How to Become a Security Manager

The path to becoming a security manager can be long. Getting a job in the field requires at least a bachelor's degree plus several years of relevant professional experience. Some employers prefer a master's degree and/or a professional certification.

Even though it takes significant work to become a cybersecurity manager, the result can be worth the effort. This is a lucrative career in a fast-growing field.

The Bureau of Labor Statistics (BLS) projects a 16% job growth rate — much faster than average — from 2021-2031 for computer and information systems managers. This category includes information technology (IT) security managers.

This page provides an in-depth exploration of how to become a security manager. Find out what kind of education, experience, and professional certification you may need to step into a security manager role.

What Is a Security Manager?

Security managers — also called cybersecurity managers or IT security managers — oversee an organization's information security. This high-level role involves supervising security software upgrades and coordinating incident response. Security managers also train and manage cybersecurity personnel.

Security managers need skills and knowledge in computer science, general IT, and cybersecurity. This role relies on strong analytical, leadership, communication, and business abilities. Popular work environments for security managers include the computer systems design, information, finance and insurance, and management industries.

A security manager's job includes supervising other IT professionals, like information security analysts and computer support specialists. Security managers also interact with high-level managers and executives for their organizations.

Education Requirements for Security Managers

The education requirements for a security manager vary by position, employer, and industry. However, a bachelor's degree is typically the minimum standard for this field. Appropriate majors include computer science, cybersecurity, information science, and information technology. General computer science programs may offer cybersecurity concentrations.

Many employers prefer candidates with a master's degree in business administration or in another field that develops management, business, and technology skills. In some cases, employers may accept professional experience as a substitute for education or vice versa.

In general, the more degrees a security manager earns, the better their job prospects and salary potential. Once in a security manager role, professionals should pursue continuing education. The cybersecurity field changes constantly, so security managers need to stay on top of new technologies and evolving best practices.

Explore Your Degree Options

• Bachelor’s in Cybersecurity Programs
• Master's in Cybersecurity Programs
• Bachelor's in Information Assurance Programs
• Bachelor's in Information Technology Programs
• Computer Science Degree Programs
• Degrees in Business and Technology
• Information Systems Security Degree Programs
• IT Management Degree Programs

Internship Opportunities

Internships can allow students to get practical cybersecurity experience before they graduate. An internship can also help learners make professional connections that may lead to job offers. The length of an internship varies from weeks to months. The type of work that interns complete varies as well.

• Cyber Internships: Students can find paid cybersecurity internships at the Cybersecurity and Infrastructure Security Agency. Interns work closely with professionals on projects to keep the country's systems safe.
• Lockheed Martin Cybersecurity Internships: Lockheed Martin's thousands of internships include some cybersecurity positions. Interns get mentorship from their managers.

Experience Requirements for Security Managers

Experience requirements for a security manager role depend on the individual workplace. Security manager is a high-level position and may be part of the executive leadership. This means the experience requirements can be quite high.

Employers usually expect security managers to hold at least five years' relevant professional experience. For senior roles at large companies, security managers may need as much as 15 years' experience. Smaller organizations often require less experience.

Security managers get professional experience in other IT positions, like information security analyst or computer systems analyst. In some cases, education can substitute for experience. Some educational programs, including bootcamps, let students gain education and experience at the same time.

Required Certifications for Cybersecurity Managers

There are no mandatory certification requirements for a security manager career. However, a professional certification verifies your expertise. This validation can lead to more career advancement opportunities or a higher entry-level salary. Some employers prefer candidates who can prove their skills by earning a professional certification.

Some certifications are available through bootcamps or certificate programs. Security managers can earn others through professional organizations.

• Certified Information Security Manager: The CISM certification demonstrates advanced knowledge in risk management, information security governance, and program management. This credential can help security professionals move into management roles. Candidates must pass the CISM certification exam. CISM-holders must complete continuing education hours to maintain the credential.
• Certified Information Systems Security Professional: The CISSP credential shows that holders can create and manage cybersecurity programs. CISSP-holders get access to networking opportunities, resources, and educational tools. Applicants must pass an exam, complete at least five years of relevant professional experience, and agree to a code of ethics.

How Do I Become a Security Manager?

The typical process for becoming a security manager starts with an undergraduate program in a field like computer science or cybersecurity. Many employers prefer applicants with a graduate degree. This means that many security managers spend six full-time years pursuing higher education.

An internship can give real-world experience to students or recent graduates. Although not an industry requirement, many security managers earn a professional certification to prove their skills. Security manager positions often demand at least five years' relevant professional experience.

Between education and experience requirements, many security managers spend more than a decade preparing for their first role. Explore our list below for detailed steps that explain how to become a security manager.

CyberDegrees.org is an advertising-supported site. Featured or trusted partner programs and all school search, finder, or match results are for schools that compensate us. This compensation does not influence our school rankings, resource guides, or other editorially-independent information published on this site.

