{"id":15960,"date":"2026-03-16T07:09:49","date_gmt":"2026-03-16T07:09:49","guid":{"rendered":"https:\/\/newestek.com\/?p=15960"},"modified":"2026-03-16T07:09:49","modified_gmt":"2026-03-16T07:09:49","slug":"what-it-takes-to-win-that-cso-role","status":"publish","type":"post","link":"https:\/\/newestek.com\/?p=15960","title":{"rendered":"What it takes to win that CSO role"},"content":{"rendered":"<div>\n<div id=\"remove_no_follow\">\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<section class=\"wp-block-bigbite-multi-title\">\n<div class=\"container\"><\/div>\n<\/section>\n<p>CSO and CISO roles are among the hardest to fill in IT. Which should be good news for cybersecurity professionals that aspire to leadership positions as the organization\u2019s top security exec.<\/p>\n<p>For those that do, the authority, clout, pay, and benefits are increasing significantly. But so too are the responsibility and accountability placed on cybersecurity leaders today. Now typically part of the C-suite, many CSOs and CISOs report directly to the CEO, and all are expected to be a driving force for organizational security, compliance, and, in many cases, overall business success. 
So while either title may be very personally rewarding, the role is definitely not for the faint of heart.<\/p>\n<p>With that in mind, we asked current and recently elevated CSOs, as well as executive recruiters, about what it takes to land a top security executive appointment or promotion, and how those interested in earning the CSO or CISO role should go about getting it.<\/p>\n<h2 class=\"wp-block-heading\" id=\"evolving-responsibilities-and-expectations-for-csos\">Evolving responsibilities and expectations for CSOs<\/h2>\n<p>One person who has seen the CSO role significantly evolve is <a href=\"http:\/\/www.linkedin.com\/in\/kananibreckenridge\">Kanani Breckenridge<\/a>, CEO and headhuntress at San Diego-based Kismet Search.<\/p>\n<p>\u201cI\u2019ve been recruiting for the CSO and CISO functions for over 25 years,\u201d Breckenridge explains. \u201cI started in 1999 during the dot-com bubble, when security was largely perimeter defense and antivirus software. Since then, I\u2019ve watched the role evolve from technical gatekeeper to enterprise risk executive. Today\u2019s CSO sits at the intersection of technology, regulatory exposure, revenue continuity, and brand trust. It is no longer a back-office function. 
It is a board-level accountability role.\u201d<\/p>\n<p>With this new responsibility, Breckenridge says CSO candidates today are typically expected to:<\/p>\n<ul class=\"wp-block-list\">\n<li>Govern the explosion of shadow AI and establish guardrails for generative AI before it creates material data leakage.<\/li>\n<li>Move beyond prevention and operate as a business enabler, proving the organization can maintain a minimum viable business during a sustained outage.<\/li>\n<li>Address compliance burdens, such as SEC disclosure rules or the EU AI Act, not as a checklist, but as a strategic shield that protects enterprise value.<\/li>\n<\/ul>\n<p>\u201cResilience, transparency, and measurable assurance are now baseline expectations,\u201d Breckenridge explains.<\/p>\n<h2 class=\"wp-block-heading\" id=\"living-the-evolution-of-cybersecurity-leadership\">Living the evolution of cybersecurity leadership<\/h2>\n<p>One cybersecurity professional that has lived that transformation is <a href=\"https:\/\/www.linkedin.com\/in\/dalehoakcyberpro\/\">Dale Hoak<\/a>, who in July 2025 was promoted to the role of CISO at RegScale, a leading provider of continuous controls monitoring (CCM). Hoak originally joined RegScale as its first security hire and one of its first employees. Since then, he has helped the company build its security foundation.<\/p>\n<p>In announcing Hoak\u2019s promotion at the time, RegScale CEO <a href=\"https:\/\/www.linkedin.com\/in\/travishowerton\/\">Travis Howerton<\/a> noted, \u201cThe CISO role is often seen as a lifetime achievement award in this field, and Dale has earned it. 
