“I Want It in My Offer Letter That My Job Description Gets Updated Every Six Months.”
One of our talent acquisition specialists recently had a conversation with a cybersecurity professional who said something I have not been able to stop thinking about.
He said:
“I want it in my offer letter that my job description gets updated every six months.”
That is different from simply saying, “I want my job description updated.”
He wanted it documented in the offer letter.
That detail matters.
He was not just asking for a nice management practice. He was asking for accountability. He wanted the organization to commit, in writing, that his role would be reviewed and updated regularly so the official record of his work would not become outdated, inaccurate, or disconnected from reality.
I love this.
Not because I think employees should have to ask for it.
I actually wish we lived in a world where people did not have to manage up so much. I wish every manager, every HR team, and every executive had an accurate understanding of what people actually do every day.
But that is not the world we live in.
The truth is, we all have to manage up. We have to help the people above us understand what is happening, what has changed, what work is being done, what risks exist, and what support is needed.
That has always been true, but it feels even more important now.
This professional understood something many people miss: if your work is not documented accurately, you are exposed. Your manager may value you. Your peers may know what you do. Your team may depend on you. But if the official record of your role is outdated, incomplete, or wrong, then the business does not really know what you do.
That is a problem.
He Was Managing Up
This individual had been working at the Department of Justice and had seen people impacted by workforce cuts.
What stood out to him was not just that people were losing jobs. It was how disconnected many titles and job descriptions were from the work people were actually doing.
He estimated that as many as 80% of the job titles he saw did not accurately reflect the work people were performing day to day.
That number hit me, but the bigger point hit me harder.
He was not waiting for the system to get better.
He was not assuming leadership had perfect information.
He was not assuming HR knew how his role had changed.
He was not assuming his title told the story.
He looked at the reality of how people are managed in business and said, “I need this documented.”
Not casually mentioned.
Not verbally promised.
Documented.
That is managing up.
And honestly, it is smart.
More than 20 years ago, I went through situational leadership training, and it changed how I thought about work, communication, and accountability. One of the biggest lessons I took from it is that leadership does not only move down the org chart.
Great employees manage up.
They communicate reality. They document what has changed. They make risks visible. They help leaders make better decisions. They do not assume the people above them have all the information they need.
And as much as we may wish that were not necessary, it is.
Job Descriptions Are Not Just for Hiring
Most organizations still treat job descriptions like paperwork.
You need one to open a role. You need one to post a job. You need one to make an offer. You need one for HR.
Then it gets filed away somewhere and everyone moves on.
But the work does not stop changing.
The person gets pulled into a new project. A tool gets added. A vendor changes. A business unit needs support. A compliance requirement shows up. Someone leaves, and their work gets absorbed by the team. A contractor starts owning a critical function. An MSP takes on more than originally planned. AI tools enter the environment. Cloud work expands. Risk priorities shift.
And through all of that, the job description usually stays the same.
That makes no sense.
A job description should be a living record of the work being performed, the capabilities required, the outcomes expected, and the role that person plays inside the broader workforce ecosystem.
And when I say workforce ecosystem, I mean FTEs, contractors, consultants, MSPs, interns, and any other resource contributing to cybersecurity and IT outcomes.
If that record is wrong, leaders are making decisions with bad data.
Titles Are Usually Worse
Titles are often even less accurate than job descriptions.
A “Security Analyst” in one company may be doing incident response, threat hunting, vulnerability management, compliance evidence collection, identity work, vendor management, or all of it.
A “Program Manager” may be managing cyber risk, product security, GRC, cloud transformation, third-party risk, security operations, or a combination of all of those things.
A “Manager” may be carrying the work of three functions.
A “Director” may have no team.
A “Cybersecurity Engineer” may be doing architecture, operations, tooling, automation, implementation, and support.
The title alone tells you very little.
And yet titles are used constantly to make decisions about hiring, compensation, promotions, restructuring, succession planning, workforce planning, and layoffs.
That is dangerous.
Especially in cybersecurity and IT, where the work changes constantly.
Every Workforce Change Changes Capability
This is one of the biggest points I want leaders to understand.
Every workforce change changes capability. When someone leaves, joins, takes on a new project, or gets reassigned, capability changes. When a contractor starts doing work that used to be done by an FTE, capability changes. When an MSP takes over a function, capability changes. Most organizations have no way to see that change clearly.
When someone leaves, capability changes.
When someone joins, capability changes.
When someone takes on a new project, capability changes.
When a contractor starts doing work that used to be done by an FTE, capability changes.
When an MSP takes over a function, capability changes.
When someone is reassigned, promoted, burned out, overloaded, or quietly doing work no one has documented, capability changes.
The problem is that most organizations do not have a way to see that change clearly.
They may believe they have incident response coverage, but the person with that experience has moved into cloud security.
They may believe they have GRC coverage, but that person is spending most of their time on customer audits.
They may believe a team has engineering depth, but the engineers are really doing tool administration and ticket work.
They may believe a role is no longer critical because the title looks generic, when the person in that role is holding together something the business depends on.
This is how organizations lose capability without realizing it.
Outdated Job Descriptions Hurt People
This is not just a business issue. It is a human issue.
People want to be seen for the work they are actually doing.
When someone's job description is outdated, the message is pretty clear:
We do not really know what you do.
That impacts compensation.