Match me with a bootcamp.

Find programs with your skills, schedule, and goals in mind.

Match me to a bootcamp

Steps to Working in Security Management

1. Earn a Bachelor's Degree. Your first step to becoming a security manager should be a bachelor's degree. Good majors to consider include computer science, cybersecurity, and information science. You may be able to add a concentration in information security to another degree. A typical bachelor's program takes four full-time years to complete.
2. Complete an Internship. Look for internship opportunities during or after your bachelor's program. Internships provide hands-on work experience. As an intern, you may make professional connections that can help you land your first job in the field.
3. Get Certified. Security management roles do not require a specific professional certification. However, many employers prefer candidates with a credential that proves their skills. Certification applicants must usually hold a related degree, pass an exam, and complete a minimum number of work hours. You may need to complete continuing education to keep your certification valid.
4. Build Relevant Professional Experience. Many cybersecurity managers need more than five years of professional IT experience to qualify for their roles. Senior-level positions require even more time, up to 10 years. Extremely high-level roles may demand 15 years of experience in the field.
5. Pursue a Master's Degree. Many employers prefer or require IT security managers to complete graduate education. An MBA is a popular option for security managers. This degree usually takes about two full-time years to complete, with many people working while in graduate school.
6. Participate in Continuing Education. Once you land a security manager role, make sure to keep up with new technologies and changes in the field. Consider completing continuing education or professional development hours. You can also stay up to date by reading industry-related articles and attending cybersecurity workshops and conferences.

Should I Become a Security Manager?

A career as a security manager can offer a lucrative salary, many types of career opportunities, and future advancement potential. Tech professionals who enjoy working with computers, solving problems, and leading people may thrive in this role.

Now is a smart time to consider a career in cybersecurity. Demand for skilled professionals outpaces supply, a trend that is likely to continue in the near future. Strong need for cybersecurity managers means that employees can expect job stability and negotiating power.

Still, becoming a security manager takes time and hard work. Aspiring professionals must complete education requirements and gain relevant professional experience. It can be a long road from starting in a bachelor's program to landing your first security manager role. Weigh the pros and cons and consider the challenges involved in this demanding career path.

The Job Hunt

To find a job as a security manager, seek mentor recommendations, attend networking opportunities, and go to job fairs. Ask former classmates, instructors, and managers for leads. Joining a professional organization often gives access to local job postings, professional development events, and mentorship programs for early career professionals.

See below for helpful job boards to begin your search for security manager opportunities.

Indeed: One of the biggest job sites in the world, Indeed helps job-seekers research companies and find open positions. People can also post their resumes here.

ZipRecruiter: ZipRecruiter connects employers and job-seekers with opportunities. You can search jobs, research salaries, and read reviews of companies.

InfoSec-Jobs.com: This job site connects people with open positions in cybersecurity, ethical hacking, security engineering, and vulnerability analysis.

Dice: Dice allows tech professionals to discover new career opportunities. Users can filter job searches by distance, employment status, and remote options.

CareersinCyber.com: A top career site for the cybersecurity, tech risk, and IT governance industries, CareersinCyber.com posts roles at all levels.

Professional Spotlight: Dr. Lisa McKee Ph.D., CISA, CDPSE, CRISC

• What prompted your journey to become a security manager?

Security is not something that was taught when I first started college. In fact, I have held most of my roles before they were taught in schools. I was doing audit before they had information assurance programs. I have been doing privacy for many years, but just recently schools started having full degree programs for privacy. I am often asked how one gets into compliance, but I have yet to find degree programs for that. I got into security by chance. I was at a company working as a business analyst and the project was wrapping up when the CIO approached me and asked if I would be interested in doing security and taking over payment card industry compliance (PCI). I had little knowledge about PCI. I graciously accepted the position knowing I would have to learn and figure it out and was excited for the opportunity. I created my job title and wrote my job description. It was a new role for the organization, and I was the first security person. My title was information security and compliance analyst. I read many articles, took PCI specific training courses, and learned on the job. Each year that passed, my knowledge in the domain grew and I approached PCI assessments differently based on what I had learned.

• If you work in a particular industry, what prompted this choice and how did it evolve?

I have worked in many different industries. I select roles that align with my skillset. In each one I learn new things. The industry is not important, but it is vitally important to keep learning to be successful. Stay relevant, because you will quickly get left behind as soon as you stop learning, reading articles, networking and keeping up with industry changes. This is a rapidly changing domain, and one cannot sit by idly while the rest are moving forward at rapid speeds.

• What educational path did you take to become a security manager? (Did you pursue additional education at any point? What was the experience like?)

