Re: Security positions, organizational structures and job descriptions
From: Shirley Payne <payne () VIRGINIA EDU>
Date: Thu, 6 Sep 2007 18:11:44 -0400


This doesn't answer all your questions, but you might find
information at the link below very useful, as I have. UC Berkeley has
done excellent work developing descriptions for various levels of IT
security positions.
Shirley C. Payne
Director for IT Security & Policy
University of Virginia

Curt Wilson wrote:
Dear EDUCAUSE Colleagues -

My team has an opportunity to restructure to some degree. In light of
this, would anyone be so kind as to provide job descriptions for your
security staff, both technical and executive? Any information shared
would be considered confidential unless you determine otherwise. A link
to my PGP key is below.

In particular, I'm wanting to learn the following:

1) Are there existing civil service positions that are already scoped as
technical security positions? I guess each state might be different
(not sure). If not, how are other .edus getting security positions passed
through HR in a timely manner that reflect real-world security concerns
and can draw qualified staff?

2) How other .edus are structuring their positions in terms of
responsibilities, pay and organizational structure.

3) Are you dividing up the workload in terms of positions such as
"security engineer", "security officer", "security operations" or
perhaps roles such as "incident response", "identity manager", "data
protection/encryption manager", "firewall engineer", "IPS engineer" or
some other scheme? Do you have graduated "I, II, III" positions such as
Security Engineer I, II, and III, etc.? (How about
"PersonWhoWearsManyHats I, II, and III"?)

4) How many of you might have CISO positions, and what the duties and
compensation of those positions are and where they are in the
organizational chart. If you have a CIO that doubles as a CISO I'd love
to learn about that as well.

Maybe some of us don't even have the luxury of having multiple security
related positions on our campuses.

One scenario I've thought of, and which is probably being used by some of you,
involves the presence of a CIO and a CISO (and perhaps a CPO as well).
The CISO, at the executive level, has security oversight for all of
campus (or all campuses) across multiple domains. Technical security
teams within the various areas might report to a middle manager who
understands both technology and business. The middle manager then
reports to the CISO. Or perhaps security is well-integrated into your
environment in such a manner that a person does not need "security" in
their title, yet they have this clear responsibility and report to some
security presence on your campus. I'm sure there are a variety of
scenarios at play - please help educate me if you can.

In today's world, with security challenges flying at us left and right,
increased audit and compliance issues appearing frequently, a rich
attack surface, and increasingly sophisticated and well-resourced
attackers going after data and financial resources, it seems ever more
pressing to implement executive level security oversight if it's not
already in existence. In the absence of such oversight, such as an
environment where security reports to IT, how might a public university
best structure what it does have to provide the maximum payoff?

Your thoughts appreciated as time allows. I know we are all busy with
our fall semesters!

Thank you for any responses.