The Job Title
A quick search at any major job search engine reveals that not many postings exist for an Information Security Officer. This is in large part because there are a number of positions in an organization which carry out the same duties under a different job title. In general, it became apparent that an Information Security Officer, an Information Security Architect, and Information Security Analyst all were carrying out the same duties and held the same position within an organization. The job titles then, are virtually interchangeable.
Most Common Duties
The most common duty seen in all ISO job descriptions was taking responsibility for Information Security policy. The Information Security Officer is expected to draft, evaluate, and constantly improve the organization's Information Security policy. The ISO is also expected to be knowledgeable in current Information Security trends and legislation – ensuring that the organization’s policies are in compliance with best practices and legal requirements. The policies that fell under the ISO’s duties were not limited purely to Information Security, but also to disaster recovery and contingency planning.
In addition to overseeing an organization’s Information Security policies, the ISO’s duties also include risk management. This includes creating and implementing risk assessment programs as well as overseeing testing. As part of this duty the Information Security Officer is also tasked with being the point of contact for incident reporting and tracking in regards to information security breaches and faults.
The final duty which was present in every ISO job description analyzed was that of trend-watching, knowledge maintenance, and industry actualization. Given the responsibility of the position, it should be no surprise that ISOs are expected to be up-to-date on all matters which affect their area of expertise.
A few Observations on Information Security Officer Duties and job descriptions
For those of you interested in becoming ISOs, there were a few trends which became apparently after reading over such a vast number of job descriptions:
-A Bachelor’s degree in a relevant field (IT, Computer Science, Business Administration, IS) is required to obtain the position. A Masters is considered an asset, but not a hard requirement.
-Certifications were mentioned as nice to have, but rarely put as required. Of the certifications mentioned, the CISSP certification seemed to be the most preferred. If you're interested in this certification a great place to start would be the ISC's web site on the certification.
-Within the organization, the ISO almost always reported to the Chief Information Security Officer (CISO), CIO, or CTO and is expected to work in an inter-department team as well as to project manage and lead project specific teams.
-According to the Bureau of Labor Statistics, specialists in IT and especially in IT Security should continue to see a large number of job openings and growth in the field.