While the original book, even to my own surprise, appears even more valid today than it was when I first wrote it, my own understanding of the underlying principles has continued to evolve.

Especially two key ones.

One of them suggests another new paradigm, but I’ll keep that for last.

First, and perhaps the toughest to tackle, is about the future of the CISO. As in, is there a future for this role?

Let me get the big statement out of the way:

No.

There isn’t.

The current incarnation of the standalone CISO role as part of the executive committee is, in a business sense, simply unnecessary. And as soon as senior corporate leaders grow comfortable enough—as in less fearful—to realize security is ...