| Field | Value |
|---|---|
| Document ID | CERG-GOV-JD-EXEC-001 |
| Version | 1.0 |
| Status | Approved |
| Classification | Public |
| Owner | CISO |
| Parent Policy | CERG-POL-001 - Cybersecurity Policy |
| Review Cycle | Annual |
| Frameworks | NIST SP 800-181r1 (NICE) |
| Regulations | Cross-cutting |
| Environments | All CERG-managed workforce |
Chief Information Security Officer (CISO)
Job Family: JF-EXEC — Executive Leadership
Job Level Range: L1-L4 (CERG Grade Executive)
CERG Canonical Role: Chief Information Security Officer (CISO) (CERG-GOV-OM-001 §6.1)
1. Role Summary
The CISO is the senior-most cybersecurity executive, accountable for the organization’s cybersecurity program as a whole. They set strategy, report posture and material risk to executive leadership and the board, hold final authority on High and Critical risk acceptance, and lead the CERG, Security Awareness, and Incident Response functions. The CISO ensures that cybersecurity enables the business to move with confidence rather than slowing it with reflexive refusal.
2. NICE Workforce Framework Mapping
| Mapping Level | NICE Work Role | NICE Work Role ID | NICE Work Role Category |
|---|---|---|---|
| Primary | Executive Cyber Leader | OG-WRL-007 | OG (Oversight and Governance) |
NICE Work Role Definition: See JF-002 for the official NICE Work Role definition and complete CERG-to-NICE mapping. The NICE TKS database is available at https://www.nist.gov/nice/framework/.
3. Job Family & Level Placement
| Family | JF-EXEC — Executive Leadership |
|---|---|
| Level Range | L1 through L4 |
| CERG Grade Range | Executive |
| Terminal Grade | Executive — see JA-001 §7 for details |
| Track | Executive |
4. Key Responsibilities
4.1 Core Responsibilities (All Grades)
- Set the cybersecurity strategy and multi-year roadmap, aligned to business objectives and the threat landscape
- Report cybersecurity posture, material risks, and program health to executive leadership and the board at least quarterly
- Hold final approval authority on High and Critical risk acceptance decisions per the Risk Management Framework
- Lead the CISO organization: CERG (Engineering, Risk, Governance), Security Awareness, and Incident Response
- Own the Cybersecurity Policy and the CERG Framework, ensuring they remain current and authoritative
- Approve the cybersecurity budget and resource allocation across all functions
- Represent the organization’s cybersecurity posture to regulators, auditors, industry peers, and public stakeholders
- Chair the Cyber Oversight Group and ensure cross-functional risk treatment alignment
- Develop the cybersecurity leadership bench and ensure succession readiness for critical roles
- Serve as the ultimate escalation point for cybersecurity incidents, regulatory findings, and unresolved cross-pillar disputes
4.2 Grade-Level Responsibility Differentiation
Grade-level responsibility differentiation for this role is defined in JA-001 §7 (Role-to-Grade Mapping). The grade definitions (S1-S4 SME Track, M1-M4 Management Track) and leveling dimensions are in CERG-GOV-JA-001 §4-5. Behavioral anchors at each grade are in CMP-001.
5. Required Knowledge, Skills, and Abilities (KSAs)
5.1 Domain Expertise
- Deep understanding of cybersecurity risk management, governance, and operational models
- Executive communication: ability to translate technical risk into business terms for boards, regulators, and non-technical executives
- Strategic leadership: demonstrated ability to build and lead multi-function cybersecurity organizations
- Regulatory fluency across the frameworks in the organization’s scope (e.g., NIST, NERC-CIP, CMMC, SOX, ISO 27001)
- Budget and resource management at organizational scale
- Crisis leadership: ability to guide the organization through significant security incidents
- Industry engagement: active in cybersecurity leadership forums, threat-sharing communities, or regulatory working groups
5.2 Technical Skills
Technical skills for this role are covered under §5.1 (Domain Expertise), which carries the content extracted from the original JD-001 into this file. Additional technical skill definitions aligned to NICE Skill Statements are maintained in JF-002.
5.3 CERG-Specific Knowledge
CERG-specific knowledge requirements for this role are defined in OM-001 §6 (Canonical Role Roster) and RAC-001 §7 (Role Descriptions). See §12 (Related CERG Documents) for the complete list of standards and procedures relevant to this role.
