Hiring a Security Manager and then not letting them do their job….

August 28th, 2007 Drazen Drazic Posted in Bad Stuff, Dumb Security, WTF, governance |

The following is borrowed from www.hipaadvisory.com, in particular from the section on the Information Security Manager’s Role Description. Why from here? No reason… it covers the role just as well as most other places do.

Above all others, the information security manager’s primary goals are to protect the confidentiality and integrity of information, and maintain the technical mechanisms of legitimate access to it. To achieve these goals, the information security manager’s responsibilities typically include:

  • Documenting the information security policies and procedures instituted by the organization’s Information Security Committee
  • Implementing the organization’s information security policies and procedures
  • Coordinating the activities of the Information Security Committee
  • Providing direct information security training to all employees, contractors, alliances, and other third parties
  • Monitoring compliance with the organization’s information security policies and procedures among employees, contractors, alliances, and other third parties, and referring problems to appropriate department managers or administrators
  • Monitoring internal control systems to ensure that appropriate information access levels and security clearances are maintained
  • Performing information security risk assessments and serving as the internal auditor for information security processes
  • Preparing the organization’s disaster recovery and business continuity plans for information systems
  • Serving as an internal information security consultant to the organization
  • Monitoring advancements in information security technologies
  • Monitoring changes in legislation and accreditation standards that affect information security
  • Initiating, facilitating, and promoting activities to foster information security awareness within the organization
  • Serving as the information security liaison for users of clinical, administrative, and behavioral systems
  • Reviewing all system-related information security plans throughout the organization’s network, and acting as liaison to the Information Systems Department

Looks pretty standard for most IT Security Manager roles, doesn’t it? Looks like a lot of the ads placed for such roles in organisations?

Why is it, then, that when the IT Security Manager comes on board, the objectives and the role change, and every step of progress made by the new guy in the organisation is as tough as pulling teeth? Why is it that organisations advertise this as what they want to achieve, but then don’t?

It’s no wonder most security dudes are cynical about the IT industry. It takes a special breed to deal with the lip service day in and day out, listen to the latest company rants about how seriously they take security, read about the latest government initiatives on cybercrime, etc. etc. etc… yet the realities, as we know, are far different.

As a community, we are too insular. We spend too much time ranting to each other and sharing war stories… who wants to listen to a bunch of paranoid techs?

There are enough posts in here that cover my thoughts on this, but I’d be keen to hear from anyone who disagrees.

4 Responses to “Hiring a Security Manager and then not letting them do their job….”

  1. Here’s a headline that I doubt we’ll ever see in Australia:

    “CIO jailed for serious privacy laws breach”.

    And until this happens, I suspect we will all still be ranting and sharing war stories for some considerable time into the future.

  2. We will be, mate… and it will be a long time until Australian “regulators” even come close to the likes of the Japanese regulators, who will lock them up! I know… they will do it!

  3. With the introduction of the new legislation in the Australian Parliament recently, opinions may shift… not immediately, but over the next 12-18 months management may become more concerned.

    It is the same approach already elsewhere in the world. “Disclose breaches or face prosecution”. We know that PCI has driven significant change, this hopefully is one more step forward in Australia.

    I guess there is one potential positive angle: the hidden crimes, malicious activities by staff and the other “bad stuff” which has been surveyed over the last 5 years by every analyst and crime-focused agency in the world may be validated. And WOW, with Australian-based data rather than US or European.

    We can only hope that the CIO, CFO and CEO do not want their company name dragged through the mud (for fear of EPS or revenue implications, as well as their personal plight). It is, however, a matter of their perception of “risk”: for each $1 I spend, what do I gain? Which leads me onto another topic, communicating IT and Security to executives in a language they understand… but this discussion is for another day.

    Best of luck to all the IT Security Managers out there!
