Security position questions
datschmo
Member Posts: 59 ■■□□□□□□□□
For you folks already in InfoSec, hope you might be able to answer a couple of questions.
I'm interested in an InfoSec position, but cannot find a lot about it... just a few results on Google. What exactly is an IT Security Officer? I'm certain this specific position is different than an ISO, as it states "reports to the CISO" and the job description is definitely not ISO. Where exactly does an IT Security Officer fall into the InfoSec hierarchy (above/below ISM, above a security analyst??)
Also, the salary isn't published, results on Google again are limited and vary due to the ISO similarity... any ideas of what the salary range might be for the mid-Atlantic region?
Thanks
Comments
-
cyberguypr Mod Posts: 6,928 Mod
Remember that titles mean nothing. We have thousands of "helpdesk" people doing sysadmin work and we also have a ton of people being called Network Administrators when all they administer is PCs. You'll need to look at the duties and responsibilities of the position. An IT Security Officer can be anything from a person who looks at logs all day to someone in charge of all things related to governance and compliance.
If you share that job description we can provide some insight.
-
datschmo Member Posts: 59 ■■□□□□□□□□
cyberguypr wrote: » If you share that job description we can provide some insight.
Here is the job description.
Interfaces with various business units and compliance partners which include; Legal, Program Management Office, IS Customer Services, Information Security, and Management Audit. Manages improvements in information security compliance program and develops new security processes and standards as needed. Is responsible for the maintenance of a control framework, reporting on the current state of compliance, and building a corporate culture of information security through the planning and delivery of the necessary standards and processes to incorporate information security into business practices.
-
5502george Member Posts: 264
Sounds like an ISSO role to me, falls under the site IAM.
Job Description of an Information Systems Security Officer
I was an ISSO for some time and the PD you posted was very close to what I did.
-
datschmo Member Posts: 59 ■■□□□□□□□□
I did finally receive some more information from the company about the position and it did sound similar to the ISSO JD link 5502george found.
Things progressed rather quickly, as my phone interview was yesterday. The four main areas of the job are: Managing security policy program, managing audit/risk assessment processes, conduct investigations w/ IS, compliance and privacy depts and creating/maintaining security awareness training program.
These all sound good, however, my current duties as an IT manager give me a 40% technical & 60% management split. If they offer me the position...I will have a big decision to make, as I really enjoy the technical side of IT. The offset is I've been trying to break into InfoSec for a couple years and this sounds like a great opportunity...unfortunately, it may be the demise of my being technical.
Anyone ever move away from the technical side and REGRET their decision?
-
5502george Member Posts: 264
“My experience” in an ISSO role was about 60% technical and 40% managerial.
I managed the security policies which did not change very often unless there was a new config or change in the operating environment.
I did a ton of IT engineering solutions because the work environment was very tech based. This was a mix of install, acquire, recommend, and audit various IT solutions.
I had tonz of meetings (most of them change control boards) with upper mngmt to ensure security was involved in almost every major change.
…Having said that, you will lose some of your knowledge. But you will gain it in another IT based realm.
-
pinkydapimp Member Posts: 732 ■■■■■□□□□□
I say give it a go. I think you will find it's still technical enough, and you will additionally gain some very valuable experience on the business side! Worst case, you switch later to a more technical role. Your knowledge from the business side will still be valuable.
-
datschmo Member Posts: 59 ■■□□□□□□□□
I appreciate everyone's input, now I'm really stuck on what to do.
My current position is: IT Manager with about a 10 minute (tops)/5 mile commute to work, beyond that I have some light travel during the week to meetings (maybe 15/20 minutes to different offices 1-3 times a week). [Current job: I'm maxed out salary-wise and there is no room for advancement (already at the top for IT).]
The company did offer me the IT Security Officer position this morning, however, it would involve a commute for 2-3 months of 4 days a week, 44 miles (each way). The commute is horrible due to traffic volume, will likely take me 60-90 minutes each way. After the initial 2-3 months, it's likely I would only have to do that commute 2 days a week, then 3 days a week would be 10 miles to work. No mileage for the travel with new job, current job I receive a monthly auto allowance. The position only pays $6000 more than my current salary.
While a job in InfoSec is all I've wanted for the last few years, I'm having a tough time making a decision. Moving is not an option, as I just bought the house I'm in less than 2 years ago (my family is pretty locked into everything, family close, schools, jobs, etc...) I've done the usual PRO's/CON's list and it's about equal. I have to get back to them by Tuesday COB with my decision.
Anyone have any words of wisdom?
Thanks
-
EngRob Member Posts: 247 ■■■□□□□□□□
Getting into Security was the hardest thing I had to go through. Took me over 4 years and I too gave up a manager position to take a Security position, although it was on the technical engineering side.
Once you're in and gain some experience you can always transfer to a more technical side of Security.