CISO vs Information Security Manager
t93cobra (Member, 26 posts)
Wondering if anyone has come across a job, particularly in the financial services industry, where an employer is advertising a position as Information Security Manager instead of CISO. The benefit to the employer is they can offer a much lower salary but in all reality the position is still the Information Security Officer for the organization, which is required by FDIC for banks.
Anybody have any thoughts on this?
Comments
-
cyberguypr (Mod, 6,928 posts):
FDIC and Federal Reserve just say that a security officer should be designated to ensure a security program is put in place. FFIEC I.A.2(c) is the one that expands on a CISO as a strategic asset for big entities, but leaves smaller ones off the hook by allowing a lower Infosec Officer to take on the CISO responsibilities while reporting to upper management. So a smaller financial institution posting a role with a CISO description would technically be fair game assuming the reporting component is high enough. Now, if you see BOA or Chase doing it, I would be worried.
-
t93cobra (Member, 26 posts):
cyberguypr said:
"FDIC and Federal Reserve just say that a security officer should be designated to ensure a security program is put in place. FFIEC I.A.2(c) is the one that expands on a CISO as a strategic asset for big entities, but leaves smaller ones off the hook by allowing a lower Infosec Officer to take on the CISO responsibilities while reporting to upper management. So a smaller financial institution posting a role with a CISO description would technically be fair game assuming the reporting component is high enough. Now, if you see BOA or Chase doing it, I would be worried."
-
NetworkNewb (Member, 3,298 posts):
I know at my company my boss is the Cyber Security Manager and reports to the CIO... Assuming it's just how each organization structures themselves, and a lot of smaller companies probably don't even have CISO positions.
-
t93cobra (Member, 26 posts):
NetworkNewb said:
"I know at my company my boss is the Cyber Security Manager and reports to the CIO... Assuming it's just how each organization structures themselves, and a lot of smaller companies probably don't even have CISO positions."
I've seen companies with 600 employees have a CISO with one other security team member. I've also seen a company with over 3,000 employees not have a CISO even with a team of 5 security professionals. In the latter, the CIO was designated as the CISO on paper.
-
nevermore (Member, 39 posts):
I work in the financial services industry and we have a VP-level position that is designated as Information Security Officer (ISO), but that individual's level of responsibility is that of a CISO or CSO position. I am sure some organizations do this in an attempt to reduce the salary requirements for the position or reduce some conflict with the rest of the C-suite. I think it is most important to look at where the ISO function is reporting to. If the position reports directly to the CEO or maybe the CIO, it may have a decent shot at being successful. If the position is placed a couple of layers down or reporting in some division that reduces the visibility and power of the ISO function, then probably consider keeping away...
Obtained:
- CISSP/ISSAP/ISSMP, CISM, GISP, CEH
- M.S. Information Security and Assurance Norwich University
- B.S. Cybersecurity UMUC
In Queue: PMP, CCSP, CRISC