I work in a growing, family owned business. The company has 300 employees and has landed some big clients who require major policy changes in order to give us their continued business. Among those changes is the development and implementation of a security policy.

I work the IT help desk and since I just took and passed the Security+ examination, management thought I was the best qualified person to take up this initiative. I received the title of Security Manager and have to come up with my own job description to present to the company, in order to discuss compensation.

I have checked out what is available through a Google search but was wondering if there might be a SANS template somewhere or some other such document, from a reputable institution.

Any suggestions are greatly appreciated.

  • What are your main responsibilities? Security manager is just as vague as "I am an Engineer".
    – M'vy
    Commented Aug 5, 2011 at 14:32
  • I guess that is what I am trying to figure out. This whole thing is very much of its own making. I will present something and they will approve or disapprove of line items. Company-wide, pay is below industry standard and having me do it for them is a way to get something without having to hire someone with more experience and paying them what they are worth. I am looking for a template so I can craft something from that. A baseline if you will. The responsibilities will stem from exactly what the company would implement. I don't know if that helps. Right now, I have no responsibilities.
    – mipnix
    Commented Aug 5, 2011 at 15:11
  • Welcome to IT Security. Security is a broad and nuanced topic. We can help you better with a little more information. To start with, what policy changes are your clients asking for? A useful definition here is risk = threat x vulnerability x exposure. Security professionals want to reduce the risk of bad things happening. To do that we can attempt to mitigate any or all of the three right-hand factors. Risk is applied to assets you have. So, what assets are you protecting? Who are your potential threats? What industry are you in?
    – this.josh
    Commented Aug 5, 2011 at 17:00

2 Answers

I just had a flashback to the A+ and NT MCSE days... Back to the topic at hand. Information security tends to fall on two sides: either you do the technical side (aka analyst or engineer) or the policy side (aka auditor or manager). In a 300-person company I would suspect that you are going to need to do both the technical and policy side. Do a search for information security on indeed.com. The indeed.com listings can give you an idea of typical information security job descriptions and salaries.

  • Thank you. That set me off in the right direction. I don't have enough rep to vote you up.
    – mipnix
    Commented Aug 5, 2011 at 16:15

A core element of a security professional's job is to protect the integrity and confidentiality of systems. You can write your description up in many ways. I suggest the following: You know security and you dedicate yourself to that. Because this is a smaller company, you may sometimes do hands-on ops work as a backup, but your primary focus should be keeping your knowledge about security fresh -- the threats outside, the technologies to deal with them, and the evolving structure of your company's technical assets. Be strong on your communication skills -- you're going to need to justify your position to the CxOs. That will require taking some complex concepts and explaining them to non-technical folks who hold the purse strings. You should understand the business as a whole and the operational goals of the CxOs. Write your own goals to match them (CxO goal: increase revenue from clients. Your goal: provide cost-effective security that meets clients' needs to accept you as a vendor). You write all the policies and your existing team of ops folk implement them.

That's the high-level view of it. Knock the above out as a bullet list. Whether you keep it high-level or add low-level detail is going to be your call based on how you perceive management's reaction and whether you want to go in the hands-on or hands-off role. Your company may greatly value technical skill, but most value the management aspect. In most places, the one who decides how something will be affected gets more money than the one who makes it happen. Writing your job description is as much about their view as it is defining you and the next one to have the job.

  • Your point of defining the role for the next guy is an excellent one and one I will implement. Thank you.
    – mipnix
    Commented Aug 5, 2011 at 17:06