## JOB ARCHITECTURE AND GRADE FRAMEWORK
### Grade Definitions · Progression Ladders · Leveling Guide · Career Pathing

---

| | |
|---|---|
| **Document ID** | CERG-GOV-JA-001 |
| **Version** | 1.0 |
| **Status** | Approved |
| **Classification** | Public |
| **Owner** | Governance Pillar Leader (Policy & Standards) |
| **Parent Policy** | [`CERG-POL-001`](CERG-POL-001_Cybersecurity_Policy.md) - Cybersecurity Policy |
| **Supporting Documents** | [`CERG-GOV-OM-001`](CERG-GOV-OM-001_CERG_Operating_Model.md) · [`CERG-GOV-RAC-001`](CERG-GOV-RAC-001_Consolidated_Roles_and_RACI_Instrument.md) · [`CERG-GOV-FRM-001`](CERG-GOV-FRM-001_CERG_Framework.md) · [`CERG-GOV-JD-001`](CERG-GOV-JD-001_CERG_Job_Descriptions.md) |
| **Review Cycle** | Annual / On any change to the canonical role roster or organizational design |
| **Frameworks** | [NIST CSF 2.0](https://csrc.nist.gov/pubs/cswp/29/the-nist-cybersecurity-framework-csf-20/final) (GOVERN) · [NIST NICE Workforce Framework](https://www.nist.gov/itl/applied-cybersecurity/nice) (SP 800-181r1) · ISO/IEC 27001 A.7.2 |
| **Regulations** | Cross-cutting |
| **Environments** | Program-wide |

---

## Table of Contents

1. [Purpose and Scope](#1-purpose-and-scope)
2. [Design Principles](#2-design-principles)
3. [The Two-Track Model](#3-the-two-track-model)
4. [SME Progression: Grade Definitions](#4-sme-progression-grade-definitions)
5. [Management Progression: Grade Definitions](#5-management-progression-grade-definitions)
6. [Leveling Guide: Dimensions of Growth](#6-leveling-guide-dimensions-of-growth)
7. [Role-to-Grade Mapping](#7-role-to-grade-mapping)
8. [Career Pathing: Moving Between Tracks and Pillars](#8-career-pathing-moving-between-tracks-and-pillars)
9. [Span of Control and Team Design](#9-span-of-control-and-team-design)
10. [Compensation Philosophy](#10-compensation-philosophy)
11. [Adapting Grade Titles to Your Organization](#11-adapting-grade-titles-to-your-organization)
12. [Document Control](#12-document-control)

---

## 1. Purpose and Scope

The CERG Framework, the Operating Model, and the RACI Instrument define what work gets done, who is accountable, and how the pillars hand off to one another. What those documents do not answer is how the people doing the work grow, how a hiring manager knows which grade to open a requisition at, or how a team member understands what the next level looks like.

This document answers those questions. It establishes the two-track grade structure (SME and Management), defines the expectations at each grade, maps every canonical CERG role to its grade range, and provides the leveling guide a manager uses to calibrate performance and promotion decisions.

It applies to every canonical CERG role defined in [`CERG-GOV-OM-001`](CERG-GOV-OM-001_CERG_Operating_Model.md) §6.1, excluding the two Adjacent Incident Response roles (Incident Commander, Lead Investigator), which belong to the standing IR team. It does not create new roles. It layers progression structure onto the canonical roster established in the Operating Model.

> **Architecture Before Requisitions**
>
> A CISO who opens a requisition for a "senior security person" without a grade framework will calibrate every offer against the last person hired, not against a defined standard. The result is compression, inequity, and a team where nobody can explain what it takes to reach the next level. This document is the antidote. Read it before you write your first job description. Use it to calibrate every offer, every promotion, and every development conversation.

---

## 2. Design Principles

1. **Two tracks, equal ceiling.** The SME track and the Management track carry equivalent organizational weight. A Sr. Advisor and a Senior Manager sit at comparable levels of influence, compensation, and expectations. No one is forced into management to advance.

2. **Role titles and grade titles are separate.** A "Cloud Security Engineer" is a role. "Specialist" is a grade. The same role may be filled at Specialist, Sr. Specialist, Advisor, or Sr. Advisor, depending on the person's experience and capability. The role title answers "what domain do you work in?" The grade title answers "at what level do you operate?"

3. **Progression is earned, not tenured.** Years of experience is an input to grade placement, not a guarantee of it. Progression requires demonstrated growth across defined dimensions: scope, autonomy, influence, and craft mastery.

4. **Span of control is explicit.** Management grades define the scope a manager is expected to lead. A Manager running a 15-person team without the title or compensation to match is a retention risk. This framework makes that mismatch visible.

5. **Scales down without breaking.** A 5-person CERG team has no Principal Managers and probably no Managers at all. The grade definitions still hold: the CISO knows that the person running all of Risk is performing at a Director-level scope and should be treated accordingly, even if the organization uses a flat title.

