The following is borrowed from www.hipaadvisory.com, in particular, from the section on Information Security Manager’s Role Description. Why from here? No reason….it covers it just as good as most other places.
Above all others, the information security manager’s primary goals are to protect the confidentiality and integrity of information, and maintain the technical mechanisms of legitimate access to it. To achieve these goals, the information security manager’s responsibilities typically include:
- Documenting the information security policies and procedures instituted by the organization’s Information Security Committee
- Implementing the organization’s information security policies and procedures
- Coordinating the activities of the Information Security Committee
- Providing direct information security training to all employees, contractors, alliances, and other third parties
- Monitoring compliance with the organization’s information security policies and procedures among employees, contractors, alliances, and other third parties, and referring problems to appropriate department managers or administrators
- Monitoring internal control systems to ensure that appropriate information access levels and security clearances are maintained
- Performing information security risk assessments and serving as the internal auditor for information security processes
- Preparing the organization’s disaster recovery and business continuity plans for information systems
- Serving as an internal information security consultant to the organization Monitoring advancements in information security technologies
- Monitoring changes in legislation and accreditation standards that affect information security
- Initiating, facilitating, and promoting activities to foster information security awareness within the organization
- Serving as the information security liaison for users of clinical, administrative, and behavioral systems
- Reviewing all system-related information security plans throughout the organization’s network, and acting as liaison to the Information Systems Department
Looks pretty standard for most IT Security Manager roles doesn’t it? Looks like a lot of ads placed for roles in organisations?
Why is then that when the IT Security Manager comes on board, the objectives/role changes and every step of progress made by the new guy in the organisation is as tough as pulling teeth. Why is that organisations post this as what they want to achieve but then don’t?
It’s no wonder most security dudes are cynical about the IT industry. It takes a special breed who can deal with the lip service day in and day out, listen to the latest company rants about how they take security seriously, read about the latest government initiatives on cybercrime etc etc etc…yet the realities as we know are far different.
As a community, we are too insular. We spend too much time ranting to each other and sharing war stories…….who wants to listen to a bunch of paranoid techs?
There’s enough posts in here that cover my thoughts on this but I’d be keen to hear from anyone that disagrees?