Competency Profile for the Role of the Chief Security Officer
Role of the Chief Security Officer
Chief Security Officers (CSOs) are at the forefront of departmental security and act as strategic security risk advisors to the Deputy Head of an organization. The variety of security experience the role offers is particularly beneficial for aspiring managers and/or executives.
The CSO of an organization is responsible for establishing a security program to ensure the security and integrity of people, information, individuals and assets from perceived and/or known risks, threats, and actions that could prevent the effective and secure functioning of an organization. To do so, the CSO plays a lead role in advising senior management on security compliance with government legislation, policies and strategies. Additionally, CSOs bring forward proposals to strengthen the security culture and program of an organization, rooted in the sound and effective implementation of the Policy on Government Security and its eight (8) controls. A strong security program is one that is integrated into all the business lines of an organization to ensure that security risk management is entrenched at the base of its decision-making process, operations and service delivery.
Competency profile
Key activities
This section provides suggested key activities of a Chief Security Officer. The level of responsibility and involvement in any of these activities, or others, will be determined by the hiring organization based on its mandate, key business lines and other factors specific to the organization:
- Lead the security function of an organization by building and managing a solid security program, including a well-defined governance structure that clearly identifies roles, responsibilities and decision-making processes for security risk management, and appropriate planning, monitoring and reporting activities that are aligned with the Treasury Board Secretariat of Canada (TBS) policies, directives and standards. As applicable and when appropriate, contribute to strategic intergovernmental security discussions and/or initiatives to support broader Government of Canada security objectives.
- Based on a thorough understanding of an organization’s mandate, business lines and risks, and through overarching leadership and collaboration, for each security control under the Policy on Government Security:
  - Ensure requirements, practices, and controls are defined, documented, implemented, assessed, monitored and maintained to adequately protect information, individuals and assets, and support government programs, services and activities; and,
  - Oversee the establishment of organization-wide processes to assess and document actions taken regarding residual security risks of an organization’s programs and services and their supporting resources.
- Through continuous and strong collaboration with the organization’s executive community, including those responsible for programs and service delivery and policy development, oversee the development, implementation, maintenance and assessment of an organization’s Departmental Security Plan (DSP), which aligns with and supports its programs and their safe and effective delivery. The DSP should:
  - Provide a thorough assessment of risks to the organization based on the effectiveness of security controls that are in place and the overall management of the security program;
  - Include strategies to implement further safeguards to address identified gaps;
  - Define and document security requirements, practices and controls; and,
  - Be well integrated with departmental and governmental strategic objectives and outcomes.
- In support of a solid, efficient and effective security program and a comprehensive DSP, ensure that the proper mechanisms to monitor and report on the status of security activities and DSP priorities are well established. These should include processes to monitor any change in risk levels, emerging or evolving threats, drivers and vulnerabilities involved while learning from events/incidents and making required adjustments to the security program and the DSP.
- Collaborate as appropriate with cross-functional teams, including GC security agencies, other organizations, external stakeholders and other levels of government, on the conceptualization and/or implementation of key transformation initiatives to ensure the identification, prevention and detection of vulnerabilities and risks, and the development and/or implementation of prevention, mitigation, recovery and/or response strategies for events that could compromise the security and safety of information, individuals, and assets.
- When a security event occurs, immediately share the appropriate information necessary for the effective management of the situation internally to the organization, with lead security agencies, and with other implicated organizations as appropriate, including external stakeholders and other levels of government. Test internal processes to achieve situational awareness and to ensure that the security and emergency management communities are informed as quickly as possible. In case of a significant event affecting multiple organizations, collaborate interdepartmentally to enable a coordinated enterprise response.
- In collaboration with appropriate stakeholders, including GC security and intelligence agencies, other organizations, external stakeholders and other levels of government, develop processes to remain abreast of trends, threats, drivers, vulnerabilities and risks in the security context, including national and global security issues, and how they intersect with an organization’s security program and the broader security objectives of the Government of Canada, while contributing to Canada’s global security posture.
Knowledge
This section provides suggested knowledge criteria required to perform the duties of Chief Security Officer. These knowledge criteria are provided as examples and can be used/modified as required by organizations to adequately support their respective work environment and mandate:
- In-depth knowledge of the Policy on Government Security and mandatory procedures on its eight (8) security controls, and supporting directives and standards: Directive on Security Management; Directive on Identity Management and the Standard on Identity Management and Credential Assurance; Standard on Security Screening; Standard on Security Event Reporting; and Standard on Security Categorization.
- In-depth knowledge of other acts, policies, directives and protocols intersecting with the Policy on Government Security, including: Access to Information Act; Privacy Act; Emergency Management Act; Policy on Service and Digital; Directive on Privacy Impact Assessment; and the Significant Event Information Sharing Protocol.
- In-depth knowledge of the Government of Canada’s machinery in the context of government security and the roles and responsibilities of Lead Security Agencies (LSAs) and Internal Enterprise Service Organizations (IESOs), to ensure proper guidance is sought throughout the implementation of the Policy on Government Security and the security controls.
- In-depth knowledge of the organization’s programs, priorities and activities and how its security program supports them.
- In-depth knowledge of how an organization’s security program relates to the broader security objectives of the Government of Canada and contributes to Canada’s global security posture.
- In-depth knowledge of other functions that intersect with security and their respective authorities and foundational framework of legislation, policies, directives and other instruments.
Skills
This section provides suggested skills required to perform the duties of Chief Security Officer. These skills are provided as examples and can be used/modified as required by organizations to adequately support their respective work environment and mandate:
- Ability to forge strong and effective working relationships with all program leaders within an organization, and understand how they intersect with security to build and implement an integrated security program; and ensure a coordinated risk management approach for security that is incorporated into an organization’s business processes. This includes strong collaboration with:
  - All programs, to understand their business lines and the context in which they operate, as well as the processes for planning, delivering and monitoring their business lines, to support a strong risk management function and ensure adequate, timely and relevant support from the security team;
  - Emergency Management, as it relates to the intersecting elements of the security event management and business continuity management controls, in order to prepare for and coordinate a concerted response to disruptive events or incidents;
  - Information Technology (IT) functions, via the Chief Information Officer and the Designated Official for Cyber Security, to help ensure that security requirements and appropriate IT security and information management controls are applied continuously, and that when a significant cyber incident occurs, potential damage to infrastructure and/or loss, theft, manipulation or damage to GC information is assessed, an investigation report is prepared, and appropriate mitigation measures to recover from the incident are implemented;
  - Occupational Health and Safety, intersecting with security event management and the physical security controls;
  - Security and Intelligence, to access relevant intelligence and adequately inform security risk management and related plans;
  - Human Resources, intersecting with the security screening control, as it plays a valuable role in the coordination and management of administrative investigations that may impact an employee’s security status or clearance;
  - Internal Communications, intersecting with the security awareness and training control, by assisting with communications strategies for security awareness activities; and
  - Access to Information and Privacy, intersecting with security event management, information management and IT security controls, in response to privacy breaches and leaks of sensitive and/or classified information.
- Ability to forge strong and effective working relationships across the CSO community, and with GC security agencies (including LSAs and IESOs), other organizations, external stakeholders and other levels of government to collaborate on the establishment of national and/or government-wide processes to monitor and ensure a coordinated security program and response to a security event.
- Ability to manage multiple crises, report on progress and resolution, and promptly return an organization to an acceptable state of operations through a thorough risk management process.
- Ability to understand and review security audits and risk assessments, and to manage incident response processes.
Attributes
This section provides a link to the Federal Public Service Key Leadership Competencies, as well as additional attributes that may be added to the role of Chief Security Officer as required by organizations to adequately support their respective work environment and mandate:
- Engagement, collaboration and client-focus - Build and sustain strong and effective working relationships across an organization and with key stakeholders to ensure security is woven into all programs, processes and procedures of an organization to support their effective and efficient delivery, and that it is also incorporated and considered at the onset in an organization’s risk assessment and resulting plans. Translate security requirements into corporate language to achieve buy-in and collaboration to implement effective security strategies.
- Strategic and analytical thinking and creative problem solving - Assess risks, analyze complex security issues and develop appropriate solutions to develop, implement and manage a solid security program based on the broader impact and alignment with organizational and Government of Canada priorities, and based on strong knowledge of the machinery of government.
- Self-management - Remain reliable, flexible, and calm to be effective in the face of stress factors, and maintain focus on, and be cognizant of, all aspects of a given situation, while considering the impact of any actions taken when leading a team to achieve a common goal.
- Living the values of integrity, respect and trust - Be an agent of change who promotes and embraces diversity and inclusion, works to eliminate barriers, and treats every person with respect, dignity, and fairness, and in so doing helps build and maintain trust in GC security and a strong security culture.
- Judgment - Understand the risks facing the organization and the delivery of its services to Canadians, and act accordingly to minimize their impacts.
- Ability to hold a Government of Canada security clearance.
As leaders in the Public Service, CSOs are also expected to demonstrate the Federal Public Service Key Leadership Competencies.
Notice to users
In using this competency profile, officials should consider their organization's mandate, key business lines, risk profile, response capabilities, location, and other factors specific to their organization.
As per the Policy on Government Security (PGS), a Deputy Head is required to designate a Chief Security Officer to provide leadership, coordination and oversight for departmental security management and related security controls. It should be noted that Chief Security Officer is not a position, but a role that is often assigned to an executive responsible for corporate functions, including departmental security. Although this competency profile may be leveraged by organizations as required to define the role of executive positions responsible for departmental security, it is not intended to constitute an official job description and/or statement of merit criteria.
The profile was produced in consideration of the Policy on Government Security (PGS) of the Government of Canada (GC), and other related policies as they pertain to the GC security career paths such as the Policy on Service and Digital for the information technology security sub-group. Where required, provisions of the Privacy Act have been considered. In case of any discrepancy between the content of the profile and the Privacy Act, the PGS or any other applicable policy or legislation, the latter prevails. It is the responsibility of users to perform the due diligence necessary to ensure that their use of the profiles is compliant with applicable legislation and GC policies, at the time of use. This profile is intended to remain evergreen. If you identify any elements that should be updated or corrected, please contact the Security Centre of Excellence.
As it pertains to the Information Technology Security control of the Policy on Government Security, and given its complementary, and sometimes overlapping, nature with cyber security, this competency profile should be used in conjunction with the Canadian Cyber Security Skills Framework. In the GC, the distinction between ‘information technology security’ and ‘cyber security’ is understood as follows:
- Information technology (IT) security is the discipline of applying security controls, security solutions, tools and techniques to protect IT assets against threats from compromises throughout their lifecycle. IT security focuses on the security of both electronic data assets and physical IT assets.
- Cyber security refers to the security of the transmission of electronic data and information across cyberspace. It covers the technology, processes, practices, and response and mitigation measures designed to protect electronic information, data and information infrastructure from mischief, unauthorized use or disruption in cyberspace. Cyber security complements IT security, and operationalizes the IT security controls set out in subsection B.2.3 of Appendix B of the Directive on Security Management.
Ultimately, the goal of both cyber security and IT security is to preserve the confidentiality, integrity, availability, intended use, and value of electronically stored, processed, or transmitted data and information.
To note: As part of the Departmental Security Career Paths initiative of the Professionalization Framework, the first tranche of work consists of establishing four (4) departmental security career paths and their respective sub-groups, and showcasing their many career opportunities, from entry-level to chief security officer positions, through diversification and/or specialization of experience. This information is now housed on the SCoE webpage of the Privy Council Office (PCO) website, as well as on the Jobs in National Security and Defence webpage, and links to the related job postings across the public service. The second tranche of work consists of the development of competency profiles for each security career path and their respective sub-groups. This includes the identification of key activities, knowledge, skills, and attributes required to pursue a successful career in departmental security. The third tranche of work consists of a Learning Inventory to identify existing developmental and accreditation programs for each security career path and their respective sub-groups (available only to public servants). The fourth tranche of work, this competency profile, consists of establishing a Chief Security Officer (CSO) Competency Profile to provide suggested key activities, knowledge, skills, attributes and suggested learning tools and resources to support CSOs in the successful delivery of a solid security program.