Information security coordinator

by John Bandler

An information security coordinator is a person designated to be in charge of information security and cybersecurity in a small or mid-sized organization.

Why designate someone to be in charge of cybersecurity?

To properly manage something, someone needs to be in charge of it. That person needs to be inside the organization, even if they also rely upon people outside the organization.

If no one is in charge, if no one is designated to work on it, chances are good nothing will get done, or whatever gets done isn't done efficiently. Especially in an area with the complexities of cybersecurity.

What do we call that person's role / title?

I like the term "information security coordinator" because it states a role and responsibility, but does not imply a level of training, experience, or authority that might not necessarily exist. It works for most small and mid-sized organizations.

Here's a summary of some possibilities and why they work or don't work.

  • Information Security Coordinator: My top pick. Shows the "coordination" aspect, provides a title, but doesn't overstate the role
  • Cybersecurity Coordinator: Almost equally good. I prefer the above because to me it seems like it covers more ("all information", not just cyber)
  • Information Security Officer (ISO): May not be the right name in many cases. This is often a specialized role requiring certain prerequisites, usually working under a CISO.
  • Chief Information Security Officer (CISO): Again, this may not be right in many cases. This implies an individual on a career path with specialized education, training, and experience, supervising others. Few small or mid sized organizations have an employee properly qualified to claim this title, or the practical ability to hire such a person.

Why can't we outsource this role?

Organizations rely upon outside vendors and service providers for many things and this can extend to cybersecurity and information governance.

But they cannot outsource all decision making nor the ultimate responsibility for cybersecurity. After all, someone in the organization needs to make decisions about which outside vendors to use and why. Not every outside provider is perfect, and even when they are the organization still needs to make its own decisions.

Whether the organization is seeking or obtaining advice from lawyers, cybersecurity consultants, information technology providers, or cybercrime incident response providers, they want to (1) find competent professionals but also (2) always retain the final decision-making ability.

To properly manage something, someone needs to be in charge of it. That person needs to be inside the organization.

Think of it this way also. Suppose you do outsource the role. How do you select that person/vendor, how do you know that person/vendor is doing a good job, and how would you know when it is time to find another, and who to pick? Someone inside the organization needs to work on that!

Who should be in charge?

First, let’s assume you are not specifically hiring a person for this as a full-time role, but instead have existing employees and need to pick one of them to fill this additional role.

If you have an IT professional who is an employee of the company and with the below aptitudes, they are the logical candidate. But many organizations do not have a full-time IT professional on staff.

The person you designate as in charge of information security should be an employee with a good head on their shoulders, good common sense, with an ability to see the big picture and also master details. They will need good communication skills, ability to work a computer, and some degree of technical knowledge plus a desire to improve upon it.

This employee would liaise with outside IT and information security professionals and inside governance (management).

The person will need sufficient authority—either by their own position or appropriate backing by someone in a higher position—to ensure cybersecurity is appropriately prioritized and necessary tasks get accomplished.

How much time should they devote?

Clearly, the organization and designated individuals need to devote “reasonable” time to the important management of cybersecurity. That will depend upon each organization, but the amount of time must be greater than zero.

Imagine the continuum of all organizations in this country. The biggest might have hundreds of full-time information security professionals, plus an even bigger team of IT professionals. The smallest organization has none, and then there is everywhere in between.

But the unifying takeaway is that every organization needs to spend a reasonable amount of time and resources on cybersecurity. Reasonable for its own circumstances.

We know that zero is not enough, some might call that negligent. So let's work with something that helps us, defends us, and is defensible.

You may need a village - a committee

Organizations can also consider forming a standing committee to help make decisions about information assets and systems and how they are managed. This could be called an Information Governance Committee. Some decisions on IT, providers, platforms and applications can be critical with long term impact across the entire business. Forming a committee of stakeholders can help ensure issues are addressed ahead of time and better business decisions are made.

People who should be on this committee include:

  • High level managers of the organization
  • The information security coordinator
  • Various stakeholders in various roles who are committed to the organization and protecting and improving it.
  • Traits that are desirable include:
  • Good common sense and an ability to follow facts and logic, assess risks, and make or advise for reasonable decisions.
  • Committed to the organization and protecting and improving it.
  • Can devote a reasonable amount of time to help assess and give solid input or advice.
  • A degree of technical knowledge is desirable, or at least a willingness to learn or listen about it.

See my other article on the information governance committee.

Disclaimer

This article is (of course) not tailored to your circumstances, nor is it legal or consulting advice.

This is to inform and you assume all risk for cybersecurity decisions you make. This is an introduction and more can be written on this topic.

I may explain nuances further in other articles, or one of my books. Other experts may have differing opinions.

Ask ten different IT or IS experts, you will get ten or more different definitions for a term, and as many different recommendations for cybersecurity posture. Cybersecurity is about decisions and risk management.

Conclusion

Designating someone to be in charge of information security in an organization is essential, otherwise it will probably not be managed well.

Well managed organizations properly govern their information assets, including people, computer devices, data, and networks.

If your organization has not yet designated someone to take responsibility for cybersecurity, now is the time.

If you are that person in charge of cybersecurity and need help, or if your organization needs help with cybersecurity, feel free to contact me.

Additional reading

This article is hosted at https://johnbandler.com/information-security-coordinator, copyright John Bandler, all rights reserved.

Originally posted 4/28/2024, updated 9/26/2024.