Educause Security Discussion mailing list archives
Re: Security positions, organizational structures and job descriptions
From: Shirley Payne <payne () VIRGINIA EDU>
Date: Thu, 6 Sep 2007 18:11:44 -0400
Curt,

This doesn't answer all your questions, but you might find the information at the link below very useful, as I have. UC Berkeley has done excellent work developing descriptions for various levels of IT security positions.

http://careercompass.berkeley.edu/jobstandards/mappingtool/infotech/security.html

Shirley

Shirley C. Payne
Director for IT Security & Policy
University of Virginia

Curt Wilson wrote:
Dear EDUCAUSE Colleagues -

My team has an opportunity to restructure to some degree. In light of this, would anyone be so kind as to provide job descriptions for your security staff, both technical and executive? Any information shared would be considered confidential unless you determine otherwise. A link to my PGP key is below.

In particular, I'm wanting to learn the following:

1) Are there existing civil service positions that are already scoped as technical security positions? I guess each state might be different (not sure). If not, how are other .edus getting security positions passed through HR in a timely manner that reflect real-world security concerns and can draw qualified staff?

2) How are other .edus structuring their positions in terms of responsibilities, pay and organizational structure?

3) Are you dividing up the workload in terms of positions such as "security engineer", "security officer", "security operations", or perhaps roles such as "incident response", "identity manager", "data protection/encryption manager", "firewall engineer", "IPS engineer", or some other scheme? Do you have graduated "I, II, III" positions such as Security Engineer I, II, and III, etc.? (How about "PersonWhoWearsManyHats I, II, and III"?)

4) How many of you have CISO positions, and what are the duties and compensation of those positions and where are they in the organizational chart? If you have a CIO that doubles as a CISO, I'd love to learn about that as well.

Maybe some of us don't even have the luxury of having multiple security-related positions on our campuses. One scenario I've thought of, and which is probably being used by some of you, involves the presence of a CIO and a CISO (and perhaps a CPO as well). The CISO, at the executive level, has security oversight for all of campus (or all campuses) across multiple domains. Technical security teams within the various areas might report to a middle manager who understands both technology and business. The middle manager then reports to the CISO. Or perhaps security is well integrated into your environment in such a manner that a person does not need "security" in their title, yet they have this clear responsibility and report to some security presence on your campus. I'm sure there are a variety of scenarios at play - please help educate me if you can.

In today's world, with security challenges flying at us left and right, increased audit and compliance issues appearing frequently, a rich attack surface, and increasingly sophisticated and well-resourced attackers going after data and financial resources, it seems ever more pressing to implement executive-level security oversight if it's not already in existence. In the absence of such oversight, such as an environment where security reports to IT, how might a public university best structure what it does have to provide the maximum payoff?

Your thoughts are appreciated as time allows. I know we are all busy with our fall semesters! Thank you for any responses.