APRIL 2023
Tech Corner
An Intro to Roles in Cyber Security:
Information Security Manager Role, an Exciting and Rewarding Career
BY IQBAL SINGH
Introduction
Information security managers play a key role in avoiding disasters by identifying any
weak areas that might make information systems vulnerable. Information security
management is the process of protecting an organization’s data and assets against
potential threats. One of the primary goals of these processes is to protect data
confidentiality, integrity, and availability. Information security management may be
driven both internally by corporate security policies and externally by regulations such
as the General Data Protection Regulation (GDPR), the Health Insurance Portability and
Accountability Act (HIPAA), and the Payment Card Industry Data Security Standard (PCI
DSS). An information security management strategy begins by identifying these
assets, developing and implementing policies and procedures for protecting them,
and maintaining and maturing these programs over time. Information security
management includes implementing security best practices and standards designed
to mitigate threats to data like those found in the ISO/IEC 27000 family of standards.
Many organizations have internal policies for managing access to data, but some
industries have external standards and regulations as well. For example, healthcare
organizations are governed by the Health Insurance Portability and Accountability Act
(HIPAA), and the Payment Card Industry Data Security Standard (PCI DSS) protects
payment card information.
Information security is an exciting career that opens the doors to global mobility
Information security managers assess an organization’s security measures such as
anti-virus software, passwords, and firewalls in order to identify any areas that might
make information systems vulnerable to attack. They also analyze reports generated
by the monitoring system to identify anything that may indicate a future risk.
Information security managers also manage backup and security systems, look after
the recovery of data in disaster situations, and oversee security violation investigations.
Often, simulated attacks are carried out in order to test the efficiency of the security
measures that are in place. Information security managers also provide training for
employees, explaining security risks as well as the need for using strong passwords
and protecting data when using mobile devices outside the office. Based on seniority
and job function, employees and managers are typically given different levels of
access to company data.
Types of Security Management
Three common types of security management streams include:
Information Security: Information security management includes implementing
security best practices and standards designed to mitigate threats to data like
those found in the ISO/IEC 27000 family of standards.
Network Security: The network is the vector by which most cyberattacks reach an
organization’s systems and its first line of defence against cyber threats. Network
security management includes deploying network monitoring and defence
solutions, implementing network segmentation, and controlling access to the
network and the devices connected to it.
Cyber Security: Cybersecurity management refers to a more general approach to
protecting an organization and its IT assets against cyber threats. This form of
security management includes protecting all aspects of an organization’s IT
infrastructure, including the network, cloud infrastructure, mobile devices, Internet
of Things (IoT) devices, and applications and APIs.
Amongst the three, information security management requires the least technical
depth, as it is mainly focused on processes, procedures and audits. This role is ideal for
people with some technical ability who can make strategic decisions and apply their
skills in high-pressure situations. This seems like a good fit for a veteran's profile. Thus,
it provides a gentle segue for a military veteran into the domain of cyber security,
entering via the gate of information security. Subsequently, with some effort and
upskilling, the person can smoothly pivot to more technical roles in cyber security.
Skills And Knowledge Areas Required
An information security professional requires technical and managerial knowledge
and experience to effectively design, engineer, and manage the overall security
posture of an organization. A successful security leader must educate teams across
the company on the importance of cybersecurity, while simultaneously handling the
eight domains of infosec:
Security and Risk Management
Asset Security
Security Architecture and Engineering
Communication and Network Security
Identity and Access Management (IAM)
Security Assessment and Testing
Security Operations
Software Development Security
A Typical Day in the Life of an Information Security Manager (ISM)
Most employers are seeking candidates that have both technical and workplace skills.
The ideal person in this role is a thought leader, a consensus builder, and an
integrator of people and processes. While the ISM is the leader of the security
program, he must also be able to coordinate disparate drivers, constraints and
personalities, while maintaining objectivity and a strong understanding that security is
just one of the business's activities. It cannot be undertaken at the expense of the
enterprise's ability to deliver on its goals and objectives. Typical activities in a day may
look something like this:
Meeting(s) with the system administrator team to discuss the need to audit the
organization's domain controllers and other authenticating systems.
Meeting(s) with one of the software engineering teams to discuss customer data
flows throughout the cloud commerce systems, for example.
Discussions with the HR team to discuss the InfoSec team's involvement in the
offboarding process: the use of data loss prevention (DLP) tools, disabling access to
departing staff members, preserving data for those on litigation hold, deciding
which systems will be placed on legal hold, indicating how departing staff
members can retrieve their personal files (which you never supported) from their
computers after they're gone, wiping systems to ensure no loss of data, deciding
when systems can be placed back into service after legal hold, determining how
and when to terminate access for departing staff members. Of course, all these
processes change for every country in the world!
Meetings with the product team to discuss the requirements for Internet of Things
(IoT) security in the next version of the company's product. The product team may
not be too keen to meet you, nor to include security requirements in the next
design, as their priorities may be different. However, you need to build consensus
and carry people along.
Risk assessment of third-party vendors. While this should have been done when
the org entered into a contract with the third party, we do not live in an ideal
world. Now leadership is asking about our risk exposure, so you need to step in.
Update the code-of-conduct document with the legal department.
