JOB ARCHITECTURE AND GRADE FRAMEWORK

Grade Definitions · Progression Ladders · Leveling Guide · Career Pathing


Document ID CERG-GOV-JA-001
Version 1.0
Status Approved
Classification Public
Owner Governance Pillar Leader (Policy & Standards)
Parent Policy CERG-POL-001 - Cybersecurity Policy
Supporting Documents CERG-GOV-OM-001 · CERG-GOV-RAC-001 · CERG-GOV-FRM-001 · CERG-GOV-JD-001
Review Cycle Annual / On any change to the canonical role roster or organizational design
Frameworks NIST CSF 2.0 (GOVERN) · NIST NICE Workforce Framework (SP 800-181r1) · ISO/IEC 27001 A.7.2
Regulations Cross-cutting
Environments Program-wide

Table of Contents

  1. Purpose and Scope
  2. Design Principles
  3. The Two-Track Model
  4. SME Progression: Grade Definitions
  5. Management Progression: Grade Definitions
  6. Leveling Guide: Dimensions of Growth
  7. Role-to-Grade Mapping
  8. Career Pathing: Moving Between Tracks and Pillars
  9. Span of Control and Team Design
  10. Compensation Philosophy
  11. Adapting Grade Titles to Your Organization
  12. Document Control

1. Purpose and Scope

The CERG Framework, the Operating Model, and the RACI Instrument define what work gets done, who is accountable, and how the pillars hand off to one another. What those documents do not answer is how the people doing the work grow, how a hiring manager knows which grade to open a requisition at, or how a team member understands what the next level looks like.

This document answers those questions. It establishes the two-track grade structure (SME and Management), defines the expectations at each grade, maps every canonical CERG role to its grade range, and provides the leveling guide a manager uses to calibrate performance and promotion decisions.

It applies to every canonical CERG role defined in CERG-GOV-OM-001 §6.1, excluding the two Adjacent Incident Response roles (Incident Commander, Lead Investigator), which belong to the standing IR team. It does not create new roles. It layers progression structure onto the canonical roster established in the Operating Model.

Architecture Before Requisitions

A CISO who opens a requisition for a “senior security person” without a grade framework will calibrate every offer against the last person hired, not against a defined standard. The result is compression, inequity, and a team where nobody can explain what it takes to reach the next level. This document is the antidote. Read it before you write your first job description. Use it to calibrate every offer, every promotion, and every development conversation.


2. Design Principles

  1. Two tracks, equal ceiling. The SME track and the Management track carry equivalent organizational weight. A Sr. Advisor and a Senior Manager sit at comparable levels of influence, compensation, and expectations. No one is forced into management to advance.

  2. Role titles and grade titles are separate. A “Cloud Security Engineer” is a role. “Specialist” is a grade. The same role may be filled at Specialist, Sr. Specialist, Advisor, or Sr. Advisor, depending on the person’s experience and capability. The role title answers “what domain do you work in?” The grade title answers “at what level do you operate?”

  3. Progression is earned, not tenured. Years of experience is an input to grade placement, not a guarantee of it. Progression requires demonstrated growth across defined dimensions: scope, autonomy, influence, and craft mastery.

  4. Span of control is explicit. Management grades define the scope a manager is expected to lead. A Manager running a 15-person team without the title or compensation to match is a retention risk. This framework makes that mismatch visible.

  5. Scales down without breaking. A 5-person CERG team has no Principal Managers and probably no Managers at all. The grade definitions still hold: the CISO knows that the person running all of Risk is performing at a Director-level scope and should be treated accordingly, even if the organization uses a flat title.


3. The Two-Track Model

CERG recognizes two parallel progression tracks. Every role in the Operating Model falls onto one of them, and the majority of roles can be filled on either track depending on the person and the team’s needs.

| Track | Grades (ascending) | Typical Roles | Core Question |
|---|---|---|---|
| SME (Individual Contributor) | Specialist, Sr. Specialist, Advisor, Sr. Advisor | Engineers, Analysts, the Evidence Librarian | How deep and how broad is your influence without direct authority? |
| Management | Manager, Senior Manager, Principal Manager, Director | Pillar Leaders, functional leads, team supervisors | How many people and how much scope do you lead, and at what level of abstraction? |

The two tracks intersect at the Director level. A Director may rise through either track. A Sr. Advisor who has led major cross-pillar initiatives, shaped reference architecture, and influenced executive decisions is operating at the same altitude as a Director who rose through management. The expectations converge.

Not Up-or-Out

The SME track is a career, not a waiting room for management. An Advisor who stays at Advisor for a decade, deepening their craft and mentoring every new engineer who comes through the pillar, is a success story, not a stagnation case. The grade framework defines what each level looks like so that staying at a level is a deliberate choice, not an unexplained ceiling.


4. SME Progression: Grade Definitions

The SME track is for individual contributors who deliver through expertise, not through managing people. An SME may lead projects, mentor, set technical direction, and represent CERG in senior forums, but they do not carry formal people-management accountability.

4.1 Specialist (Grade S1)

The entry and early-career grade. A Specialist delivers defined work with guidance.

| Dimension | Expectation |
|---|---|
| Scope | A single domain within one pillar. Executes assigned tasks. Works from established procedures. |
| Autonomy | Requires regular direction from a senior team member or manager. Task-level decisions are made independently; approach-level decisions are reviewed. |
| Influence | Influences their immediate team through the quality of their work. Not expected to represent the pillar externally. |
| Craft Mastery | Developing competence in one security domain. Knows the relevant CERG standards and procedures. Can execute the procedures with minimal error. |
| Typical Experience | 0-3 years in cybersecurity or a related technical field. |

What growth to Sr. Specialist looks like: The Specialist begins to own outcomes, not just tasks. They complete a procedure and recognize when the procedure’s output needs interpretation. They start to see patterns across their work and raise them. They need less direction on approach.

4.2 Sr. Specialist (Grade S2)

The competent, independent practitioner. A Sr. Specialist owns defined work streams end to end.

| Dimension | Expectation |
|---|---|
| Scope | A primary domain plus familiarity with adjacent domains in the same pillar. Owns a work stream (e.g., cloud posture management, vendor assessments for a business unit, a set of detection rules). |
| Autonomy | Works independently day to day. Escalates appropriately. Chooses their own approach within established boundaries. |
| Influence | A recognized expert within their pillar on their domain. Other team members seek their input. May represent the pillar in cross-functional working groups. |
| Craft Mastery | Deep competence in their primary domain. Can author new procedures and improve existing ones. Can onboard a new Specialist without assistance. |
| Typical Experience | 3-7 years in cybersecurity or a related technical field. |

What growth to Advisor looks like: The Sr. Specialist expands beyond their home pillar. A Risk Sr. Specialist begins to understand how Engineering consumes their output. A Governance Sr. Specialist begins to anticipate what Engineering and Risk will need from a standard before they ask. They start to lead initiatives, not just execute them.

4.3 Advisor (Grade S3)

The cross-pillar expert and organizational resource. An Advisor shapes how work is done, not just how well it is executed.

| Dimension | Expectation |
|---|---|
| Scope | Deep expertise in their primary domain with working knowledge across all three pillars. Shapes the approach for major initiatives. Anticipates cross-pillar impacts of decisions in their domain. |
| Autonomy | Operates with minimal direction. Defines their own work priorities in alignment with pillar objectives. Their manager sets outcomes; the Advisor determines the path. |
| Influence | A trusted advisor to pillar leaders and to adjacent functions. Represents CERG in senior technical forums. Mentors Specialists and Sr. Specialists across pillars. Their technical recommendations are rarely overruled. |
| Craft Mastery | Authority in their domain. Contributes to the CERG standards and procedures as an author, not just a user. Can design new procedures and lead their adoption. Recognized outside the immediate team for their expertise. |
| Typical Experience | 7-12 years in cybersecurity, with meaningful cross-pillar exposure. |

What growth to Sr. Advisor looks like: The Advisor begins to operate at the organizational level. They do not just anticipate cross-pillar impacts; they shape the organization’s response to them. They are the person a pillar leader calls when a novel problem does not fit any existing procedure. Their written analysis is treated as authoritative. They influence budget, strategy, and organizational design.

4.4 Sr. Advisor (Grade S4)

The organizational authority. A Sr. Advisor operates at the level of a pillar leader without carrying management accountability. They are the person the CISO calls for an independent technical assessment.

| Dimension | Expectation |
|---|---|
| Scope | Organization-wide. Shapes strategy across all three pillars. Called upon for the hardest problems that span domains, pillars, and organizational boundaries. May lead major cross-functional initiatives. |
| Autonomy | Self-directed against organizational objectives. Defines what problems are worth solving, not just how to solve them. Their manager reviews outcomes; the Sr. Advisor sets the agenda. |
| Influence | Influences CISO-level decisions. Represents the organization externally (industry working groups, regulatory forums, conference presentations). Shapes the development of the entire CERG team through mentoring, standards authorship, and by setting the technical bar. |
| Craft Mastery | Broad and deep. Can step into any pillar’s domain and contribute meaningfully within days. Writes the standards and procedures others follow. Their judgment on technical risk is treated as equivalent to a pillar leader’s. |
| Typical Experience | 12+ years in cybersecurity, with demonstrated cross-pillar and organizational impact. |

The Sr. Advisor Is Not a Manager-in-Waiting

A Sr. Advisor who transitions to management starts at a management grade commensurate with their demonstrated leadership scope, not at the bottom. The skills are different, but the altitude is not. A Sr. Advisor moving into a Director role is a lateral move in organizational weight, not a promotion. The compensation and title should reflect that.


