ICT security manager

Description

ICT security managers propose and implement necessary security updates. They advise, support, inform and provide training and security awareness and take direct action on all or part of a network or system.

Other titles

The following job titles also refer to ICT security manager:

ICT security chief
ICT technical security expert
IT security manager
information security manager
ICT security managers
security coordinator
IT security chief

Minimum qualifications

A bachelor’s degree is generally required to work as an ICT security manager. However, this requirement may differ in some countries.

ISCO skill level

ISCO skill level is defined as a function of the complexity and range of tasks and duties to be performed in an occupation. It is measured on a scale from 1 to 4, with 1 the lowest level and 4 the highest, by considering:

  • the nature of the work performed in an occupation in relation to the characteristic tasks and duties
  • the level of formal education required for competent performance of the tasks and duties involved and
  • the amount of informal on-the-job training and/or previous experience in a related occupation required for competent performance of these tasks and duties.

ICT security manager is a Skill level 4 occupation.

ICT security manager career path

Similar occupations

These occupations, although different, require a lot of knowledge and skills similar to ICT security manager.

ethical hacker
ICT security administrator
ICT resilience manager
IT auditor
ICT security consultant

Long term prospects

These occupations require some skills and knowledge of ICT security manager. They also require other skills and knowledge, but at a higher ISCO skill level, meaning these occupations are accessible from a position of ICT security manager with significant experience and/or extensive training.

Essential knowledge and skills

Essential knowledge

This knowledge should be acquired through learning to fulfill the role of ICT security manager.

Internal risk management policy: The internal risk management policies that identify, assess and prioritise risks in an IT environment. The methods used to minimise, monitor and control the possibility and the impact of disastrous events that affect the reaching of business goals.
Computer forensics: The process of examining and recovering digital data from sources for legal evidence and crime investigation.
Information security strategy: The plan defined by a company which sets the information security objectives and measures to mitigate risks, define control objectives, establish metrics and benchmarks while complying with legal, internal and contractual requirements.
ICT quality policy: The quality policy of the organisation and its objectives, the acceptable level of quality and the techniques to measure it, its legal aspects and the duties of specific departments to ensure quality.
ICT security standards: The standards regarding ICT security such as ISO and the techniques required to ensure compliance of the organisation with them.
Internet governance: The principles, regulations, norms and programs that shape the evolution and use of internet, such as internet domain names management, registries and registrars, according to ICANN/IANA regulations and recommendations, IP addresses and names, name servers, DNS, TLDs and aspects of IDNs and DNSSEC.
ICT project management: The methodologies for the planning, implementation, review and follow-up of ICT projects, such as the development, integration, modification and sales of ICT products and services, as well as projects relating to technological innovation in the field of ICT.
ICT problem management techniques: The techniques related to identifying the solutions of the root cause of ICT incidents.
Legal requirements of ICT products: The international regulations related to the development and use of ICT products.
ICT system user requirements: The process intended to match user and organisation’s needs with system components and services, by taking into consideration the available technologies and the techniques required to elicit and specify requirements, interrogating users to establish symptoms of problem and analysing symptoms.
Internet of things: The general principles, categories, requirements, limitations and vulnerabilities of smart connected devices (most of them with intended internet connectivity).

Essential skills and competences

These skills are necessary for the role of ICT security manager.

Manage IT security compliances: Guide application and fulfilment of relevant industry standards, best practices and legal requirements for information security.
Establish an ICT security prevention plan: Define a set of measures and responsibilities to ensure the confidentiality, integrity and availability of information. Implement policies to prevent data breaches, detect and respond to unauthorised access to systems and resources, including up-to-date security applications and employee education.
Develop information security strategy: Create company strategy related to the safety and security of information in order to maximise information integrity, availability and data privacy.
Define security policies: Design and execute a written set of rules and policies that have the aim of securing an organisation concerning constraints on behaviour between stakeholders, protective mechanical constraints and data-access constraints.
Manage disaster recovery plans: Prepare, test and execute, when necessary, a plan of action to retrieve or compensate lost information system data.
Implement ICT risk management: Develop and implement procedures for identifying, assessing, treating and mitigating ICT risks, such as hacks or data leaks, according to the company’s risk strategy, procedures and policies. Analyse and manage security risks and incidents. Recommend measures to improve digital security strategy.
Solve ICT system problems: Identify potential component malfunctions. Monitor, document and communicate about incidents. Deploy appropriate resources with minimal outage and deploy appropriate diagnostic tools.
Maintain ICT identity management: Administer identification, authentication and authorisation of individuals within a system and control their access to resources by associating user rights and restrictions with the established identity.
Lead disaster recovery exercises: Head exercises which educate people on what to do in case of an unforeseen disastrous event in the functioning or security of ICT systems, such as on recovery of data, protection of identity and information and which steps to take in order to prevent further problems.

Optional knowledge and skills

Optional knowledge

This knowledge is sometimes, but not always, required for the role of ICT security manager. However, mastering this knowledge allows you to have more opportunities for career development.

