CISO / Cybersecurity Leader Job Description

  • Phil Venables
  • May 31
  • 3 min read

There is a plethora of sample job descriptions for security leaders that are often strictly correct but can also be uninspiring or too detailed to capture the actual essence of the role. I developed this role description a while ago to try and address that. It's mainly designed for growing companies rather than more established organizations but the more I look at it the more I think it's applicable to all. It's not meant to be a long list of attributes or specific tasks but, rather, something that makes the security leadership role seem more of what it is - a transformational business executive position intended to not just protect an organization and its customers but to also drive an ongoing digital transformation. It’s based on a framework of Mission, Objectives and Competencies that Andreessen Horowitz uses.


MISSION 

  • Maximize the safe use of our digital assets and maintain our freedom to operate. 

  • Protect our customers while maintaining a great customer experience.   

  • Protect our business and speed of execution while sustaining employee engagement and morale. 

  • Ensure security objectives are sufficient to mitigate evolving risks - achieve those objectives by embedding security into the business and engineering lifecycle of the company.  

  • Ensure we have ways of safely tapping into new technologies and business capabilities to deliver competitive advantage. 

  • Engage with customers, regulators and other stakeholders to promote security benefits. 


OUTCOMES 

  • Build a great security team ensuring that every role/hire reflects the mission.

  • Establish a customer outreach and advocacy program for security.  

  • Define a set of Key Risk and Performance Indicators (KRIs and KPIs) that encode the mission and security goals – and constantly adjust those goals in light of new business structure, threats, risks and opportunities. 

  • Implement projects and processes that sustain conformance to KRIs and KPIs. 

  • Define and implement a security engineering tooling and automation strategy that continuously increases efficiency (time, people, and budget). 

  • Make the secure path the easiest path.  

  • Enterprise Integration: systematically integrate security objectives into all the company's business processes and products – tracked by agreed OKRs (Objectives and Key Results).

  • Engineering Integration: systematically integrate security objectives into all the engineering processes and product lifecycle – tracked by agreed OKRs. 

  • Resilience and Recovery: establish resiliency practices to ensure failures of any sort are managed well, including a rigorous process for incident and close-call analysis to apply lessons learnt.  

  • Establish a rigorous process of continuous control monitoring to assure ongoing implementation of controls to meet security objectives and, additionally, to ensure adherence to chosen audit frameworks (for example, SOC2).

  • Increase the capability of the whole company and surrounding customer eco-system to achieve collective security objectives – through training, education and process integration.  


COMPETENCIES

  • We want experience measured in success and professional development not necessarily measured in years of “time served”. 

  • We expect strong problem solving and analytical skills – but above all the ability to apply systems-thinking as to how problems and their solutions fit with the wider organization and ecosystem dynamics.  

  • We expect strong customer engagement and communication skills and evidence of your having partnered with peer executives to achieve commercial (or mission) goals. 

  • We expect strong intellectual curiosity evidenced by past results, for example: where you have gone beyond the call of duty to innovate in the context of your past jobs or in support of open-source or other community projects.

  • We expect you to evidence a relentless desire for automation, process improvement and solving security problems through highly leveraged tools as well as people and process.  

  • You should be a humble (support your team) yet inspirational (mission centric) leader who can evidence an ability to attract talent from multiple disciplines and develop those people to higher levels.

  • You should be able to work across other control teams (like Legal and Compliance) with a shared sense of purpose to achieve desired risk outcomes.

  • There is no room for ego here. People should want to work with you.  

  • While you should have a zeal to protect the company, our customers and people, you should be very comfortable in dealing with degrees of risk, not absolutes, to deliver the right commercial outcomes.

  • You should be a great communicator (written, verbal and influential) and remain calm under pressure during events or when juggling multiple priorities.

  • You should run toward problems and reach for accountability.

© 2020 Philip Venables. 