Timothy Youngblood, CISO of McDonald's Corp, believes "The natural progression is for a CISO to move to more of a chief information risk officer (CIRO) role that works closely with finance, strategy, operations and other groups."
"The reasoning behind this is the CISO taking on more responsibilities in the realm of privacy, third-party risk management, and compliance. While moving away from operations, e.g., network security, IAM."
The full magazine article can be referenced here: CISO Rising
I have to agree with Tim here and say the more I get into the management role of information security, the more my role gets into the three fields above. It's been quite the learning curve because I come from a technical background and not from the business side of the house. The skills are completely different. Is it good to have that background? Maybe, but it's definitely not needed.
The article also helps solidify my opinion that Security Analyst should not always be looked at as an entry-level security position and should be set up as a long-term career path. Analysts shouldn't feel pressured to move into management for career progression. Become that Tier III or IV rock star analyst and take comfort in the fact that you don't have to worry about disciplining John for showing up late two days in a row.
Further thoughts on the CISO role?
Anyone experience something completely different?