Information System Security Officer (ISSO)

From: Canadian Centre for Cyber Security

This is an ad-hoc management role within cyber security that is primarily engaged in oversight and reporting of information system security within a department, branch, or organization. This role is primarily responsible for local planning and management of the security of system(s) over which they have been given authority. This role may report indirectly or directly to the CISO or another authority (e.g. Corporate security officer or Chief information officer or their delegate).

On this page

NICE framework reference

None.

Consequence of error or risk

Error, neglect, outdated information, or poor judgment could result in decisions or actions that could compromise the security of the system over which the ISSO has authority. Depending on the system, this could have a significant impact on the business. A lack of a full appreciation of the business needs for security will jeopardize the security posture of the organization in the face of evolving threats.

Development pathway

This is commonly a part-time role assigned or assumed by an individual with some technical experience but is not normally a "cyber security professional". In small and medium organizations this role may also be an IT manager or senior manager with some technical or security experience.

Other titles

  • Chief security officer
  • Departmental security officer
  • Information security director

Note: depending on the size of the organization and the reliance on IT, this occupational role may be subsumed within the responsibilities of the chief information officer, chief technology officer, chief resiliency officer or similar role.

Related National Occupational Classifications

0213 – Communication and Information Systems Managers

Tasks

  • Collaborate with key stakeholders to plan and establish an effective cyber security risk management program
  • Ensure compliance with the changing laws and applicable regulations
  • Develop and implement strategic plans that are aligned to the organizational objectives and security requirements
  • Direct and approve the design of cyber security systems
  • Identify, acquire and oversee management of financial, technical and personnel resources required to support cyber security objectives
  • Advise other senior management on cyber security programs, policies, processes, systems, and elements
  • Ensure development and implementation of security controls to support organizational objectives
  • Review, approve, oversee monitoring of cyber security policies and controls
  • Ensure incident response, disaster recovery and business continuity plans are in place and tested
  • Draft terms of reference, oversee and review cyber security investigations
  • Maintain a current understanding the IT threat landscape for the business context
  • Schedule and oversee security assessments and audits
  • Oversee and manage vendor relations related to acquired IT security products and services
  • Supervise or manage protective or corrective measures when a cyber security incident or vulnerability is discovered

Required qualifications for education

Post-secondary education in a cyber or IT related field (e.g. Computer engineering, Computer Science, IT, Business Technology Management – Digital Security or equivalent).

Required training

As required to support the role for example cyber security team management, incident management and cyber security planning would be an asset.

Required work experience

3 to 5 years’ experience in IT domain with some management experience.

Tools and technology

  • Strategic and business plans
  • Threat and risk assessments
  • Vulnerability management processes and vulnerability assessments
  • Incident management processes and procedures
  • Security event and incident management systems and/or incident reporting systems and networks
  • Cyber security risk management processes and policies
  • Privacy and security legislation
  • Organizational security infrastructure and reporting systems

Competencies

Underpinning this occupation are those competencies demonstrated for an executive level which include those identified within the NICE framework.

Basic application of the following knowledge, skills, and abilities (KSAs):

  • Integrated/organizational security concepts, principles and practice (software, system, data, physical and personnel)
  • Preventative technical, operational and management controls available and organizational responsibilities for those controls
  • Sector/context relevant threats, business needs and technical infrastructure
  • Project management and security requirements throughout the project lifecycle
  • Supply chain vulnerabilities and integrity

Advanced application of the following KSAs:

  • Organizational threats and vulnerabilities including:
    • Cyber security threat landscape
    • Vulnerability management requirements and the range of potential mitigations available when a vulnerability management protocol does not exist
    • Organizational security infrastructure including protective and defensive systems
  • Cyber security team management
  • Developing, implementing and allocating resources, personnel and technology to address organizational security objectives
  • Identifying requirements and developing cyber security and cyber security risk management policies and procedures
  • Supplier management (if IT or security services are outsourced)
  • Organizational communications, public communications and communicating during a crisis
  • Cyber security program management, measures, and monitoring

Future trends affecting key competencies

  • The increased reliance on virtualized and/or "cloud-based" services will require knowledge of responsibilities of the services provider including their cyber security responsibilities relative to organizational cyber security risks. As a senior security advisor to management, this role will need a full appreciation of the business risks is required.
  • If practiced within the organization, there will be a requirement to fully understand the security implications of "bring your own devices" (BYOD) and managing the associated risks.
  • Increased use of automated tools, aided by artificial intelligence, will require understanding of how the tools will be integrated into the organizational security infrastructure and the implications to personnel, resources, procedures, and policies. This will need to be integrated into a security strategy and action plan for the organization.
  • Increased use of automated tools by threat actors poses challenges for organizations that do not have complementary defensive tools. Accordingly, creative, locally relevant mitigation strategies will be required.
  • Mechanisms to support the required level of trust and organizational risk will need to be in place to support monitoring and reporting of results from automated tools. Consequently, there will be a need to understand organizational risks posed, measures of security and what policies, processes, or procedures need to be in place. Actions will also need to consider the organizational constraints and alternatives.
  • The emergence and use of quantum technologies by threat actors will fundamentally change encryption security. This will require advanced knowledge and skills related to implementing a quantum safe strategy and supporting processes within the organization.
Report a problem on this page

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Please select all that apply:

Thank you for your help!

You will not receive a reply. For enquiries, please contact us.

Date modified: