The original post: /r/cybersecurity by /u/HomeOwnershipFunLOL on 2025-01-23 15:49:42.
Curious if anyone has made or has thought about making this sort of transition.
I’ve worked my way up from an entry-level security analyst to leading an Infosec/Cyber department. It’s all great fun - being able to set the policies, standards, oversight, etc., but it’s eternally frustrating to watch IT just do the bare minimum and keep the lights on rather than optimize and invest, honestly, in their own programs. Obviously it’s my job to translate business requirements and risks into IT operational needs and codify such in our standards, but I have no authority (nor should I) to actually direct process changes. We have a natural tension…which is perfect and expected, but it feels like they can’t even handle the ITIL basics most of the time…I’ll keep on reporting and doing my gig as the cyber guy, I have no operational responsibilities outside of leading IR basically, but has anyone else had this frustration?
Is there a distinct advantage coming from a security background to a leadership position in IT? I personally have always seen deep IT knowledge as a prerequisite for cyber/infosec anyway (at least to actually be taken seriously by your peers), whereas most CIOs/pure IT people often just see cyber/infosec as an annoyance, and lack any sort of deep understanding most of the time (again…in general, not always).
Has anyone thought about or made a transition like this? Obviously it’s not really kosher on paper to be “CIO/CISO” combo, but I guess it could be the case at smaller/mid size companies with limited budgets.
Would you consider such a move a step back in your career, and “out of cyber?”