Whatever the role, good communication regarding the duties and expectations of a security professional is key to that person’s success. That communication starts with a solid, thorough job description. It will be an important benchmark when hiring for the role, and a touch point for performance once the candidate is on board. The job description is also a baseline that helps security team managers keep pace as many roles evolve.
A good job description will spell out the role’s duties and priorities. It also outlines where the role falls in the reporting structure. It should also provide the role’s requirements, which could include certifications, skills, experience, and education.
As companies face mounting cyber threats, the status of the chief information security officer (CISO) role is rising. Today’s CISO needs to stay current with the threat landscape and the technologies used to defend corporate assets. The CISO must also communicate with stakeholders and corporate boards, putting those threats into a business context. Organizations want their CISOs to sell security to the organization, raising security awareness among employees and getting them to carry out best practices.
Ask any recruiter or corporate executive and they will tell you it’s hard to find an effective CISO who is a good match for the organization. Having a strong, clearly written CISO job description is the essential first step to landing the best person for the role.
“[The CISO] is such critical role for companies today,” says Kelly Doyle, managing director at Heller Search Associates, a firm that specializes in recruiting CISOs, CIOs, and other IT leaders. “Being prepared with the right position description that targets all the key attributes is really important. It ensures that the company is thinking about the right things to protect the company.”
It pays to maintain a good CISO job description even if you have someone in the job. “If you unexpectedly need to hire a new information security leader—someone leaves or you decide to upgrade—then you have a strong up-to-date job description ready. You don’t want to delay your ability to start recruiting quickly,” says Doyle.
The CISO job description as a recruiting tool
Prospects will use the job description to determine whether your need matches their own. It’s an important first impression of the role, your expectations, and the organization. A poorly written job description will limit your candidate pool.
“If you don’t have a strong job description, you may miss out on hiring the right CISO or leader for your organization,” says Doyle. “A big consequence would be missing out on attracting a passive seeker.” The goal is to get the candidate excited about the role and the company’s commitment to security. A well-written job description shows potential candidates that you’ve put a lot of thought around the importance of this role to the organization, says Doyle.
Candidates will want to see clearly defined responsibilities for the role and indicators that the organization will support the CISO in carrying out those responsibilities. Board-level interaction is one such indicator, as is a description of how the CISO works with other key stakeholders. Focus and clarity are important, too, as is background on the organization.
“If a job description is poorly written, candidates will sometimes self-select out,” says Doyle. If the role doesn’t clearly articulate the duties or the strategic nature of the role and doesn’t really focus on what makes for a good CISO, you could miss out on candidates.”
Constructing a CISO job description
The structure of a good CISO job description is simple. The following is summarized from Heller Search’s Ultimate CISO Job Description, a complimentary template you can download at the end of this article. These are the basic elements:
Position title and summary
State the full, exact title. Although referred to as a CISO in this article, this template applies to any top-level security role in your organization, including chief security officer (CSO), and either vice president, director or head of information security.
The section briefly explains the type of security leader you want in the role. It might refer to experience level, particular areas of expertise, or broad expectations. Don’t bog down in details here; they will be described in other sections.
About the company and hiring manager
Include a brief overview of your company with a link to your website. Your marketing communications group likely has boilerplate copy you can use here.
Similarly, provide background on the hiring manager—the person to whom the CISO will report. Include job title and a brief bio.
Register now to read more about key responsibilities, qualifications and other requirements and to download The Ultimate CISO Job Description eBook from Heller Search Associates.
To continue reading this article register now