Compliance & Risk as career
Author: Stefan Waldvogel
Information Security Manager career path
This article describes a job I partially did in Germany. I didn't have a specific job title for this activity, but I can transfer the activity into a US job title.
"Compliance and Risk" is a massive topic in Cybersecurity because the industry has to follow many standards. Companies who work with credit card data have to work with PCI DSS, health care companies work with HIPPA, the military has their own rules, Europe has GDPR and more laws.
My background: I worked for Airbus, and we developed products for the German Air Force, and the goal was to get them compliant for the wanted security level.
If I worked in the US, my title could be "Information Security Manager", "Compliance & Risk Manager," or something similar.
"Compliance and Risk" is a massive topic in Cybersecurity because the industry has to follow many standards. Companies who work with credit card data have to work with PCI DSS, health care companies work with HIPPA, the military has their own rules, Europe has GDPR and more laws.
My background: I worked for Airbus, and we developed products for the German Air Force, and the goal was to get them compliant for the wanted security level.
If I worked in the US, my title could be "Information Security Manager", "Compliance & Risk Manager," or something similar.
If you have this title, you can work in different sub-areas. Depending on the team size or the project, you do all or split the work. The following activities are possible:
- You administrate the ISMS tool
- You collect and request the wanted information
- You work as an advisor for developers and the customer
- You write security/compliance reports
- You teach your team members
Degree and fundamental skills
The US and Germany are similar in terms of wanted education. You do not need a degree for this job, but it is a plus. You find everything, and one of my colleagues had a Ph.D.
On the skill side, you need a wide variety of skills.
The US and Germany are similar in terms of wanted education. You do not need a degree for this job, but it is a plus. You find everything, and one of my colleagues had a Ph.D.
On the skill side, you need a wide variety of skills.
What are you doing on a daily basis?
If you work alone or with a small team, working as an Information Security Manager is incredibly diverse.
You work with IT and take care of database backups, and you work with the customer and the developers to get the wanted data.
A more boring activity is feeding the Information Security Management System (ISMS) tool with data and related project management work.
When you accompany a new product, your main work is giving the developers and the developing departments guidance. You know more about security than everybody else, and they need your help to develop a compliant product. Man times you meet developers, and you go to conferences. Often you have to solve "impossible" problems for the lowest possible price. You deal with the CIA triage every day.
In your "free" time, you write your reports. This part can be massive. Let us say you write a security concept for an aircraft, which can go into ten-thousands of pages. Writing such a "monster" is complicated, and you constantly talk to the customer. You never deliver 10,000 pages as a final unseen product ->. Instead, you send blocks to the customer, they give you input, and you improve the text. Some customers are stringent and accurate. Some text blocks do ten times a cycle, primarily if you work with agile development. If you deal with the military, the wording is everything.
If you work with a team and have juniors, you teach them. If they know more, you have less work, and you can concentrate on your advisor/manager role.
If you work alone or with a small team, working as an Information Security Manager is incredibly diverse.
You work with IT and take care of database backups, and you work with the customer and the developers to get the wanted data.
A more boring activity is feeding the Information Security Management System (ISMS) tool with data and related project management work.
When you accompany a new product, your main work is giving the developers and the developing departments guidance. You know more about security than everybody else, and they need your help to develop a compliant product. Man times you meet developers, and you go to conferences. Often you have to solve "impossible" problems for the lowest possible price. You deal with the CIA triage every day.
In your "free" time, you write your reports. This part can be massive. Let us say you write a security concept for an aircraft, which can go into ten-thousands of pages. Writing such a "monster" is complicated, and you constantly talk to the customer. You never deliver 10,000 pages as a final unseen product ->. Instead, you send blocks to the customer, they give you input, and you improve the text. Some customers are stringent and accurate. Some text blocks do ten times a cycle, primarily if you work with agile development. If you deal with the military, the wording is everything.
If you work with a team and have juniors, you teach them. If they know more, you have less work, and you can concentrate on your advisor/manager role.
Your first job:
In Germany, most people have nearly all responsibilities and the full spectrum even without a degree.
It works because if you get a manager role, you have some years of work experience before you get this job. My department didn't hire people without solid hands-on or military background.
We have more job separation in the US, and you can start with a data entry job. A posible titlke could be Information Security Analyst. You get emails, and you feed the information into the ISMS. This data entry part is the most boring job.
My personal advice: If you do this and sit next to a person with a more interesting job, try to understand the data and find mistakes (everyone is a human). If your boss/supervisor sees you are a critical thinker and you understand the data, you will not stay long in this position.
Try to move up and go to conferences and meetings. Learn more about the ISMS tool and play with a test database. Learn more about data/question selection part-> if you know how this works, you are ready to move up.
In Germany, most people have nearly all responsibilities and the full spectrum even without a degree.
It works because if you get a manager role, you have some years of work experience before you get this job. My department didn't hire people without solid hands-on or military background.
We have more job separation in the US, and you can start with a data entry job. A posible titlke could be Information Security Analyst. You get emails, and you feed the information into the ISMS. This data entry part is the most boring job.
My personal advice: If you do this and sit next to a person with a more interesting job, try to understand the data and find mistakes (everyone is a human). If your boss/supervisor sees you are a critical thinker and you understand the data, you will not stay long in this position.
Try to move up and go to conferences and meetings. Learn more about the ISMS tool and play with a test database. Learn more about data/question selection part-> if you know how this works, you are ready to move up.
The challenges
If you do this job, you need superior soft skills. The reason is, you deal with one massive problem: Law and compliance makers do not always have an idea about how technology works or the guidelines are from the "Stone Age." On top of it, developers can do a lot, but not everything for the lowest price, and the most secure product does not work in a combat situation.
Some requirements are technically impossible.
As an Information Security Manager, you have to find a balance, and sometimes, you break the rules. If you do that, talk to the customer first....
If you do this job, you need superior soft skills. The reason is, you deal with one massive problem: Law and compliance makers do not always have an idea about how technology works or the guidelines are from the "Stone Age." On top of it, developers can do a lot, but not everything for the lowest price, and the most secure product does not work in a combat situation.
Some requirements are technically impossible.
As an Information Security Manager, you have to find a balance, and sometimes, you break the rules. If you do that, talk to the customer first....
The following picture gives you a realistic example of a "real" product. An External Loading Unit is a big laptop, and you can transfer data in an aircraft, and you get the data out of an airplane.
Conclusion
Working as an Information Security Manager can be a great job. You can do many different activities, talk to developers, leaders, see a product growing, and your abilities to solve "impossible" problems allows the developers to create a compliant product --> and the customer is happy about it.
You are a key component of a successful and compliant product.
This job never gets boring, because each product is new and work with new people all the time. One disadvantage: This job is ultra-challenging, and therefore people in this field have between 5 and >20 years of work experience before they move into such a position. I had about 13 to 14 years of related work experience before doing this as a "side" job.
Working as an Information Security Manager can be a great job. You can do many different activities, talk to developers, leaders, see a product growing, and your abilities to solve "impossible" problems allows the developers to create a compliant product --> and the customer is happy about it.
You are a key component of a successful and compliant product.
This job never gets boring, because each product is new and work with new people all the time. One disadvantage: This job is ultra-challenging, and therefore people in this field have between 5 and >20 years of work experience before they move into such a position. I had about 13 to 14 years of related work experience before doing this as a "side" job.
© 2021. This work is licensed under a CC BY-SA 4.0 license