As I am currently in the market for a new position, I am faced with how bad IT and security job descriptions are. A director-level position that is required to code! That's not right! I am just going to put this out there and see if others support the idea, and if enough people do, maybe ISC2 will consider it.
I would be interested to see ISC2 come out with a list of job descriptions and the tasks that should be expected of those positions. This could also be a tiered list, which would be a good thing: if your company is this size, this applies, but as you get bigger, move to this model. Some level of standardization on titles and duties, I feel, would help greatly with the hiring confusion that exists.
On the very basic structure... wait, what, the CISO reports to the CIO or CFO... and the problems begin!
I think having kind of a basic org chart and task chart that can be referenced would go a long way.
I am surprised no one mentioned NIST's NICE framework (National Initiative for Cybersecurity Education), which combines an integrated ecosystem of cybersecurity education, training, and workforce development.