Present the results of the latest security audit to company leadership, done under
the watchful eye of the corporate audit department, and utilizing an external firm.
Talk with the network services manager/team to review hardening standards as
well as the results of the most recent network scans.
Hope you get the drift? The unpredictable nature of information security means that
though certain tasks will always need to be completed, such as checking in with the
latest security news reports, compliance requirements, audits, etc., the next day's
events will likely differ from their predecessors.
Certifications & Upskilling Pathway
Certifications lend credibility to your profile
CompTIA Security+
This is a global certification that validates the baseline skills necessary to perform core
security functions and pursue an IT security career. This is a baseline cybersecurity
certification emphasizing hands-on practical skills, ensuring the security professional
is better prepared to problem solve a wider variety of today’s complex issues. Security+
incorporates best practices in hands-on troubleshooting, ensuring candidates have
practical security problem-solving skills required to:
Assess the security posture of an enterprise environment and recommend and
implement appropriate security solutions
Monitor and secure hybrid environments, including cloud, mobile, and IoT
Operate with an awareness of applicable laws and policies, including principles of
governance, risk, and compliance
Identify, analyze, and respond to security events and incidents
Security+ is a Vendor-Neutral Certification
Security+ is compliant with ISO 17024 standards and approved by the US DoD to meet
directive 8140/8570.01-M requirements.
CEH (v12) - Certified Ethical Hacker Certification
This Certified Ethical Hacker Version 12 (earlier CEHv11) course will train you on the
advanced step-by-step methodologies that hackers actually use, such as writing virus
code and reverse engineering, so you can better protect corporate infrastructure
from data breaches. This ethical hacking course will help you master advanced
network packet analysis and advanced system penetration testing techniques to build
your network security skill-set and beat hackers at their own game. This is a
certification by EC-Council that helps information security professionals to grasp the
fundamentals of hacking thus enabling them to easily identify vulnerabilities in the
network and system infrastructure. One also learns about commercial-grade hacking
tools and techniques.
CEH Offers a Different Perspective to the Security Defender
A CEH recognizes attack strategies and the use of creative attack vectors, and mimics
the skills and creativity of malicious hackers. Unlike black hat hackers, Certified Ethical
Hackers operate with permission from the system owners and take all precautions to
ensure the outcomes remain confidential. Bug bounty analysts are expert ethical
hackers who use their attack skills to reveal vulnerabilities in systems.
Certified Information Systems Security Professional (CISSP) Certification
This is a globally recognized certification from (ISC)2 for information security
professionals that covers a broad range of security topics. The CISSP is ideal for
experienced security practitioners, managers and executives interested in proving
their knowledge across a wide array of security practices and principles, including
those in the following positions:
Chief Information Security Officer
Chief Information Officer
Director of Security
IT Director/Manager
Security Systems Engineer
Security Analyst
Security Manager
Security Auditor
Security Architect
Security Consultant
Network Architect
CISSP can be a Gateway to a Career in Info Security for a Military Veteran
Preparation can be achieved through self-study and using CISSP practice books and
study guides, as well as online practice exams. Many candidates also enroll in various
CISSP training courses to prepare for the exam.
Certified Information Security Manager® (CISM®) Certification
With a Certified Information Security Manager® (CISM®) certification, you’ll learn how
to assess risks, implement effective governance and proactively respond to incidents.
This is a certification from ISACA. The certification helps to validate the expertise and
knowledge of the candidates regarding the relationship between an information
security program and the broader business targets. The certification also validates that
the candidate has the hands-on knowledge of developing, managing and
implementing an information security program for an organization.
CISM can help you move from a Team Player to a Manager
This certification upgrades you in the following domains:
Information Security Governance
Information Security Risk Management
Information Security Program
Incident Management
Conclusion
Information Security Manager is an exciting and dynamic career with a lot of
business criticality attached to the role. The role calls for expertise in a wide array
of technical, business, leadership, project management and communication skills.
Military veterans, by virtue of their military service, already possess several of the
skills in this wide spectrum. The role is also similar in many respects to a military
security professional's role: the concepts remain more or less the same, and merely
the context changes. Accordingly, this provides a good and relatively easy pathway to
a career in the info/cyber security domain in the industry.
It may look daunting at first, and many a doubt will arise in your mind. There will be
that chatter of self-doubt in your mind that discourages you from even attempting it.
However, you must tame the tiger of self-doubt within and overcome it, for success is
assured if you take up the challenge in the right spirit and persist relentlessly. All that
is required is some upskilling and a few certifications that lend credibility to your
profile and make the switch from the military to the corporate world easier.
Iqbal Singh is an ex-infantry officer now in a technology role working
with a Big Tech firm based at Gurgaon, India. Iqbal started his career
with The Garhwal Rifles in Dec 1987 and served in several conflict zones
on active military service across Sri Lanka, Punjab, Jammu & Kashmir
and Nagaland. He quit the Army in 2008 to pursue a corporate career
in technology. He has a passion for technology and for breaking myths
and stereotypes. Iqbal propagates that you can achieve all that you
believe in, provided you are willing to put in the effort the whole nine
yards. That is how the popular concept of ABCT (Any Body Can Tech)
was born within Forces Network. Iqbal is also the Founder of Forces Network.