With decades of experience in the Department of Defense and private sector, he has brought deep expertise, a relentless drive, and a clear vision to our security program.\u201d<\/p>\n<p>In his years leading up to RegScale, Hoak \u201cbuilt security programs from scratch, fixed ones that were broken, operated in environments where downtime and data loss or failure had real consequences,\u201d he says. \u201cThat experience gave me what I believe to be a strong operational background and mindset and healthy respect for practicality over theory. It\u2019s how you do it, not how you think about it.\u201d<\/p>\n<p>RegScale agreed when it offered Hoak its first cybersecurity role. For Hoak, the mission was clear: \u201cBuild trust and scale without slowing the business down,\u201d he says. \u201cRegScale lives in some of the most highly regulated environments out there. Security has to be an enabler; it can\u2019t be a blocker. The CISO\u2019s role in every company is to help the organizations get to \u2018yes,\u2019 because organizations often can\u2019t get out of their own way.\u201d<\/p>\n<p>As a CISO, you must understand how to make a positive impact on the business, he adds. You\u2019re not just security. Part of your job in the C-suite is to help the organization make money, Hoak advises.<\/p>\n<h2 class=\"wp-block-heading\" id=\"the-journey-through-the-ranks-to-cso\">The journey through the ranks to CSO<\/h2>\n<p>Another cybersecurity professional who worked his way up the ranks, though through a multi-employer path, is <a href=\"https:\/\/www.linkedin.com\/in\/russ-k-05534322\/?originalSubdomain=uk\">Russ Kirby<\/a>, now CISO at Ping Identity.<\/p>\n<p>\u201cI\u2019ve previously worked across technical, compliance, and business-facing roles, so I bring variety and breadth of experience,\u201d Kirby explains. \u201cThe size and scale of those roles and companies has also been dramatically different \u2014 from startups to Fortune 50s. 
I can talk in context of the \u2018now,\u2019 but also look to the future and see where the company wants to go.\u201d<\/p>\n<p>That experience led Kirby to the role of CISO at ForgeRock in 2019. When ForgeRock was acquired by Ping Identity and the companies officially merged in August 2023, he took over the role of global CISO at Ping Identity.<\/p>\n<p>\u201cI view the CISO position as a business leadership role rather than just a technical one, focusing on people and strategy,\u201d Kirby explains. \u201cThe ability to communicate and translate for a broad spectrum of audiences \u2014 technical, non-technical, business, non-business \u2014 is critical. As a CISO, you need to be able to help people understand the \u2018why\u2019 of what we do.\u201d<\/p>\n<p>Once viewed primarily as a senior technologist focused on systems and controls, today\u2019s CISO now sits at the heart of business strategy, Kirby says. The modern CISO is also, by necessity, a futurist: forecasting not just threats, but how digital trust, identity, and security will determine which businesses succeed and which fail.<\/p>\n<h2 class=\"wp-block-heading\" id=\"minimal-business-and-technology-skills-for-cso-candidates\">Minimal business and technology skills for CSO candidates<\/h2>\n<p>The gold standard CSO candidate today has a T-shaped background: deep expertise in one or two domains with broad fluency across the rest of the security ecosystem, Breckenridge explains. 
Here, three areas stand out:<\/p>\n<ul class=\"wp-block-list\">\n<li>Deep experience in <a href=\"https:\/\/www.csoonline.com\/article\/518296\/what-is-iam-identity-and-access-management-explained.html\">identity and access management<\/a> is often more valuable today than traditional network security.<\/li>\n<li>Leaders who have lived through large-scale hybrid or multicloud migrations across AWS, Azure, or Google Cloud Platform understand the modern attack surface in a way legacy operators often do not.<\/li>\n<li>You do not need to be a data scientist, but you must understand model risk, data poisoning, automated agents, and how AI reshapes both offensive and defensive security dynamics within your environment.<\/li>\n<\/ul>\n<p>\u201cOn the technology side, proficiency in security automation and continuous control monitoring is increasingly critical,\u201d Breckenridge explains. \u201cIn 2026, if you cannot automate compliance and evidence collection, you cannot scale. Manual security programs do not survive growth.\u201d<\/p>\n<p>On the business side, financial acumen is non-negotiable, Breckenridge says. You must be able to explain a $5 million security investment in terms of revenue protection, contractual leverage, or reduced insurance premiums.<\/p>\n<p>\u201cBoards think in terms of exposure, enterprise value, and downside risk. If you cannot translate your strategy into that framework, you will struggle to gain sustained support,\u201d Breckenridge says.<\/p>\n<h2 class=\"wp-block-heading\" id=\"challenges-and-surprises-that-often-await-a-new-cso\">Challenges and surprises that often await a new CSO<\/h2>\n<p>Once appointed or promoted to a CSO role, certain challenges and surprises may come up that new appointees will have to navigate.<\/p>\n<p>\u201cOne I learned early on, and I wasn\u2019t ready for this, is that everything is a negotiation,\u201d RegScale\u2019s Hoak explains. 
\u201cWhether you\u2019re dealing with vendors or your own teams, you have to identify problems, and then negotiate with other folks to get them to understand it or to do what they need to do.\u201d<\/p>\n<p>\u201cI\u2019m used to the old days, where you tell somebody to do it, and they do it,\u201d Hoak says. \u201cNow, most everything is a negotiation, regardless of whether you\u2019re going up or down, whether you\u2019re talking to a superior or subordinate. The other thing is that rarely are the hardest problems technical in nature. Most of the time you\u2019re dealing with either poor planning or poor communication. I find that I spend far more time doing research and root cause analysis now than actually fixing issues.\u201d<\/p>\n<p>Ping Identity\u2019s Kirby agrees, noting that most CSO burnout is caused by issues related to hero culture, micromanagement, and failure to delegate.<\/p>\n<p>\u201cThis is not a mental health crisis caused by hackers; it is a leadership design flaw,\u201d Kirby explains. \u201cThe most important point is that it\u2019s entirely fixable through modern delegation models, autonomous team structures, and trust-based leadership.\u201d<\/p>\n<h2 class=\"wp-block-heading\" id=\"steps-to-take-toward-landing-a-cso-role\">Steps to take toward landing a CSO role<\/h2>\n<p>What are the best steps a CSO candidate or aspirant can take to land a coveted role?<\/p>\n<p>It starts with transitioning your mindset from being the \u201cNo\u201d person to being the \u201cHow\u201d person, Breckenridge explains. The modern CSO must evolve from cost center to trust center as the role has shifted to being a more integrated part of the overall business and associated with revenue. Security should be a reason a customer feels confident signing a contract, not the reason a product launch is delayed.<\/p>\n<p>\u201cFocus on continuous assurance,\u201d Breckenridge says. 
\u201cAt any given moment, you should be able to demonstrate that your controls are functioning as intended. That level of transparency transforms board conversations from reactive to strategic.\u201d<\/p>\n<p>From a recruiting perspective, Breckenridge advises candidates not to pursue the title without the competence and real operating depth to back it up. Technology is evolving quickly, the regulatory environment is tightening, and this role <a href=\"https:\/\/www.csoonline.com\/article\/2505459\/how-cisos-can-protect-their-personal-liability.html\">carries genuine personal exposure<\/a>.<\/p>\n<p>When candidates move between companies, they are evaluated on measurable scope, authority, and outcomes, Breckenridge adds. Boards and hiring committees look closely at what happened under your watch. If there were material incidents, weak controls, or inflated scope relative to your actual mandate, that becomes visible very quickly. Title inflation does not hold up under due diligence.<\/p>\n<p>\u201cThe successful leaders who build durable careers in this role align accountability with authority, speak fluently in both risk and revenue, and position security as an embedded strategic function of the business,\u201d Breckenridge says. \u201cWhen you do that well, you are not simply protecting the company. You are strengthening its resilience and long-term enterprise value.\u201d<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>CSO and CISO roles are among the hardest to fill in IT. Which should be good news for cybersecurity professionals that aspire to leadership positions as the organization\u2019s top security exec. For those that do, the authority, clout, pay, and benefits are increasing significantly. But so too are the responsibility and accountability placed on cybersecurity leaders today. 
Now typically part of the C-suite, many CSOs&#8230; <\/p>\n<p class=\"more\"><a class=\"more-link\" href=\"https:\/\/newestek.com\/?p=15960\">Read More<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-15960","post","type-post","status-publish","format-standard","hentry","category-uncategorized","is-cat-link-borders-light is-cat-link-rounded"],"_links":{"self":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/15960","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=15960"}],"version-history":[{"count":0,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/15960\/revisions"}],"wp:attachment":[{"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=15960"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=15960"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=15960"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}