6 free templates across general, mid-market, virtual/fractional, security manager, deputy, and enterprise roles, with the CISO-versus-manager-versus-analyst distinction most templates skip. Download as DOCX.
A CISO job description has a question worth settling before you write a word: do you actually need a CISO, or a security manager, an analyst, or a fractional vCISO? CISO is a C-suite title that sits at the top of a ladder, and most companies, especially smaller ones, need a rung lower down. The generic templates skip that distinction entirely and post a C-suite executive role to companies that need an operational hire.
At FirstHR, we build templates that name the level clearly, add the FLSA and compliance context the boilerplate skips, and tell you honestly who hires a CISO and what a smaller company should do instead. The six below cover general, mid-market, vCISO, security manager, deputy, and enterprise versions. The guide to writing a job description covers the fundamentals.
TL;DR
A CISO (Chief Information Security Officer) is the C-suite executive who owns security strategy, risk, compliance, and board reporting. A full-time CISO is an exempt, six-figure-plus role hired by mid-market and enterprise companies. A smaller company usually needs an information security manager or analyst, or a part-time vCISO, instead. Pick the right level and download six templates as DOCX.
What a CISO Does
A CISO is the senior executive responsible for information and cyber security: setting the security strategy, managing risk, ensuring compliance, leading incident response, building the security team, and reporting the organization's security posture to leadership and the board.
There is no dedicated federal occupation code for CISO; the Bureau of Labor Statistics groups C-level roles under chief executives, while the nearest operational benchmarks are computer and information systems managers and information security analysts. The full-time title concentrates at mid-market and larger organizations.
CISO vs CIO vs Security Manager
Before writing anything, make sure CISO is the level you mean, because it is easily confused with adjacent C-suite roles and with the operational roles a growing company more often needs.
CISO
Security at the C-suite
The senior executive who owns information security strategy, risk, compliance, and incident response, and reports to leadership or the board. The role these job descriptions mean.
CIO vs CSO
Adjacent C-suite roles
A CIO owns all of IT and infrastructure; a CISO owns security specifically. A CSO may also cover physical security and is sometimes used as a synonym. In small companies one person often wears several of these hats.
Security manager or director
Below the C-suite
An information security manager or director of security runs security day to day at a level below the CISO. In a growing company without a CISO, this is usually the role you actually need.
Match the Title to the Work
If you need someone to set security strategy and answer to the board, that is a CISO. If you need someone to run security day to day, that is an information security manager. If you need hands-on monitoring and defense, that is an analyst. And if you need executive strategy part-time, that is a vCISO. The title should follow the work and your stage.
CISO Duties and Responsibilities
A CISO's duties cluster into four areas: strategy and risk, compliance and governance, operations and response, and leadership and reporting. At a first or mid-market CISO level the role is more hands-on; at enterprise scale it is more about leading an organization and the board relationship.
The most useful thing a security job description can do is be honest about which rung of the ladder it is. Here is how the three levels compare across what matters for hiring.
CISO
Security manager
Security analyst
Level
C-suite executive
Management
Individual contributor
Owns
Strategy, risk, the board
Day-to-day operations
Hands-on monitoring and defense
Hired by
Larger and mid-market firms
Growing companies
Companies of many sizes
Pay (national reference)
Six figures, often $300k+
Near $171,200 (IT managers)
About $124,910 median
First security hire?
Rarely
Sometimes
Often
The takeaway: a growing company that needs security done, rather than reported to a board, usually needs a manager or an analyst first. Reserve the CISO title for when scale and risk genuinely call for a security executive.
Which Template Should You Use?
Pick the template by level and stage: general for a full-time CISO, mid-market for a first security leader, vCISO for part-time contractor leadership, security manager for the operational lead, deputy for a senior leader below the CISO, and enterprise for a large organization. Use this guide to choose.
CISO
General baseline
The general full-time CISO version, owning security strategy across the organization, with the FLSA and contract note built in.
Mid-Market / First CISO
Build role
For a growing company's first security leader, balancing strategy with hands-on program building and compliance.
Virtual / Fractional (vCISO)
Contractor, scope of work
For part-time executive security leadership, usually a contractor or service. The model most small companies actually use.
Information Security Manager
De-facto security lead
For the operational security leader below the C-suite. Often the right role for a growing company without a CISO.
Deputy CISO / Director
Senior, below CISO
For a senior leader who owns major security domains and deputizes for the CISO.
Enterprise CISO
Large organization
For a large company, leading the enterprise security organization and board-level obligations.
Match the Template to the Stage
A growing company's first security leader: Mid-Market. Part-time strategy without a full-time hire: vCISO. The operational security lead you actually need: Information Security Manager. A senior leader below the CISO: Deputy / Director. A large company: Enterprise. A standard full-time C-suite role: the general CISO. Classify a full-time CISO as exempt; classify a vCISO carefully as a contractor.
6 Free CISO Job Description Templates
Download all six as a single Word document or copy individual templates. Each follows the same structure: company overview, summary, responsibilities or scope of work, qualifications, a compliance note, and how to apply or engage. Fill in the brackets, set the reporting line, and post.
Download All 6 Job Description Templates
General, mid-market, vCISO, security manager, deputy, and enterprise. All in one DOCX.
Template 1: CISO (General)
The general full-time CISO version, owning security strategy across the organization, with the FLSA and contract note built in.
CISO Job Description
CHIEF INFORMATION SECURITY OFFICER (CISO) JOB DESCRIPTION
Company: __ ([City, State])
Reports to: [CEO / CIO / Board]
Employment type: Full-time
FLSA status: Exempt (salaried)
Compensation: $_____ per year [plus equity and bonus]
ABOUT [COMPANY NAME]
[Company Name] is a [industry] company in [City, State]. We are hiring a Chief
Information Security Officer to own and lead our information security strategy
and program.
POSITION SUMMARY
The Chief Information Security Officer (CISO) is the senior executive
responsible for the organization's information and cyber security: setting the
security strategy, managing risk, ensuring compliance, leading incident
response, and reporting on security posture to leadership and the board.
KEY RESPONSIBILITIES
•Set and lead the information security strategy and roadmap
•Own enterprise security risk management
•Ensure compliance with relevant frameworks and regulations
•Lead incident response and breach preparedness
•Build, lead, and develop the security team
•Set security policies, standards, and awareness training
•Oversee security architecture and controls
•Report security posture and risk to leadership and the board
REQUIRED QUALIFICATIONS
•Extensive senior information security leadership experience
•Deep knowledge of security frameworks and risk management
•Experience with compliance (such as SOC 2, ISO 27001, NIST)
•Proven leadership of security teams and incident response
•Bachelor's degree; advanced degree and certifications common (CISSP, CISM)
COMPLIANCE NOTE (read before posting)
A CISO is exempt (salaried) under the FLSA executive exemption and, at typical
pay, the highly compensated employee test. Because the role has deep access to
systems and sensitive data, executive contracts commonly include confidentiality
and restrictive covenants, and equity is often part of the package. Handle the
agreement with counsel. This is general information, not legal advice.
EEO STATEMENT
[Company Name] is an equal opportunity employer and provides reasonable
accommodations for the essential functions of this role.
COMPENSATION AND HOW TO APPLY
Compensation: $_____ per year [plus equity and bonus]
To apply, email __ with your resume.
Template 2: Mid-Market / First CISO
For a growing company's first security leader, balancing strategy with hands-on program building and compliance.
For a large company, leading the enterprise security organization and board-level obligations.
Enterprise CISO Job Description
ENTERPRISE CHIEF INFORMATION SECURITY OFFICER JOB DESCRIPTION
Company: __ ([City, State])
Reports to: [CEO / Board]
Leads: [the global information security organization]
Employment type: Full-time
FLSA status: Exempt (salaried)
Compensation: $_____ per year plus equity and bonus
ABOUT [COMPANY NAME]
[Company Name] is a large [industry] organization in [City, State]. We are
hiring a Chief Information Security Officer to lead enterprise information
security across the organization.
POSITION SUMMARY
The Enterprise CISO leads information security at scale: setting the enterprise
security strategy, leading a large security organization, owning regulatory and
board-level security obligations, managing enterprise risk, and representing
security to regulators, customers, and the board.
