Author: Taylor Armerding / Source: CSO Online
Whatever the role, good communication regarding the duties and expectations of a security professional is key to that person’s success. That communication starts with a solid, thorough job description. It will be an important benchmark when hiring for the role, and a touch point for performance once the candidate is on board. The job description is also a baseline that helps security team managers keep pace as many roles evolve.
A good job description will spell out the role’s duties and priorities. It also outlines where the role falls in the reporting structure. It should also provide the role’s requirements, which could include certifications, skills, experience and education. This series focuses on the duties and requirements, because the priorities and reporting structure will be unique to each company.
A chief information security officer (CISO) is a C-level management executive responsible to oversee the general operations of an organization’s IT security department and related staff. The CISO directs and manages strategy, operations and the budget for the prime mission: protection of an organization’s information assets.
The job requires a strong background and experience in IT strategy and security architecture, along with the high-level communication and people skills needed to assemble and manage an IT security team and to consult with internal and third-party executives and government agencies.
As a C-level position, it requires more than technical knowledge and skills. A good CISO must be able to "speak the language of business" if he or she is to be a successful strategic partner in the executive suite. Different titles for the same, or similar, duties include chief security architect, security manager, corporate security officer or information security manager, depending on the company’s structure and existing titles.
The duties outline the tasks and goals for which the CISO is responsible. These may vary depending on your company’s needs or industry. They include:
- Direct and approve the design of security systems. Update as necessary.
- Ensure that disaster recovery and business continuity plans are in place and tested.
- Review and approve security policies, controls and cyber incident response planning.
- Approve and oversee identity and access management (IAM) policies.
- Understand the IT threat landscape for the industry.
- Ensure continued compliance with laws and applicable regulations.
- Schedule periodic security audits.
- Conduct security awareness training for all personnel and enforce compliance.
- Manage all teams, employees and third parties involved in IT security, which may include hiring.
- Hire, train and mentor security team members.
- Become a trusted business adviser. Brief the executive team on risk management, including strategy and necessary budget.
- Choose and purchase security products from vendors.
- Conduct electronic discovery and digital forensic investigations.
Skills and competencies
This section outlines the technical and general skills required, as well as any certificates or degrees that a company might expect an information security architect to have.
Key technical skills include:
- The ability to quantify the risks of different IT architectures, and then communicate to other executives how to manage that risk.
- The ability to work with data scientists to detect and respond to threats.
- The ability to oversee pen testing to find vulnerabilities in all elements of a security system.
- Disaster recovery, including detecting an intrusion, isolating it and neutralizing it before it can cause…