5. Management Progression: Grade Definitions

The Management track is for leaders who deliver through other people. A CERG manager is accountable for their team’s output, their team’s development, and the health of their pillar’s operations. CERG managers are expected to retain technical fluency: a manager who cannot read a vulnerability report or evaluate an architecture decision cannot effectively lead a CERG team.

5.1 Manager (Grade M1)

The first-line people leader. A Manager leads a small team of individual contributors within a single domain.

| Dimension | Expectation |
|---|---|
| Span of Control | 3-8 direct reports. All reports operate within the same functional domain (e.g., an Exposure Management team, a Cloud Security Engineering team). |
| Scope | Accountable for the team’s delivery against defined objectives. Translates pillar goals into team tasks. Runs team rituals (standups, retrospectives, 1:1s). |
| People Leadership | Hires, onboards, develops, and performance-manages their team. Conducts regular 1:1s with meaningful development conversations. Manages performance issues promptly. |
| Technical Fluency | Retains working knowledge of their team’s domain. Can review and approve the team’s technical output. Does not need to be the deepest expert on the team, but must be capable of evaluating expert work. |
| Operational Accountability | Escalates risks and blockers to their Senior Manager or Director. Ensures their team’s procedures are followed and their evidence is collected. Represents the team in cross-functional forums. |
| Typical Experience | 5-10 years in cybersecurity, including 1-3 years of demonstrated people leadership or equivalent team-lead experience. |

What growth to Senior Manager looks like: The Manager develops their team to the point where daily operations run without the manager’s direct intervention. They begin to influence how other teams in the pillar operate. They take on cross-team initiatives. Their team’s output is consistently strong and their retention is healthy.

5.2 Senior Manager (Grade M2)

The multi-team leader. A Senior Manager leads a function that may span multiple related domains, with other managers or team leads reporting to them.

| Dimension | Expectation |
|---|---|
| Span of Control | 8-20 people, typically through 1-3 Managers or team leads. |
| Scope | Accountable for a function within a pillar (e.g., all of Exposure Management and Adversarial Testing within Risk, all Cloud and Identity Engineering within Engineering). Defines the function’s strategy and roadmap. |
| People Leadership | Develops the Managers reporting to them. Ensures consistent people-management practices across the function. Owns workforce planning: headcount requests, role design, succession planning. |
| Technical Fluency | Broad understanding across the function’s domains. Can evaluate technical trade-offs between teams. Represents the function’s technical position to pillar leadership and to other pillars. |
| Operational Accountability | Accountable for the function’s KPIs. Owns the function’s budget input. Represents the function in pillar-leadership forums. Manages cross-functional dependencies. |
| Typical Experience | 10-15 years in cybersecurity, including 3-5 years of people management. |

What growth to Principal Manager looks like: The Senior Manager runs a function that operates with minimal escalation. Their Managers are themselves developing into Senior Managers. The function’s strategy is aligned with organizational strategy without constant translation. They begin to contribute to pillar-wide decisions that go beyond their function.

5.3 Principal Manager (Grade M3)

The pillar-wide leader or multi-function executive. A Principal Manager leads a substantial portion of a pillar or a cross-pillar program with organizational-level impact.

| Dimension | Expectation |
|---|---|
| Span of Control | 15-40 people, typically through 2-4 Senior Managers or Managers. May also directly lead senior individual contributors. |
| Scope | Accountable for a major segment of a pillar or a cross-pillar program (e.g., all of Engineering Operations, all of Risk Assessment and Testing, all of Governance Compliance). Contributes to pillar strategy and organizational design. |
| People Leadership | Shapes the people strategy for their scope: hiring profile, retention approach, development pathways. Builds a leadership bench. Ensures the management culture under them reflects CERG values. |
| Technical Fluency | Broad understanding across the pillar. Can represent the pillar’s technical position to the CISO, to other pillars, and to external stakeholders. Does not need depth in every domain but must know enough to evaluate the people who do. |
| Operational Accountability | Accountable for pillar-level outcomes within their scope. Owns significant budget lines. Represents CERG to executive stakeholders for their domain. Contributes to organizational risk decisions. |
| Typical Experience | 12-18 years in cybersecurity, including 5-10 years of people management at increasing scope. |

What growth to Director looks like: The Principal Manager operates at a scope where the CISO delegates significant authority. They run their portion of the pillar with minimal oversight. They are a peer to pillar leaders in other functions. Their judgment on major decisions is trusted without review. They are ready for Director when their scope expands to include the full pillar or a cross-pillar mandate.

