The bus factor is a very versatile tool, both as a consultant and as a customer.
Say you are just getting started with cybersecurity in your organization. You need to build a security program, but for lack of adequate candidates you can't recruit easily. So you decide to recruit internally:
- some IT/networking people
- a developer who's really into CTFs
- someone from legal, part time
- your DPO, to tag along
OK, now what? You need a CISO, and you need this team to accumulate some experience, hopefully without enduring too much damage while staying compliant with your contractual and regulatory environment.
That's when I come in. I'm a consultant, and I've been doing CISO work for years. I'm not looking for a ten-year stint. I may have convincing arguments, but I still represent a bus factor of 1. If I leave early, then you are left holding the bag.
Why commit at all in this situation?
Here's my answer: I'm fully transparent about my objectives. When I come in, I am here to build for the long term. That means beyond my own expiration date. To accomplish that, I use standards.
At any point in time you will have full and complete access to a knowledge base with:
- Where we are => current OKRs, current KPIs
- What's next => Next Actions for every project in the security program
- What's over the horizon => complete calendar of recurring actions, projects and deadlines
This is a well-honed structure that anyone can easily explore. Need to replace me with 2 weeks of notice? No problem.
My value isn't in keeping your operational autonomy for myself.