Perhaps you are thinking about the next step in your security career or the general trajectory of where you’d like to see yourself in a few years. Or, perhaps you’re curious about how your title compares with your peers in other sectors. Maybe you are overwhelmed by the breadth and variety of security job titles, and you struggle to understand which role is actually the senior-most security role within an organization.
In this industry, the level of variance among job titles for security executives is overwhelming. At a small company or within certain sectors, the top-level security executive may be a senior manager or manager. At some companies, a director may have more seniority than a vice president.
“In general, when you talk security positions, you’ll have your C-level titles such as chief security officer (CSO), followed by vice president (VP) and then director. The CSO is the thought leader and strategist; the VP and directors will be looking at strategy and overall areas of risk. Under that, you’ll typically have senior managers and managers, and these are often the more operational or technical positions,” explains Shunil Joseph, Managing Partner at First Arrow Executive Search.
While such a hierarchy can be thought of as a general guideline for those high-level security job titles, all security experts told Security magazine that the true hierarchy, along with that delineation between strategist and operationalist, can vary greatly from one organization to the next.
“It's very individual to each organization,“ says Co-Founder and Chief Executive of the Security Management Resources Group and Security magazine columnist Jerry Brennan. “There are senior directors and senior managers who report at very high levels and lead the global program. Some organizations avoid using chief security officer due to conflicts with the senior-most IT/cybersecurity head. The only thing that is linear is the individual organization structure, i.e. CEO, President, Exec VP, Senior VP, VP, Asst VP, Senior Director, Director, General Manager, Senior Manager, Manager.”
One of the challenges with titles, Brennan says, is that organizations may have constructed titles and personnel categories tied to compensation without regard to a single function such as security and, therefore, the title and responsibilities may not align in a traditional sense.
“I’ve worked with organizations where the vice president sits below the director or vice versa, but what I do see is that the point of change between technical jobs versus strategic is often seen in those positions managing teams — that’s often a director title or above,” says Owanate Bestman, Executive Recruiter at Bestman Solutions.
Indeed, the majority of organizations give their highest-level security role the title of CSO, Vice President, Director, or a combination — and, in general, even among smaller or start-up organizations, titles tend to be more stable among those senior-most ranks to reflect that accountability.
After all, a job title is most often driven by two important factors: culture and accountability.
“From a corporate standpoint, titles are driven based on corporate culture. That’s the first and foremost,” says Stephen W. Walker, Partner at Foushée Group, Inc. Walker’s company conducts annual research on titles and compensation within security.
Security Management Resources Group collected data from 359 companies on the title of their highest or senior-most security position within the organization. The chart above represents the diverse nature of the security industry and the variety of titles top-level executives in this industry have in their organization. An interesting note, 31% of respondents have “Global” as a part of their title for the highest security position at the organization. Titles that were included but were statistically less than 1% of responses include CEO, Assistant VP, Chief Resilience Officer and Chief Compliance Officer. Some respondents’ titles include more than one representation above (such as Senior Vice President and CSO) and are, therefore, included in multiple responses. Data courtesy of Security Management Resources Group
“The job title reflects how seriously security is taken within an organization,” says Deborah Page, Vice President at The McCormick Group. “Not only can the title reflect how the company feels about security, but it also reflects whether that role is a part of the executive team; it tells others if they have a voice within an organization and a seat at the table. At many companies, if you don’t have the right title, you just don’t have that voice.”
The significance of a security title can come into play when communicating internally within the organization to the C-suite, Board of Directors or other functions, but also externally with customers and vendors.
“It’s important for the security leader to have that influence and support from the Board or other executives, and at some organizations, a manager or a lead or head just doesn’t get that influence,” Bestman says.
Earlier this year, Security magazine polled security professionals on LinkedIn about the importance of job titles to advancing one’s security careers. The poll is based off of 553 votes. Data courtesy of LinkedIn, Security magazine, February 2022
On top of company culture, in broad-based terms, titles are often determined by accountabilities and influence of the position within the organization, Walker says. “That’s the start of saying that those top jobs signify a certain level of knowledge, experience, role complexity, supervision required and education,” he adds.
- The senior security titles within an organization are typically doing the following, according to Bestman:
- Managing teams (depending on the organization’s size);
- Translating the technical aspects of the security programs and risk mitigation to others in the organization;
- Understanding the true risk appetite of the overall organization.
The accountabilities are really what most organizations tie compensation to, not the title. “Titles don’t drive compensation per se, but accountabilities do. And, accountabilities certainly differentiate titles. Many companies use those titles, which are based on accountabilities, to define compensation levels, pay packages and bonus eligible positions,” Walker explains.
In addition, another clue into the level of influence and accountability a security position or job title has is the reporting structure, according to Brennan. At the end of the day, those factors combined are all arguably more important than an executive’s formal job title. “Those are the real questions,” Brennan says. “What they are responsible for and who that security executive ultimately reports to are key marks of their influence within the organization.”