---

## 3. The Two-Track Model

CERG recognizes two parallel progression tracks. Every role in the Operating Model falls onto one of them, and the majority of roles can be filled on either track depending on the person and the team's needs.

| **Track** | **Grades (ascending)** | **Typical Roles** | **Core Question** |
|---|---|---|---|
| **SME (Individual Contributor)** | Specialist, Sr. Specialist, Advisor, Sr. Advisor | Engineers, Analysts, the Evidence Librarian | How deep and how broad is your influence without direct authority? |
| **Management** | Manager, Senior Manager, Principal Manager, Director | Pillar Leaders, functional leads, team supervisors | How many people and how much scope do you lead, and at what level of abstraction? |

The two tracks intersect at the Director level. A Director may rise through either track. A Sr. Advisor who has led major cross-pillar initiatives, shaped reference architecture, and influenced executive decisions is operating at the same altitude as a Director who rose through management. The expectations converge.

> **Not Up-or-Out**
>
> The SME track is a career, not a waiting room for management. An Advisor who stays at Advisor for a decade, deepening their craft and mentoring every new engineer who comes through the pillar, is a success story, not a stagnation case. The grade framework defines what each level looks like so that staying at a level is a deliberate choice, not an unexplained ceiling.

---

## 4. SME Progression: Grade Definitions

The SME track is for individual contributors who deliver through expertise, not through managing people. An SME may lead projects, mentor, set technical direction, and represent CERG in senior forums, but they do not carry formal people-management accountability.

### 4.1 Specialist (Grade S1)

The entry and early-career grade. A Specialist delivers defined work with guidance.

| Dimension | Expectation |
|---|---|
| **Scope** | A single domain within one pillar. Executes assigned tasks. Works from established procedures. |
| **Autonomy** | Requires regular direction from a senior team member or manager. Task-level decisions are made independently; approach-level decisions are reviewed. |
| **Influence** | Influences their immediate team through the quality of their work. Not expected to represent the pillar externally. |
| **Craft Mastery** | Developing competence in one security domain. Knows the relevant CERG standards and procedures. Can execute the procedures with minimal error. |
| **Typical Experience** | 0-3 years in cybersecurity or a related technical field. |

**What growth to Sr. Specialist looks like:** The Specialist begins to own outcomes, not just tasks. They complete a procedure and recognize when the procedure's output needs interpretation. They start to see patterns across their work and raise them. They need less direction on approach.

### 4.2 Sr. Specialist (Grade S2)

The competent, independent practitioner. A Sr. Specialist owns defined work streams end to end.

| Dimension | Expectation |
|---|---|
| **Scope** | A primary domain plus familiarity with adjacent domains in the same pillar. Owns a work stream (e.g., cloud posture management, vendor assessments for a business unit, a set of detection rules). |
| **Autonomy** | Works independently day to day. Escalates appropriately. Chooses their own approach within established boundaries. |
| **Influence** | A recognized expert within their pillar on their domain. Other team members seek their input. May represent the pillar in cross-functional working groups. |
| **Craft Mastery** | Deep competence in their primary domain. Can author new procedures and improve existing ones. Can onboard a new Specialist without assistance. |
| **Typical Experience** | 3-7 years in cybersecurity or a related technical field. |

**What growth to Advisor looks like:** The Sr. Specialist expands beyond their home pillar. A Risk Sr. Specialist begins to understand how Engineering consumes their output. A Governance Sr. Specialist begins to anticipate what Engineering and Risk will need from a standard before they ask. They start to lead initiatives, not just execute them.

### 4.3 Advisor (Grade S3)

The cross-pillar expert and organizational resource. An Advisor shapes how work is done, not just how well it is executed.

| Dimension | Expectation |
|---|---|
| **Scope** | Deep expertise in their primary domain with working knowledge across all three pillars. Shapes the approach for major initiatives. Anticipates cross-pillar impacts of decisions in their domain. |
| **Autonomy** | Operates with minimal direction. Defines their own work priorities in alignment with pillar objectives. Their manager sets outcomes; the Advisor determines the path. |
| **Influence** | A trusted advisor to pillar leaders and to adjacent functions. Represents CERG in senior technical forums. Mentors Specialists and Sr. Specialists across pillars. Their technical recommendations are rarely overruled. |
| **Craft Mastery** | Authority in their domain. Contributes to the CERG standards and procedures as an author, not just a user. Can design new procedures and lead their adoption. Recognized outside the immediate team for their expertise. |
| **Typical Experience** | 7-12 years in cybersecurity, with meaningful cross-pillar exposure. |

**What growth to Sr. Advisor looks like:** The Advisor begins to operate at the organizational level. They do not just anticipate cross-pillar impacts; they shape the organization's response to them. They are the person a pillar leader calls when a novel problem does not fit any existing procedure. Their written analysis is treated as authoritative. They influence budget, strategy, and organizational design.

### 4.4 Sr. Advisor (Grade S4)

The organizational authority. A Sr. Advisor operates at the level of a pillar leader without carrying management accountability. They are the person the CISO calls for an independent technical assessment.

| Dimension | Expectation |
|---|---|
| **Scope** | Organization-wide. Shapes strategy across all three pillars. Called upon for the hardest problems that span domains, pillars, and organizational boundaries. May lead major cross-functional initiatives. |
| **Autonomy** | Self-directed against organizational objectives. Defines what problems are worth solving, not just how to solve them. Their manager reviews outcomes; the Sr. Advisor sets the agenda. |
| **Influence** | Influences CISO-level decisions. Represents the organization externally (industry working groups, regulatory forums, conference presentations). Shapes the development of the entire CERG team through mentoring, standards authorship, and by setting the technical bar. |
| **Craft Mastery** | Broad and deep. Can step into any pillar's domain and contribute meaningfully within days. Writes the standards and procedures others follow. Their judgment on technical risk is treated as equivalent to a pillar leader's. |
| **Typical Experience** | 12+ years in cybersecurity, with demonstrated cross-pillar and organizational impact. |

> **The Sr. Advisor Is Not a Manager-in-Waiting**
>
> A Sr. Advisor who transitions to management starts at a management grade commensurate with their demonstrated leadership scope, not at the bottom. The skills are different, but the altitude is not. A Sr. Advisor moving into a Director role is a lateral move in organizational weight, not a promotion. The compensation and title should reflect that.

---

## 5. Management Progression: Grade Definitions

The Management track is for leaders who deliver through other people. A CERG manager is accountable for their team's output, their team's development, and the health of their pillar's operations. CERG managers are expected to retain technical fluency: a manager who cannot read a vulnerability report or evaluate an architecture decision cannot effectively lead a CERG team.

### 5.1 Manager (Grade M1)

The first-line people leader. A Manager leads a small team of individual contributors within a single domain.

| Dimension | Expectation |
|---|---|
| **Span of Control** | 3-8 direct reports. All reports operate within the same functional domain (e.g., an Exposure Management team, a Cloud Security Engineering team). |
| **Scope** | Accountable for the team's delivery against defined objectives. Translates pillar goals into team tasks. Runs team rituals (standups, retrospectives, 1:1s). |
| **People Leadership** | Hires, onboards, develops, and performance-manages their team. Conducts regular 1:1s with meaningful development conversations. Manages performance issues promptly. |
| **Technical Fluency** | Retains working knowledge of their team's domain. Can review and approve the team's technical output. Does not need to be the deepest expert on the team, but must be capable of evaluating expert work. |
| **Operational Accountability** | Escalates risks and blockers to their Senior Manager or Director. Ensures their team's procedures are followed and their evidence is collected. Represents the team in cross-functional forums. |
| **Typical Experience** | 5-10 years in cybersecurity, including 1-3 years of demonstrated people leadership or equivalent team-lead experience. |

**What growth to Senior Manager looks like:** The Manager develops their team to the point where daily operations run without the manager's direct intervention. They begin to influence how other teams in the pillar operate. They take on cross-team initiatives. Their team's output is consistently strong and their retention is healthy.

### 5.2 Senior Manager (Grade M2)

The multi-team leader. A Senior Manager leads a function that may span multiple related domains, with other managers or team leads reporting to them.

| Dimension | Expectation |
|---|---|
| **Span of Control** | 8-20 people, typically through 1-3 Managers or team leads. |
| **Scope** | Accountable for a function within a pillar (e.g., all of Exposure Management and Adversarial Testing within Risk, all Cloud and Identity Engineering within Engineering). Defines the function's strategy and roadmap. |
| **People Leadership** | Develops the Managers reporting to them. Ensures consistent people-management practices across the function. Owns workforce planning: headcount requests, role design, succession planning. |
| **Technical Fluency** | Broad understanding across the function's domains. Can evaluate technical trade-offs between teams. Represents the function's technical position to pillar leadership and to other pillars. |
| **Operational Accountability** | Accountable for the function's KPIs. Owns the function's budget input. Represents the function in pillar-leadership forums. Manages cross-functional dependencies. |
| **Typical Experience** | 10-15 years in cybersecurity, including 3-5 years of people management. |

**What growth to Principal Manager looks like:** The Senior Manager runs a function that operates with minimal escalation. Their Managers are themselves developing into Senior Managers. The function's strategy is aligned with organizational strategy without constant translation. They begin to contribute to pillar-wide decisions that go beyond their function.

