Executive Sponsor

Job Family: JF-EXEC — Executive Leadership Job Level Range: L1-L4 (CERG Grade Executive) CERG Canonical Role: Executive Sponsor (CERG-GOV-OM-001 §6.1)

1. Role Summary

The Executive Sponsor is the business voice in the cybersecurity program. They are a senior business or operational leader who provides concurrence for Critical risk acceptance, sits on the Cyber Oversight Group, and endorses the Cybersecurity Policy on behalf of the business. The Executive Sponsor is not a cybersecurity professional; they are the bridge that ensures cybersecurity risk decisions are made with business context.

2. NICE Workforce Framework Mapping

NICE Work Role Definition: See JF-002 for the official NICE Work Role definition and complete CERG-to-NICE mapping. The NICE TKS database is available at https://www.nist.gov/nice/framework/.

3. Job Family & Level Placement

4. Key Responsibilities

4.1 Core Responsibilities (All Grades)

• Concur on Critical risk acceptance decisions, providing the independent business view required by the Risk Management Framework - Serve on the Cyber Oversight Group as the business representative - Endorse the Cybersecurity Policy on behalf of the business - Escalate business concerns about cybersecurity controls, friction, or risk posture to the CISO - Ensure that cybersecurity risk decisions account for operational, financial, and strategic business impact - Advocate for cybersecurity investment with business-unit peers

4.2 Grade-Level Responsibility Differentiation

Grade-level responsibility differentiation for this role is defined in JA-001 §7 (Role-to-Grade Mapping). The grade definitions (S1-S4 SME Track, M1-M4 Management Track) and leveling dimensions are in CERG-GOV-JA-001 §4-5. Behavioral anchors at each grade are in CMP-001.

5. Required Knowledge, Skills, and Abilities (KSAs)

5.1 Domain Expertise

• Deep understanding of the organization’s business model, operations, and risk tolerance - Senior leadership credibility within the organization - Ability to evaluate risk in business terms: revenue impact, operational disruption, regulatory exposure, reputational harm - No cybersecurity expertise required; this is a business role, not a technical one

5.2 Technical Skills

Technical skills for this role are documented in the original JD-001 content extracted into this file (see §5.1 Domain Expertise). Additional technical skill definitions aligned to NICE Skill Statements are maintained in JF-002.

5.3 CERG-Specific Knowledge

CERG-specific knowledge requirements for this role are defined in OM-001 §6 (Canonical Role Roster) and RAC-001 §7 (Role Descriptions). See §12 (Related CERG Documents) for the complete list of standards and procedures relevant to this role.

6. NICE TKS Statement References

The following Task, Knowledge, and Skill statements are extracted from the NIST NICE Framework v2.2.0 Work Role [OG-WRL-007 — Executive Sponsor primary mapping] and filtered by relevance to this CERG role. The full TKS database is maintained at https://www.nist.gov/nice/framework/.

Full TKS Reference: The complete TKS statement set for the primary NICE Work Role (OG-WRL-001 → OG-WRL-007) is in the NICE Framework Components v2.2.0 dataset (download). JF-002 contains the complete CERG-to-NICE crosswalk with secondary role mappings.

7. Typical Qualifications

7.1 Education

• Senior business or operational leader (VP, SVP, or equivalent) - Accountable for business outcomes that depend on the systems and data CERG protects - Appointed by the CEO or COO in consultation with the CISO

7.2 Certifications

Certifications for this role are defined in TRN-001 §3 (Certification Matrix). The matrix specifies Required, Recommended, and Aspirational certifications per role and grade.

7.3 Experience

Typical experience ranges by grade are defined in JA-001 §4-5. See §7.1 (Education) above for education requirements.

8. Key Performance Indicators (KPIs)

KPIs for this role are defined in MTR-001 (Metrics, Dashboard, and CISO/Board Reporting). KPI allocation by job family and grade-level thresholds are documented in PERF-001. Each role’s evaluation criteria are embedded in the per-role JD document structure defined by JF-001.

9. Competency Expectations by Grade

Competency expectations for this role follow the Management Track Competency Addendum (CERG-GOV-CMP-001 §7). The five management-specific domains are: People Leadership, Strategic Thinking, Resource and Budget Management, Stakeholder Management, and Organizational Development. Grade-level expectations (M1-M4) for each domain are in CERG-GOV-CMP-001 §7. This role is also expected to demonstrate SME competencies in the relevant home pillar at or above S2 level, as defined in CERG-GOV-CMP-001 §1.

Full Reference: See CERG-GOV-CMP-001 §7 for the complete Management Track Competency Addendum. Grade definitions (M1-M4) are in CERG-GOV-JA-001 §5. The role-specific SME competency matrix from the home pillar is available in CERG-GOV-CMP-001 §4-6 as applicable.

10. Success Profile

An Executive Sponsor is successful when cybersecurity is resourced and governed as a business priority, not a technical cost center. Key indicators: the sponsor ensures that cybersecurity has a seat at the leadership table; budget requests are evaluated against risk, not against last year’s spend; the sponsor champions security culture from the top; the CISO has direct access to the sponsor without going through intermediaries. The sponsor’s success is measured by whether the organization’s security posture improves during their tenure, not by whether an incident occurred.

11. Career Path

11.1 Within-Family Progression

The Executive Sponsor is a business-side accountability, not a CERG employee progression path. Selection is based on executive authority over the affected business risk, ability to commit resources, and accountability for accepted risk. The role may rotate among senior business leaders as business scope, regulatory exposure, or transformation priorities change. No CERG grade promotion is attached to this role.

11.2 Cross-Family Movement

Cross-family movement options are defined in the Family-to-Family Career Lattice (JF-001 §4). The Left-Right Knowledge Model (FRM-001 §9.2) and cross-training expectations (OM-001 §10.4) operationalize cross-family career movement.

11.3 Management Track Option

The Executive Sponsor is a business leadership role outside the CERG grade structure. See CERG-GOV-OM-001 §5 for the Executive Sponsor’s role definition. CERG’s Management track for internal roles is documented in CERG-GOV-JA-001 §5 and CERG-GOV-CMP-001 §7.

12. Related CERG Documents

13. Document Control

Revision History

Review Triggers

• Change to this role’s definition in CERG-GOV-OM-001 §6.1
• Change to this role’s NICE Work Role mapping in JF-002
• Change to this role’s grade range in CERG-GOV-JA-001 §7
• Direction from the CISO

Governance owns this document. The Governance Pillar Leader (Policy & Standards) is responsible for initiating reviews, managing the revision cycle, and obtaining approval for all changes.

Related Documents

Source: roles/jf-exec/CERG-GOV-JD-EXEC-002_Executive_Sponsor.md · Download .md · View on GitHub