Large IT security departments will typically employ an Information Systems Security Manager (ISSM), who fills a supervisory role and shoulders management and training responsibilities for the rest of the security staff.
The ISSM's overall responsibilities are:
- to manage the implementation and development of an organization's IT security;
- to make sure security policies, standards and procedures are established and enforced; and
- to coordinate information security inspections, tests and reviews.
The Big Picture - Designing a Security Policy:
To design a security policy, the Information Systems Security Manager will likely gather and organize technical information about the company's mission, goals and needs, as well as its existing security products and its ongoing programs and activities. He or she will also conduct risk analyses and assessments and then make sure there are solutions in place to mitigate those risks.
This background work goes toward creating the organization's information security plans and policies. The Information Systems Security Manager helps identify the organization's current security infrastructure and define what kind of security must be designed and implemented in order to meet the organization's requirements. Then he or she oversees the rest of the security team members as they design and implement the solutions according to security requirements.
Information Systems Security Managers also provide guidance on analyzing and evaluating networks for security vulnerabilities, and on the day-to-day management of security systems such as anti-virus, firewalls, patch management, intrusion detection and encryption.
Sometimes the Information Systems Security Manager is required to interact with and advise the organization's non-technical employees, such as during staff meetings, teleconferences or other situations in which security issues need to be addressed.
An Information Systems Security Manager will typically require knowledge of several areas, including:
- security tools that are currently available;
- business security practices and procedures;
- hardware/software security implementation;
- encryption techniques/tools; and
- various communication protocols.
Training and Certification:
While requirements range, depending on the organization that's hiring, I've come across some Information Systems Security Manager postings that state that you need a Bachelor's degree in a related computer field plus up to nine years of experience. Otherwise the employer may ask for more years of experience in lieu of the desired university degree.
The following certifications may also be required: