Re: Security positions, organizational structures and job descriptions

[Shirley Payne <payne () VIRGINIA EDU>]

Curt,

This is doesn't answer all your questions, but you might find
information at the link below very useful, as I have. UC Berkley has
done excellent work developing descriptions for various levels of IT
security positions.

http://careercompass.berkeley.edu/jobstandards/mappingtool/infotech/security.html

Shirley

Shirley C. Payne
Director for IT Security & Policy
University of Virginia

Curt Wilson wrote:
> Dear EDUCAUSE Colleagues -
>
> My team has an opportunity to restructure to some degree. In light of
> this, would anyone be so kind as to provide job descriptions for your
> security staff, both technical and executive? Any information shared
> would be considered confidential unless you determine otherwise. A link
> to my PGP key is below.
>
> In particular, I'm wanting to learn the following:
>
> 1) Are there existing civil service positions that are already scoped as
> technical security positions? I guess each state might be different.
> (not sure) If not, how are other .edus getting security positions passed
> through HR in a timely manner that reflect real-world security concerns
> and can draw qualified staff?
>
> 2) How other .edu's are structuring their positions in terms of
> responsibilities, pay and organizational structure.
>
> 3) Are you dividing up the workload in terms of positions such as
> "security engineer", "security officer", "security operations" or
> perhaps roles such as "incident response", "identity manager", "data
> protection/encryption manager", "firewall engineer", "IPS engineer" or
> some other scheme? Do you have graduated "I, II, III" positions such as
> Security Engineer I, II, and III. etc. (how about
> "PersonWhoWearsManyHats I,II,and III")
>
> 4) How many of you might have CISO positions, and what the duties and
> compensation of those positions are and where they are in the
> organizational chart. If you have a CIO that doubles as a CISO I'd love
> to learn about that as well.
>
> Maybe some of us don't even have the luxury of having multiple security
> related positions on our campuses.
>
> One scenario I've thought of, and is probably being used by some of you,
> involves the presence of a CIO, and a CISO (and perhaps a CPO as well).
> The CISO, at the executive level, has security oversight for all of
> campus (or all campuses) across multiple domains. Technical security
> teams within the various areas might report to a middle manager who
> understands both technology and business. The middle manager then
> reports to the CISO. Or perhaps security is well-integrated into your
> environment in such a manner that a person does not need "security" in
> their title, yet they have this clear responsibility and report to some
> security presence on your campus. I'm sure there are a variety of
> scenarios at play - please help educate me if you can.
>
> In todays world, with security challenges flying at us left and right,
> increased audit and compliance issues appearing frequently, a rich
> attack surface, and increasingly sophisticated and well-resourced
> attackers going after data and financial resources, it seems ever more
> pressing to implement executive level security oversight if it's not
> already in existence. In the absence of such oversight, such as an
> environment where security reports to IT, how might a public university
> best structure what it does have to provide the maximum payoff?
>
> Your thoughts appreciated as time allows. I know we are all busy with
> our fall semesters!
>
>
> Thank you for any responses.