In this Help Net Security interview, Marina Marceta, CISO at Heineken, discusses what it takes for CISOs to be seen as business-aligned leaders rather than technical overseers. She shares how connecting security to business impact can shift perceptions and strengthen partnerships across the company. Marceta focuses on the value of a security culture that supports innovation while keeping risk in check.

What mindset shifts are essential for CISOs who want to be seen as strategic leaders rather than technical guardians?
Entrepreneurship, innovation, creativity and ingenuity are behaviours that are very much encouraged and valued in our organization. As you can imagine, they clash with a rigid classical security doctrine in which you want people to follow the rules and not break them.
It required a paradigm shift in how we perceive risk and security, and for me personally, the journey has been through a compliance security lens, starting as an auditor and later leading a cyber defense team. It’s easy to fall into the black-and-white trap of being the function that always says “no” or speaks in cryptic tech jargon. It’s a scary world out there, with so many attacks happening in every industry. The classical reaction of most security professionals is to tighten defences and impose even more rules.
My stakeholders often come back with the question: “So what? How does MFA help me sell more beer?”
The answer should always tie back to a business outcome: This helps protect our reputation, revenue and customer confidence in our brands. Security should be seen as a partner that enables strategic business initiatives, not something that slows them down.
CISOs need to shift the mindset from pure compliance to asking: How does our cyber strategy support the business and its values? What calculated risks do we want the business to take? Where do we need their attention and help to embed security into the DNA of our people and our company?
What practical advice would you give CISOs on framing security discussions in a way that resonates with non-technical executives and board members?
Drop the jargon. Seriously. No one wants to hear about CVEs or zero-days in a board meeting. Use risk and impact language: “This could cost us X million EUR or impact operations.” Tie security to brand reputation, compliance and shareholder value, and to experimentation that achieves growth, productivity and a future-fit organization. And keep it short: execs love clarity, not complexity.
Another angle I like to bring into the conversation is: Why are we even talking about security? What incidents have happened that impacted the business or a specific function? Real examples make it tangible and relatable. It’s much easier to understand risk when you can connect it to your day-to-day work, no matter your role in the company.
This approach also helps pull security out of the “narrow security team” bubble. Incidents don’t just happen in isolation; they happen everywhere.
And when we compare ourselves to peer companies and look at what’s recently happened to them, it puts cyber risk into perspective.
How can CISOs craft a consistent global security strategy that still allows for local flexibility and compliance?
I don’t have a silver bullet here; it’s the holy grail of security. Our global footprint is large, which makes local market complexities a reality.
What we are experimenting with now is to think of the security strategy like a guardrail, not a straitjacket. Define global principles and, most importantly, risk appetite, baseline controls and reporting standards, but let regions adapt to local laws and cultural nuances. There is always room for flexibility and experimentation, especially for areas of your organization that are more mature.
Of course, this is possible where robust security monitoring is implemented in an environment and you have a mature security culture; then you can afford some flexibility and calculated risk. Research, development, experimentation, relentless learning and even failure are things we encourage at Heineken. You cannot have that without the freedom to operate and some flexibility.
What’s your perspective on how CISOs can foster shared accountability for cyber risk across the enterprise?
Make it everyone’s business. Cyber risk is a business risk. So, bake security into KPIs, performance reviews, and project planning. And when teams get it right, celebrate them! Honestly, storytelling works wonders. Share real examples of breaches and their business impact. People remember stories way more than policies.
At Heineken, I’m lucky. Our Executive team is genuinely interested and aware of our cybersecurity posture, which sets a strong example from the top. But let’s be real: a top-down approach alone never works as well as getting people to own it as part of their day-to-day responsibility. That’s why our Security by Culture teams focus on upskilling paths and bootcamps to turn colleagues into cyber champions. We’re not fully there yet, but we’re definitely on the right track.
How can CISOs mentor or develop the next generation of cybersecurity leaders within their organizations?
Be visible and approachable. Share the lessons that shaped you as a leader, what worked, what didn’t, and the principles that guide your decisions. I’m passionate about building diverse teams where everyone gets the same opportunities, regardless of age, gender, or background. Diversity makes us stronger, and when there’s trust and openness, it sparks mentoring, coaching, and knowledge sharing.
Make coaching and mentoring non-negotiable, and carve out time for it. It’s easy to push aside when you’re busy putting out security fires, but neglecting people’s growth and well-being is a big miss. Be authentic and vulnerable; walk the talk. Share the real stories, including failures and what made you stronger.
Too often, people focus only on titles, certifications, and tech skills. Don’t get me wrong, they matter, but they’re not enough to make a well-rounded leader. Be curious about other teams, and don’t shy away from lateral moves; they enrich your experience.
Empower people to take extreme ownership. Give juniors a shot with stretch assignments that mix tech and business, and provide a safety net for learning. Encourage certifications, but also soft skills like communication and leadership. And most importantly? Build a culture where saying “I don’t know” or asking questions is seen as strength, not weakness.