### 5.3 Principal Manager (Grade M3)

The pillar-wide leader or multi-function executive. A Principal Manager leads a substantial portion of a pillar or a cross-pillar program with organizational-level impact.

| Dimension | Expectation |
|---|---|
| **Span of Control** | 15-40 people, typically through 2-4 Senior Managers or Managers. May also directly lead senior individual contributors. |
| **Scope** | Accountable for a major segment of a pillar or a cross-pillar program (e.g., all of Engineering Operations, all of Risk Assessment and Testing, all of Governance Compliance). Contributes to pillar strategy and organizational design. |
| **People Leadership** | Shapes the people strategy for their scope: hiring profile, retention approach, development pathways. Builds a leadership bench. Ensures the management culture under them reflects CERG values. |
| **Technical Fluency** | Broad understanding across the pillar. Can represent the pillar's technical position to the CISO, to other pillars, and to external stakeholders. Does not need depth in every domain but must know enough to evaluate the people who do. |
| **Operational Accountability** | Accountable for pillar-level outcomes within their scope. Owns significant budget lines. Represents CERG to executive stakeholders for their domain. Contributes to organizational risk decisions. |
| **Typical Experience** | 12-18 years in cybersecurity, including 5-10 years of people management at increasing scope. |

**What growth to Director looks like:** The Principal Manager operates at a scope where the CISO delegates significant authority. They run their portion of the pillar with minimal oversight. They are a peer to pillar leaders in other functions. Their judgment on major decisions is trusted without review. They are ready for Director when their scope expands to include the full pillar or a cross-pillar mandate.

### 5.4 Director (Grade M4)

The pillar leader or cross-functional executive. A Director is accountable for an entire pillar or a cross-cutting organizational function. In the CERG model, each pillar leader is a Director reporting to the CISO.

| Dimension | Expectation |
|---|---|
| **Span of Control** | 10-60+ people, depending on organizational scale. The full Engineering, Risk, or Governance pillar. |
| **Scope** | Full accountability for a pillar: strategy, delivery, budget, talent, and stakeholder relationships. Sets the pillar's multi-year direction. Represents the pillar to the CISO, the board (as requested), regulators, and industry peers. |
| **People Leadership** | Accountable for the entire pillar's talent health. Owns the pillar's organizational design. Develops the next generation of CERG leaders. Builds a culture of cross-pillar collaboration and continuous improvement. |
| **Technical Fluency** | Authoritative understanding of the pillar's domains. Can engage credibly with senior individual contributors on technical matters. Represents the organization's security posture to non-technical executives and to technically sophisticated regulators. |
| **Operational Accountability** | Accountable for all pillar outcomes. Owns the pillar's budget. Makes or concurs on risk acceptance decisions per the authority table in [`CERG-GOV-RMF-001`](CERG-GOV-RMF-001_Risk_Management_Framework.md) §9.7. Accountable for the pillar's contribution to CISO and board reporting. |
| **Typical Experience** | 15+ years in cybersecurity, including 8+ years of progressive management experience. |

> **Director Is Not a Reward for Tenure**
>
> The Director grade is the narrowest gate in the framework. It requires demonstrated ability to lead at organizational scale, to manage budgets, to represent the organization externally, and to develop other leaders. A Principal Manager who has never managed a budget, never hired and developed another manager, or never represented the organization to a regulator or auditor is not ready for Director regardless of years of service.

---

## 6. Leveling Guide: Dimensions of Growth

Progression across grades is evaluated along five dimensions. A person does not need to demonstrate every dimension at the target grade to be promoted, but a promotion case should address each dimension honestly. The dimensions are cumulative: what distinguished a Sr. Specialist from a Specialist remains true at Advisor, but new capabilities are added.

### 6.1 The Five Dimensions

| **Dimension** | **What It Measures** |
|---|---|
| **Scope** | The breadth and complexity of the work you own. From a single task to an organizational function. |
| **Autonomy** | How much direction you need and how much you provide to others. From "tell me what to do" to "I set the agenda." |
| **Influence** | Who listens to you and on what topics. From your immediate team to the CISO and the industry. |
| **Craft Mastery** | The depth and breadth of your technical or domain expertise. From learning the procedures to writing them. |
| **Organizational Impact** | The material consequence of your work. From task completion to organizational strategy. |

### 6.2 The Dimension Matrix

| Grade | Scope | Autonomy | Influence | Craft Mastery | Organizational Impact |
|---|---|---|---|---|---|
| **Specialist** | Single domain, assigned tasks | Needs direction on approach | Immediate team | Learning the craft | Task completion |
| **Sr. Specialist** | Primary domain plus awareness of adjacencies | Independent day to day; escalates appropriately | Recognized within pillar | Deep in one domain | Work stream ownership |
| **Advisor** | Cross-pillar awareness; shapes approach | Self-directed against objectives | Trusted by pillar leaders | Authority in domain; authors standards | Initiative leadership |
| **Sr. Advisor** | Organization-wide; sets agenda | Defines what problems matter | Influences CISO decisions | Broad and deep; sets the bar | Organizational strategy |

| Grade (Mgmt) | Scope | Autonomy | Influence | Craft Mastery | Organizational Impact |
|---|---|---|---|---|---|
| **Manager** | Single team, single domain | Translates goals into team tasks | Team and peer managers | Working knowledge of team's domain | Team delivery |
| **Senior Manager** | Multi-team function | Defines function strategy | Function and pillar leadership | Broad across function's domains | Function outcomes and KPIs |
| **Principal Manager** | Major pillar segment or cross-pillar program | Contributes to pillar strategy | Executive stakeholders | Broad across pillar | Pillar-level outcomes |
| **Director** | Full pillar or cross-cutting function | Sets multi-year direction | CISO, board, regulators, industry | Authoritative in pillar domains | Organizational strategy and risk |