It impacts promotions.
It impacts career pathing.
It impacts learning plans.
It impacts performance reviews.
It impacts internal mobility.
It impacts retention.
If someone has grown into a more advanced role but the job description has not changed, the company may be underpaying them or under-leveling them.
If someone is doing the work of multiple roles but the job description still reflects one role, burnout is being hidden.
If a contractor, consultant, or MSP is covering work no one has documented, dependency risk is being hidden.
If a leader cannot clearly explain what work is being done and why it matters, budget becomes harder to justify.
This is why updated job descriptions matter.
Not because paperwork matters.
Because people matter. Capability matters. Risk matters.
The Offer Letter Detail Matters
The part I keep coming back to is that he wanted this in his offer letter.
That is important.
An offer letter is where the organization documents the terms of the employment relationship. It says the role matters. The compensation matters. The start date matters. The reporting structure matters. The expectations matter.
So why shouldn't the accuracy of the job description matter too?
If the organization is making an offer based on a role, then the organization should also be willing to commit to keeping that role description accurate as the work changes.
That is not unreasonable.
It is responsible.
It protects the employee from being misrepresented.
It helps the manager lead with better information.
It helps HR keep records current.
It helps the business understand capability.
And it creates a shared expectation that the role will not be allowed to drift for years without anyone updating the official record.
In cybersecurity and IT, role drift is constant.
The offer letter request acknowledges that reality.
The Layoff Angle Makes This Even More Serious
I have talked about inaccurate job descriptions and titles for years.
Since CyberSN founded the cybersecurity job taxonomy in 2015, we have seen this problem everywhere. Job descriptions and titles do not accurately represent what people do, and they do not stay updated as the work changes.
I have usually talked about this through the lens of hiring, retention, capability gaps, workforce planning, and operational risk.
But this conversation added another angle.
When organizations reduce headcount, restructure, reorganize, or make decisions about roles, they often look at titles, levels, cost centers, reporting lines, and official documentation.
But what if that documentation is wrong?
What if the title does not reflect the person's current contribution?
What if the job description was written years ago, before the cloud migration, before new compliance requirements, before the latest reorg, before the MSP change, before the person took on incident response, product security, AI governance, customer audit support, or whatever else the business needed?
Then the organization is not just making a people decision.
It may be making a capability decision with inaccurate data.
That is bad for the employee.
It is bad for the manager.
It is bad for the business.
And in cybersecurity and IT, it can create real risk.
Six Months Is Not Too Much to Ask
I keep coming back to the simplicity of what this person asked for.
Put it in my offer letter that my job description gets updated every six months.
That is reasonable.
In cybersecurity and IT, six months is a long time.
Threats change. Tools change. Compliance changes. Business priorities change. Vendors change. Budgets change. Teams change. Work changes.
A job description that has not been reviewed in six months is probably already missing something.
This does not mean every job description needs to be rewritten from scratch twice a year. It means it should be checked against reality.
What work is this person actually doing now?
What percentage of time is going to each function?
What capabilities are being used?
What outcomes is this person accountable for?
What tools, systems, vendors, and business units do they support?
What work has been added?
What work has been removed?
What work is not documented anywhere?
What risk exists if this person leaves?
These are basic questions.
But most organizations do not have a consistent way to answer them.
This Is Workforce Intelligence
A job description should not be a stale document that only gets attention when someone resigns or a new role opens.
It should be part of workforce intelligence.
Workforce intelligence means having clear and ongoing visibility into the work being performed across the full workforce ecosystem, the capabilities that exist, the gaps that need to be closed, and the resources needed to execute the business strategy.
That means job descriptions need to connect to the real work.
They need to connect to taxonomy.
They need to connect to capabilities.
They need to connect to time allocation.
They need to connect to business outcomes.
They need to connect to workforce risk.
When job descriptions are current, leaders make better decisions about hiring, retention, budget, training, succession, restructuring, outsourcing, and managed services.
When they are not current, leaders are guessing.
And guessing is not a workforce strategy.
The New Standard
The professional who asked for a six-month job description update in his offer letter put words around something every worker deserves and every organization needs.
People deserve to have their work accurately represented.
Managers need accurate information to lead well.
Executives need accurate workforce data to make decisions.
Organizations need to know what capabilities they actually have before they hire, cut, restructure, outsource, or reorganize.
And employees need to understand that managing up is part of protecting themselves and helping the business operate better.
Again, I wish we did not have to manage up so much.
But we do.
And until organizations get much better at keeping workforce data current, smart professionals will keep asking for what this person asked for:
- Put it in writing.
- Document the work.
- Review it regularly.
- Update it when it changes.
- Do not let my title be the only story.
That should not be a radical request.
It should be the standard.
And for organizations that do not have the time, structure, taxonomy, or process to keep job descriptions and workforce data current, this is exactly why CyberSN built Workforce Intelligence.
Because this is not just a job description problem.
It is a workforce intelligence problem.
And in cybersecurity and IT, workforce intelligence is how leaders stop guessing and start managing capability with accuracy.
Keep your workforce data current, not years out of date
CyberSN helps CIOs and CISOs gain clear, ongoing visibility into how work is actually performed across their cyber and IT workforce ecosystem, so job descriptions, titles, and capability data reflect reality instead of drifting for years.
Request a Workforce Intelligence Briefing