5.4 Director (Grade M4)

The pillar leader or cross-functional executive. A Director is accountable for an entire pillar or a cross-cutting organizational function. In the CERG model, each pillar leader is a Director reporting to the CISO.

| Dimension | Expectation |
|---|---|
| Span of Control | 10-60+ people, depending on organizational scale. The full Engineering, Risk, or Governance pillar. |
| Scope | Full accountability for a pillar: strategy, delivery, budget, talent, and stakeholder relationships. Sets the pillar’s multi-year direction. Represents the pillar to the CISO, the board (as requested), regulators, and industry peers. |
| People Leadership | Accountable for the entire pillar’s talent health. Owns the pillar’s organizational design. Develops the next generation of CERG leaders. Builds a culture of cross-pillar collaboration and continuous improvement. |
| Technical Fluency | Authoritative understanding of the pillar’s domains. Can engage credibly with senior individual contributors on technical matters. Represents the organization’s security posture to non-technical executives and to technically sophisticated regulators. |
| Operational Accountability | Accountable for all pillar outcomes. Owns the pillar’s budget. Makes or concurs on risk acceptance decisions per the authority table in CERG-GOV-RMF-001 §9.7. Accountable for the pillar’s contribution to CISO and board reporting. |
| Typical Experience | 15+ years in cybersecurity, including 8+ years of progressive management experience. |

Director Is Not a Reward for Tenure

The Director grade is the narrowest gate in the framework. It requires demonstrated ability to lead at organizational scale, to manage budgets, to represent the organization externally, and to develop other leaders. A Principal Manager who has never managed a budget, never hired and developed another manager, or never represented the organization to a regulator or auditor is not ready for Director regardless of years of service.


6. Leveling Guide: Dimensions of Growth

Progression across grades is evaluated along five dimensions. A person does not need to demonstrate every dimension at the target grade to be promoted, but a promotion case should address each dimension honestly. The dimensions are cumulative: what distinguished a Sr. Specialist from a Specialist remains true at Advisor, but new capabilities are added.

6.1 The Five Dimensions

| Dimension | What It Measures |
|---|---|
| Scope | The breadth and complexity of the work you own. From a single task to an organizational function. |
| Autonomy | How much direction you need and how much you provide to others. From “tell me what to do” to “I set the agenda.” |
| Influence | Who listens to you and on what topics. From your immediate team to the CISO and the industry. |
| Craft Mastery | The depth and breadth of your technical or domain expertise. From learning the procedures to writing them. |
| Organizational Impact | The material consequence of your work. From task completion to organizational strategy. |

6.2 The Dimension Matrix

SME track:

| Grade | Scope | Autonomy | Influence | Craft Mastery | Organizational Impact |
|---|---|---|---|---|---|
| Specialist | Single domain, assigned tasks | Needs direction on approach | Immediate team | Learning the craft | Task completion |
| Sr. Specialist | Primary domain plus awareness of adjacencies | Independent day to day; escalates appropriately | Recognized within pillar | Deep in one domain | Work stream ownership |
| Advisor | Cross-pillar awareness; shapes approach | Self-directed against objectives | Trusted by pillar leaders | Authority in domain; authors standards | Initiative leadership |
| Sr. Advisor | Organization-wide; sets agenda | Defines what problems matter | Influences CISO decisions | Broad and deep; sets the bar | Organizational strategy |

Management track:

| Grade (Mgmt) | Scope | Autonomy | Influence | Craft Mastery | Organizational Impact |
|---|---|---|---|---|---|
| Manager | Single team, single domain | Translates goals into team tasks | Team and peer managers | Working knowledge of team’s domain | Team delivery |
| Senior Manager | Multi-team function | Defines function strategy | Function and pillar leadership | Broad across function’s domains | Function outcomes and KPIs |
| Principal Manager | Major pillar segment or cross-pillar program | Contributes to pillar strategy | Executive stakeholders | Broad across pillar | Pillar-level outcomes |
| Director | Full pillar or cross-cutting function | Sets multi-year direction | CISO, board, regulators, industry | Authoritative in pillar domains | Organizational strategy and risk |

7. Role-to-Grade Mapping

Every canonical CERG role maps to a grade range. The range defines the grades at which that role can be filled, from entry to terminal. The terminal grade is the highest level at which a person can remain in that role without transitioning to a different role or to management.

Roles are not locked into a single grade. A “Threat Intelligence Analyst” can be a Specialist learning the craft or a Sr. Advisor whose assessments shape organizational strategy. The role title stays the same; the grade changes.

7.1 Executive

| Canonical Role | Job Family | Track | Grade Range | Terminal Grade | NICE Work Role | Notes |
|---|---|---|---|---|---|---|
| Chief Information Security Officer (CISO) | JF-EXEC | Executive | Above grade structure | N/A | Executive Cyber Leader (OG-WRL-001) | Reports to CEO/board. Not mapped to the CERG grade framework. |
| Executive Sponsor | JF-EXEC | Business | N/A | N/A | Business-side role outside CERG grade model | Business-side role. Not a CERG employee. |

7.2 Engineering Pillar

| Canonical Role | Job Family | Track | Grade Range | Terminal Grade | NICE Work Role | Notes |
|---|---|---|---|---|---|---|
| Engineering Pillar Leader | JF-SECENG | Management | M4 (Director) | M4 | Exec Cyber Leader / Security Architect (OG-WRL-001 / SP-ARC-001) | Full pillar accountability. Reports to CISO. |
| Cloud Security Engineer | JF-SECENG | SME | S1-S4 | S4 | Security Architect (SP-ARC-001) | May specialize further (AWS, Azure, SaaS). |
| Identity Engineer | JF-SECENG | SME | S1-S4 | S4 | Systems Security Analyst (OM-ANA-001) | May specialize in IGA, PAM, or federation. |
| OT Security Engineer | JF-SECENG | SME | S2-S4 | S4 | Security Architect (SP-ARC-001) | Requires OT/ICS experience. Rarely filled below S2. |
| Application Security Engineer | JF-SECENG | SME | S1-S4 | S4 | Secure Software Assessor (SP-DEV-001) | May specialize in SAST/DAST tooling or secure code review. |
| Endpoint Engineer | JF-SECENG | SME | S1-S3 | S3 | Systems Security Analyst (OM-ANA-001) | Broader scope at S4 would typically transition to Cloud Security Engineer or a cross-domain Advisor role. |
| Cryptography Engineer | JF-SECENG | SME | S2-S4 | S4 | Security Architect (SP-ARC-001) | Requires cryptography expertise. Rarely filled below S2. |
| Pre-production Reviewer | JF-SECENG | SME (rotated) | S2-S4 | N/A | Security Control Assessor (OV-SCA-001) | A function, not a permanent role. Rotated among qualified Engineers. |

7.3 Risk Pillar

| Canonical Role | Job Family | Track | Grade Range | Terminal Grade | NICE Work Role | Notes |
|---|---|---|---|---|---|---|
| Risk Pillar Leader | JF-RISKOPS | Management | M4 (Director) | M4 | Exec Cyber Leader / Vuln Assessment Analyst (OG-WRL-001 / PR-VAM-001) | Full pillar accountability. Reports to CISO. |
| Exposure Management Lead | JF-RISKOPS | Management | M1-M3 | M3 | Vulnerability Assessment Analyst (PR-VAM-001) | Leads VM operations. In a small team, may be an SME at S3-S4. |
| Adversarial Testing Lead | JF-RISKOPS | Management | M1-M3 | M3 | Vulnerability Assessment Analyst (PR-VAM-001) | Leads pen test, red team, purple team. In a small team, may be an SME at S3-S4. |
| Threat Intelligence Analyst | JF-RISKOPS | SME | S1-S4 | S4 | Threat/Warning Analyst (AN-TWA-001) | May specialize in geopolitical, criminal, or ICS threat actors. |
| Vendor Risk Analyst | JF-RISKOPS | SME | S1-S4 | S4 | Security Control Assessor (OV-SCA-001) | May specialize in SaaS, critical suppliers, or supply chain. |
| OT Risk Analyst | JF-RISKOPS | SME | S2-S4 | S4 | Threat/Warning Analyst (AN-TWA-001) | Requires OT/ICS risk assessment experience. |
| Identity Risk Analyst | JF-RISKOPS | SME | S1-S4 | S4 | Cyber Defense Analyst (PR-CDA-001) | Requires UEBA, identity threat detection expertise. |
| Detection Engineer | JF-RISKOPS | SME | S1-S4 | S4 | Cyber Defense Analyst (PR-CDA-001) | Detection content authoring and tuning. |