---

## 7. Role-to-Grade Mapping

Every canonical CERG role maps to a grade range. The range defines the grades at which that role can be filled, from entry to terminal. The terminal grade is the highest level at which a person can remain in that role without transitioning to a different role or to management.

Roles are not locked into a single grade. A "Threat Intelligence Analyst" can be a Specialist learning the craft or a Sr. Advisor whose assessments shape organizational strategy. The role title stays the same; the grade changes.

### 7.1 Executive

| Canonical Role | Job Family | Track | Grade Range | Terminal Grade | NICE Work Role | Notes |
|---|---|---|---|---|---|---|
| Chief Information Security Officer (CISO) | JF-EXEC | Executive | Above grade structure | N/A | Executive Cyber Leader (OG-WRL-001) | Reports to CEO/board. Not mapped to the CERG grade framework. |
| Executive Sponsor | JF-EXEC | Business | N/A | N/A | Business-side role outside CERG grade model | Business-side role. Not a CERG employee. |

### 7.2 Engineering Pillar

| Canonical Role | Job Family | Track | Grade Range | Terminal Grade | NICE Work Role | Notes |
|---|---|---|---|---|---|---|
| Engineering Pillar Leader | JF-SECENG | Management | M4 (Director) | M4 | Exec Cyber Leader / Security Architect (OG-WRL-001 / SP-ARC-001) | Full pillar accountability. Reports to CISO. |
| Cloud Security Engineer | JF-SECENG | SME | S1-S4 | S4 | Security Architect (SP-ARC-001) | May specialize further (AWS, Azure, SaaS). |
| Identity Engineer | JF-SECENG | SME | S1-S4 | S4 | Systems Security Analyst (OM-ANA-001) | May specialize in IGA, PAM, or federation. |
| OT Security Engineer | JF-SECENG | SME | S2-S4 | S4 | Security Architect (SP-ARC-001) | Requires OT/ICS experience. Rarely filled below S2. |
| Application Security Engineer | JF-SECENG | SME | S1-S4 | S4 | Secure Software Assessor (SP-DEV-001) | May specialize in SAST/DAST tooling or secure code review. |
| Endpoint Engineer | JF-SECENG | SME | S1-S3 | S3 | Systems Security Analyst (OM-ANA-001) | Broader scope at S4 would typically transition to Cloud Security Engineer or a cross-domain Advisor role. |
| Cryptography Engineer | JF-SECENG | SME | S2-S4 | S4 | Security Architect (SP-ARC-001) | Requires cryptography expertise. Rarely filled below S2. |
| Pre-production Reviewer | JF-SECENG | SME (rotated) | S2-S4 | N/A | Security Control Assessor (OV-SCA-001) | A function, not a permanent role. Rotated among qualified Engineers. |

### 7.3 Risk Pillar

| Canonical Role | Job Family | Track | Grade Range | Terminal Grade | NICE Work Role | Notes |
|---|---|---|---|---|---|---|
| Risk Pillar Leader | JF-RISKOPS | Management | M4 (Director) | M4 | Exec Cyber Leader / Vuln Assessment Analyst (OG-WRL-001 / PR-VAM-001) | Full pillar accountability. Reports to CISO. |
| Exposure Management Lead | JF-RISKOPS | Management | M1-M3 | M3 | Vulnerability Assessment Analyst (PR-VAM-001) | Leads VM operations. In a small team, may be an SME at S3-S4. |
| Adversarial Testing Lead | JF-RISKOPS | Management | M1-M3 | M3 | Vulnerability Assessment Analyst (PR-VAM-001) | Leads pen test, red team, purple team. In a small team, may be an SME at S3-S4. |
| Threat Intelligence Analyst | JF-RISKOPS | SME | S1-S4 | S4 | Threat/Warning Analyst (AN-TWA-001) | May specialize in geopolitical, criminal, or ICS threat actors. |
| Vendor Risk Analyst | JF-RISKOPS | SME | S1-S4 | S4 | Security Control Assessor (OV-SCA-001) | May specialize in SaaS, critical suppliers, or supply chain. |
| OT Risk Analyst | JF-RISKOPS | SME | S2-S4 | S4 | Threat/Warning Analyst (AN-TWA-001) | Requires OT/ICS risk assessment experience. |
| Identity Risk Analyst | JF-RISKOPS | SME | S1-S4 | S4 | Cyber Defense Analyst (PR-CDA-001) | Requires UEBA, identity threat detection expertise. |
| Detection Engineer | JF-RISKOPS | SME | S1-S4 | S4 | Cyber Defense Analyst (PR-CDA-001) | Detection content authoring and tuning. |