6. NICE TKS Statement References
The following Task, Knowledge, and Skill statements are extracted from the NIST NICE Framework v2.2.0 Work Role OG-WRL-007 (Executive Cyber Leader, this role’s primary mapping) and filtered by relevance to this CERG role. The full TKS database is maintained at https://www.nist.gov/nice/framework/.
| NICE TKS Type | Statement ID | Statement Summary | Relevance to This Role |
|---|---|---|---|
| Task | T1476 | Promote awareness of cybersecurity policy and strategy among management | Core work activity for this NICE Work Role |
| Task | T1056 | Acquire resources to support cybersecurity program goals and objectives | Core work activity for this NICE Work Role |
| Task | T1088 | Communicate the value of cybersecurity to organizational stakeholders | Core work activity for this NICE Work Role |
| Task | T1226 | Align cybersecurity priorities with organizational security strategy | Core work activity for this NICE Work Role |
| Task | T1227 | Manage cybersecurity budget, staffing, and contracting | Core work activity for this NICE Work Role |
| Knowledge | K0644 | Knowledge of cybersecurity operation policies and procedures | Foundational knowledge for this role |
| Knowledge | K0675 | Knowledge of risk management processes | Foundational knowledge for this role |
| Knowledge | K0676 | Knowledge of cybersecurity laws and regulations | Foundational knowledge for this role |
| Knowledge | K0677 | Knowledge of cybersecurity policies and procedures | Foundational knowledge for this role |
| Knowledge | K0680 | Knowledge of cybersecurity principles and practices | Foundational knowledge for this role |
| Skill | S0406 | Skill in developing policy plans | Core capability for this role |
| Skill | S0821 | Skill in collaborating with internal and external stakeholders | Core capability for this role |
| Skill | S0111 | Skill in interfacing with customers | Core capability for this role |
| Skill | S0414 | Skill in evaluating laws | Core capability for this role |
| Skill | S0415 | Skill in evaluating regulations | Core capability for this role |
Full TKS Reference: The complete TKS statement set for the primary NICE Work Role (OG-WRL-007) is in the NICE Framework Components v2.2.0 dataset. JF-002 contains the complete CERG-to-NICE crosswalk with secondary role mappings.
7. Typical Qualifications
7.1 Education
- Bachelor’s degree in a relevant field; advanced degree (MBA, MS) preferred
- 15+ years in cybersecurity or IT risk management, with 8+ years in senior leadership roles
- Relevant certifications: CISSP, CISM, or equivalent
- Experience reporting to a board or board committee
- Experience with at least two of: NERC-CIP regulated environments, defense industrial base / CMMC, public company SOX ITGC, critical infrastructure
7.2 Certifications
Certifications for this role are defined in TRN-001 §3 (Certification Matrix). The matrix specifies Required, Recommended, and Aspirational certifications per role and grade.
7.3 Experience
Typical experience ranges by grade are defined in JA-001 §4-5. See §7.1 above for this role’s baseline education and experience requirements.
8. Key Performance Indicators (KPIs)
KPIs for this role are defined in MTR-001 (Metrics, Dashboard, and CISO/Board Reporting). KPI allocation by job family and grade-level thresholds are documented in PERF-001. Each role’s evaluation criteria are embedded in the per-role JD document structure defined by JF-001.
9. Competency Expectations by Grade
Competency expectations for this role follow the Management Track Competency Addendum (CERG-GOV-CMP-001 §7). The five management-specific domains are: People Leadership, Strategic Thinking, Resource and Budget Management, Stakeholder Management, and Organizational Development. Grade-level expectations (M1-M4) for each domain are in CERG-GOV-CMP-001 §7. This role is also expected to demonstrate SME competencies in the relevant home pillar at or above S2 level, as defined in CERG-GOV-CMP-001 §1.
| CERG-GOV-CMP-001 §7 Domain | M1 Expectation | M2 Expectation | M3 Expectation | M4 Expectation |
|---|---|---|---|---|
| People Leadership | Conducts regular, meaningful 1:1s. Sets clear expectations. Delivers honest performance feedback promptly. | Develops the Managers reporting to them. Ensures consistent people-management practices. | Builds a leadership bench. Shapes the people strategy. | Accountable for the entire pillar’s talent health. Develops next generation of leaders. |
| Strategic Thinking | Translates pillar goals into actionable team tasks. Prioritizes team work against organizational objectives. | Defines a function strategy and roadmap. Anticipates changes affecting priorities. | Shapes pillar strategy. Identifies emerging organizational needs. | Sets multi-year strategic direction. Aligns pillar with org strategy. |
| Resource and Budget Management | Manages team resources effectively. Identifies resource gaps. | Owns the function’s budget input. Manages vendor relationships. | Owns significant budget lines. Builds multi-year resource plans. | Owns the pillar’s budget. Makes investment cases to leadership. |
| Stakeholder Management | Represents the team effectively. Manages stakeholder expectations honestly. | Manages complex stakeholder relationships across functions. | Manages executive stakeholder relationships. Represents CERG externally. | Manages the organization’s most critical stakeholder relationships. |
| Organizational Development | Contributes to team culture and morale. Recognizes contributions publicly. | Builds a positive, high-performance culture within the function. | Shapes organizational culture across the pillar. Leads change initiatives. | Shapes organizational culture across CERG. Designs org model. |
Full Reference: See CERG-GOV-CMP-001 §7 for the complete Management Track Competency Addendum. Grade definitions (M1-M4) are in CERG-GOV-JA-001 §5. The role-specific SME competency matrix from the home pillar is available in CERG-GOV-CMP-001 §4-6 as applicable.
