A person in risk & security can generally be thought of as acting like one of the following:

  • Engineer
  • Analyst
  • Influencer

Interestingly (and helpfully), this is independent of official title. You’ve probably met engineers whose main operating mode is that of an advocate, leaders who act more like high-level analysts, and ops or risk analysts who focus on building capabilities.

Like all models, this has limitations, but it is useful. It can help you think about what’s missing, where the strengths are, what the structure should look like, etc.

H/T to David Ames who introduced me to this concept, though with a different name for the third role.