7.4 Governance Pillar

| Canonical Role | Job Family | Track | Grade Range | Terminal Grade | NICE Work Role | Notes |
|---|---|---|---|---|---|---|
| Governance Pillar Leader | JF-GOVCOMP | Management | M4 (Director) | M4 | Exec Cyber Leader / Security Control Assessor (OG-WRL-001 / OV-SCA-001) | Full pillar accountability. Reports to CISO. |
| NERC-CIP Compliance Manager | JF-GOVCOMP | Management or SME | M1-M3 or S3-S4 | M3 / S4 | Security Control Assessor (OV-SCA-001) | In a large org, leads a compliance team (M track). In a small org, an expert IC (SME track). |
| CMMC / Federal Compliance Manager | JF-GOVCOMP | Management or SME | M1-M3 or S3-S4 | M3 / S4 | Security Control Assessor (OV-SCA-001) | Same dual-track pattern as NERC-CIP. |
| SOX ITGC Lead | JF-GOVCOMP | Management or SME | M1-M2 or S3-S4 | M2 / S4 | Security Control Assessor (OV-SCA-001) | Typically an IC role except in heavily regulated orgs. |
| Policy & Standards Manager | JF-GOVCOMP | Management or SME | M1-M2 or S3-S4 | M2 / S4 | Cyber Policy and Strategy Planner (OV-PSP-001) | Owns the document library. May lead a small team in large orgs. |
| Risk Register Owner | JF-GOVCOMP | SME or Management | S2-S4 or M1 | S4 / M1 | Information Systems Security Manager (OV-ISSN-001) | Curates the risk register. Management track only if leading a team of risk analysts. |
| Evidence Librarian | JF-GOVCOMP | SME | S1-S3 | S3 | Security Control Assessor (OV-SCA-001) | A specialized IC role. At S4, transitions to a broader Governance Advisor role. |

7.5 Reading the Mapping

Range means flexibility. A role showing S1-S4 can be filled at any grade. A CISO hiring for a Cloud Security Engineer may open the requisition at S2 and consider candidates from S1 to S3 depending on the team’s composition and budget.

Terminal grade means ceiling. A Detection Engineer at S4 who wants to grow further has two paths: transition to a broader Advisor role that spans multiple Risk domains, or move to the Management track by leading a detection engineering team.

Dual-track roles flex with the organization. Several Governance roles show both SME and Management tracks. In a 5-person CERG, the NERC-CIP Compliance Manager is an individual contributor. In a 60-person CERG, that same role may lead a team of three compliance analysts. The role title is the same; the grade and track reflect the scope.


8. Career Pathing: Moving Between Tracks and Pillars

8.1 SME to Management Transition

The most common career move in a growing CERG organization. A Sr. Specialist or Advisor who demonstrates aptitude for people leadership may transition to Manager.

Readiness indicators:

  - Consistently sought out by junior team members for guidance (informal mentoring before formal management)
  - Has led cross-functional initiatives without formal authority
  - Communicates clearly with non-technical stakeholders
  - Shows interest in organizational design, process improvement, and team health, not just technical problems
  - Their manager and a peer manager agree they are ready

The transition is not a promotion in grade altitude. An S3 Advisor moving to M1 Manager is a track change. Their compensation may increase to reflect new accountability, but their organizational influence does not reset. They carry their technical credibility into the management role.

The first management role should be small. A new Manager should start with 3-5 direct reports in a domain they know well. A new Manager assigned 10 reports across three unfamiliar domains is being set up to fail.

8.2 Management to SME Transition

Less common but equally legitimate. A Manager who discovers they prefer deep technical work to people management may return to the SME track.

The return is grade-preserving. An M2 Senior Manager returning to the SME track should slot at S3 Advisor or S4 Sr. Advisor, depending on their technical currency. The management experience is not wasted: it produces an IC who understands budgeting, stakeholder management, and organizational dynamics.

8.3 Cross-Pillar Movement

Movement between Engineering, Risk, and Governance is encouraged within limits. It builds the cross-pillar fluency that the Framework’s left-right knowledge model depends on.

Guidelines:

  - A Specialist moving pillars typically remains at S1 or S2 while they build domain expertise in the new pillar.
  - A Sr. Specialist or above moving pillars may retain their grade if their craft mastery transfers. A Sr. Specialist Cloud Security Engineer moving to Vendor Risk Analyst is learning a new domain and should expect a temporary grade adjustment or a timeline to demonstrate competence at their current grade.
  - Cross-pillar movement at Advisor and above is valuable and should be supported. An Advisor who has worked in two pillars is more valuable than one who has worked in one.
  - Pillar leaders should actively identify candidates for cross-pillar exposure and rotational assignments.

