There is a plethora of sample job descriptions for security leaders that are often strictly correct but can also be uninspiring or too detailed to capture the actual essence of the role. I developed this role description a while ago to try and address that. It's mainly designed for growing companies rather than more established organizations but the more I look at it the more I think it's applicable to all. It's not meant to be a long list of attributes or specific tasks but, rather, something that makes the security leadership role seem more of what it is - a transformational business executive position intended to not just protect an organization and its customers but to also drive an ongoing digital transformation. It’s based on a framework of Mission, Objectives and Competencies that Andreessen Horowitz uses.

MISSION 

• Maximize the safe use of our digital assets and maintain our freedom to operate. 
  

• Protect our customers while maintaining a great customer experience.   

• Protect our business and speed of execution while sustaining employee engagement and morale. 
  

• Ensure security objectives are sufficient to mitigate evolving risks - achieve those objectives by embedding security into the business and engineering lifecycle of the company.  
  

• Ensure we have ways of safely tapping into new technologies and business capabilities to deliver competitive advantage. 
  

• Engage with customers, regulators and other stakeholders to promote security benefits. 

OUTCOMES 

• Build a great security team ensuring that every role/hire reflects the mission.
  

• Establish a customer outreach and advocacy program for security.  
  

• Define a set of Key Risk and Performance Indicators (KRIs and KPIs) that encode the mission and security goals – and constantly adjust those goals in light of new business structure, threats, risks and opportunities. 
  

• Implement projects and processes that sustain conformance to KRIs and KPIs. 
  

• Define and implement a security engineering tooling and automation strategy that continuously increases efficiency (time, people, and budget). 
  

• Make the secure path the easiest path.  
  

• Enterprise Integration: systematically, integrate security objectives into all the companies’ business processes and products – tracked by agreed OKRs (Objectives and Key Results).  
  

• Engineering Integration: systematically integrate security objectives into all the engineering processes and product lifecycle – tracked by agreed OKRs. 
  

• Resilience and Recovery: establish resiliency practices to ensure failures of any sort are managed well, including a rigorous process for incident and close-call analysis to apply lessons learnt.  
  

• Establish a rigorous process of continuous control monitoring to assure ongoing implementation of controls to meet security objectives and, additionally, to ensure adherence to chosen audit frameworks (for example, SOC2).
  

• Increase the capability of the whole company and surrounding customer eco-system to achieve collective security objectives – through training, education and process integration.  

COMPETENCIES

• We want experience measured in success and professional development not necessarily measured in years of “time served”. 
  

• We expect strong problem solving and analytical skills – but above all the ability to apply systems-thinking as to how problems and their solutions fit with the wider organization and ecosystem dynamics.  
  

• We expect strong customer engagement and communication skills and evidence of your having partnered with peer executives to achieve commercial (or mission) goals. 
  

• We expect strong intellectual curiosity evidenced by past results, for example: where you have gone beyond the call of duty to innovate in the context of your past jobs or in support of open-source or other community projects.
  

• We expect you to evidence a relentless desire for automation, process improvement and solving security problems through highly leveraged tools as well as people and process.  
  

• You should be a humble (support your team) yet inspirational (mission centric) leader that can evidence an ability to attract talent from multiple disciplines and develop those people to higher levels.  
  

• You should be able work across other control teams (like Legal and Compliance) with a shared sense of purpose to achieve desired risk outcomes. 
  

• There is no room for ego here. People should want to work with you.  
  

• While you should have a zeal to protect the company, our customers and people you should be very comfortable in dealing with degrees of risk, not absolutes, to deliver the right commercial outcomes.  
  

• You should be a great communicator (written, verbal and influential) and remain calm under pressure during events or when juggling multiple priorities.
  

• You should run toward problems and reach for accountability.