The Demise Of The Player/Manager CISO

The role of the CISO is changing.

For years we have talked about the requirement to make the top security and risk (S&R) role increasingly business-facing, and this is now turning into a reality. Surprisingly, however, we see an increasing number of non-IT security folk stepping up to take the CISO role, often ahead of experienced IT professionals.

These "next-gen" CISOs are commonly savvy business professionals, experienced at implementing change and evolving processes, and adept at dealing with strategies, resource plans and board-level discussions. Their placement into these S&R roles often comes as an unwelcome surprise to those that have been working within the IT security teams; however, we have to recognise that this new breed are simply filling a gap. Unfortunately, although we have talked about the professionalization of the role and the need for greater business engagement, many S&R professionals are still not ready for the leap, and this opens up an opportunity for others to steal their way in. 

Make no mistake; this is a significant change in the traditional S&R professional career path. 

In European football (soccer) leagues, there used to be a large number of players that progressed, through the "Player/Manager" role, to take charge of their teams, but that is becoming increasingly rare. The football (soccer) manager is now a professional job, focussing on aspects such as tactics, sports psychology, financial management, scientific analysis and diet rather than just the on-field aspects of "kick the ball and chase after it" (as my wife would describe it!). A similar revolution is happening in information security. The top role is no longer automatically handed to the longest-serving information risk professional in the firm. As the vacancy becomes open, organisations are seeking an entirely different animal to fill the role – someone who is not "trapped in the weeds" but who can see the bigger picture, relate that vision to the business strategy and then communicate effectively with the board members.

Join us at our upcoming EMEA Forrester Forum on June 10-11 in London, UK, where we will discuss the transformation of the CISO role and analyse what current CISOs and S&R professionals are doing to protect their career plan. 

Comments

Advice

... Remember, even with soccer coaches, not all perform the same, and certainly not all have the same standardised (ISO or whatever) work methods.
Ernst Happel is remembered for the, for him! ..., most elaborate, well-thought-out, risk-adjusted policy rule delivered just before an important match: 'Sr.w it, just play ball' (Kein geloel, gewohn fussballen).

So... (psychological / organisational) sensitivity of what's required, may indeed trump the best tech experience.
In the end, standing on two legs may take one furthest.