Top Job Roles in Information Security Management

By Peter H. Gregory

Some people are satisfied in an individual contributor role and have no interest in information security management. Others yearn to develop big visions, lead big teams, and do big things. Here are the pinnacle IT security roles in an organization, and the sensitivity and responsibility each entails.

Security manager

A security manager is a line manager who manages one or more individual contributors on a security team. Expected to have years of experience in one or more of these positions, a security manager assigns tasks, resolves disputes, and mentors his or her employees to further their professional growth. This role is like any other managerial in a technical organization.

For the right person, managing a team of security professionals can be the best job ever. As with most technology management jobs, you need to know how to do many of the tasks and jobs that you expect your staff to do because they’ll look to you to understand how to do their job even better. Establishing credibility in a technology management job requires the ability to show others how to do their job and inspiring them to do it well.

Security manager jobs can be gratifying for people who have vision but who lack the time to do all the work themselves.

Compliance officer

Usually found in organizations with industry regulations, a compliance officer ensures that the organization is compliant with applicable laws and regulations. Although this role is not a security position per se, it is included here because compliance is so often associated with information security.

Examples of industries and their applicable regulations follow:

  • Financial services: GLBA (Gramm Leach Bliley Act), NCUA (National Credit Union Association), FDIC (Federal Deposit Insurance Corporation), SSAE16 (Statement on Standards for Attestation Engagements No. 16, Reporting on Controls at a Service Organization)

  • Public utilities: NERC (North American Electric Reliability Corporation) and FERC (Federal Energy Regulatory Commission)

  • Healthcare organizations: HIPAA (Health Insurance Portability and Accountability Act)

  • U.S. government agencies: FISMA (Federal Information Systems Management Act)

  • Merchants and other entities that process credit card data: PCI-DSS (Payment Card Industry Data Security Standard)

  • Organizations that write software for processing credit card data: PA-DSS (Payment Application Data Security Standard)

In addition, organizations voluntarily comply with other standards, including the following:

  • ISO27001 (Information technology – Security techniques – Information security management systems – Requirements)

  • SOC2 (Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy)

Privacy officer

A privacy officer (PO) or chief privacy officer (CPO) is typically found in organizations that store or process large amounts of sensitive data about individuals and is responsible for two primary aspects about that data:

  • Protection from disclosure: Protecting sensitive data from disclosure is really just about data security controls in the context of sensitive data about people. Like other sensitive data in the organization, this information must be adequately and effectively protected.

  • Assurance of proper handling: An organization must have proper practices regarding handling and possible onward distribution of a person’s sensitive information. For example, an organization that collects contact information from its customers is generally prohibited from selling that information to other companies for marketing.

Sensitive data includes names and contact information, financial information (including social security and other account numbers), and medical information. Each regulation or standard has its own definition of sensitive information and required protection and handling requirements.

Because a chief privacy officer is generally in an organization with a chief information security officer (CISO) or chief security officer (CSO), a CPO’s job typically will focus on business use and proper handling of customer sensitive information. The protection of that information is the job of the CISO or CSO.

Chief information security officer and chief security officer

The chief information security officer (CISO) and the chief security officer (CSO) are the top security jobs in government and industry.

The CISO and CSO typically report to the president or CEO of a corporation or to a cabinet member or department head in government.

The CISO deals primarily with the security of information systems and often with physical security. The CSO is concerned with security related to both technology and non-technology issues.

The CISO and CSO are typically responsible for the following:

  • Security policy

  • Risk management and risk treatment

  • Security architecture

  • Security operations

  • Security incident response

CISOs and CSOs operate in the rarefied air of corporate (or government) executive management, where the loftiest issues concerning the organization are discussed. Corporate or government politics deeply affect the CISO and CSO, and a lot of their time is spent negotiating with other executives to ensure that the organization is on the right footing for managing security and technology-related risk.