CISO / Cybersecurity Leader Job Description
- Phil Venables
- May 31
There is a plethora of sample job descriptions for security leaders that are often strictly correct but can also be uninspiring, or too detailed to capture the actual essence of the role. I developed this role description a while ago to try to address that. It's mainly designed for growing companies rather than more established organizations, but the more I look at it the more I think it's applicable to all. It's not meant to be a long list of attributes or specific tasks but, rather, something that makes the security leadership role seem more of what it is: a transformational business executive position intended not just to protect an organization and its customers but also to drive an ongoing digital transformation. It's based on a framework of Mission, Objectives and Competencies that Andreessen Horowitz uses.
MISSION
Maximize the safe use of our digital assets and maintain our freedom to operate.
Protect our customers while maintaining a great customer experience.
Protect our business and speed of execution while sustaining employee engagement and morale.
Ensure security objectives are sufficient to mitigate evolving risks - achieve those objectives by embedding security into the business and engineering lifecycle of the company.
Ensure we have ways of safely tapping into new technologies and business capabilities to deliver competitive advantage.
Engage with customers, regulators and other stakeholders to promote security benefits.
OUTCOMES
Build a great security team ensuring that every role/hire reflects the mission.
Establish a customer outreach and advocacy program for security.
Define a set of Key Risk and Performance Indicators (KRIs and KPIs) that encode the mission and security goals – and constantly adjust those goals in light of new business structure, threats, risks and opportunities.
Implement projects and processes that sustain conformance to KRIs and KPIs.
Define and implement a security engineering tooling and automation strategy that continuously increases efficiency (time, people, and budget).
Make the secure path the easiest path.
Enterprise Integration: systematically integrate security objectives into all of the company's business processes and products – tracked by agreed OKRs (Objectives and Key Results).
Engineering Integration: systematically integrate security objectives into all the engineering processes and product lifecycle – tracked by agreed OKRs.
Resilience and Recovery: establish resiliency practices to ensure failures of any sort are managed well, including a rigorous process for incident and close-call analysis to apply lessons learnt.
Establish a rigorous process of continuous control monitoring to assure ongoing implementation of controls to meet security objectives and, additionally, to ensure adherence to chosen audit frameworks (for example, SOC2).
Increase the capability of the whole company and surrounding customer eco-system to achieve collective security objectives – through training, education and process integration.
COMPETENCIES
We want experience measured in success and professional development, not necessarily in years of "time served".
We expect strong problem solving and analytical skills – but above all the ability to apply systems-thinking as to how problems and their solutions fit with the wider organization and ecosystem dynamics.
We expect strong customer engagement and communication skills and evidence of your having partnered with peer executives to achieve commercial (or mission) goals.
We expect strong intellectual curiosity evidenced by past results, for example: where you have gone beyond the call of duty to innovate in the context of your past jobs or in support of open-source or other community projects.
We expect you to evidence a relentless desire for automation, process improvement and solving security problems through highly leveraged tools as well as people and process.
You should be a humble (support your team) yet inspirational (mission centric) leader who can evidence an ability to attract talent from multiple disciplines and develop those people to higher levels.
You should be able to work across other control teams (like Legal and Compliance) with a shared sense of purpose to achieve desired risk outcomes.
There is no room for ego here. People should want to work with you.
While you should have a zeal to protect the company, our customers and our people, you should be very comfortable dealing with degrees of risk, not absolutes, to deliver the right commercial outcomes.
You should be a great communicator (written, verbal and influential) and remain calm under pressure during events or when juggling multiple priorities.
You should run toward problems and reach for accountability.