Information security is a very broad field. It spans misuse of enterprise information, disruption and unauthorised access, and covers physical security as well as cyber security. Technologies used include endpoint detection and response (EDR), vulnerability management tools, and security information and event management (SIEM) tools. All of these areas therefore require some form of management: reporting on the data generated by the many tools available and suggesting improvements. Overall, these security facets require someone who can provide a holistic view of a company's security and see it from the various angles it presents.
This is where the role of an Information Security Manager (ISM) becomes necessary.
What is an Information Security Manager?
To give a better understanding of the role of an information security manager, here is a breakdown of the typical core responsibilities. These will vary by organisation; however, the following are a good baseline:
- General Security Management
- Security Reporting
- Security Documentation
- Security Project Management
- "Bridging the Gap" - Communication skills at technical and managerial levels
General Security Management: This includes overseeing day-to-day security operations and tracking the different areas of security relevant to the organisation. ISMs will routinely review systems such as the EDR tool in place, the network security systems monitoring network traffic and alerts, and the DLP tools tracking user activity related to data sharing. The purpose is to better understand the business's current security posture and to look for indicators of future cyber security risks.
Security Reporting: Security reporting covers many areas. Security incident reporting, weekly and monthly alert reporting and vulnerability reporting are a few of the many reports worth sharing within your organisation. From this constant awareness and visibility comes one of the greatest benefits of reporting: encouraging a culture of security. Keeping security at the forefront of your employees' minds is a key performance indicator that any security professional will recognise.
Security Documentation: Managing your organisation's security documentation and policies is easily one of your most important tasks as an ISM. These policies and documents create the foundation on which you build a secure working environment, guide conversations about the future of security within your organisation, and set the benchmark for any company or external business that you work with. They are also critical to regulation and compliance standards (ISO 27001, Cyber Essentials, etc.).
Security Project Management: Any security-conscious organisation will always be looking to improve and to proactively monitor its estate so that vulnerabilities are reduced as much as possible. This takes the form of regular penetration tests, as well as audits of systems and business processes, to ensure business operations are as secure as they can be. It is the role of an ISM to manage these projects, as they require internal and external resources to be aligned in order to complete them.
"Bridging the Gap": The final role is more general in nature than the specific roles described previously. ISMs usually sit between the technical IT and security teams and the less technical upper management and general staff. This position is particularly important because it is the role of an ISM to "bridge the gap" by connecting the more technical staff with the less technical staff. The best way to describe this is with an example: say you have a group of users who prefer to share data through third-party software (e.g. Dropbox) rather than the company's SharePoint site. The security team advise that users should be using the dedicated SharePoint sites for sharing information, as these are more secure and activity on them can be tracked. However, the group of users on the third-party application don't want to switch, as they are used to the other software and don't see the need to move to a more secure method. It is the duty of an ISM to explain the importance of the move and to communicate it in terms that all the users can understand. Clearer communication between these two groups increases understanding and awareness of security and leaves your organisation better secured.
What can you do?
Depending on the size of your organisation, having a dedicated ISM within your business may be out of the question given the available resources. This is where you tend to find the responsibilities of an ISM passed on to other team members (such as IT Managers or the Head of Finance), which can both take away from their current roles and, as a result, lessen the importance of security within the organisation. This is where a Virtual Information Security Manager (vISM) can step in to fill the gap. A vISM is a dedicated ISM who can be contracted to work a specific number of days per year or per month to review your security posture, generate reports, or assist in policy and document creation. A vISM can be an extension of an existing security or IT team, or can simply be called on when needed to offer guidance or advice.
Conclusion
The role of an ISM is essential within a security-conscious organisation. Across areas ranging from vulnerability management to security documentation and policy, ISMs have a responsibility to constantly review the cyber security landscape to ensure their organisation is as secure as possible. If an organisation doesn't have the capacity for a full-time ISM, it can opt for a vISM on a day-rate basis to fill the gap and provide clear insight into what security should look like for that organisation.
If you want to find out more about what a vISM can do for your organisation, or whether it would be a suitable fit, please Contact Us.