8.4 The Adjacent-Team Boundary

Movement between CERG and the adjacent teams (Security Awareness, Incident Response) is a career option, not a CERG framework concern. The CISO owns the full cybersecurity organization. CERG managers should support team members who want to explore the adjacent functions and should not block internal transfers that benefit the broader security organization.


9. Span of Control and Team Design

9.1 Span-of-Control Guidelines

| Manager Grade | Minimum Span | Optimal Span | Maximum Span | Notes |
|---|---|---|---|---|
| Manager (M1) | 3 | 5-7 | 8 | Below 3, the role may not justify full-time management. Above 8, 1:1 frequency and quality degrade. |
| Senior Manager (M2) | 8 (total) | 12-16 (total) | 20 | Counts all reports, direct and indirect. A Senior Manager with 3 Managers each carrying 5 ICs is at 18 and well within range. |
| Principal Manager (M3) | 15 (total) | 25-35 (total) | 40 | At this scale, the Principal Manager’s direct reports should be primarily M2s and senior ICs. |
| Director (M4) | Pillar-dependent | Pillar-dependent | Pillar-dependent | Director span is measured in organizational scope, not headcount. A 60-person Engineering pillar and a 13-person Governance pillar both require a Director. |

9.2 When to Create a Management Role

A management role should be created when one of the following is true, not before:

  1. Span-of-control pressure. An existing manager carries more than 8 direct reports and adding more would degrade their effectiveness.
  2. Domain divergence. A team has grown to cover two distinct domains that no single manager can credibly lead (e.g., Cloud Engineering and OT Engineering under one Manager).
  3. Succession need. The organization needs to develop a successor for a critical management role and the candidate needs management experience.
  4. Geographic or temporal distribution. A team is split across time zones or sites in a way that makes a single manager impractical.

Anti-patterns to avoid:

  - Creating a “Manager of Cloud Security” title for a single Cloud Security Engineer to improve retention. Use the SME track instead: promote them to Advisor or Sr. Advisor with appropriate compensation.
  - Creating management roles for every domain in a small team. A 6-person CERG may have zero Managers. The CISO manages everyone directly with pillar leads operating as player-coaches at S3-S4.


10. Compensation Philosophy

CERG does not prescribe salary bands: those are market-dependent, geography-dependent, and organization-dependent. It does prescribe the principles that should govern compensation decisions.

10.1 Principles

  1. Grade drives band. Compensation bands are defined by grade, not by role title. A Sr. Specialist Cloud Security Engineer and a Sr. Specialist Threat Intelligence Analyst share a band. Role-specific market premiums are applied within the band.

  2. Tracks are equivalent at each level. An S3 Advisor and an M1 Manager occupy the same compensation band, as do an S4 Sr. Advisor and an M2 Senior Manager (see §10.2). The organization does not pay a premium for management simply because it is management.

  3. Market informs the band, not the individual offer. CERG organizations should benchmark their bands against relevant cybersecurity compensation surveys annually. An individual candidate’s market value does not reset the band; it determines where in the band the offer lands.

  4. Internal equity is maintained over time. Two people at the same grade, in the same role family, with comparable performance and tenure should not have materially different compensation without a documented reason (e.g., a critical retention situation, a geography differential, a unique specialization).

  5. Progression within a grade is recognized. Not every year of good performance results in a promotion. Within-grade progression should be recognized through within-band increases. A Specialist who has been at S1 for three years and is performing well but not yet ready for S2 should not be earning the same as a newly hired S1.

10.2 Grade-to-Band Guidance

| Grade | Market Positioning | Benchmark Target |
|---|---|---|
| S1 / Specialist | Developing | 25th-40th percentile of relevant market |
| S2 / Sr. Specialist | Competitive | 40th-60th percentile |
| S3 / Advisor / M1 Manager | Strong | 60th-75th percentile |
| S4 / Sr. Advisor / M2 Sr. Manager | Premium | 75th-85th percentile |
| M3 / Principal Manager | Leadership | 85th-90th percentile |
| M4 / Director | Executive Leadership | 90th+ percentile |
| CISO | Executive | Per executive compensation framework |

Percentiles Are a Starting Point, Not a Formula

A CERG organization in a high-cost geography, a competitive talent market, or an industry with acute cybersecurity talent shortages (utilities, healthcare, defense) will need to target higher percentiles to attract and retain. The principle is not “pay at the 50th percentile.” The principle is “define your positioning deliberately and apply it consistently.”


