Infosec manager qualifications
My company is in serious need of an Infosec and Infosed manager. I believe I could fill the position, but what would help me to do so?
I am the network administrator for the company currently, which gives me an advantage of understanding the digital side. I also have a background in the military that gives me a "real" everyday understanding of infosec. This also gives me an advantage and the experience.
There are two distinct skill sets required for each position: one for the management opening and one for the technical/administrative opening.
Generally, the security manager should have a wide security experiential range over many different security areas; managing and implementing data security controls; an in-depth knowledge/understanding of Internal, national and local legislation affecting information security; the ability to develop business plans, develop and implement policies, architecture and strategies; an understanding of the political environment and work within its confines; and the ability to manage people and projects.
The security administrator would be responsible for the daily administration of user IDs, system controls, etc., and work primarily with the user community.
There are several issues not indicated by your question. Are these start-up positions within an established organization? What would the mission of your department be? You would need to define the department's goals and objectives. How are your company's information assets protected now? Who performs the function currently? It sounds as though there is definite fragmentation and decentralization of security within your organization. Have there been any internal or external audits performed to assist you in this? When audit findings identify security deficiencies, there is an opportunity.
Your biggest challenge is to convince your management that a dedicated security function is, indeed, necessary and to have them buy into that function. A selling point to management will probably be illustration that the function is necessary for due diligence and to meet their fiduciary/legal obligations. Depending upon what your industry is, there may also be PDD 63 Compliance and EU Directive issues.
This was first published in November 2001