More about a career in cyber security management
In a Cyber Security Management role, you're responsible for at least some of the cyber security functions in an organisation. You may set and manage policies, and ensure that colleagues both in cyber security and other departments comply with them. You may manage staff, money or other resources to achieve the most effective results possible.
As a Cyber Security Manager in a small organisation, you're hands-on in some areas, such as designing or reviewing security controls, setting criteria for triaging incidents, overseeing the management of incidents, reviewing risks, and taking a broad view of threats and vulnerabilities.
In a larger organisation, you may have much less opportunity to be hands-on, spending most of your time on generic management responsibilities, including budgets, people and recruitment.
As the most senior cyber security practitioner - perhaps with the title Chief Information Security Officer (CISO) - you establish and operate the cyber security strategy. It's likely that you work with other senior managers from other departments on your organisation’s overall strategy and high-level performance. You report directly to the organisation’s senior management and you may even be on the board of management yourself.
As a Cyber Security Management specialist, you ensure that the cyber security efforts and resources of your organisation are applied efficiently and effectively to protect both its systems and services and the information it holds. This is so that the organisation can fully realise the value of these assets, while simultaneously complying with legal, regulatory and ethical constraints.
In detail, you might:
- ensure that the organisation’s cyber security policies and controls remain appropriate and proportionate to the assessed risks, and are responsive and adaptable to the changing threat environment, business requirements and relevant laws and regulations
- ensure that the organisation’s cyber security practice supports the business rather than restricts it
- in consultation with other managers, develop and implement a cyber security strategy
- manage the staff and resources of a cyber security team or the department to deliver the necessary cyber security controls and responses as efficiently as possible
- ensure that the cyber security team or department meets the organisation’s standards on equality and inclusion and supports the values and ethical aims of the organisation
- drive the professional development of the team or department’s cyber security staff
In addition, the CISO (or whichever role is responsible for overall cyber security functions):
- as part of the senior management team, contributes to the organisation’s strategy, pursuit of high standards of behaviour and efficiency
- is the primary point of contact on Cyber Security issues with key stakeholders across the organisation and outside
- represents the interests of the cyber security team or department and its staff in decision-making at higher levels, including at enterprise level
- advises and informs the organisation’s senior managers on the effectiveness of the cyber security strategy
The number of levels of role in this specialism varies substantially, depending on the type and size of your organisation.
Roles range from:
- team manager, running a Security or Network Operations Centre (SOC or NOC)
- departmental manager
- Chief Officer, in the most senior position (responsible for delivering all cyber security requirements)
If the most senior role is focused only on cyber security, it may be labelled as Chief Information Security Officer (CISO). In some organisations, this responsibility may be exercised by the Chief Technology Officer or someone with other specialist responsibilities, such as the Chief Security Officer or Chief Finance Officer.
- remaining calm under pressure
- influencing at an organisational level
- forward thinking
- staff management
- budget management
- project management
- strategic-level thinking
- evaluating the probable social, commercial, cultural, ethical and environmental consequences of an action
- high-level risk management
- applying cyber security standards, such as ISO 27001, and sector-specific requirements, such as PCI-DSS
- engaging with regulatory authorities
- leading cultural change on cyber security at an organisation level
CIISec Skills Groups* (additional Skills Groups may also be relevant to particular jobs)
The requirement for a manager to have skills in each of the Skills Groups listed below will depend on the scope of their responsibilities. Only a very senior manager, such as a CISO, may need skills in all of the Groups.
A1 – Governance
- directs, oversees, designs, implements or operates within the set of multi-disciplinary structures, policies, procedures, processes and controls implemented to manage Cyber and Information Security at an enterprise level, supporting an organisation’s immediate and future regulatory, legal, risk, environmental and operational requirements and ensuring compliance with those requirements
A2 – Policy and Standards
- directs, develops or maintains organisational Cyber and Information Security policies, standards and processes using recognised standards (e.g. the ISO/IEC 27000 family, the Security Policy Framework) where appropriate
- applies recognised Cyber and Information Security standards and policies within an organisation, programme, project or operation
A3 – Information Security Strategy
- directs, develops or maintains plans and processes to manage Cyber and Information Security risks appropriately and effectively, whilst complying with legal, statutory, contractual, and business requirements
A4 – Innovation & Business Improvement
- recognises potential strategic application of Cyber and Information Security and initiates investigation and development of innovative methods of protecting information assets, to the benefit of the organisation and the interface between business and information security
- exploits opportunities for introducing more effective secure business and operational processes
A5 – Behavioural Change
- identifies Cyber and Information Security awareness, training and culture management needs in line with security strategy, business needs and strategic direction, and gains management commitment and resources to support these needs
- manages the development or delivery of Cyber and Information Security awareness and training, behavioural analysis programmes and/or security culture management programmes, applying analysis of human factors as appropriate
A6 – Legal and Regulatory Environment and Compliance
- understands the legal and regulatory environment within which the business operates
- ensures that Information Security Governance arrangements are appropriate
- ensures that the organisation complies with legal and regulatory requirements
A7 – Third Party Management
