Free download of the English article "Understanding key skills for information security managers" - Elsevier 2018

Persian title
Understanding key skills for information security managers
English title
Understanding key skills for information security managers
Pages in the Persian article
0
Pages in the English article
8
Year of publication
2018
Publisher
Elsevier
Format of the English article
PDF
Article type
ISI
Type of writing
Research articles
References
Yes
Database
Scopus
Product code
E10211
Fields related to this article
Computer engineering
Specializations related to this article
Information security
Journal
International Journal of Information Management
University
Information System Engineering - Atilim University - Ankara - Turkey
Keywords
Information security management, security skills, information security manager, security certifications
DOI or digital identifier
https://doi.org/10.1016/j.ijinfomgt.2018.07.013
ABSTRACT


Information security management is a necessity for all institutions and enterprises that regard company information as valuable assets. Developing, auditing and managing information security depends upon professional expertise in order to achieve the desired information security governance. This research seeks the key skills required for the position of information security management as well as the methods to develop these skills through professional training programs. The study adopts the Delphi method which requires building a list of items through a literature survey and involves experts with certain expertise to modify the list until a consensus on less than 20% of the items is reached. Through completing three rounds of the Delphi technique - data collection, relevance voting and ranking - sixteen skills are shortlisted as the key skills. In the final list, the majority belong to core information security skills, and the top two skills belong to project/process management skills and risk management skills, indicating the importance of these skills for the information security manager role. In addition, a series of related professional training programs and certifications are surveyed, the outcome of which highlights a number of most comprehensive and appropriate programs to develop these determined skills.

Conclusions


The first research question of this study was “what are the most important key skills to be possessed by ISMs as required by different ISMS frameworks and in accordance to market demands?”. The obtained list of the key skills is given in Table 2, from where we can conclude that ISMs should be able to design IT security systems, develop and implement information security policies, and ensure information security governance through coordination with executive management in order to provide the required security for corporate objectives. These skills are a product of an extensive understanding of the applied IT security standards and frameworks, including IEEE, IETF and ISO, NIST, COBIT and ISACA standards and frameworks. Furthermore, ISMs should be able to assess the efficiency of security teams as regards task performing, auditing information security systems for vulnerabilities through penetration testing, and managing any incidents that could occur during operations. The second research question of this study was “How can these skills be developed through professional certifications offered in the domain?”. To answer this question, vendor-neutral certifications are analyzed to determine whether they support the key skills determined for ISMs, and the obtained results are submitted in Table 3. Accordingly, it is apparent that the most efficient path in developing such skills is through registering with CISSP, which is considered as a key certification to acquire several technical and risk management skills, in addition to a few core information security skills. Furthermore, the next steps are recommended as acquiring the CISA and CISM certifications in order to obtain further risk management skills, as well as other important core information security skills.

