Career Ladders: Part 3

Marc French, Jan 27, 2020

Harry, I’ve Reached the Top.

Welcome to the last installment of the career ladders blog series. Here we go.

If you missed it, here's the link to our Git repo: PSG Career Ladders

Physical Security Ladder

Why is this here? It is called convergence. Once upon a time, a decade or so ago, the idea that all security should work for the same person was hatched. It has been slow to take up, but ironically I see it more and more today amongst my peers, as tech crept into the physical security space and some of the cyber-attack vectors became kinetic (plus that physical penetration testing/social engineering thing). Therefore, it is important that we include it. If you are not in a converged team, go ahead and skip this part (like we did in the SOC discussion in Part 2).

  • YS_Generalist.MD

    Whew. There is a lot of stuff in here, for the same reason as some of the other ladders. Most of the converged teams I know of – especially in the tech space – have a physical team member as part of the group. Yeah, that was not a typo. I said member – singular. That person has a huge remit, and not a lot of support. These people can be hired – so try and recognize you may not get or even need all these skills in your org. Eventually, we will likely create unique ladders for some of these skill tracks as well.

    • Physical Systems – Got to run the gear and make badges (see Part 1 of our ladders series).
    • Crisis Management – I struggled with this a bit. The tasks could have easily merged with the SOC incident management and in a shop where the SOC is converged, we would have merged this skill in and operated as an ‘all hazards’ response process.
    • Guard Operations – This is the “Triple G” as we call it (Gates, Guards, and Guns). It is what most people think of as physical security, but it actually comprises only a fraction of the tasks.
    • Environmental Health & Safety – Yikes. What is this? Yup, this could be its own ladder, but let me tell you a story of why this is here. I was working at that same large hosting provider I mentioned in post #2. We owned our data centers and I was responsible for physical security. One of the techs was running cable on the rack overhead run and fell off the ladder. A guard did his patrol and found the tech. A ladder safety program was born, and who better to check/implement it than the folks that are there 24×7. This is IMPORTANT for your people and needs to be done by someone. Step up and own it if you can.
    • Special Services – There is a diverse set of skills here. I would tailor your requirements to what is necessary for your org. If you don’t have that company jet, then maybe aviation security is not important. (Side note – If you do have a jet, don’t be surprised if they don’t ask you to run the aviation program. It frequently is a function looking for a home.)
    • Investigations – This complements the investigations that might occur in the SOC, but it requires an almost completely different skill set, so the two shouldn’t be merged.
  • YS_Boston_Ladders.MD

    You will quickly notice the big difference in pay. It is the way it is, and you as the leader will need to manage that message in the converged team.

  • YS_NICE_Mapping.MD

    NICE doesn’t actually map these skills, so we are looking for another provider at this time. If you know of one, drop me a note.

Information Risk Ladder

This goes by many titles. GRC. Risk. Security Compliance. Call it whatever you like. It is the process and review side of the practice.

  • IR_Generalist.MD

    As in other ladders, this is a generalist role that could easily be split into many specialized roles. We provided the generalist set of skills for those orgs that need to have one role due to resource constraints.

    • Risk Management – It’s in the title. I have seen this be a specific role in larger organizations (especially ones with a Chief Risk Officer).
    • Additional Practice Area – Similar to the product security ladder, you will run into these (and may actually own them). In my past two gigs, we executed the next level of convergence and had the privacy function work in my team. A story for another blog post.
    • Controls/Compliance – This is what traditionally is thought of as the IR role.
    • Audits – In many smaller orgs, this role performs the audit function. In larger orgs, this may fall to the internal audit function in finance.
    • Policies – Yup, paperwork is what you will do in this role.
    • Sales Support – Wow. I am impacting top line revenue. Yup, in many cases, customers and suppliers want assurance that your team’s security practices are good. This falls to this team (or a subset of this team). We have had an active debate amongst my peers about whether security should have a marketing person on staff. Again, a story for another blog post.
    • Training – Teaching is one of the most important roles for this program.
  • IR_Boston_Mapping.MD

    Similar to physical security, these folks will make a little less than your more technical folks.

  • IR_NICE_Mapping.MD

    Nothing too interesting in here.

Business Security Manager Ladder

What is this? I like to call it scale. In larger organizations, the need to distribute security expertise to specific functions and/or geographies is a must. This is the role of a BSM: to liaise with your business stakeholders and give them a point of contact into the larger centralized security team. I think this is a critical role for any large org, and to be honest, it is sometimes seen as the gateway to the top spot (as you see by the titles). Additionally, like the Product Security career ladder, I don’t feel there is an entry level role in this ladder. You need a solid grounding in security first before you take this role, as you will be seen as the expert to your stakeholders. On-the-job learning will not end well for folks.

  • BSM.MD

    • Core Practice Areas – To my point above, you must be a security professional before you jump into this role. It can be in any discipline, but you need one (and you will learn the others as you progress).
    • Adjacent Risk Practices – Like the information risk practice, you will interact with other functions and may own them in region/function.
    • Adjacent Business Practices – This role has a management feel to it, and as a result, requires many of the management skills you would find in the GK_Management.MD skill list.
    • Incident Response – Interesting, as the single point of contact for the function/region, you will be best positioned to respond to an incident if it occurs (think time zones, connectivity, proximity etc.).
    • Metrics – In many cases you will need to demonstrate your value, as well as the broader security team’s value, to your stakeholders.
    • Technical Currency – With a broad remit, you are still going to need to keep your technical skills current.
  • BSM_Boston_Mapping.MD

    The thing to note here is that technical track ends at level 2. Beyond that, it looks and feels more managerial.

  • BSM_NICE_Mapping.MD

    For CPA.1-3, use the skill mappings from the ladder that serves as the foundation to your skill level. So, if you transitioned from information risk, use that ladder to fill in the skills you need here.

Chief Security Officer Ladder

Well, we have reached the top of the org. Whether it is called Chief Information Security Officer, Chief Security Officer, Chief Trust Officer, or something else, the buck stops here. This is the only Level 6 role in these ladders (Vice President level). Some larger orgs may have VPs in the org’s disciplines, and this role as a Senior VP, but for most orgs, it stops at the VP level.

  • CSO.MD

    • Core Practice Area – You have to know a lot about a lot. Continuous learning is going to be key.
    • Adjacent Risk Practice – As I had mentioned in prior ladders, you will be partnering with these leaders, and in many cases you will own some of these practices. Do not try to narrow your focus. Embrace your role as the main risk person in the org.
    • Adjacent Business Practices – At this level, you are expected to be a businessperson first, and a security person second. I am not saying you need an MBA, but you need to know the business side of the house.
    • Risk Management – In many cases, you will be the top risk person in the org. You need to know this inside and out.
    • Sales Support – Here it is again. People want confidence – and like it or not, you are in the confidence game. Be prepared to talk to customers/partners/vendors and be on a plane.
    • Incident Response/Investigations – You make the call (hopefully) in incidents. You need to have the confidence, connections, and courage to own this.
    • Metrics – This is how you prove your worth/value/ROI. You will live by this.
    • Technical Currency – Interesting debate about this. Do CISOs still need to be technical, or just business focused? My opinion is that your peers will still look at you as a technical resource (for better or worse), and if your skills are low/non-existent, it will work against you. Keep up that continuous learning.
  • CSO_Boston_Mapping.MD

    There is only one row. Word of advice: if you are taking this role, you deserve both a bonus plan and a pre-arranged severance package.

  • CSO_NICE_Mapping.MD

    Nothing too interesting here.

Well, this brings this series to a close. If you have any questions, post them here, DM me at @appsecdude or ping me on LinkedIn. Last question for folks – can you name the holiday themed movie this blog post title refers to? Drop your answer in the blog stream!

- Marc French