### 7.4 Governance Pillar

| Canonical Role | Job Family | Track | Grade Range | Terminal Grade | NICE Work Role | Notes |
|---|---|---|---|---|---|---|
| Governance Pillar Leader | JF-GOVCOMP | Management | M4 (Director) | M4 | Exec Cyber Leader / Security Control Assessor (OG-WRL-001 / OV-SCA-001) | Full pillar accountability. Reports to CISO. |
| NERC-CIP Compliance Manager | JF-GOVCOMP | Management or SME | M1-M3 or S3-S4 | M3 / S4 | Security Control Assessor (OV-SCA-001) | In a large org, leads a compliance team (M track). In a small org, an expert IC (SME track). |
| CMMC / Federal Compliance Manager | JF-GOVCOMP | Management or SME | M1-M3 or S3-S4 | M3 / S4 | Security Control Assessor (OV-SCA-001) | Same dual-track pattern as NERC-CIP. |
| SOX ITGC Lead | JF-GOVCOMP | Management or SME | M1-M2 or S3-S4 | M2 / S4 | Security Control Assessor (OV-SCA-001) | Typically an IC role except in heavily regulated orgs. |
| Policy & Standards Manager | JF-GOVCOMP | Management or SME | M1-M2 or S3-S4 | M2 / S4 | Cyber Policy and Strategy Planner (OV-PSP-001) | Owns the document library. May lead a small team in large orgs. |
| Risk Register Owner | JF-GOVCOMP | SME or Management | S2-S4 or M1 | S4 / M1 | Information Systems Security Manager (OV-ISSN-001) | Curates the risk register. Management track only if leading a team of risk analysts. |
| Evidence Librarian | JF-GOVCOMP | SME | S1-S3 | S3 | Security Control Assessor (OV-SCA-001) | A specialized IC role. At S4, transitions to a broader Governance Advisor role. |

### 7.5 Reading the Mapping

**Range means flexibility.** A role showing S1-S4 can be filled at any grade. A CISO hiring for a Cloud Security Engineer may open the requisition at S2 and consider candidates from S1 to S3 depending on the team's composition and budget.

**Terminal grade means ceiling.** A Detection Engineer at S4 who wants to grow further has two paths: transition to a broader Advisor role that spans multiple Risk domains, or move to the Management track by leading a detection engineering team.

**Dual-track roles flex with the organization.** Several Governance roles show both SME and Management tracks. In a 5-person CERG, the NERC-CIP Compliance Manager is an individual contributor. In a 60-person CERG, that same role may lead a team of three compliance analysts. The role title is the same; the grade and track reflect the scope.

---

## 8. Career Pathing: Moving Between Tracks and Pillars

### 8.1 SME to Management Transition

The most common career move in a growing CERG organization. A Sr. Specialist or Advisor who demonstrates aptitude for people leadership may transition to Manager.

**Readiness indicators:**
- Consistently sought out by junior team members for guidance (informal mentoring before formal management)
- Has led cross-functional initiatives without formal authority
- Communicates clearly with non-technical stakeholders
- Shows interest in organizational design, process improvement, and team health, not just technical problems
- Their manager and a peer manager agree they are ready

**The transition is not a promotion in grade altitude.** An S3 Advisor moving to M1 Manager is a track change. Their compensation may increase to reflect new accountability, but their organizational influence does not reset. They carry their technical credibility into the management role.

**The first management role should be small.** A new Manager should start with 3-5 direct reports in a domain they know well. A new Manager assigned 10 reports across three unfamiliar domains is being set up to fail.

### 8.2 Management to SME Transition

Less common but equally legitimate. A Manager who discovers they prefer deep technical work to people management may return to the SME track.

**The return is grade-preserving.** An M2 Senior Manager returning to the SME track should slot at S3 Advisor or S4 Sr. Advisor, depending on their technical currency. The management experience is not wasted: it produces an IC who understands budgeting, stakeholder management, and organizational dynamics.

### 8.3 Cross-Pillar Movement

Movement between Engineering, Risk, and Governance is encouraged within limits. It builds the cross-pillar fluency that the Framework's left-right knowledge model depends on.

**Guidelines:**
- A Specialist moving pillars typically remains at S1 or S2 while they build domain expertise in the new pillar
- A Sr. Specialist or above moving pillars may retain their grade if their craft mastery transfers. A Sr. Specialist Cloud Security Engineer moving to Vendor Risk Analyst is learning a new domain and should expect a temporary grade adjustment or a timeline to demonstrate competence at their current grade
- Cross-pillar movement at Advisor and above is valuable and should be supported. An Advisor who has worked in two pillars is more valuable than one who has worked in one
- Pillar leaders should actively identify candidates for cross-pillar exposure and rotational assignments

### 8.4 The Adjacent-Team Boundary

Movement between CERG and the adjacent teams (Security Awareness, Incident Response) is a career option, not a CERG framework concern. The CISO owns the full cybersecurity organization. CERG managers should support team members who want to explore the adjacent functions and should not block internal transfers that benefit the broader security organization.

