After several years of job progression through an organization’s IT and information security chain of command, many will land many at the doorstep of what they were building their respective careers for – a managerial role. In this industry, the job title is Information Security Manager.
Information security managers play a necessary, pivotal role in the IT and information security departments of the organizations they serve. They operate as the brains of the organization’s IT and information security teams and manage the overall operations and direction of their departments. This article will detail the roles and responsibilities of this profound position and will leave you with a better understanding of the part they play in an organization.
The Roles of the Information Security Manager
You may think that information security managers have only one role, but the signpost of this section is pluralized for a reason. Simply put, information security managers wear many hats when they take on this position. Managing an information security team, let alone an entire department, takes an acute big-picture-oriented mind that has the brainpower required to make the higher-level decisions while having the foresight to assemble a strong team of information security experts that can be trusted to handle the lower-level, hands on tasks and changes that their information security landscape calls for.
The primary role of the information security manager is to manage the IT and information security department’s team and personnel. With that said, managerial positions such as this require a certain intangible skill set: managerial people skills. Some have it and are cut out for the position, while a majority of people do not. Keep this in mind as you move toward familiarity with this position.
Another role of the information security manager is what I like to call “Analyst-in-Chief,” meaning that the buck stops with them when it comes to analytically assessing an information security situation and then reacting appropriately. This is not limited to simply responding to events if needed – any incident responder does that on a daily basis. Rather, information security managers assess security plans for existing vulnerabilities, prioritize security strategies to best cover strategically important data, analyze reports generated by their threat monitoring systems and even run testing where they anticipate future issues to pop up.
Being a strong communicator is another role that information security managers have to play to successfully perform at their job. Communication is key for managing personnel in general, but the nature of information security gives it a heightened importance. Information security can potentially involve any department in the organization, and communication is the medium by which security issues can be taken care of quickly and effectively. This position also will be required to successfully communicate with managerial staff from other organization departments, to help ensure all follow information security policies and procedures and to keep abreast of the current information security landscape of the organization.
The last important role, and from an operations perspective the most important one information security managers must play, is that of director. Much like a movie director, information security managers (especially in the absence of a CIO) have to direct the most important actions of their departments. Typical duties include creating and maintaining information security policies and procedures, selecting and implementing new information security technologies, creating information security training programs and interviewing potential information security team personnel. This position is also deemed to be the highest tier of escalation if particularly difficult information security issues emerge.
Information Security Manager Responsibilities
No matter what hat the information security manager is wearing at the moment, he or she is responsible for much of the higher-level information security actions and tasks. This stands in contrast to the other information security staff, who typically perform the more hands-on, technical changes and tasks.
Although this is a pretty clean-cut division of responsibilities, the range of responsibilities expected of an information security manager is quite diverse. A non-exhaustive list of responsibilities is listed below:
- Provide information security awareness training to organization personnel
- Creating and managing security strategies
- Oversee information security audits, whether by performed by organization or third-party personnel
- Manage security team members and all other information security personnel
- Provide training to information security personnel during onboarding
- Evaluate department budget and costs associated with technological training
- Assess current technology architecture for vulnerabilities, weaknesses and for possible upgrades or improvement
- Implement and oversee technological upgrades, improvements and major changes to the information security environment
- Serve as a focal point of contact for the information security team and the customer or organization
- Manage and configure physical security, disaster recovery and data backup systems
- Communicate information security goals and new programs effectively with other department managers within the organization
As demonstrated above, information security managers play an incredibly vital role in the information security department of an organization. Aside from the obvious managerial leadership that an information security manager brings to the table, this position also brings analytical, high-level problem-solving skills that allow for effective and efficient resolution to many high-level information security Issues.
This position comes with its fair share of responsibilities – from assessing and managing the information security environment to implementing new technologies (within reasonable budgetary boundaries) and serving as a communication liaison between the information security team or department and other department managers within the organization. But this position is nearly the highest level available to an information security professional, and if you are cut out to be an information security manager you will find yourself both challenged and rewarded well.