By Marcos Colón
February 16, 2017
As risks associated with critical assets have evolved over time, so has the role of the CISO. While some security professionals have climbed the ranks based on their technical know-how, it’s the transition into the business leadership role that tends to present the challenges for chief security officers.
More often than not, technical backgrounds don’t always translate into managing business risk effectively, just as business, compliance, or audit leaders that are used to interacting with the business may not necessarily understand the technical risks.
As employees within the security and risk department climb the ranks and get promoted into leadership roles, they will surely have a difficult time communicating risks and their strategy to the business given their deep-rooted technical background. But as business risks evolve, and information security becomes top of mind for the C-suite, security practitioners increasingly understand the importance of communicating these risks in an effective way.
“The security industry is still very immature from a tenure standpoint, so there’s still a lot of progression of technical competent resources moving into those leadership ranks,” says Mark Butler, technical information security officer of financial services technology provider Fiserv. “Getting their feet wet, trying to understand the finance models, the business revenue models, the business risk, then trying to overlay their…security capabilities on top of that and that’s where the challenge comes.”
Security leaders have adapted their approach to measurably reducing information security risks within the organization in ways that make business sense and is also easily understood by other stakeholders in the organization, from finance officers to business product owners, according to Butler.
In this video interview with InfoSec Insider, Butler discusses the evolving role of the CISO, how security practitioners earned their seat at the table and offers up advice to security practitioners that hope to one day become security leaders within their organization.
More Infosec Articles