---

## 9. Span of Control and Team Design

### 9.1 Span-of-Control Guidelines

| Manager Grade | Minimum Span | Optimal Span | Maximum Span | Notes |
|---|---|---|---|---|
| Manager (M1) | 3 | 5-7 | 8 | Below 3, the role may not justify full-time management. Above 8, 1:1 frequency and quality degrade. |
| Senior Manager (M2) | 8 (total) | 12-16 (total) | 20 | Counts all reports, direct and indirect. A Senior Manager with 3 Managers each carrying 5 ICs is at 18 and well within range. |
| Principal Manager (M3) | 15 (total) | 25-35 (total) | 40 | At this scale, the Principal Manager's direct reports should be primarily M2s and senior ICs. |
| Director (M4) | Pillar-dependent | Pillar-dependent | Pillar-dependent | Director span is measured in organizational scope, not headcount. A 60-person Engineering pillar and a 13-person Governance pillar both require a Director. |

### 9.2 When to Create a Management Role

A management role should be created when one of the following is true, not before:

1. **Span-of-control pressure.** An existing manager carries more than 8 direct reports and adding more would degrade their effectiveness.
2. **Domain divergence.** A team has grown to cover two distinct domains that no single manager can credibly lead (e.g., Cloud Engineering and OT Engineering under one Manager).
3. **Succession need.** The organization needs to develop a successor for a critical management role and the candidate needs management experience.
4. **Geographic or temporal distribution.** A team is split across time zones or sites in a way that makes a single manager impractical.

**Anti-patterns to avoid:**
- Creating a "Manager of Cloud Security" title for a single Cloud Security Engineer to improve retention. Use the SME track instead: promote them to Advisor or Sr. Advisor with appropriate compensation.
- Creating management roles for every domain in a small team. A 6-person CERG may have zero Managers. The CISO manages everyone directly with pillar leads operating as player-coaches at S3-S4.

---

## 10. Compensation Philosophy

CERG does not prescribe salary bands: those are market-dependent, geography-dependent, and organization-dependent. It does prescribe the principles that should govern compensation decisions.

### 10.1 Principles

1. **Grade drives band.** Compensation bands are defined by grade, not by role title. A Sr. Specialist Cloud Security Engineer and a Sr. Specialist Threat Intelligence Analyst share a band. Role-specific market premiums are applied within the band.

2. **Tracks are equivalent at each level.** An S3 Advisor and an M2 Senior Manager occupy comparable compensation bands. The organization does not pay a premium for management simply because it is management.

3. **Market informs the band, not the individual offer.** CERG organizations should benchmark their bands against relevant cybersecurity compensation surveys annually. An individual candidate's market value does not reset the band; it determines where in the band the offer lands.

4. **Internal equity is maintained over time.** Two people at the same grade, in the same role family, with comparable performance and tenure should not have materially different compensation without a documented reason (e.g., a critical retention situation, a geography differential, a unique specialization).

5. **Progression within a grade is recognized.** Not every year of good performance results in a promotion. Within-grade progression should be recognized through within-band increases. A Specialist who has been at S1 for three years and is performing well but not yet ready for S2 should not be earning the same as a newly hired S1.

### 10.2 Grade-to-Band Guidance

| Grade | Market Positioning | Benchmark Target |
|---|---|---|
| S1 / Specialist | Developing | 25th-40th percentile of relevant market |
| S2 / Sr. Specialist | Competitive | 40th-60th percentile |
| S3 / Advisor / M1 Manager | Strong | 60th-75th percentile |
| S4 / Sr. Advisor / M2 Sr. Manager | Premium | 75th-85th percentile |
| M3 / Principal Manager | Leadership | 85th-90th percentile |
| M4 / Director | Executive Leadership | 90th+ percentile |
| CISO | Executive | Per executive compensation framework |

> **Percentiles Are a Starting Point, Not a Formula**
>
> A CERG organization in a high-cost geography, a competitive talent market, or an industry with acute cybersecurity talent shortages (utilities, healthcare, defense) will need to target higher percentiles to attract and retain. The principle is not "pay at the 50th percentile." The principle is "define your positioning deliberately and apply it consistently."

---

## 11. Adapting Grade Titles to Your Organization

The CERG grade titles (Specialist, Sr. Specialist, Advisor, Sr. Advisor) are deliberately chosen to be clear, descriptive, and free of the inflation that has made "VP" and "Director" nearly meaningless across organizations.

An adopting organization may need to map CERG grades to its existing title framework. The table below provides a translation layer.