11. Adapting Grade Titles to Your Organization

The CERG grade titles (Specialist, Sr. Specialist, Advisor, Sr. Advisor) are deliberately chosen to be clear, descriptive, and free of the inflation that has made “VP” and “Director” nearly meaningless across organizations.

An adopting organization may need to map CERG grades to its existing title framework. The table below provides a translation layer.

11.1 Common Title Translations

| CERG Grade | Common Industry Equivalent | Government / Military Equivalent | Consulting Equivalent |
|---|---|---|---|
| Specialist | Associate, Analyst I, Engineer I | GS-7 to GS-9 | Analyst, Consultant |
| Sr. Specialist | Analyst II, Engineer II, Senior Analyst | GS-9 to GS-11 | Senior Consultant |
| Advisor | Staff Engineer, Principal Analyst, Lead | GS-12 to GS-13 | Manager, Associate Director |
| Sr. Advisor | Senior Staff Engineer, Distinguished Engineer, Fellow | GS-14 to GS-15 | Senior Manager, Director |
| Manager | Manager, Team Lead | GS-13 to GS-14 (supervisory) | Manager |
| Senior Manager | Senior Manager, Associate Director | GS-14 to GS-15 (supervisory) | Senior Manager |
| Principal Manager | Director, Senior Director | SES / SL | Director, Managing Director |
| Director | Senior Director, VP | SES | Partner, Managing Director |

11.2 What Not to Change

The CERG role titles from CERG-GOV-OM-001 §6.1 are canonical and should not be altered. “Cloud Security Engineer” is a Cloud Security Engineer whether the organization’s title framework calls engineers “analysts,” “architects,” or “specialists.”

The grade title is separate. An organization may call an S3 Cloud Security Engineer a “Staff Cloud Security Engineer” internally while the CERG role remains “Cloud Security Engineer” in all framework documents. The adaptation is cosmetic; the grade expectations do not change.


12. Document Control

| Field | Value |
|---|---|
| Document ID | CERG-GOV-JA-001 |
| Version | 1.0 |
| Status | Approved |
| Effective Date | 2026-05-27 |
| Classification | Public |
| Owner | Governance Pillar Leader (Policy & Standards) |
| Approved By | CISO |
| Parent Policy | CERG-POL-001 - Cybersecurity Policy |
| Review Cycle | Annual; and on any change to the canonical role roster, organizational design, or compensation philosophy |
| Next Scheduled Review | 2027-05-27 |
| Frameworks | NIST CSF 2.0 (GOVERN); NIST NICE SP 800-181r1; ISO/IEC 27001 A.7.2 |
| Regulations | Cross-cutting |
| Environments | Program-wide |

Revision History

| Version | Date | Author | Change Summary |
|---|---|---|---|
| 1.0 Draft | 2026-05-27 | Cyber Governance | Initial release. Establishes the two-track grade structure for CERG: SME progression (Specialist, Sr. Specialist, Advisor, Sr. Advisor) and Management progression (Manager, Senior Manager, Principal Manager, Director). Defines expectations at each grade across five dimensions. Maps every canonical CERG role to its grade range and terminal grade. Provides career pathing guidance for cross-track and cross-pillar movement. Establishes span-of-control guidelines, compensation philosophy, and grade-title adaptation guidance. |

Review Triggers

  • Change to the canonical role roster in CERG-GOV-OM-001 §6.1
  • Material change to the organizational design or team structure
  • Change to the compensation philosophy or market conditions warranting band revision
  • Addition or retirement of a grade or track
  • Direction from the CISO

| Document | ID | Relationship |
|---|---|---|
| Cybersecurity Policy | CERG-POL-001 | Parent policy |
| CERG Operating Model | CERG-GOV-OM-001 | Authoritative canonical role roster |
| CERG Framework | CERG-GOV-FRM-001 | Organizational design and talent model |
| Consolidated Roles and RACI Instrument | CERG-GOV-RAC-001 | Role descriptions and scaling map |
| Risk Management Framework | CERG-GOV-RMF-001 | Risk acceptance authority references |
| CERG Job Descriptions | CERG-GOV-JD-001 | Full job descriptions per role |
| Document Catalog and Naming Convention | CERG-GOV-CAT-001 | Registers this artifact and the JA domain |

Governance owns this document. The Governance Pillar Leader (Policy & Standards) is responsible for initiating reviews, managing the revision cycle, and obtaining CISO endorsement for all changes.


Source: governance/CERG-GOV-JA-001_Job_Architecture_and_Grade_Framework.md