What does a security manager do?

[00:00:00] Chris Sienko: Welcome to the InfoSec Career Video Series. These set of short videos will provide a brief look at cybersecurity careers and the experience needed to enter them. Today, I'll be speaking with InfoSec skills author, Cicero Chimbanda, about the role of security manager. Let's get into it. Welcome, Cicero.

[00:00:23] Cicero Chimbanda: Welcome. Thank you, Chris, for having me.

[00:00:26] CS: Cicero, let's start with the basics. What does a security manager do? What are the day-to-day tasks of a security manager?

[00:00:33] CC: That's a great question, Chris. I think, the first thing is having a framework is always good for a security manager to have, so that they're not reinventing the wheel. I love the priority matrix, which talks about, whenever you're doing work, there are things that are important and urgent. Obviously, the opposite is not important and not urgent. I think, a security manager in the priority matrix, if you're looking at it, you want to be spending most of your time on important and not urgent tasks. Those include planning, scheduling, includes making sure that you are aligning your security with the business.

As a manager, you need to make sure your security is aligned with the strategy, whatever business. Also, looking at tactical initiatives. Also, believe it or not, relationship building is a big component of a security manager. You need to make sure you're getting feedback from your stakeholders, those teams, the back office, legal, HR, or the front office, people who are in sales, or doing the actual work making money for the company. You want to have those relationship building tasks into your calendar. Then, and that includes things like KPIs, reporting.

At the same time, obviously, you need to make sure you're planning your security programs. As a manager, and overseeing it; there's projects with pentesting, if there's projects with vulnerability assessments, if there's user awareness training. You want to make sure you're having visibility of the programs that your projects that you're running, and making sure you're holding people accountable.

That's important, but not necessarily urgent. Now, there are urgent and important tasks that you need to focus on as well. Because we are in an incident response world, right? You have planned events, but then you have what's called unplanned events. Things will happen. As a manager, you need to make sure you're tracking, addressing tickets. You've heard of RAG, right? Red, amber, green. You have those dashboards. Certain things are need immediate attention. Other things are amber, other things are green. The green, you don't necessarily need to focus on. These are some of the things that you need to do, and reports, alerts, looking at your sim’s tools. I know, we'll talk more about that, but these are some general tasks a manager needs to be doing.

[00:03:14] CS: Marvelous. How does one become a security manager? Is this a position that requires specific skills, or experience?

[00:03:22] CC: Yeah. There are two ways to that people take that track. You got individuals that are technical in nature. I like to put it in what's already – let's start with the end in mind. When you're looking at not necessarily a manager, but you're looking at the lead of a director, or a officer, you have what's called a BISO, a TISO and CISO. You got a business, technical or strategic, and we'll talk a little bit more about that.

These are tracks. You can have an individual that goes into a manager, because he has really good soft skills, and good people skills. He has good business acumen, good project management acumen. Not necessarily technical, but he knows how to connect the dots. He becomes a manager through that track. He's very interested in security, or he or she, very interested in security. They manage subject matter experts connecting the dots. That's one track.

The other track is somebody who grew up in the shop, technical in nature, subject matter experts in coding, or building firewalls, or managing administrator of such implementing technical controls. They just have that – they have that respect and they have that knowledge and confidence and they're able to manage other subject matter experts with what they do. Those are two tracks that individuals can get up to a security manager.

[00:04:54] CS: Okay. What types of education is typically required for this? Is this a degree situation? Just online experience? Are there certifications that are absolutely crucial?

[00:05:05] CC: Yeah, Chris. I think, to be a manager in any position in the corporate level, you want to have at least a minimum of a bachelor's degree. I would say that. I think, that gets you elevated. Because you're going to be competing with other people for that job. I also would recommend a master's, because it's not a must, but it's a recommended. If you do have a master's, and obviously, that's good. obviously, in technology, there's a master's in cybersecurity, or security related fields.

