How to know you’re a real-deal CSO, and whether that job opening truly seeks one

Striking the right balance of experience and responsibility: Mark G. McCreary, partner and chief AI and IT security officer at Boston-based legal firm Fox Rothschild LLP, has seen both extremes: security being completely sidelined and security professionals given excessive, unjustified authority.

In some firms, a newly appointed CSO might be positioned as a gatekeeper without the necessary governance, run books, or partner alignment to justify that veto power, McCreary explains. This imbalance becomes evident when policies exist, but the firm hasn’t practiced who does what under pressure, whether it’s legal and crisis response, technical actions, communications, or client outreach. Mature organizations proactively assign and rehearse these roles.

Breckenridge agrees, saying, “Many so-called CSOs have never really owned a budget or led through a major data or security incident.”

Considering the high stakes, why would any organization run the risk of hiring an under-experienced CSO? Usually it’s a mix of timing, optics, or a defensive hire that can be more externally driven than what makes sense internally, Breckenridge explains.

For example, an organization may use a CSO title as “audit bait” to satisfy regulators or insurance carriers. In other cases, it’s a retention play: a talented technical architect is given a C-level title to keep them from being poached, despite having no experience in P&L management, board governance, or organizational design.

Call it a case of title before mandate, McCreary says. A new title might be created to satisfy client questionnaires or for marketing purposes, but the actual authority, budget, and scope of responsibility haven’t caught up.

Experience and skills a CSO should rightly have: Cutting through the hype, what should a top-notch CSO bring to the role?

“A strong leader balances risk and revenue. A true CSO can translate complex cyber, privacy, and AI risks into specific client and matter risks, explaining them in business terms that a partnership easily understands,” McCreary says.

In the case of legal firm Fox Rothschild, this means connecting threats directly to issues like conflicts, privilege, Outside Counsel Guidelines, and ultimately, client trust.

“Effective governance needs to be operational from day one,” McCreary says. “Policy shouldn’t just sit on a shelf; it must be directly linked to practical playbooks, clearly defined roles, and escalation paths that the business regularly practices. Think incident response policies, cyber event frameworks, and data-breach playbooks all working together.”

How a CSO can recognize they may have an inflated title: A CSO “imposter gap,” as Breckenridge calls it, usually appears in the boardroom, and when the individual spends more time delivering authority and decisions than delivering outcomes. “If you find yourself speaking only in technical vulnerabilities rather than business liabilities, you’re likely a director with a CSO title.”

As many firms have different job architectures, title standing may also depend on the organization, its size and market segment, and the overall functions and responsibilities of an IT security professional, Wald explains. Generally speaking, titles should be based on more commonly held competitive benchmarks in the market.

“Usually, when entering into a role, IT security professionals are aware of the title that they are pursuing. It would be contingent on the hiring company to maintain the consistency of the role’s functions rather than evolve into a function that isn’t reflective of the initially stated title and tasks,” Wald says.

To ensure that an employer and a CSO candidate are on the same page, Wald says the security pro “should be encouraged to speak to other immediate team members and partner stakeholders in product strategy, operations, business, finance, and legal teams, to gain insight and perspective on the prospects, needs, roadmap, and related touchpoints to help come to a consensus on the viability of that opportunity.”

How CSOs can be sure they’re the ‘real deal’: IT security leaders know they’re the real deal when the business seeks their counsel on non-security issues and they are comfortable being challenged regarding other business decisions, Breckenridge explains.

“When a business unit leader asks for your input on a new market entry or an M&A deal because they value your risk-adjusted perspective, you’ve arrived,” Breckenridge says. “You also know you’re ready when you can comfortably accept ‘informed risk’ and feel like you’re fine signing off on a known vulnerability because the business value of a launch outweighs the technical debt.”

Other sure signs that you deserve the title: You can confidently execute the plan. You’re able to initiate an incident call, follow the firm’s IR policy, and execute the breach playbook without creating privilege problems or ethical wall violations, McCreary explains.

“You’ve established a cadence that truly moves the needle. You lead security standups and actively participate in AI task forces or subcommittees where decisions result in tangible outcomes, like new policies, controls, or training,” McCreary says. “You effectively educate your stakeholders. You deliver training and practical AI and infosec guidance that the organization genuinely uses.”

Assuring oneself, and the organization, that all is well in the role: To demonstrate both to themselves and the organization that they are right for the role, CSOs should ensure that security strategy, processes, and protective measures are being met, while showing very tight integrations with program leaders in legal, privacy, compliance, and integration and vendor relationships, Wald says.

In the era of the SEC’s new disclosure rules, title inflation is no longer cosmetic, Breckenridge says. It’s a material risk. Holding a CSO title without real authority, budget, or program ownership exposes individuals to accountability for failures they don’t control.

“The strongest security leaders I see are wary of titles without mandate. They care about scope, outcomes, and access, not optics,” Breckenridge says.

To prove their worth, CSOs should move the needle from “incident-free days” to “resiliency metrics,” Breckenridge explains.

“Prove that when things break, which inevitably they will, the recovery time is decreasing and the blast radius is shrinking,” Breckenridge says. “When you can show that security is a frictionless part of the CI/CD pipeline rather than a gate at the end, the organization will trust that the function is healthy. And, peers will seek their input early rather than late, which is often the strongest signal of credibility.”

From a recruiting and career path standpoint, Breckenridge says inflated titles also distort long-term career trajectory. When abilities don’t match the title, it shows up quickly in future interviews, especially at the executive level where outcomes, governance, and credibility matter more than labels.

“The key point being that the market is an objective judge,” Breckenridge says. “When leaders interview for their next role, they’re assessed on what they’ve actually owned, influenced, and delivered. Inflated titles tend to deflate fast when examined against real outcomes and operating experience.”

First seen on csoonline.com

Jump to article: www.csoonline.com/article/4137589/how-to-know-youre-a-real-deal-cso-and-whether-that-job-opening-truly-seeks-one.html
