Cyber Security Management is the management of cyber security resources, staff and policies at an enterprise level in line with business objectives and regulatory requirements.
Cyber Security Management is responsible for at least some of the cyber security functions in an organisation. They may set and manage policies, and ensure that colleagues, both in cyber security and other departments comply with them. They may also manage staff, money, or other resources to achieve the most effective results possible.
Depending on the size of an organisation, there can be some differences. In a smaller organisation, a Cyber Security Manager might be hands-on in some areas:
In a larger organisation, a Cyber Security Manager may have less opportunity to be hands-on, instead, spending more time on generic management responsibilities, including budget, people, and recruitment.
As Cyber Security Management is a senior role – perhaps with the title of Chief Information Officer (CISO) - they establish and operate the cyber security strategy. It is likely that they will work with other senior managers from other departments within the organisation.
Cyber Security Management ensures that the cyber security efforts and resources of the organisation are applied efficiently and effectively to protect both its systems and services and the information it holds. This is so that the organisation can fully realise the value of these assets, while simultaneously complying with legal, regulatory and ethical constraints.
In detail, you might:
In addition, the Chief Information Security Officer (CISO) (or whichever role is responsible for overall cyber security functions):
For Cyber Security Management roles, titles include:
A Cyber Security Management role could earn between £60,000 and £90,000 a year, with a Chief Information Security Officer earning up to £130,000. The median figure for senior Cyber Security Management roles in February 2021 was £95,000.
The salary range is based on job vacancy advertisements published online in February 2021. They may not be representative of the salaries for such roles in all sectors or all regions. Median salary figures are taken from calculations performed by www.itjobswatch.co.uk in March 2021.
Note that these figures are based on small sample sizes: few senior roles are advertised, and historically the results of the calculation of average salaries have been very volatile, with large swings between months.
Each of the 16 specialisms are based on knowledge areas within CyBOK.
More information on CyBOK knowledge areas can be found here.
Here are the knowledge areas associated with Cyber Security Governance & Risk Management
Core knowledge – you will need a very good understanding of these areas
Security management systems and organisational security controls, including standards, best practices, and approaches to risk assessment and mitigation.
International and national statutory and regulatory requirements, compliance obligations, and security ethics, including data protection and developing doctrines on cyber warfare.
The configuration, operation and maintenance of secure systems including the detection of and response to security incidents and the collection and use of threat intelligence.
Related knowledge – you will need a solid understanding of these areas
Techniques for protecting personal information, including communications, applications, and inferences from databases and data processing. It also includes other systems supporting online rights touching on censorship and circumvention, covertness, electronic elections, and privacy in payment and identity systems.
Usable security, social & behavioural factors impacting security, security culture and awareness as well as the impact of security controls on user behaviours.
Wider knowledge – these areas will help to provide context for your work
Someone in a cyber security management role would generally benefit from having a broad understanding of all the other Knowledge Areas in CyBOK.
CIISec Skills Groups* (additional Skills Groups may also be relevant to particular jobs)
The requirement for a manager to have skills in each of the Skills Groups listed below will depend on the scope of their responsibilities. Only a very senior manager, such as a Chief Information Security Officer (CISO), may need skills in all the Groups.
A1 – Governance
A2 – Policy and Standards
A3 – Information Security Strategy
A4 – Innovation & Business Improvement
A5 – Behavioural Change
A6 – Legal and Regulatory Environment and Compliance
A7 – Third Party Management
H1 – Business Continuity and Disaster Recovery Planning
H2 – Business Continuity and Disaster Recovery Management
H3 – Cyber Resilience
J1 – Management, Leadership and Influence
J2 – Business Skills
*Non-Commercial - No Derivatives (BY-NC-ND) license. 2021 Copyright © The Chartered Institute of Information Security. All rights reserved. Chartered Institute of Information Security®, CIISec. Chartered Institute of Information Security®, CIISec®, AfCIIS®, ACIIS®, MCIIS®, FCIIS® and the CIISec graphic logo are trademarks owned by The Chartered Institute of Information Security and may be used only with express permission of CIISec.
There may be the ability to move into a management role from a senior level in any career if experience includes risk management, resource management and strategic thinking. However, there will generally need to be at least a few years of direct experience in a cyber security role. This will have probably been gained as a team leader or, in a small organisation, as a senior cyber security professional responsible for one or several cyber security functions.
Careers or roles that may provide a good foundation for moving into cyber security management without extensive cyber security experience include:
From a lower-level Cyber Security Management role in a small or medium-sized cyber security organisation or department, you might move into the Chief Officer role (which may be titled the Chief Information Security Officer, or CISO).
From a lower-level cyber security management role in a large cyber security organisation or department, you might move into a team or departmental management role. From a senior management role, you might move into the Chief Officer role (or CISO).
Our qualifications framework is currently under development. Sign up to our newsletter here to be notified when this is published.
Entry route information can be found here.
You can also visit the National Cyber Security Centre website at the links below: