Below are the top five considerations when developing a roles & responsibilities for your security program:
1. Ensure your Roles & Responsibilities Incorporates Your Security Program Strategy & Mission: Build your security program strategy, articulate it within your mission & mandate, and then implement that mission by the roles and responsibilities of your security program members.
2. Document your Roles & Responsibilities: Bottom-line, if you cannot document what it is you and your team are doing, then you do not know what you are doing.
3. Be Specific: A vague presentation of the roles & responsibilities of your security program team will lead to confusion and potential angst by those outside of your program.
4. Measure If your Team is Performing Their Documenting Role: Another item that leads to angst by the rest of the organization. If one of the members of your team is supposed to be in a penetrations tester role, yet they are writing security policies for the organization, people are going to get confused.
5. Educate Others on Your Teams Role: Do not assume those outside of your security program understand what a "Security Analyst" or "Security Architect" are, make sure to actively educate others what the members of your team do.