KEY RESPONSIBILITIES
•Set the enterprise, multi-year security strategy
•Lead a large, multi-disciplinary security organization
•Own enterprise security risk and governance
•Ensure compliance across multiple frameworks and regulations
•Lead enterprise incident response and crisis management
•Manage the security budget and portfolio
•Brief and report to the board and regulators
•Represent security to customers and partners
REQUIRED QUALIFICATIONS
•Extensive executive security leadership at enterprise scale
•Track record leading large security organizations
•Deep regulatory, governance, and board-reporting experience
•Strategic, financial, and risk-management depth
•Advanced degree and senior certifications common (CISSP, CISM)
COMPLIANCE NOTE
Exempt (salaried) under the FLSA executive exemption and well within the highly
compensated employee threshold. Enterprise packages include equity and
restrictive covenants, and public companies face board-level security disclosure
obligations. Structure the agreement with counsel. This is general information,
not legal advice.
EEO STATEMENT
[Company Name] is an equal opportunity employer and provides reasonable
accommodations for the essential functions of this role.
COMPENSATION AND HOW TO APPLY
Compensation: $_____ per year plus equity and bonus
To apply, email __ with your resume.
FLSA, vCISO, and Frameworks
The compliance picture for a security hire has a few pieces the generic templates skip: overtime classification across the security ladder, the contractor question for a vCISO, the frameworks that actually apply, and the confidentiality that system access demands. Four points belong in the decision.
A CISO is exempt; the role below it usually is too
A full-time CISO is exempt from overtime, meaning salaried and not entitled to overtime pay, under the FLSA executive exemption: the primary duty is management of the security function, the role directs the work of others, and it carries authority over strategy and hiring. At C-suite pay it also clears the highly compensated employee threshold, which simplifies the analysis. The roles below it (director, manager, and analyst) are generally exempt too, under the executive, administrative, or computer-employee exemption depending on the actual duties, but the analysis is closer at lower pay and a title alone never decides it. Classify each security role by its real duties and pay rather than by the seniority of the title. This is general information, not legal advice.
A vCISO is usually a contractor, so classify the engagement
Most small and growing companies that want senior security leadership engage a virtual or fractional CISO rather than hiring a full-time one, and a vCISO is normally an independent contractor or a service provider, not an employee. That classification must reflect the real relationship: under the federal economic-realities test, and stricter ABC tests in states like California, a worker you direct day to day and who is economically dependent on your business may be an employee regardless of what the agreement says. A genuine part-time advisory engagement across multiple clients is typically a contractor, but a fractional security leader who effectively runs your program full time under your direction may not be. Confirm the relationship fits the label. This is general information, not legal advice.
Match the compliance framework to your business
Security roles exist largely to meet compliance and risk obligations, and the relevant frameworks depend on your industry: SOC 2 for many software and service companies, the HIPAA Security Rule for healthcare, PCI-DSS for card payments, CMMC for defense contractors, and ISO 27001 or the NIST frameworks more broadly. A small or growing company does not need to meet all of them; it needs to identify which ones its customers, regulators, and contracts actually require, and scope the security role to those. Naming the specific frameworks your business must satisfy in the job description helps you attract a candidate with the right experience rather than a generalist. This is general information, not legal advice.
System access makes confidentiality and covenants matter
Anyone in a senior security role has deep access to systems, credentials, customer data, and the organization's defensive plans, which makes confidentiality and conflict-of-interest expectations important to set from the start. Executive security contracts commonly include confidentiality, non-solicitation, and, where enforceable, non-compete provisions, along with clear terms on handling of credentials and data on departure; enforceability of non-competes varies by state, so draft to your state's current law. For any security hire, a signed confidentiality agreement and a clean, documented offboarding process for access and credentials are good practice, not optional. This is general information, not legal advice.
For the underlying rules, the DOL covers the executive exemption that applies to a CISO, and the exempt versus non-exempt guide explains how to confirm classification for the manager and analyst roles below it.
The Security Role Most Small Companies Actually Need
For a small or growing company, the realistic security hire is usually an information security analyst (the hands-on first hire, a fast-growing role) or an information security manager (the de-facto security lead), supported by a vCISO for strategy. A full-time CISO is a later-stage, mid-market-and-up role. Match the hire to your size and risk rather than to the most senior title. This is general information, not legal advice.
Requirements and Qualifications
A CISO is a senior executive role, so the baseline is extensive security leadership plus the certifications that carry weight in the field, with the specifics shifting by level. Match the requirements to what you are hiring.
Requirement
What to know
Experience
Extensive senior information security leadership
Frameworks
SOC 2, ISO 27001, NIST, plus industry-specific rules
Certifications
CISSP and CISM common at leadership level
Core skills
Strategy, risk, incident response, leadership
Education
Bachelor's expected; advanced degree common
Classification
Full-time exempt; vCISO usually a contractor
Keep the posting neutral and inclusive, since the EEOC prohibits job advertisements that show a preference based on protected characteristics, and the SHRM guide covers the standard sections of a job description.
How to Write a CISO Job Description
A strong security posting starts by confirming the level you need, picks the version, names the real frameworks, and classifies the role correctly. Here is the process the templates are built around.
1
Confirm you need a CISO
A CISO is a C-suite executive. If you need someone to run security day to day, that is a security manager or analyst; for part-time strategy, a vCISO. Decide the level first.
2
Pick the version and stage
General, mid-market, vCISO, security manager, deputy, or enterprise. Pick the matching template and describe your company and security needs plainly.
3
List the real duties
Strategy and risk, compliance and governance, operations and response, and leadership and reporting, scaled to the stage: hands-on for a first CISO, organization-leading for enterprise.
4
Name your compliance frameworks
State which frameworks actually apply (SOC 2, HIPAA, PCI-DSS, CMMC, ISO 27001, NIST) so you attract relevant experience rather than a generalist.
5
Classify and structure the offer
A full-time CISO is exempt under the executive exemption; a vCISO is usually a contractor, so confirm the relationship. Document equity and any restrictive covenants with counsel.
For the classification rules that decide exempt status across the security ladder, the DOL executive exemption fact sheet is the authoritative reference.
CISO and Security Pay
A CISO is among the highest-paid roles in technology, and the security roles below it are well paid too, which is part of why matching the level to the need matters.
A Ladder of Six-Figure Roles
There is no federal wage code for CISO; the nearest operational benchmarks are computer and information systems managers at a median near $171,200 and information security analysts at about $124,910 a year as of May 2024, with the analyst role projected to grow 29 percent through 2034 (BLS). CISO total compensation runs well above these.
Market estimates put CISO total compensation in the low-to-mid six figures at typical employers, considerably higher at large enterprises once equity and bonus are included, and into seven figures at the very top, while the lower reported figures tend to reflect smaller-company or title-inflated roles. For a posting, benchmark to your company size, industry, and location, account for equity separately, and provide a good-faith range where pay transparency rules apply. National compensation surveys are a useful reference for detail.
Do You Need a CISO?
The CISO hire turns on three questions the generic templates never raise: is a CISO the right level, is your company at the stage that hires one, and would a vCISO or a security manager fit better? Here is what actually matters.
First, decide whether you need a CISO at all, or a manager, an analyst, or a vCISO
The most useful thing to settle before writing a CISO job description is whether a CISO is actually the role you need, because the title sits at the top of a ladder and most companies need a rung lower down. A CISO is a C-suite executive who owns security strategy, enterprise risk, and board reporting, and the title typically appears once a company is large enough to justify a dedicated security executive with a team and a budget. Below the CISO sit a director of security, an information security manager (the person who runs security day to day), and an information security analyst (the hands-on individual contributor who monitors and defends systems). A growing company that needs to actually do security, rather than report it to a board, usually needs a security manager or an analyst first, and the title CISO can attract overqualified, expensive candidates for what is really an operational role. Match the title to the work and the stage before you post.
A full-time CISO is an enterprise and mid-market role, not a small-business hire
It is worth being honest about who hires a full-time CISO, because it shapes whether the role fits your company. The title concentrates at mid-market and larger organizations, commonly those past several hundred employees, and in regulated industries like finance, healthcare, and defense that hire earlier, and the compensation reflects that, running well into the six figures and often far higher at large enterprises. A company of a handful of people does not hire a full-time CISO; at that scale security is usually owned by the founder, an IT lead, or an outside provider. That does not mean small companies can ignore security, because regulatory pressure and attacks on small businesses are both real, but the answer at small scale is rarely a full-time C-suite security hire. If you find yourself writing a full-time CISO job description for a very small company, it is worth pausing to ask whether what you need is a security manager, an analyst, or a fractional vCISO.
If you are small and need senior security help, a vCISO or a security manager fits better
There is a real and common way for a smaller company to get senior security leadership without a full-time CISO: engage a virtual or fractional CISO, or hire a security manager or analyst. A vCISO provides executive-level security strategy and oversight part-time, usually as a contractor or through a service provider, which gives a small company senior judgment and compliance guidance without a full-time C-suite salary; if you go this route, classify the engagement correctly, since a genuine part-time advisory arrangement is typically a contractor but a fractional leader you direct day to day may be an employee. The alternative is to hire in-house at the level you actually need: an information security manager to run security operations and compliance, or an information security analyst as your first hands-on security hire. For most growing companies, one of these, a vCISO, a manager, or an analyst, is the realistic path, and each is far easier to scope, onboard, and manage than a full-time CISO the company has not yet grown into.
Key Takeaways
A CISO is a C-suite executive who owns security strategy, risk, compliance, and board reporting; it sits at the top of a ladder above a director, a manager, and an analyst.
A full-time CISO concentrates at mid-market and larger organizations (commonly past several hundred employees, earlier in regulated industries), with six-figure-plus pay; it is not a typical small-business hire.
A growing company that needs security done, rather than reported to a board, usually needs an information security manager or analyst first.
A virtual or fractional CISO (vCISO) gives a smaller company executive-level security strategy part-time, usually as a contractor; classify the engagement by the real relationship.
A full-time CISO is exempt under the FLSA executive exemption; the manager and analyst roles below are generally exempt too, but confirm by duties and pay.
Name the compliance frameworks that actually apply to your business (SOC 2, HIPAA, PCI-DSS, CMMC, ISO 27001, NIST) so the posting attracts the right experience.
Frequently Asked Questions
What does a CISO do?
A CISO (Chief Information Security Officer) is the senior executive responsible for an organization's information and cyber security. The duties cluster into four areas: strategy and risk (setting the security strategy and roadmap, owning enterprise security risk, prioritizing against business needs), compliance and governance (ensuring framework and regulatory compliance, running audits, setting policies and standards), operations and response (overseeing security controls and architecture, leading incident response, managing vendor and access risk), and leadership and reporting (building and leading the security team, running awareness training, reporting security posture to leadership and the board). The CISO typically reports to the CEO, CIO, or board and is accountable for the organization's overall security posture rather than for hands-on monitoring, which sits with security analysts. This page includes general, mid-market, vCISO, security manager, deputy, and enterprise templates. This is general information, not legal advice.
What is the difference between a CISO, a security manager, and a security analyst?
The three are different rungs on a ladder. A CISO is a C-suite executive who owns security strategy, enterprise risk, compliance, and board reporting; the role appears at larger and mid-market companies with a dedicated security function. An information security manager sits below the C-suite and runs security day to day: operations, controls, compliance, and incident coordination, often leading a small team; in a growing company without a CISO, the manager is frequently the de-facto security lead. An information security analyst is an individual contributor who does the hands-on work of monitoring systems, investigating alerts, testing for vulnerabilities, and defending the network; it is the most common first security hire and one many companies of all sizes make. The pay reflects the ladder, with analysts around a national median of $124,910, IT managers around $171,200, and CISOs well into the six figures and often higher. For hiring, match the title to the actual work and your company's stage. This is general information, not legal advice.
Do small businesses need a CISO?
Rarely as a full-time hire. A full-time CISO concentrates at mid-market and larger organizations, commonly past several hundred employees, with regulated industries like finance, healthcare, and defense hiring earlier, and the compensation runs well into the six figures and often higher. A company of a handful of people does not hire a full-time CISO; security at that scale is usually owned by the founder, an IT lead, or an outside provider. That does not mean small businesses can ignore security, because regulatory requirements and cyberattacks on small businesses are both real and growing, but the practical answer at small scale is usually one of three things: engage a virtual or fractional CISO (vCISO) for part-time executive guidance, hire an information security manager to run security operations, or hire an information security analyst as a first hands-on security hire. Each of these fits a small or growing company far better than a full-time C-suite security executive. Match the solution to your size and risk. This is general information, not legal advice.
What is a virtual or fractional CISO (vCISO)?
A virtual or fractional CISO, often called a vCISO, provides executive-level security leadership on a part-time basis, typically a few days a month or on a retainer, rather than as a full-time hire. The model gives a smaller or growing company access to the strategic judgment of an experienced security executive, setting the security strategy, guiding compliance efforts like SOC 2 or HIPAA, advising leadership on risk, and overseeing the security program, without committing to a full-time C-suite salary. vCISOs usually work across several clients at once and are engaged as independent contractors or through a service provider such as a managed security firm. This is the model most small and growing companies actually use instead of hiring a full-time CISO, and it is a legitimate way to get senior security guidance early. The one thing to get right is classification: a genuine part-time advisory engagement across clients is typically a contractor, but if a vCISO effectively runs your program full time under your direction, the law may treat the person as an employee. This is general information, not legal advice.
Is a CISO exempt or non-exempt from overtime?
A full-time CISO is exempt, meaning salaried and not entitled to overtime, under the FLSA executive exemption: the primary duty is management of the security function, the role directs the work of others, and it carries authority over strategy and hiring. At C-suite pay the role also clears the highly compensated employee threshold, which makes the analysis straightforward. The security roles below the CISO are generally exempt as well: a director or manager of security usually qualifies under the executive or administrative exemption, and a security analyst may qualify under the administrative or computer-employee exemption, though the analysis is closer at lower pay levels and depends on the actual duties rather than the title. The separate classification question is the vCISO, which is usually an independent contractor rather than an employee; that turns on whether the working relationship genuinely fits contractor rules. Classify every security role by its real duties, pay, and relationship, not by the title. This is general information, not legal advice.
What qualifications and certifications does a CISO need?
A CISO is a senior executive role, so the baseline is extensive information security leadership experience, deep knowledge of security frameworks and risk management, and a proven track record leading security teams and incident response. A bachelor's degree is expected and an advanced degree is common, and certifications carry real weight in this field: the CISSP (Certified Information Systems Security Professional) and CISM (Certified Information Security Manager) are the most recognized at the leadership level, with others like CRISC or cloud-specific credentials adding value. The requirements shift by version: a first or mid-market CISO needs to be hands-on as well as strategic, an enterprise CISO needs experience leading large organizations and board reporting, and a security manager or analyst needs more operational and technical depth (where credentials like Security+ also fit) than executive breadth. Match the qualifications and certifications to the specific role and level you are hiring rather than listing every credential, which can deter good candidates. This is general information, not legal advice.
How much does a CISO make?
A CISO is among the highest-paid roles in technology, and the pay varies widely by company size, industry, and how much of the package is equity. Market estimates commonly put CISO total compensation in the low-to-mid six figures at typical employers, with figures at large enterprises running considerably higher once equity and bonus are included, and the very top of the market reaching into seven figures. The lower end of reported ranges tends to reflect smaller-company or title-inflated roles. There is no dedicated federal wage code for CISO; the Bureau of Labor Statistics groups C-level executives under chief executives, and the nearest operational benchmarks are computer and information systems managers at a median of about $171,200 a year and information security analysts at about $124,910 as of May 2024. For a posting, benchmark to your company size, industry, and location, account for any equity component separately, and provide a good-faith range where pay transparency rules apply. National compensation surveys are a useful reference. This is general information, not legal advice.
Should a growing company hire a CISO or a security manager?
For most growing companies, a security manager or analyst is the more fitting hire than a full-time CISO, with a vCISO as a third option for strategic guidance. An information security manager runs security day to day, owning operations, controls, compliance, and incident coordination, and is the right hire when a company needs someone to actually do and lead security rather than report it to a board. An information security analyst is the hands-on individual contributor and is often the very first security hire. A full-time CISO makes sense once a company is large enough or regulated enough to need a dedicated security executive with a team, a budget, and board-level accountability, which is typically a mid-market or enterprise stage. If a growing company wants executive-level strategy without a full-time hire, a fractional vCISO bridges the gap. The practical sequence for many companies is an analyst or manager first, supported by a vCISO if needed, and a full-time CISO only once scale and risk justify it. Match the role to your stage. This is general information, not legal advice.