Personal attributes

remaining calm under pressure
influencing at an organisational level
forward thinking
staff management
budget management
project management
strategic-level thinking
evaluating the probable social, commercial, cultural, ethical and environmental consequences of an action

Specialist skills

high-level risk management
applying cyber security standards, such as ISO 27001, and sector-specific requirements, such as PCI-DSS
engaging with regulatory authorities
leading cultural change on cyber security at an organisation level

CIISec Skills Groups* (additional Skills Groups may also be relevant to particular jobs)

The requirement for a manager to have skills in each of the Skills Groups listed below will depend on the scope of their responsibilities. Only a very senior manager, such as a Chief Information Security Officer (CISO), may need skills in all the Groups.

A1 – Governance

Principles:

directs, oversees, designs, implements or operates within the set of multi-disciplinary structures, policies, procedures, processes and controls implemented to manage Cyber and Information Security at an enterprise level, supporting an organisation’s immediate and future regulatory, legal, risk, environmental and operational requirements and ensuring compliance with those requirements

A2 – Policy and Standards

Principles:

directs, develops or maintains organisational Cyber and Information Security policies, standards and processes using recognised standards (e.g. the ISO/IEC 27000 family, the Security Policy Framework) where appropriate
applies recognised Cyber and Information Security standards and policies within an organisation, programme, project or operation

A3 – Information Security Strategy

Principles:

directs, develops or maintains plans and processes to manage Cyber and Information Security risks appropriately and effectively, whilst complying with legal, statutory, contractual, and business requirements

A4 – Innovation & Business Improvement

Principles:

recognises potential strategic application of Cyber and Information Security and initiates investigation and development of innovative methods of protecting information assets, to the benefit of the organisation and the interface between business and information security

exploits opportunities for introducing more effective secure business and operational processes

A5 – Behavioural Change

Principles:

identifies Cyber and Information Security awareness, training and culture management needs in line with security strategy, business needs and strategic direction, and gains management commitment and resources to support these needs
manages the development or delivery of Cyber and Information Security awareness and training, behavioural analysis programmes and/or security culture management programmes, applying analysis of human factors as appropriate

A6 – Legal and Regulatory Environment and Compliance

Principles:

understands the legal and regulatory environment within which the business operates
ensures that Information Security Governance arrangements are appropriate
ensures that the organisation complies with legal and regulatory requirements

A7 – Third Party Management

Principles:

identifies and advises on the technical, physical, personnel and procedural risks associated with third party relationships, including systems development and maintenance, contracts, end of service, outsourced service providers and business partners and sub contracting. Assesses the level of confidence that third party Cyber and Information Security capabilities/services operate as defined

H1 – Business Continuity and Disaster Recovery Planning

Principles:

contributes to defining the need for, and the development of Business Continuity Management (BCM) and Disaster Recovery (DR) Plans, Processes or Functions

H2 – Business Continuity and Disaster Recovery Management

Principles:

contributes to the implementation, operation and maintenance of Business Continuity and Disaster Recovery Processes or Functions

H3 – Cyber Resilience

Principles:

contributes to the development and implementation processes to anticipate, recognise and defend against changing Cyber and Information risk environments which threaten business stability, and the development and implementation of plans to introduce an holistic culture of Information Security across an organisation aimed at identifying and reacting promptly and effectively to incidents

J1 – Management, Leadership and Influence

Principles:

works effectively in teams, either as a member or leader

encourages and supports others to meet objectives and to develop as Information Security professionals
is a leader on Information Security issues, either locally or across an organisation
provides technical leadership in a professional field, either within an organisation or across an industry sector

J2 – Business Skills

Principles:

understands local or corporate business aims and uses this knowledge to maximise the cost-effectiveness of Information Security
contributes to the development of cost-effective corporate Information Security strategy; takes action to achieve greater corporate efficiency in line with strategic aims
takes reasoned decisions on Information Security based on business aims and influences

*Non-Commercial - No Derivatives (BY-NC-ND) license. 2021 Copyright © The Chartered Institute of Information Security. All rights reserved. Chartered Institute of Information Security®, CIISec. Chartered Institute of Information Security®, CIISec®, AfCIIS®, ACIIS®, MCIIS®, FCIIS® and the CIISec graphic logo are trademarks owned by The Chartered Institute of Information Security and may be used only with express permission of CIISec.

Experience

There may be the ability to move into a management role from a senior level in any career if experience includes risk management, resource management and strategic thinking. However, there will generally need to be at least a few years of direct experience in a cyber security role. This will have probably been gained as a team leader or, in a small organisation, as a senior cyber security professional responsible for one or several cyber security functions.

Careers or roles that may provide a good foundation for moving into cyber security management without extensive cyber security experience include:

IT system management
financial management
security management

Cyber Security Management

More about a career in cyber security management

An introduction to this specialismWorking life

An introduction to this specialism

What will your responsibilities include? What are your tasks likely to include?Responsibilities

What will your responsibilities include? What are your tasks likely to include?

What personal attributes might you need? What specialist skills are important?Skills

What personal attributes might you need? What specialist skills are important?

What core, related and wider knowledge is important for working in this specialism?Knowledge

What core, related and wider knowledge is important for working in this specialism?

What other cyber security or IT role might you progress to from this specialism?Moving on

What other cyber security or IT role might you progress to from this specialism?

Which certifications and qualifications are relevant to roles in this specialism?Qualifications

Which certifications and qualifications are relevant to roles in this specialism?