As I am currently in the market for a new position I am faced with how bad IT and security job descriptions are. A director level position that is required to code! That's not right! I am just going to put this out there and see if others support the idea, and if enough people do, maybe ISC2 will consider it.
I would be interested to see ISC2 come out with a list of job descriptions and the tasks that should be expected of those positions. This can also be a tier list, which would be a good thing: if your company is this size this applies, but as you get bigger move to this model. Some level of standardization on titles and duties I feel would help greatly with the hiring confusion that exists.
On the very basic structure.. wait what, the CISO reports to the CIO or CFO... and the problems begin!
I think having kind of a basic org chart and task chart that can be referenced would go a long way.
Is it just me or do others feel my pain?
John-
We had this conversation on David Spark's and Hadas Cassorla's LinkedIn post and David turned it into a Defense in Depth podcast episode.
How Can We Make Sense of Cybersecurity Titles? | LinkedIn
I suggested starting with the NICE Cybersecurity Workforce Framework, but others thought it was using language that wasn't used in the private sector very often and wouldn't translate well. I honestly think it's a good place to start though and for an org like (ISC)2 to pick up and create a standard for the private sector.
@JKWiniger wrote:As I am currently in the market for a new position I am faced with how bad IT and security job descriptions are.
This has been a problem for a long time, and it is only getting worse. Foremost, on this issue of CISOs and to which other CxO they report, these titles are often considered a matter of vanity or corporate cutesy (naming someone the "chief vision officer," etc.). The corporate officer title alters both the liability and indemnification of the individual. Board and senior management might not realize that since most of them are happily naked standing in front of the governance mirror, admiring their well-tailored arrogance, but likely under state law, their bylaws, and their directors and officers insurance, there is a huge factor in whether someone is designated an "officer" in their job title.
I would strongly encourage organizations to use the "officer" title sparingly. In a similar vein, don't call managers "directors" unless they are truly a director (i.e. have some strategic responsibility in addition to an executive one).
The problem is the title "manager" got too pedestrian for the workplace so we had to start creating these elaborate and amorphous titles, and then so as to not make decisions or hurt people's feelings, we started making dotted reporting lines, and you end up in the Office Space scenario where one person has five bosses.
When that one person leaves (due largely to burnout), HR asks for a job description, and it ends up reflecting the five departments to which the person "reported." These are not trivial issues. In addition to encouraging managerial bloat, if you don't define your roles, it's like drafting a football team of all quarterbacks. You need a structure, roles, and titles that reflect both so you end up with a team that works well.
Ultimately, it all gets back to governance, which is to say it gets back to the board.
CIISec has a roles framework. See https://www.ciisec.org/Roles_Framework
Also take a look at https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/8647...
Although generally how roles are defined is problematic, often with incompatible duties included in the same job description.
Agree with @Steve-Wilme, a one-fits-all job description is difficult to come by.
Most organisations typically write the 80% job description and then add a clause something like "other duties as required", and most want to "customize" to their organisation. I have seen many job descriptions (even in the same organisation) that differ so dramatically that one wonders.
It would be great if someone ((ISC)2) could write very high level job descriptions (say at the 40 - 50 % level).
I also found these:
Analysts
https://hiring.monster.com/resources/job-descriptions/computer/information-security-specialist/
https://www.betterteam.com/information-security-analyst-job-description
CISO
https://www.betterteam.com/chief-information-security-officer-job-description
https://www.cybersecurityjobs.com/chief-information-security-officer-jobs/
Hope these help a little.
d
JKWinger;
IT in general has relied less and less on hierarchical management such as Directors and Managers in favor of titles reflecting pay grade and overall skill level. For example, my title as the Senior Solutions Director for Engineering, Research and Development may sound cool, but in reality I am but an architect; even with 1400 reports in my group I still do design and projects, from simple analysis to designing billion dollar systems that you use today. Well, that is if you've been to any national pharmacy in the US.
Globally, business is catching on to the fact that we no longer need hierarchical management. Sorry if this fact isn't to your liking but this is the way of the future.
- B/Eads
@Beads Was there a Junior Solutions Director for Engineering, Research, and Development? Or even just a regular Director of Engineering, Research, and Development? Did you have 1400 people reporting directly to you or were there middle managers between them and you? I'm asking out of curiosity.
@Beads wrote:
Globally, business is catching on to the fact that we no longer need hierarchical management. Sorry if this fact isn't to your liking but this is the way of the future.
I suspect we may see an ebb and flow to this (for better or worse). A big factor may have been shifts in development/project management models. In the context of things like Agile and DevOps, there aren't defined boundaries between roles. Given how Agile and its variants have spread to management in general, very much the trend is toward looser, cross-functional roles and teams. However, internal governance and external regulation also tend to push toward more accountability. That's the one thing hierarchy delivers well. In blunt terms, organizational structure often is caught between two opposing philosophies - getting the job done or having someone to blame.
Sorry if this is confusing for you, as not everyone still works under the American business model. I prefer to grab all my designers (aka "architects") into a meeting, present options, pros and cons, come to a decision and move forward. Done right, it brings an agile organization far better productivity and better design than presenting to an out of touch boss where everyone leaves feeling unheard. No need for Junior Directors, managers or other layers of management to slow things down. It's a waste of time and effort.
I am the only Senior Director with 1400 overall reports coming up through Project and Delivery Management (non technical folks). Technical people focus strictly on technical details, so we have little need to promote into old fashioned supervisory roles as a reward. This is the quintessential, old school American business model. I may run as many as a dozen projects overseeing a variety of solutions, but at the end of the day I am still a designer with some administrative duties. Never would I want to go back to practicing in the American hierarchy system.
Globally, we see fewer hierarchical based organizations as it tends to slow decision making down for all the wrong reasons. If you feel the need to discuss business organization and communication I suggest a different forum.
By the way, in case you missed it, I do find this line of questioning to be more than a bit rude.
- B/Eads
@Beads wrote:By the way, in case you missed it, I do find this line of questioning to be more than a bit rude.
- B/Eads
It was genuine curiosity, sorry if it came off as rude. The original discussion was centered around job titles and responsibilities. When someone includes senior in a job title, I automatically assume there may be a junior role with a similar title for succession purposes. Which plays into our overall confusion with job titles.
Thanks for clarifying the 1400 indirect/direct reports. I was thinking whatever they are paying you, you deserve more!