Govern the explosion of shadow AI and establish guardrails for generative AI before it creates material data leakage.

Move beyond prevention and operate as a business enabler, proving the organization can maintain a minimum viable business during a sustained outage.

Address compliance burdens, such as SEC disclosure rules or the EU AI Act, not as a checklist, but as a strategic shield that protects enterprise value.

“Resilience, transparency, and measurable assurance are now baseline expectations,” Breckenridge explains.
Living the evolution of cybersecurity leadership: One cybersecurity professional who has lived that transformation is Dale Hoak, who in July 2025 was promoted to the role of CISO at RegScale, a leading provider of continuous controls monitoring (CCM). Hoak originally joined RegScale as its first security hire and one of its first employees. Since then, he has helped the company build its security foundation.

In announcing Hoak’s promotion at the time, RegScale CEO Travis Howerton noted, “The CISO role is often seen as a lifetime achievement award in this field, and Dale has earned it. With decades of experience in the Department of Defense and private sector, he has brought deep expertise, a relentless drive, and a clear vision to our security program.”

In his years leading up to RegScale, Hoak “built security programs from scratch, fixed ones that were broken, operated in environments where downtime and data loss or failure had real consequences,” he says. “That experience gave me what I believe to be a strong operational background and mindset and healthy respect for practicality over theory. It’s how you do it, not how you think about it.”

RegScale agreed when it offered Hoak its first cybersecurity role. For Hoak, the mission was clear: “Build trust and scale without slowing the business down,” he says. “RegScale lives in some of the most highly regulated environments out there. Security has to be an enabler; it can’t be a blocker. The CISO’s role in every company is to help the organizations get to ‘yes,’ because organizations often can’t get out of their own way.”

As a CISO, you must understand how to make a positive impact on the business, he adds. You’re not just security. Part of your job in the C-suite is to help the organization make money, Hoak advises.
The journey through the ranks to CSO: Another cybersecurity professional who worked his way up the ranks, though through a multi-employer path, is Russ Kirby, now CISO at Ping Identity.

“I’ve previously worked across technical, compliance, and business-facing roles, so I bring variety and breadth of experience,” Kirby explains. “The size and scale of those roles and companies has also been dramatically different, from startups to Fortune 50s. I can talk in context of the ‘now,’ but also look to the future and see where the company wants to go.”

That experience led Kirby to the role of CISO at ForgeRock in 2019. When ForgeRock was acquired by Ping Identity and the companies officially merged in August 2023, he took over the role of global CISO at Ping Identity.

“I view the CISO position as a business leadership role rather than just a technical one, focusing on people and strategy,” Kirby explains. “The ability to communicate and translate for a broad spectrum of audiences, technical, non-technical, business, non-business, is critical. As a CISO, you need to be able to help people understand the ‘why’ of what we do.”

Once viewed primarily as a senior technologist focused on systems and controls, today’s CISO now sits at the heart of business strategy, Kirby says. The modern CISO is also, by necessity, a futurist: forecasting not just threats, but how digital trust, identity, and security will determine which businesses succeed and which fail.
Minimal business and technology skills for CSO candidates: The gold standard CSO candidate today has a T-shaped background: deep expertise in one or two domains with broad fluency across the rest of the security ecosystem, Breckenridge explains. Here, three areas stand out:
Deep experience in identity and access management is often more valuable today than traditional network security.

Leaders who have lived through large-scale hybrid or multicloud migrations across AWS, Azure, or Google Cloud Platform understand the modern attack surface in a way legacy operators often do not.

You do not need to be a data scientist, but you must understand model risk, data poisoning, automated agents, and how AI reshapes both offensive and defensive security dynamics within your environment.

“On the technology side, proficiency in security automation and continuous control monitoring is increasingly critical,” Breckenridge explains. “In 2026, if you cannot automate compliance and evidence collection, you cannot scale. Manual security programs do not survive growth.”

On the business side, financial acumen is non-negotiable, Breckenridge says. You must be able to explain a $5 million security investment in terms of revenue protection, contractual leverage, or reduced insurance premiums.

“Boards think in terms of exposure, enterprise value, and downside risk. If you cannot translate your strategy into that framework, you will struggle to gain sustained support,” Breckenridge says.
Challenges and surprises that often await a new CSO: Once appointed or promoted to a CSO role, certain challenges and surprises may come up that new appointees will have to navigate.

“One I learned early on, and I wasn’t ready for this, is that everything is a negotiation,” RegScale’s Hoak explains. “Whether you’re dealing with vendors or your own teams, you have to identify problems, and then negotiate with other folks to get them to understand it or to do what they need to do.”

“I’m used to the old days, where you tell somebody to do it, and they do it,” Hoak says. “Now, most everything is a negotiation, regardless of whether you’re going up or down, whether you’re talking to a superior or subordinate. The other thing is that rarely are the hardest problems technical in nature. Most of the time you’re dealing with either poor planning or poor communication. I find that I spend far more time doing research and root cause analysis now than actually fixing issues.”

Ping Identity’s Kirby agrees, noting that most CSO burnout is caused by issues related to hero culture, micromanagement, and failure to delegate.

“This is not a mental health crisis caused by hackers; it is a leadership design flaw,” Kirby explains. “The most important point is that it’s entirely fixable through modern delegation models, autonomous team structures, and trust-based leadership.”
Steps to take toward landing a CSO role: What are the best steps a CSO candidate or aspirant can take to land a coveted role?

It starts with transitioning your mindset from being the “No” person to being the “How” person, Breckenridge explains. The modern CSO must evolve from cost center to trust center as the role has shifted to being a more integrated part of the overall business and associated with revenue. Security should be a reason a customer feels confident signing a contract, not the reason a product launch is delayed.

“Focus on continuous assurance,” Breckenridge says. “At any given moment, you should be able to demonstrate that your controls are functioning as intended. That level of transparency transforms board conversations from reactive to strategic.”

From a recruiting perspective, Breckenridge advises candidates not to pursue the title without the competence and real operating depth to back it up. Technology is evolving quickly, the regulatory environment is tightening, and this role carries genuine personal exposure.

When candidates move between companies, they are evaluated on measurable scope, authority, and outcomes, Breckenridge adds. Boards and hiring committees look closely at what happened under your watch. If there were material incidents, weak controls, or inflated scope relative to your actual mandate, that becomes visible very quickly. Title inflation does not hold up under due diligence.

“The successful leaders who build durable careers in this role align accountability with authority, speak fluently in both risk and revenue, and position security as an embedded strategic function of the business,” Breckenridge says. “When you do that well, you are not simply protecting the company. You are strengthening its resilience and long-term enterprise value.”
First seen on csoonline.com
Jump to article: www.csoonline.com/article/4143208/what-it-takes-to-win-that-cso-role.html