If we’re lucky, we’ll all have a chance once in our careers to take a risk and use our skills and experience to do something we truly love. Sometimes the career risk is low, but sometimes it’s truly a leap of faith—one that offers potentially big rewards as well as the risk of major setbacks.

Tammy Moskites took one such leap of faith. The former Time Warner Cable CISO had plenty of experience at traditional enterprises, including The Home Depot, Huntington National Bank, Nationwide and Aetna. And when she got word that there would soon be a major restructuring at Time Warner Cable, she realized that her role as CISO would be eliminated.

Forewarned of her upcoming unemployment, Moskites went on the lookout for new opportunities, and decided to do something completely different. During a conversation with Jeff Hudson, CEO at certificate and encryption key security firm Venafi, she temperature-checked the idea of moving from being a security executive for an enterprise—a role she had always played—to working on the vendor side of the business. “I know my role is going to get eliminated with the restructuring, and I’m very excited about the opportunity to possibly make a move to the vendor side,” she said to Hudson.

“He kind of laughed at me,” Moskites explained months after the fact. “And he then asked, ‘Are you serious?’”

She was. And Hudson took her up on her offer.

We are seeing more CISOs take chances today, and now that there’s near zero unemployment for seasoned security managers, it seems there is plenty of wiggle room for them to do so. Those who have been in security for a decade or more have usually built security programs from scratch. They’ve helped organizations recover from breaches. They’ve mentored new professionals. They’ve seen what works well and what doesn’t.
And now they are ready to try new things.

Moskites is not entirely new to the vendor side, as she also sits on the board of advisers for Box and Qualys. And if you talk to her for 5 minutes, you can tell she’s not only passionate about the opportunity, but also a believer in the need for more secure treatment and management of certificates and encryption keys.

“Three out of every four organizations don’t have security processes in place to manage the SSH keys,” she says. “Once these keys are in place, they remain in place forever. It’s a huge risk.”

Many of the same motivations inspired Eric Cowperthwaite to recently leave his CISO position at Providence Health and Services to join Core Security as vice president of advanced security and strategy. Cowperthwaite had been CISO at Providence Health and Services for seven years.

“I hope to bring my experience as a CISO to the vendor community, and to instill some sense of the difficulties of the CISO’s job and how to best help them and what they’re trying to do,” he says.

“I think the trend is for more of us, when we find something that we really believe in, to use that as an opportunity to go out and talk to our peers and help educate them about why we are so passionate and how it can help them,” Moskites says.

However, Cowperthwaite wasn’t completely sanguine about making such a big jump. “I did not want to be perceived as selling out. From my perspective, it’s genuinely about finding what I think is a very innovative set of intellectual property that can help drive organizations to a more secure place,” he says.

Cowperthwaite was also concerned that he might have trouble getting the ear of the engineering team at Core, which he needs to do to discuss market needs. “Would I actually be able to be a voice of the market into engineering? That’s an extremely important thing.
Engineering teams are smart as hell, but they rarely, if ever, know what it’s like to be a practitioner. I think it’s important to rejuvenate vendors with people who know what it’s like to be a practitioner,” Cowperthwaite says.

None of this surprises Stan Black, CISO at Citrix Systems. Black says that hiring managers’ demand for experienced security professionals is quite high. “They’re looking for people who have actually made some mistakes and worked in large-scale environments, those that have credibility and can talk about any topic,” he says.

And what’s in store for those CISOs that decide to move to the vendor side of the industry? Black says their new positions may be quite rewarding, offering many new hats that enterprise CISOs don’t typically get to wear. And he would know: Black has considerable experience working as a CISO at numerous software and security vendors, including EMC, RSA and Nuance, before joining Citrix this fall.

However, before making his most recent move, Black established a set of criteria for any position he chose. “I knew I didn’t want to report to the CIO ever again. And I wanted to join a company that possessed four key traits: They had to have integrity, a positive culture, a heritage in technology, and a strong vision. I love working with technology, personally. It’s something I really enjoy and has to be a big part of what I do,” he says.

In his position at Citrix, Black reports to the COO, who is also the CFO. “I am truly enabled to do my job. And to put my foot down, when it is appropriate, to protect our company and our customers,” Black says.

It’s quite a challenge to help Citrix develop its products securely, keep its customers secure and keep the company itself secure, but Black also finds it quite rewarding.
“In addition to being the corporate CISO, I provide oversight for Citrix products, where my job essentially is to define one framework and one set of standards and get everybody on board with a common vision,” he says.

To achieve these goals, Black says that he has to engage with many aspects of the business, including sales, marketing, internal audit, design, engineering and business leaders. “It’s more of a question of who don’t I work with,” he says.

When it comes to internal Citrix security, Black works closely with the physical security and safety teams. “We’re running a converged security program, and the person that runs that—the physical side and the safety side—we’re working incredibly well together and we’re merging our two worlds together so we have visibility into our entire supply chain: products, services, people and data.”

Given CISOs’ ability to add value to all those critical areas, it’s no surprise to learn security vendors are snapping them up.

“Security companies often don’t realize that their products aren’t doing what security people need. I have sales people calling me constantly saying, ‘This widget will make you more secure. You don’t understand how important this is to you.’ Most of the time they don’t have a clue what is important to me,” Black says.

But that’s exactly the kind of value that both Cowperthwaite and Moskites hope to provide to their new employers.

“Vendors need to hear the honest truth and help them understand practitioners. They really do. The fact that there’s this chasm between vendors and practitioners and nobody trusts each other across this chasm is unacceptable. There is immense distrust across that boundary,” Cowperthwaite says.
“If I can help them breach that boundary and establish more trust, then I’d consider the mission a success.”

Helping to build that trust, both with the vendor community and within the company’s own infrastructure, was one of the things that attracted Moskites to her new position—plus she still gets to do what she’s always done as CISO. “I am still a security officer at Venafi. I’m still doing the day-to-day securing of the company, writing security policies and procedures, but on a much smaller scale than at Time Warner. But only now as part of my job I actually talk to people about things that I’m passionate about. And that’s very cool.”

George V. Hulme is a freelance security and technology writer based in Minnesota.