How to write a CISO job description

The chief information security officer has a big, mission-critical job. Make sure you spell out the CISO's duties and expectations for the role.


Whatever the role, good communication regarding the duties and expectations of a security professional is key to that person’s success. That communication starts with a solid, thorough job description. It will be an important benchmark when hiring for the role, and a touch point for performance once the candidate is on board. The job description is also a baseline that helps security team managers keep pace as many roles evolve.

A good job description spells out the role's duties and priorities. It also outlines where the role falls in the reporting structure and states the role's requirements, which could include certifications, skills, experience, and education.


As companies face mounting cyber threats, the status of the chief information security officer (CISO) role is rising. Today’s CISO needs to stay current with the threat landscape and the technologies used to defend corporate assets. The CISO must also communicate with stakeholders and corporate boards, putting those threats into a business context. Organizations want their CISOs to sell security to the organization, raising security awareness among employees and getting them to carry out best practices.

Ask any recruiter or corporate executive and they will tell you it’s hard to find an effective CISO who is a good match for the organization. Having a strong, clearly written CISO job description is the essential first step to landing the best person for the role.

“[The CISO] is such a critical role for companies today,” says Kelly Doyle, managing director at Heller Search Associates, a firm that specializes in recruiting CISOs, CIOs, and other IT leaders. “Being prepared with the right position description that targets all the key attributes is really important. It ensures that the company is thinking about the right things to protect the company.”

It pays to maintain a good CISO job description even if you have someone in the job. “If you unexpectedly need to hire a new information security leader—someone leaves or you decide to upgrade—then you have a strong up-to-date job description ready. You don’t want to delay your ability to start recruiting quickly,” says Doyle.

The CISO job description as a recruiting tool

Prospects will use the job description to determine whether your need matches their own. It’s an important first impression of the role, your expectations, and the organization. A poorly written job description will limit your candidate pool.

“If you don’t have a strong job description, you may miss out on hiring the right CISO or leader for your organization,” says Doyle. “A big consequence would be missing out on attracting a passive seeker.” The goal is to get the candidate excited about the role and the company’s commitment to security. A well-written job description shows potential candidates that you’ve put a lot of thought around the importance of this role to the organization, says Doyle.

Candidates will want to see clearly defined responsibilities for the role and indicators that the organization will support the CISO in carrying out those responsibilities. Board-level interaction is one such indicator, as is a description of how the CISO works with other key stakeholders. Focus and clarity are important, too, as is background on the organization.

“If a job description is poorly written, candidates will sometimes self-select out,” says Doyle. “If the role doesn’t clearly articulate the duties or the strategic nature of the role and doesn’t really focus on what makes for a good CISO, you could miss out on candidates.”

Constructing a CISO job description

The structure of a good CISO job description is simple. The following is summarized from Heller Search’s Ultimate CISO Job Description, a complimentary template you can download at the end of this article. These are the basic elements:

Position title and summary

State the full, exact title. Although this article refers to the role as CISO, the template applies to any top-level security role in your organization, including chief security officer (CSO) or vice president, director, or head of information security.

The summary briefly explains the type of security leader you want in the role. It might refer to experience level, particular areas of expertise, or broad expectations. Don’t bog down in details here; they will be described in other sections.

About the company and hiring manager

Include a brief overview of your company with a link to your website. Your marketing communications group likely has boilerplate copy you can use here.

Similarly, provide background on the hiring manager—the person to whom the CISO will report. Include job title and a brief bio.

Key responsibilities

List the areas for which you will hold the CISO accountable here. The list will vary widely from company to company, but typical areas include developing a security strategy, risk assessment, staff development, regulatory compliance, security technology assessment and deployment, and establishing metrics for security effectiveness.

CISOs working in industries such as health care, manufacturing, or financial services will have responsibilities specific to those verticals. “Every description will be slightly different. If you’re hiring for a health care company, there’s HIPAA compliance. There’s PCI compliance in retail,” says Doyle.

Manufacturing, in particular, will place unique responsibilities on CISOs as they shift to digital. “Some companies are, for example, collecting sensitive information with sensors,” says Doyle. “To make sure those products are secure, [the CISO] needs to be involved at the inception. You don’t want to create or modify a product without taking the right precautions to secure critical data.”

CISO qualifications

Here, your organization will spell out what it expects a CISO to possess in terms of experience, technical and management skills, education, and certifications. “Designations such as CISSP show that a candidate is committed to and invested in security, and to being an expert in the domain,” says Doyle. “Some companies may pass on candidates who don’t have the certifications to show that they are keeping up with changes in security and technology.”

You should also outline leadership and influence abilities here. “A key goal on the searches we have recently completed was finding candidates with the ability to articulate security in business terms for stakeholders,” says Doyle. “It’s the ability to take technical security terms and turn them into business and board level communications. That’s a key success factor—communication at all levels.”

Another key qualification is the proven ability to implement security strategy and best practices across a company. “[You want] someone who is able to evangelize your cybersecurity policies across the business and drive adoption,” says Doyle. “You can implement changes to security, but if there is no adoption, the risk remains.”

Location and travel requirements

This might seem simple, but for a large organization with many divisions and locations, it’s not. Define how much time you expect the CISO to spend in each location each year. In some industries, such as those that provide technical services with a security expectation, the CISO might interface with customers as well. Include travel time to customer sites here, too.

Keep the job description fresh

Again, change is a constant for the CISO, with new types of threats emerging constantly, along with new technology and methods for addressing them. Turnover in the role is high, too, as organizations compete heavily for the best talent. This makes it imperative to keep your CISO job description current so that everyone understands the expectations and purpose of the role, and the organization is prepared if it unexpectedly has to launch a new CISO search.

Certain events can trigger a review of the CISO job description, too. “If there is a breach that is widely publicized in the news, other organizations tend to become more focused and serious about their own security posture,” says Doyle.

If an incumbent security leader leaves, a company might consider upgrading the position or looking for a different type of security leader. That might trigger a revision of the job description as well. “The last two CISO roles that Heller Search filled were upgrades to the position. These clients seized on the opportunity to bring in a security leader with board-level focus and increase security awareness within the company,” says Doyle.

Who writes the CISO job description?

The hiring manager, typically the CIO, is usually the person responsible for writing the CISO job description, according to Doyle. “It’s important [for the hiring manager] to get input from other key stakeholders who work closely with the individual in this role. It’s good to have a few sets of eyes on this: HR, legal, audit.” She adds that executive search teams can be a big help if you partner with one.

Heller Search Associates’ Ultimate CISO Job Description ebook provides a template for writing an effective job description for top security executives.

Copyright © 2018 IDG Communications, Inc.