- identifies and advises on the technical, physical, personnel and procedural risks associated with third party relationships, including systems development and maintenance, contracts, end of service, outsourced service providers, business partners and sub-contracting; assesses the level of confidence that third party Cyber and Information Security capabilities/services operate as defined
H1 – Business Continuity and Disaster Recovery Planning
- contributes to defining the need for, and the development of Business Continuity Management (BCM) and Disaster Recovery (DR) Plans, Processes or Functions
H2 – Business Continuity and Disaster Recovery Management
- contributes to the implementation, operation and maintenance of Business Continuity and Disaster Recovery Processes or Functions
H3 – Cyber Resilience
- contributes to the development and implementation of processes to anticipate, recognise and defend against changing Cyber and Information risk environments which threaten business stability, and to the development and implementation of plans to introduce a holistic culture of Information Security across an organisation aimed at identifying and reacting promptly and effectively to incidents
J1 – Management, Leadership and Influence
- works effectively in teams, either as a member or leader
- encourages and supports others to meet objectives and to develop as Information Security professionals
- is a leader on Information Security issues, either locally or across an organisation
- provides technical leadership in a professional field, either within an organisation or across an industry sector
J2 – Business Skills
- understands local or corporate business aims and uses this knowledge to maximise the cost-effectiveness of Information Security
- contributes to the development of cost-effective corporate Information Security strategy; takes action to achieve greater corporate efficiency in line with strategic aims
- takes reasoned decisions on Information Security based on business aims and influences
*Non-Commercial - No Derivatives (BY-NC-ND) license. 2021 Copyright © The Chartered Institute of Information Security. All rights reserved. Chartered Institute of Information Security®, CIISec. Chartered Institute of Information Security®, CIISec®, AfCIIS®, ACIIS®, MCIIS®, FCIIS® and the CIISec graphic logo are trademarks owned by The Chartered Institute of Information Security and may be used only with express permission of CIISec.
You may be able to move into a management role from a senior level in any career if your experience includes risk management, resource management and strategic thinking. However, you will generally need to have at least a few years of direct experience in a cyber security role. This will probably have been gained as a team leader or, in a small organisation, as a senior practitioner responsible for one or several cyber security functions.
Careers or roles that may provide a good foundation for moving into cyber security management without extensive cyber security experience include:
- IT system management
- financial management
- security management
Working in a cyber security role requires specialist knowledge, and some roles require a lot. Such knowledge can be acquired in several ways and, although the requirements for any given role are described here in terms of Knowledge Areas (KAs) from the Cyber Security Body of Knowledge (CyBOK), this doesn't mean that a cyber security specialist must read the relevant sections of CyBOK.
Increasingly, however, cyber security qualifications, training and skills definitions are being mapped to CyBOK - so the KAs are a good way of describing the knowledge associated with a specialism.
As a Cyber Security Manager at any level, you'll typically use the knowledge in the KAs listed below, although not always to the same level of detail. You're most likely to need a very good understanding of the Core Knowledge, which is essential to performing the role. You may still need a good understanding of the Related Knowledge but not to quite the same degree. You may need a much less detailed understanding of the Areas under Wider Knowledge, which provides context for your work.
Security management systems and organisational security controls, including standards, best practices, and approaches to risk assessment and mitigation.
International and national statutory and regulatory requirements, compliance obligations, and security ethics, including data protection and developing doctrines on cyber warfare.
The configuration, operation and maintenance of secure systems including the detection of and response to security incidents and the collection and use of threat intelligence.
Techniques for protecting personal information, including communications, applications, and inferences from databases and data processing. It also includes other systems supporting online rights touching on censorship and circumvention, covertness, electronic elections, and privacy in payment and identity systems.
Usable security, social & behavioural factors impacting security, security culture and awareness as well as the impact of security controls on user behaviours.
Someone in a cyber security management role would generally benefit from having a broad understanding of all the other Knowledge Areas in CyBOK.
Within an organisation, you're most likely to move into Cyber Security Management from a role in:
- Cyber Security Audit & Assurance
- Cyber Security Governance & Risk Management
- Cyber Threat Intelligence
- Secure Operations
Alternatively, you may move into a Cyber Security Management role from:
- a role as a Cyber Security Generalist
- a senior practitioner role in any of the other specialisms
Or, you may have had a role in another part of the organisation, such as:
- business risk management
- corporate governance
- internal audit
- financial audit
- financial compliance
From a lower-level Cyber Security Management role in a small or medium-sized cyber security organisation or department, you might move into the Chief Officer role (which may be titled the Chief Information Security Officer, or CISO).
From a lower-level cyber security management role in a large cyber security organisation or department, you might move into a team or departmental management role. From a senior management role, you might move into the Chief Officer role (or CISO).
Cyber Security Management roles may be titled:
- Head of Cyber Security
- Cyber Security Manager
- Chief Information Security Officer (CISO)
- Director of Information & Cyber Security
A cyber security manager might earn between £60,000 and £90,000 a year, with a Chief Information Security Officer earning up to £130,000. The median figure for senior cyber security management roles in February 2021 was £95,000.
The salary range is based on job vacancy advertisements published online in February 2021. They may not be representative of the salaries for such roles in all sectors or all regions. Median salary figures are taken from calculations performed by www.itjobswatch.co.uk in March 2021.
Note that these figures are based on small sample sizes: few senior roles are advertised, and historically the results of the calculation of average salaries have been very volatile, with large swings between months.