Security Manager

MitM Member Posts: 622
I've been with my company a long time in different roles from Server Administration to Network Engineer (current). There is now an opening for a Security Manager and I'm up for consideration for it. My focus job wise has mostly been on network security and vulnerability management. It's not your typical security manager role though. This position will be hands on and responsible for everything from compliance, awareness, vulnerability management, and installing patches. The installing patches is a main responsibility.

For my next role, I was leaning more towards a network security or security engineer role, but if this is offered to me, it might be good for my resume. My hesitation relates to the installing patches. Installing patches to resolve vulnerabilities is one thing, but just to install your typical Windows updates or Cisco IOS updates doesn't really seem like a security role to me. Also seems to go against some security principles by 1 person having access to all systems. The plus side is I can really focus on security.

Any thoughts or opinions? I haven't been offered the role yet, but it's definitely a possibility.

Comments

  • TechGuru80 Member Posts: 1,539
    Guessing this is a smaller company...best practice such as fully separating duties isn’t always possible...enter compensating controls like multiple accounts for example.

    Honestly it’s a decent chance to transition over to security...gotta take the chance if it’s right. Installing patches is kind of a meh task but you will get more exposure in the other areas too...hopefully they let you bring in people below you to make the position look even better.
  • MitM Member Posts: 622
    It's a mid-size (1000+ employees), but yes, full separation of duties wouldn't be possible.

    I'm thinking career wise, it's probably a smart move if offered.
  • Danielm7 Member Posts: 2,310
    The manager title is thrown around a lot, are you actually managing people or just a process? If you want to be a security engineer next, at least this gets you the word "security" in your title, but I don't see a ton of other benefits if the bulk of the job is just running Windows patches. It's unfortunate that the patching of the network and servers doesn't fall on the actual network and server staff, logically it makes more sense for them to do it.
  • TheFORCE Member Posts: 2,297
    I'm doing exactly what you described as the job responsibilities at my current job with the exception I have a manager that is a local CISO and also we don't do the installs for the patches. We do however research and find how the fixes should be implemented and prioritize them. Testing and deployment is done by IT. If you are going to manage a team do it, it will open many doors.
  • MitM Member Posts: 622
    Danielm7 wrote: »
    The manager title is thrown around a lot, are you actually managing people or just a process? If you want to be a security engineer next, at least this gets you the word "security" in your title, but I don't see a ton of other benefits if the bulk of the job is just running Windows patches. It's unfortunate that the patching of the network and servers doesn't fall on the actual network and server staff, logically it makes more sense for them to do it.

    For now, it's a manager of a process, that may change. I need clarification on the "patching" requirements. From a network perspective, I never needed help patching anything. When I was a server admin, I always handled that with no problem either, so idk what the deal is. As TheFORCE said, testing and deployment should be done by IT.

    I'd be pushing to take firewalls with me. I'm thinking Endpoint products (like AV, CyberArk) will go to me. Overseeing pen tests. We did briefly look at Core Impact.

    The big thing for me is with "security" in the title, I'm hoping I'd be more eligible for security training.
  • LordQarlyn Member Posts: 693
    It sounds like a good move. Myself I would jump at it and make the most out of it.
  • UnixGuy Mod Posts: 4,564
    Take it if it comes, and slowly add more responsibilities as you see fit
    Certs: GSTRT, GPEN, GCFA, CISM, CRISC, RHCE

    Check out my YouTube channel: https://youtu.be/DRJic8vCodE 


  • McxRisley Member Posts: 494
    I would jump all over the opportunity to rack up some management experience in security if I were you. I also agree with UnixGuy, try to add more responsibility as you see fit.

    I have one comment about Testing and Deployment being handled by IT. Here those things are mainly handled by tier 2 BUT we (network security) do have a hand in the process due to our programs and software needing to be configured properly to play well with new deployments.
    I'm not allowed to say what my previous occupation was, but let's just say it rhymes with architect.
  • MitM Member Posts: 622
    Update: After getting some clarification, I was offered and accepted the position of Cyber Security Manager.

    It's a really good opportunity for me career wise and the near 20% increase helped :)

    Since all my experience has really been network security, it's going to be a huge challenge, but I'm up for it.
  • TheFORCE Member Posts: 2,297
    MitM wrote: »
    Update: After getting some clarification, I was offered and accepted the position of Cyber Security Manager.

    It's a really good opportunity for me career wise and the near 20% increase helped :)

    Since all my experience has really been network security, it's going to be a huge challenge, but I'm up for it.

    Congratulations man, that's a good deal. Try not to lose the technical skills now that you are going in all those meetings to present all those KPIs and KRIs.
  • MitM Member Posts: 622
    TheFORCE wrote: »
    Congratulations man, that's a good deal. Try not to lose the technical skills now that you are going in all those meetings to present all those KPIs and KRIs.

    That’s the plan! I will remain hands on in some aspects, which was part of the negotiations.

    I will need to learn how to put together user awareness trainings. If anyone has some good resources to point me to, I’d appreciate it.