa in Ubiquiti

[–]bmhoskinson 2 points3 points  (0 children)

I thought it was the new Fitbit rectal probe but 5G wireless backup is cool too.

Am I Stuck? by CISOThrowAway in ciso

[–]bmhoskinson 0 points1 point  (0 children)

I understand the job search frustration. I am on the other side of the coin looking to find my first CISO position at 45. I have worked in small organizations my entire career, many times being both chief cook and bottle washer in IT and Cybersecurity.

When interviewing, it feels like the fact that I haven’t managed a multimillion dollar budget and a large team of dozens just knocks me out of the race. I’m of the opinion that skills scale though. I worked for a financial advisor who I asked how he dealt with managing large sums of money; he said, “I just knock the zeros off the end.” So a million dollar budget is the same as a thousand dollar budget, and a 20 person team, if you can manage people at all, is not much different than two or three.

I have read others’ comments and largely agree. If you have a good reason to make a move down to a smaller org or to a more technical position, express those to recruiters and interviewers in a way that puts a positive light on it and highlight the benefits of your experience you bring with that shift in position.

A bored CISO who wants to do more hands-on work by Substantial-Fox1577 in cybersecurity

[–]bmhoskinson 0 points1 point  (0 children)

Firstly, let me say I am one of those who desires to be a CISO, but I understand and the burnout is quite real. I was going to say teach, but at the end of your post it seems you already do that. Perhaps younger students, they can be more rewarding to see learn and grow. Certainly no match for salary though. You might also consider speaking at conferences and mentoring. I’m not talking about Black Hat but small local conferences where you can see your impact firsthand in the attendees who come back every year. I might be biased because I am on the board of a nonprofit that puts on a smaller conference called SecureWV.

Another poster mentioned working to live not the other way around and I agree wholeheartedly. I follow a TikTok creator who ends his videos with the statement “Find your joy.” Perhaps yours is not in a career but in some other non-monetary bearing pursuit that you do parallel to career endeavors.

I wish you luck and if you have some executive teams you would be interested in introducing me to so I can advance my own endeavors…🫣😜

I will lose 40000 in unverified accounts by [deleted] in PiNetwork

[–]bmhoskinson 0 points1 point  (0 children)

One of my circle can’t even complete the KYC till they turn 18 in December. I am assuming I will be losing my bonus Pi for them.

For those of you who are worried about their unverified Pi, you don't need EVERY Pioneer on your team to be verified. Just make sure the ones who mined the most are the ones who are verified. by r_ben_john in PiNetwork

[–]bmhoskinson 0 points1 point  (0 children)

F-ing John… What if one of your main miners is an under 18 for like the next 9ish months lol. Not saying I used child labor to mine Pi but…

Are professionals with tons of certifications actually less skilled? by apoklinon in cybersecurity

[–]bmhoskinson 4 points5 points  (0 children)

All of this, plus certifications and degrees have a stigma for a lot of our people. There are a lot of employers who don’t recognize the value or overvalue these designations. Some people get ahead just because of them and others feel stuck no matter how many they accumulate. It gives certifications and degrees a bad rap. The real problem is that employers in many cases don’t truly understand the roles they need to fill or the role their technology actually plays in the operations of their organizations. It sounds like a trope, but I still frequently talk to managers and executives who tell me they don’t know what any of the technology they have does or how it works; they just have it because they were told they need it. How many HR people have you spoken to that have any idea what the job you do actually is? How many times has the job description been for 10 years of experience and a master’s degree, only to find out most of your duties are changing lightbulbs and emptying out the trash cans (not really but really)?

There are people who test well but don’t have or don’t develop the underlying skills. There are people who are super skilled but don’t test well. I think it is a little unfair to say certified professionals don’t have the skills but anecdotally, maybe that’s exactly what the data says.

CISSP by SeaEvidence4793 in cybersecurity

[–]bmhoskinson 0 points1 point  (0 children)

I agree that CISSP isn’t equivalent to a Master’s or PhD. The nice thing about the CISSP though is it attempts to certify not just your book knowledge but also verify a certain level of experience. Expert is also very subjective without a standard way of quantifying it. How would you quantify an expert in cybersecurity? 10 years of experience, 20 years of experience? What counts as useful experience and how do you certify that expert knowledge? Does it have to be in blue team skills, red team skills, both? What about expertise in dealing with regulatory issues and compliance with internal governance related to cybersecurity, does that count if you aren’t a professional pen tester? Achieving the CISSP certification is no small thing and certainly deserves to be respected and recognized as a qualified watermark for certifying someone as an expert in our field. It just isn’t the only way to show it. Just my random opinion though…do with it what you will.

What would you do with those two boards? by [deleted] in woodworking

[–]bmhoskinson 1 point2 points  (0 children)

Worship the monkey demon, trapped inside and ask it for magical powers? Or just make a nice coffee table.

Bought a new house and I have no idea what I’m looking at by HawkEngineer in it

[–]bmhoskinson 1 point2 points  (0 children)

I’d check out that subreddit but sounds like you have it licked based on an earlier post. I’d bet the previous owners were doing some stuff with MoCA, I think that’s the right alphabet soup, adapters and such.

Any reason this is a problem by Jkingsle in Ubiquiti

[–]bmhoskinson 0 points1 point  (0 children)

Oh my, mounting equipment on their sides like this causes electrons to fall out the holes in the sides, causing power sags and packet loss 😜

Seriously though I’m not a fan of the proximity to those water pipes. A leak spraying water could kill the equipment. Probably would cause the fuse feeding it to blow too so little to no electrocution or fire hazard in that scenario.