Systems development life-cycle: The sequence of steps, such as planning, creating, testing and deploying and the models for the development and life-cycle management of a system.
ICT network security risks: The security risk factors, such as hardware and software components, devices, interfaces and policies in ICT networks, risk assessment techniques that can be applied to assess the severity and the consequences of security threats and contingency plans for each security risk factor.
Decision support systems: The ICT systems that can be used to support business or organisational decision making.
Cyber attack counter-measures: The strategies, techniques and tools that can be used to detect and avert malicious attacks against organisations’ information systems, infrastructures or networks.
Outsourcing model: The outsourcing model consists of principles and fundamentals of service-oriented modelling for business and software systems that allow the design and specification of service-oriented business systems within a variety of architectural styles, such as enterprise architecture.
Hybrid model: The hybrid model consists of principles and fundamentals of service-oriented modelling for business and software systems that allow the design and specification of service-oriented business systems within a variety of architectural styles, such as enterprise architecture.
Audit techniques: The techniques and methods that support a systematic and independent examination of data, policies, operations and performances using computer-assisted audit tools and techniques (CAATs) such as spreadsheets, databases, statistical analysis and business intelligence software.
Tools for ICT test automation: The specialised software to execute or control tests and compare predicted testing outputs with actual testing results such as Selenium, QTP and LoadRunner.
ICT security legislation: The set of legislative rules that safeguards information technology, ICT networks and computer systems and legal consequences which result from their misuse. Regulated measures include firewalls, intrusion detection, anti-virus software and encryption.
Organisational resilience: The strategies, methods and techniques that increase the organisation’s capacity to protect and sustain the services and operations that fulfil the organisational mission and create lasting values by effectively addressing the combined issues of security, preparedness, risk and disaster recovery.
Cyber security: The methods that protect ICT systems, networks, computers, devices, services, digital information and people against illegal or unauthorised use.
Service-oriented modelling: The principles and fundamentals of service-oriented modelling for business and software systems that allow the design and specification of service-oriented business systems within a variety of architectural styles, such as enterprise architecture and application architecture.
Levels of software testing: The levels of testing in the software development process, such as unit testing, integration testing, system testing and acceptance testing.
Web application security threats: The attacks, vectors, emergent threats on websites, web applications and web services, the rankings of their severity identified by dedicated communities such as OWASP (Open Web Application Security Project).
Information confidentiality: The mechanisms and regulations which allow for selective access control and guarantee that only authorised parties (people, processes, systems and devices) have access to data, the way to comply with confidential information and the risks of non-compliance.
Open source model: The open source model consists of principles and fundamentals of service-oriented modelling for business and software systems that allow the design and specification of service-oriented business systems within a variety of architectural styles, such as enterprise architecture.
Investment analysis: The methods and tools for analysis of an investment compared to its potential return. Identification and calculation of profitability ratio and financial indicators in relation to associated risks to guide decision on investment.
ICT recovery techniques: The techniques for recovering hardware or software components and data, after failure, corruption or damage.
Mobile device management: The methods for managing the use of mobile devices within an organisation, while ensuring security.
ICT encryption: The conversion of electronic data into a format which is readable only by authorized parties which use key encryption techniques, such as Public Key Infrastructure (PKI) and Secure Sockets Layer (SSL).
SaaS (service-oriented modelling): The SaaS model consists of principles and fundamentals of service-oriented modelling for business and software systems that allow the design and specification of service-oriented business systems within a variety of architectural styles, such as enterprise architecture.
ICT process quality models: The quality models for ICT services which address the maturity of the processes, the adoption of recommended practices and their definition and institutionalisation that allow the organisation to reliably and sustainably produce required outcomes. It includes models in a lot of ICT areas.

Optional skills and competences

These skills and competences are sometimes, but not always, required for the role of ICT security manager. However, mastering these skills and competences allows you to have more opportunities for career development.

Provide technical documentation: Prepare documentation for existing and upcoming products or services, describing their functionality and composition in such a way that it is understandable for a wide audience without technical background and compliant with defined requirements and standards. Keep documentation up to date.
Define technology strategy: Create an overall plan of objectives, practices, principles and tactics related to the use of technologies within an organisation and describe the means to reach the objectives.
Use ICT ticketing system: Utilise a specialised system to track registration, processing and resolution of issues in an organisation by assigning each of these issues a ticket, registering inputs from involved persons, tracking changes and displaying the status of the ticket, until it is completed.
Execute ICT audits: Organise and execute audits in order to evaluate ICT systems, compliance of components of systems, information processing systems and information security. Identify and collect potential critical issues and recommend solutions based on required standards and solutions.
Identify ICT security risks: Apply methods and techniques to identify potential security threats, security breaches and risk factors using ICT tools for surveying ICT systems, analysing risks, vulnerabilities and threats and evaluating contingency plans.

ISCO group and title

2529 – Database and network professionals not elsewhere classified

References
  1. ICT security manager – ESCO
Last updated on August 8, 2022