When I speak with candidates who are either leaving government roles or actively looking for a new role, I am often asked what programs or courses related to cybersecurity they could take to improve their marketability. A one-size-fits-all answer is a challenge because the operational knowledge needed by someone charged with cybersecurity is as broad and complex as the various accountabilities of non-technology security risk roles.
The concept of convergence of both roles, whereby a single point of accountability leads the strategy and governance for all security risk initiatives, can be an effective approach. While the idea has been out there for quite a while, it is still not widely utilized. There are, however, numerous examples of interdependencies that indicate a need to understand the points of vulnerability to best provide a cohesive, coordinated effort to limit and/or mitigate security-related risks.