If you don't have a master's, don't fret. You can have five years of experience, a minimum of five years’ experience is usually where it lands. You get enough respect, and they know that you've been through it. Overall, I would say, in terms of certificates, there are some really good certificates out there, if you don't have – you have a bachelor's, if you don't have a master's, you can get certificates such as like, there's management of security certificates. Certified Information Security Manager by ISACA is a good one. There's the certified secure software lifecycle professional. There's general. You can get general ones, like governance, risk and compliance.

You can also even go from the track of best practices. For example, if you get a project managed PMP. That always helps if you get the Sigma, Six Sigma, or a COBIT. Again, these are best best practices frameworks. That helps your case, because you can, you can say, “Hey, I'm going to lead our organization to make sure we're meeting best practices.”

Then lastly, there are a lot of higher education, that give certifications. A lot of schools now are giving certs, like MIT, for example, is giving the Six Pillars of Technology Management. A lot of schools now are doing that, and even legal. The law schools are giving some legal frameworks for managers. Those are all good educations to have, to help you be a successful manager.

[00:07:23] CS: You mentioned it previously, in regards to these different silos of security manager. What skills, both technical and soft skills does a security manager need to do their job well? You can speak to the different aspects of what a security manager does.

[00:07:41] CC: Sure. Again, I always go back, it's always good to have some framework, or model, or best practice that you focus on. I use STS model. In fact, that's one of the things I talk about in my course. STS stands for security, trust, and stability. These are three pillars that a manager, or a leader can have. Security is where you align the cybersecurity frameworks, or projects to the business. You want to make sure there's alignment. You don't want to just do security for security sake.

The trust component is really where you're meeting your requirements, legally, stakeholders, it's where your communication, writing skills. These are very important; reporting skills, auditing. That all comes with trust. Then stability. That stability is that keeping the lights on, making sure things work, incident response, you're up and running quickly, business continuity. The reliability of your firm, because you have to fulfill your commitments. That's the model that I use when it comes to – so as far as skills.

To fit in there, you do need technical skills. It's good to have – to be a subject matter expert in one thing. You don't have to be in a lot of things. If you're good at one thing, then your team will respect you for that. You'll be a go-to person for that as well. Also, you'll be empathetic with your teammates, because you've been there, done that. If you've never stayed up all night, if you've never did an incident response, have gone through testing, you've never done that type of thing, then then the other guys, there'll be a gap on the empathetic. It’s important as a manager.

Also, I would say, lastly, having a good intel research business acumen is very important, especially when we're talking about aligning security to the business side. In that, that's really a relationship and you can get that on your own with whatever industry you're managing.

[00:09:58] CS: Okay. Cicero, are there any common tools, or software that security managers use?

[00:10:05] CC: Yeah. A lot of people have different preferences, but there are some baselines. There are some baselines, Chris. I think, the first thing is threat modeling tools. You need to have the ability to know what the threat actors are doing out in the wild, but also, what are the vulnerabilities that are in your organization? Some are vulnerabilities that you know and you assume, because of the risk model. There's threat modeling tools out there to help you manage the threats, the overall threat in your environment. That's first. That's the first tool.

The second one is monitoring tools. You got to have eyes and ears of your network and of your people and of the process. There's a three prong; people, process and technology. A sims is a good tool for your technology. Then you have some EDR tools, endpoint detection, recovery tools, then you have some intel research. The last I want to put is also having tools to communicate to those who aren't technically, or security savvy. What I mean by that, speaks a different language. KPIs, key performance indices, that you're putting out and communicating. KRI, key risk indices, metrics reporting. These are very important tools to do your job, both communicating out and also being communicated to you.

[00:11:48] CS: Okay, where do security managers work? I'm assuming this is something that just about any industry, or organization is going to need a security manager. Is this an enterprise level, vendor level, consultant, federal, all of the above?

