A thing I keep noticing about security professionals, after a few years in the field: we tend to be unusually candid. Genuinely passionate. Mission-driven in a way that’s almost a tell. When a security person describes their work, you hear actual conviction. When the same person describes a meeting they sat in earlier that day, you often hear bewilderment.

This is because the business is not candid, not passionate, and not mission-driven. The business is transactional. Both things can be true at the same time, in the same building, and most security careers eventually come down to making peace with that gap.

The gap, concretely

The security person walks into a vendor risk review with the question: “is this product safe to use with customer data?”

The business walks in with the question: “is this product cheap enough, fast enough to deploy, and will the customer’s procurement team accept the answer we already decided to give?”

Both questions are legitimate. They are not the same question. They produce different decisions when answered honestly. The friction in most security careers is the discovery that the second question almost always wins, and the first question is usually answered after the fact, in language that makes the second question look like the first.

This is not a bug in your organization. It’s the default mode of every for-profit company.

The wrong reactions

Some security people respond by becoming cynical. They stop pushing back on bad vendor choices, stop writing thoughtful threat models, stop caring about the difference between “compliant” and “actually secure.” They protect themselves by lowering their standards to match what the business will accept. They get promoted. They become the security person other security people don’t trust.

Some go the opposite way. They double down on the mission, refuse to translate it into business terms, become known internally as the “no person,” lose every fight, and eventually leave for another company where the same pattern plays out. They keep their integrity. They also keep their relative powerlessness.

Neither of these is the move.

The actual move

Stay candid. Keep the conviction. And translate.

Translation is the unglamorous skill nobody teaches in security. It looks like:

  • Knowing that “we shouldn’t onboard this vendor” lands wrong, and “onboarding this vendor adds $X expected loss based on Y published breach rate, vs. $Z in deal value, here’s the math” lands right.
  • Knowing that “this control is not implemented” is true but useless to the CRO, and “this control gap is blocking the $4M Enterprise contract, here’s the smallest fix that unblocks it” gets prioritized.
  • Knowing that the CFO doesn’t care about your CVSS scores but does care about cyber insurance premiums going up by 30% if you don’t address them.

This is not “becoming a business person.” It’s keeping the security analysis honest and packaging it in the language the decision-maker actually thinks in. The analysis stays the same. The wrapper changes.

What this costs

It costs energy. Translation is real work. Doing it well means reading the company’s actual financials, knowing which deals are in the pipeline, sitting in QBRs that don’t directly involve you. Most security people don’t want to do this. Fair enough. But that’s the trade.

It also costs a specific kind of identity. The security person who translates well will be perceived by other security people as having “gone business.” This is partially accurate and partially a coping mechanism by people who didn’t make the same trade. You’ll lose some peer respect to gain organizational influence. Both matter; you pick.

What stays the same

What doesn’t change, and shouldn’t, is the passion and the candor. You can be the security person who knows how to talk to the CFO, who shows up in QBRs, who got the security team a real budget by translating risk into revenue. And you can still be the security person who looks at a system and tells the truth about it. Privately, in the room, when it matters.

The dishonest version of “going business” lies in both directions: tells the security team that everything is great, tells the business that security is impossible. The honest version tells everyone the same thing in different languages.

What the role actually is

We’re chief risk officers and sales enablers. Both, simultaneously, whether or not anyone in the org calls us those things.

Chief risk officer: keep an accurate, current, defensible read of where the company’s exposure sits, and surface the parts of it that matter to the people who set the priorities. Not a CVSS dump. Not a slide deck. A short, honest narrative that ends in “here’s the call I’d make if it were mine.”

Sales enabler: equip the people closest to the customer to talk security themselves, so you’re not the bottleneck on every deal. Train your SCs and AEs to handle the easy 80% of security questions confidently, with the right language, in the room. Build a public trust center the customer can browse without scheduling a call. Maintain a clear internal source of what’s shareable today, what’s NDA-only, and what’s never shared, so the people you’ve trained can grab the right artifact in 30 seconds instead of paging you on Slack.

The trust-center-and-shareables story sits on top of one thing most security teams have not done well: data classification. If you can’t tell your AE which page of the SOC 2 report can go out unredacted, versus what needs the customer to sign an NDA first, you can’t enable them. You’re stuck reviewing every send by hand. Strong data classification is the unsexy foundation that makes sales enablement scale. Without it, every deal is artisanal, and the security team is the bottleneck.

The deals that close because security made it frictionless are the deals that pay for the security team.

These are the two halves of the job once you’re past IC. Some companies will give you the titles, most won’t. The work is the same regardless.

Most security people are good enough at the technical half. The reason most don’t get further is the other half.

Translation is the job.