Job Description of the Chief Security Officer
Some clients of mine asked me to help them prepare a formal
job description for a CSO. Here’s what a
colleague of mine and I came up with. It’s more detailed than this one in CSOOnline.com, the e-zine of CSO Magazine, but roughly in the same spirit.
The Chief Security Officer is the leader of the corporate/physical
security function for Nirvana, to include responsibility for overall corporate
security strategy, security architecture development, and global function
oversight. The scope of this role covers all utilized security technologies and
services, including protection services, perimeter defenses, physical and
logical access control, and profile management of all employees, contractors
and visitors. As the company’s senior security officer, this person also has
enterprise-level responsibility for all data/information security policies, standards,
evaluations, roles, and corporate awareness.
This person will work with user and technical groups and
Internal Auditors in the development and implementation of a security strategy
designed to provide a high level of security over physical facilities and data
processing while preserving and enhancing facility and system usability. This
person must be able to develop and implement flexible security solutions, dictated
by the needs of a hybrid and rapidly evolving decentralized business
environment. The individual must be a results-oriented person who can achieve
tangible improvements in the corporate security arena. Excellent technical and
communications skills are a must, as well as proven security leadership
ROLE AND FUNCTION
The Chief Security Officer will be responsible for directing
the activities of the security function. Responsibilities will include:
• Work closely with corporate executives, business managers, audit and legal counsel to understand corporate requirements related to security and regulatory compliance, and to map those requirements to current security projects.
• Develop, implement, and manage the overall enterprise process for security strategy and associated architecture and engineering standards.
• Develop and implement policies, standards and guidelines related to corporate security.
• Oversee the continuous monitoring and protection of facilities, personnel and information systems. Evaluate suspected security breaches and recommend corrective actions (including incidents involving outside vendors).
• Serve as the enterprise focal point for security incident response planning and execution.
• Define and implement an ongoing Nirvana Risk Assessment program, which will define, identify, and classify critical assets, assess threats and vulnerabilities regarding those assets, and implement safeguard recommendations.
• Assist Internal Audit in the development of appropriate criteria needed to assess the level of compliance of new/existing applications and/or technology infrastructure elements with enterprise security standards.
• Establish and monitor formal certification programs regarding enterprise security standards relating to the planned acquisition and/or procurement of new applications or
• Assist in the review of applications and/or technology environments during the development or acquisitions process to (a) assure compliance with corporate security policies and directions and (b) assist in the overall integration process regarding Nirvana’s own technology environment.
• Oversee the development of, and be the enterprise champion of, a corporate security awareness and training program.
• Manage security functions related to corporate information systems or data centers, working closely with the VP of Information Security.
• Evaluate changes to the corporate environment for security impact and present findings to
The Chief Information Security Officer will initially report directly to the Chief Operating Officer, the Chief Financial Officer, or Legal Counsel and will serve on Nirvana’s Executive Planning Council.
The CSO will have direct reports including an administrative assistant, the manager of security architecture and engineering, and various
The CSO will have dotted-line reports including the VP of Information Security, the VP of Internal Audit
The candidate will have:
• A college degree (BA/BS), or equivalent work experience.
• Excellent staff
• Ability to interface with top management
• Eight to ten (8-10) years of management experience, at least five of which were in a security-related area in a leadership capacity.
Other desired qualities include:
while still results-oriented and commitment focused attitude; i.e., the recognition that no policies can be implemented without demonstrable business benefit
• Customer service
• Awareness of and strong experience in:
Vulnerability testing in addition to penetration testing
security practices as a people problem versus a technical problem
architecture with an understanding of how to get there, including compliance monitoring and enforceability
More than I want to pay and less than you want to earn.