For years we have talked about the requirement to make the top security and risk (S&R) role increasingly business-facing, and this is now turning into a reality. Surprisingly, however, we see an increasing number of non-IT security folk stepping up to take the CISO role, often ahead of experienced IT professionals.
These "next-gen" CISOs are commonly savvy business professionals, experienced at implementing change and evolving processes, and adept at dealing with strategies, resource plans and board-level discussions. Their placement into these S&R roles often comes as an unwelcome surprise to those who have been working within the IT security teams; however, we have to recognise that this new breed is simply filling a gap. Unfortunately, although we have talked about the professionalization of the role and the need for greater business engagement, many S&R professionals are still not ready for the leap, and this opens up an opportunity for others to steal their way in.
Make no mistake: this is a significant change in the traditional S&R professional career path.
I presented the keynote at the Biztech2 event in Mumbai last week. It was a big evening, as almost all key Indian CIOs were present at the event. The theme of my keynote was “The Empowered BT CIO,” which triggered some interesting thoughts, as all of the discussions that I had after the presentation were mainly around “business” with hardly any mention of “technology.” Below are the key points mentioned by CIOs in my discussions with them:
“We do all the work and business leaders take all the credit. But if something goes wrong, we are the ones who get the blame.”
“The money is with the finance and marketing departments, and we have to depend on them for our budget. My CEO should change this structure.”
“I don’t have followers in my organization.”
“My organization doesn’t give me the same importance as it gives the CFO or CMO.”
“Through technology innovation, I helped the company reduce IT spending and save money.”
All of these points have one thing in common: “my present role and issues that I face today.” But no one talked about their future role! My response to them was consistent, as I categorically highlighted that CIOs have two options:
Continue with your current approach — but then the future role of the CIO will be dismal.
Step up and take the challenge to shape the business. Take it as an opportunity to transform your role in the empowered world.