10. Success Profile
A CISO is successful when the organization’s cybersecurity risk is understood, accepted by leadership, and managed within appetite. Key indicators: the CISO has the confidence of the board and executive leadership; cybersecurity metrics are presented in business terms and drive decisions; the security program has adequate budget and resources; incident response is effective without requiring the CISO’s direct involvement in every call. The CISO builds a program that survives their departure and a culture where security is everyone’s business.
11. Career Path
11.1 Within-Family Progression
The CISO is the terminal executive role in CERG’s cybersecurity career architecture. Within-family progression is succession-based rather than grade-based: typical feeders include M4 pillar leaders, S4 senior advisors with executive readiness, or equivalent external cybersecurity executives. Growth within the role is measured by program maturity, board confidence, risk decision quality, budget and talent stewardship, and enterprise influence. Next-step movement is outside the CERG grade framework, such as enterprise risk executive, CIO/CTO/CRO path, or broader business executive accountability.
11.2 Cross-Family Movement
Cross-family movement options are defined in the Family-to-Family Career Lattice (JF-001 §4). The Left-Right Knowledge Model (FRM-001 §9.2) and cross-training expectations (OM-001 §10.4) operationalize cross-family career movement.
11.3 Management Track Option
The CISO is an organizational leadership role that sits above the standard SME/Management track duality. See CERG-GOV-JA-001 §5.4 (Director Grade M4) for the CISO level definition. Management competencies for leaders are documented in CERG-GOV-CMP-001 §7 (Management Track Competency Addendum), including People Leadership, Strategic Thinking, Resource and Budget Management, Stakeholder Management, and Organizational Development.
12. Related CERG Documents
| Document | ID | Relevance |
|---|---|---|
| Operating Model | CERG-GOV-OM-001 | Canonical role name; pillar structure |
| RACI Instrument | CERG-GOV-RAC-001 | This role’s accountability assignments |
| Job Architecture | CERG-GOV-JA-001 | Grade definitions; progression criteria |
| Competency Model | CERG-GOV-CMP-001 | Full behavioral anchors |
| Performance Framework | CERG-GOV-PERF-001 | Performance review cadence and calibration |
| Training Framework | CERG-GOV-TRN-001 | Certification matrix |
| Job Families Overview | CERG-GOV-JF-001 | Family structure and level definitions |
| NICE Crosswalk | CERG-GOV-JF-002 | NICE Work Role mapping |
13. Document Control
| Field | Value |
|---|---|
| Document ID | CERG-GOV-JD-EXEC-001 |
| Version | 1.0 |
| Status | Approved |
| Effective Date | 2026-06-11 |
| Classification | Public |
| Owner | CISO |
| Approved By | CISO |
| Parent Policy | CERG-POL-001 - Cybersecurity Policy |
| Review Cycle | Annual |
| Next Scheduled Review | 2027-06-11 |
| Frameworks | NIST SP 800-181r1 (NICE) |
| Regulations | Cross-cutting |
| Environments | All CERG-managed workforce |
Revision History
| Version | Date | Author | Change Summary |
|---|---|---|---|
| 1.0 | 2026-06-11 | Governance Pillar Leader | Initial release. Extracted from monolithic JD-001 into enhanced per-role format with NICE mapping, KPI sections, and competency anchor sections. |
Review Triggers
- Change to this role’s definition in CERG-GOV-OM-001 §6.1
- Change to this role’s NICE Work Role mapping in JF-002
- Change to this role’s grade range in CERG-GOV-JA-001 §7
- Direction from the CISO
Governance owns this document. The Governance Pillar Leader (Policy & Standards) is responsible for initiating reviews, managing the revision cycle, and obtaining approval for all changes.
Related Documents
| Document | ID | Relationship |
|---|---|---|
| Cybersecurity Policy | CERG-POL-001 | Parent policy |
| Job Families Overview | CERG-GOV-JF-001 | Family structure and level definitions |
| NICE Crosswalk | CERG-GOV-JF-002 | NICE Work Role mapping |
Source: roles/jf-exec/CERG-GOV-JD-EXEC-001_Chief_Information_Security_Officer.md