For years we have talked about the requirement to make the top security and risk (S&R) role increasingly business-facing, and this is now turning into a reality. Surprisingly, however, we see an increasing number of non-IT security folk stepping up to take the CISO role, often ahead of experienced IT professionals.
These "next-gen" CISOs are commonly savvy business professionals, experienced at implementing change and evolving processes, and adept at dealing with strategies, resource plans and board-level discussions. Their placement into these S&R roles often comes as an unwelcome surprise to those that have been working within the IT security teams; however, we have to recognise that this new breed are simply filling a gap. Unfortunately, although we have talked about the professionalization of the role and the need for greater business engagement, many S&R professionals are still not ready for the leap, and this opens up an opportunity for others to steal their way in.
Make no mistake; this is a significant change in the traditional S&R professional career path.