[00:12:01] CC: Yeah, it is all the above. Now, security is such a high risk, and in the forefront of all business leaders. That security manager needs to be – There no longer are the days where IT manages security, because there's conflict of interest, right? If you have a security manager that's reporting to an IT manager, or IT director, if he says to the IT director, “Hey, we need to change this, because of that.” There’s that conflict of interest.

In the industries, I go back to the terms that I use, BISO, which is a business information security officer. You got a TISO, which is a tactical information security officer. Then, you got a CISO, which is a strategic information security officer. The reason why I break that down is different industries will use different types of business leaders, or managers. They might look, if the industry is like, let's say, it's more strategic in nature, they do very complex, like a laboratory, or NASA, they might want a strategic manager; somebody who understand strategy, future, modeling.

If it's a technical field, like you're selling technical products, like a Microsoft, or AWS, they might want a more technical manager. If it's a bank, or healthcare, they might want more a business-oriented manager. All industry needs managers, so you can't go wrong there.

[00:13:43] CS: Okay. If one gets into the role security manager, can you move into other roles from security manager? We hear all the time, people being afraid of making the wrong decision, or feeling locked into a role. How well does a security manager of these sorts pivot into other types of positions, and what other types of positions are complimentary towards security manager?

[00:14:07] CC: The good thing, Chris, is when you're a security manager, you get to basically, touch all areas of a company’s – because you’re monitoring, if you will. If you got arteries, you got the vessels. You're monitoring, all the inner workings of a body, which in this case, is your organization. You'll get a chance to touch all levels. You can make great lateral movement as a security manager. If you want to go into the business side, if you want to go into – and I always use two sides. You got the front office, those who are selling, or interfacing clients, and you got the back office, if you want to move into compliance, or HR, or operations or technology. You have the ability to do lateral movement.

Also, there's upward movement. You can become the CISO, if that's where you want to go. You can become the chief operating officer. It starts with mentoring. Then the other one is, you can always take a step back and say, “You know what? I love this asset recovery of security. I want to become the disaster recovery man, or woman. That's what I'm going to do.” You'll be a leg up, because you have the ability to connect the dots as the DR, or whatever, user awareness, if you want to go training, you can do that, too. There's several ways that you can move.

[00:15:33] CS: That's great. I figured as much, but I like to hear it. One last question, for our listeners who are ready to get started now, what's something they can do right this minute, after this video is done, that will move them towards the goal of becoming a security manager?

[00:15:46] CC: I think, if let's say, you're in a corporation, you're doing what you're doing, start branching out to get to know a lot of your partners in the business side, and start asking questions like, for example, what are some of the goals that you have to achieve as a business, or an individual worker? What are some of the pain points? Those are the two things.

If you build your arsenal, and what you're doing really, is you're building relationships. Because moving into a security manager, it's all about relationships. People don't want to know how much you know, until they know how much you care. When you're a good listener, you're caring about what they're doing, what they're going through, and you're building that arsenal, I like to do a matrix of relationship, right? It's a relationship matrix. That's one.

Number two, choose your industry. If you're not already in a business, or in a company, choose an industry, and start learning what are some of the goals, pain points? What are some of the things that are – the trends that are going on in that industry? For example, healthcare, financial, utility, Department of Defense. Start immersing yourself and getting that tribal knowledge that are there. The last thing I would say is get a mentor. Start with the end in mind. It's always good to have a mentor. You can reverse engineer any job. If I want to be a manager, and I'm not a manager, I’d get a mentor, or a coach that's a manager, and then ask them how they got there and then do what they did.

[00:17:28] CS: Cicero Chimbanda, thank you for your time and insights today. I think, people are really going to get a lot out of this.

[00:17:33] CC: Thank you, Chris, for having me.

[00:17:36] CS: Thank you all for watching this episode. If you'd like to know more about other cybersecurity job roles, please check out the rest of InfoSec’s career video series. We'll see you next time. Bye now.