### 11.1 Common Title Translations

| CERG Grade | Common Industry Equivalent | Government / Military Equivalent | Consulting Equivalent |
|---|---|---|---|
| Specialist | Associate, Analyst I, Engineer I | GS-7 to GS-9 | Analyst, Consultant |
| Sr. Specialist | Analyst II, Engineer II, Senior Analyst | GS-9 to GS-11 | Senior Consultant |
| Advisor | Staff Engineer, Principal Analyst, Lead | GS-12 to GS-13 | Manager, Associate Director |
| Sr. Advisor | Senior Staff Engineer, Distinguished Engineer, Fellow | GS-14 to GS-15 | Senior Manager, Director |
| Manager | Manager, Team Lead | GS-13 to GS-14 (supervisory) | Manager |
| Senior Manager | Senior Manager, Associate Director | GS-14 to GS-15 (supervisory) | Senior Manager |
| Principal Manager | Director, Senior Director | SES / SL | Director, Managing Director |
| Director | Senior Director, VP | SES | Partner, Managing Director |

### 11.2 What Not to Change

The CERG role titles from [`CERG-GOV-OM-001`](CERG-GOV-OM-001_CERG_Operating_Model.md) §6.1 are canonical and should not be altered. "Cloud Security Engineer" is a Cloud Security Engineer whether the organization's title framework calls engineers "analysts," "architects," or "specialists."

The grade title is separate. An organization may call an S3 Cloud Security Engineer a "Staff Cloud Security Engineer" internally while the CERG role remains "Cloud Security Engineer" in all framework documents. The adaptation is cosmetic; the grade expectations do not change.

---

## 12. Document Control

| Field | Value |
|---|---|
| **Document ID** | CERG-GOV-JA-001 |
| **Version** | 1.0 |
| **Status** | Approved |
| **Effective Date** | 2026-05-27 |
| **Classification** | Public |
| **Owner** | Governance Pillar Leader (Policy & Standards) |
| **Approved By** | CISO |
| **Parent Policy** | [`CERG-POL-001`](CERG-POL-001_Cybersecurity_Policy.md) - Cybersecurity Policy |
| **Review Cycle** | Annual; and on any change to the canonical role roster, organizational design, or compensation philosophy |
| **Next Scheduled Review** | 2027-05-27 |
| **Frameworks** | NIST CSF 2.0 (GOVERN); NIST NICE SP 800-181r1; ISO/IEC 27001 A.7.2 |
| **Regulations** | Cross-cutting |
| **Environments** | Program-wide |

### Revision History

| **Version** | **Date** | **Author** | **Change Summary** |
|---|---|---|---|
| 1.0 Draft | 2026-05-27 | Cyber Governance | Initial release. Establishes the two-track grade structure for CERG: SME progression (Specialist, Sr. Specialist, Advisor, Sr. Advisor) and Management progression (Manager, Senior Manager, Principal Manager, Director). Defines expectations at each grade across five dimensions. Maps every canonical CERG role to its grade range and terminal grade. Provides career pathing guidance for cross-track and cross-pillar movement. Establishes span-of-control guidelines, compensation philosophy, and grade-title adaptation guidance. |

### Review Triggers

- Change to the canonical role roster in [`CERG-GOV-OM-001`](CERG-GOV-OM-001_CERG_Operating_Model.md) §6.1
- Material change to the organizational design or team structure
- Change to the compensation philosophy or market conditions warranting band revision
- Addition or retirement of a grade or track
- Direction from the CISO

### Related Documents

| **Document** | **ID** | **Relationship** |
|---|---|---|
| Cybersecurity Policy | [`CERG-POL-001`](CERG-POL-001_Cybersecurity_Policy.md) | Parent policy |
| CERG Operating Model | [`CERG-GOV-OM-001`](CERG-GOV-OM-001_CERG_Operating_Model.md) | Authoritative canonical role roster |
| CERG Framework | [`CERG-GOV-FRM-001`](CERG-GOV-FRM-001_CERG_Framework.md) | Organizational design and talent model |
| Consolidated Roles and RACI Instrument | [`CERG-GOV-RAC-001`](CERG-GOV-RAC-001_Consolidated_Roles_and_RACI_Instrument.md) | Role descriptions and scaling map |
| Risk Management Framework | [`CERG-GOV-RMF-001`](CERG-GOV-RMF-001_Risk_Management_Framework.md) | Risk acceptance authority references |
| CERG Job Descriptions | [`CERG-GOV-JD-001`](CERG-GOV-JD-001_CERG_Job_Descriptions.md) | Full job descriptions per role |
| Document Catalog and Naming Convention | [`CERG-GOV-CAT-001`](CERG-GOV-CAT-001_Document_Catalog_and_Naming_Convention.md) | Registers this artifact and the JA domain |

Governance owns this document. The Governance Pillar Leader (Policy & Standards) is responsible for initiating reviews, managing the revision cycle, and obtaining CISO endorsement for all changes.
