New (And Not So New) Roles in Security

It’s Not Just About Engineers

Helen Patton
5 min readJul 31, 2022


Every security leader is required to build a security team that can manage an organization’s security risks and requirements. Historically, that has meant hiring security engineers, architects or technical analysts. After all, security is a technically-driven profession.

A wall painted with multiple colors to look like jigsaw puzzle pieces.
Photo by Ashkan Forouzani on Unsplash

It’s true to say that technical resources (that is, folks who build, maintain, or assess information systems) are needed to run an effective security organization. But a leader who only hires for these skills and roles is missing important elements of a well-rounded and future-focused security program. Here are some roles to consider hiring (or finding elsewhere):

Compliance Operations

When building a security strategy, most organizations start with the things they must have, aka compliance. But rules and regulations are tricky things.

First, the regulations often leave room for interpretation, which means you can’t just take a list of regulations and magically know how to apply them in your organization — someone must interpret the regulations against your technology stack, your operational processes, and your organization’s risk tolerance. Lawyers can help but typically don’t have the technical expertise to do this work.

Second, the rules and regulations keep changing. And there are a lot of them. As a company grows the type of data they use, the locations they operate in, and the products they sell, they bump into new and interesting requirements. Even if the business stays relatively static, the number of new security and privacy regulations is growing daily. You need someone who can stay in touch with those changes, and incorporate them into the work your organization does.

Look for people to do this work who enjoy dealing with the minutia of interpreting regulations — business analysts, process engineers, legal analysts, etc. Engage with industry groups who can help you begin the analysis of new regulations (ISACs and ISAOs are a good place to start). If your organization is large enough to have policy lobbyists, make them your friend.

Story Tellers



Helen Patton

Cyber Security, Technology Ethics, and Humanity. What else? I can be found at or on Twitter @CisoHelen or on Mastodon