I am a lifetime learner and have seven degrees. I completed two Associate of Applied Science degrees in computer programming and microcomputer programming. Then I got my first job as a developer. I went on to complete a Bachelor of Science degree in management information systems with a minor in organizational communication and a Bachelor of Art degree in communication arts. I did this because most job postings asked for communication skills. We all know the stereotypes that developers do not know how to communicate, and I needed a way for my resume to stand out compared to others. Several years later, I completed a Master of Science degree in strategic leadership. Ever since then it has been my dream to be Dr. McKee. I graduated in May 2022 with a Doctor of Philosophy in cyber defense and a dissertation in privacy.

I have always worked full-time during the day and attended night classes. I am an in-person learner. Given my busy life with work and as a single parent raising a kid, I needed programs that were flexible. I was fortunate to have found accelerated degree programs that only met 1-2 nights a week for 4 hours each night. I completed dual accelerated bachelor’s degrees in a year. The accelerated master’s degree took 18 months. The Ph.D. program was the first time I ever attended a traditional public university and unfortunately, they also had traditional 16-week semesters. The program was not accelerated and initially I expected it would take five years to complete. Things just fell into place, and I was able to complete the full 72-credit program in 5 semesters, or 21 months. More amazingly, I completed the degree while having a highly demanding job working 80-90 hours a week, adjunct teaching, volunteering with professional groups, mentoring young women, speaking at conferences and events all over the country and still maintained a 4.0 GPA! I am the exception, not the norm. I am the statistic .0001% as a woman, in cybersecurity, management, with a Ph.D. Dreams do come true; with perseverance and determination, anything is possible.

Employers do not care where you get your degree, how much it cost, or how much debt you have. Be smart about school choices. I went to schools I could afford and chose degree programs that fit my learning style. Also, not all degrees are created equally. When selecting a degree program, carefully evaluate the classes and pick those that excite you and add to your body of knowledge. For example, I like accelerated in-person programs. They are harder to find but they are out there. I also chose programs with classes I wanted to take. A colleague and I both have MIS degrees. The colleague went to an engineering school that required lots of calculus, chemistry, and physics; my degree did not require those, but they are both MIS. Additionally, when looking for a Ph.D., it was hard finding a program that did not have computer programming. I already did that and knew I did not like it. I also knew I wanted a degree program in security since none of the other degrees or certifications I had were in security. It took nearly 10 years to find a degree program that fit my needs. I didn’t even find it myself; it was referred to me by a colleague when I mentioned I was having a hard time finding a degree program that aligned with my role. I did not know at the time, the university referred to me was only a few hours from my house and all but two classes in the program were things I do on a daily basis at my job. It was the perfect fit and so close to home! Employers care if you have a degree and can apply what you learned so be practical when choosing schools and degree programs.

Additionally, when choosing between certifications and education, that was an easy answer for me: education. Education does not require annual maintenance fees to keep it, it can never be taken away and I learn a lot more in a class reading articles, writing papers and classroom conversation than studying and passing a certification. Sure, education is more expensive, but for me it was also a more effective learning style.

• Did you have to pass any certifications or tests to enter the field or progress in your career? What were they like?

No, I had five degrees before ever sitting for a certification exam. The first one I did was the first offering of PCI ISA in 2010. While not required, I did it to learn, and it had additional benefits for my employer. Several years later in 2016, I obtained the first industry certification, and I only did it because my employer at the time required it. I tried to get out of it saying I had five degrees, but it was necessary to keep my job and I did it. I have since obtained two other certifications because I wanted to. It was a way to stay relevant and increase knowledge in areas of my job I do daily.

When selecting degrees or professional groups, choose ones that align with your interests. As a privacy professional, IAPP is most relevant for that. All other areas of my job I follow ISACA because they have many certifications and trainings in my area of expertise. ISC2 is popular for the CISSP. CompTIA is great for entry level and advanced technical certification and training. These are just a few, but there are many others. They are not all the same so select the ones that either align with your current role, desired future role or because you want to learn a new area. It is not necessary to have an alphabet of certifications after your name. A few is good but it is not necessary to have them all. Also, when deciding on certifications, it is easier to manage and most often cheaper to maintain with renewal fees if selecting a family of related certifications from the same professional group. For example, ISACA has CISM and ISC2 has CISSP. Both are viewed as security management type certifications. If unsure which is best for you, then look at what else the professional group has to offer, what are the annual maintenance fees, do they have other certifications that may be of interest to you in the future, and go from there.

• What advice do you have for individuals considering becoming a security manager?

Do not discredit prior experiences. Often people will say they are not qualified because they were a developer, network, or server admin. My response is, you were doing security in those roles and may not realize it. Applications are developed with security in mind, developers know secure coding guidelines. Network and server admins know how to secure devices, ensure access is restricted, and many other security controls. All that experience is relevant even if they were not specifically labeled security roles. In fact, having that knowledge in many ways makes the individual a better security person. They have done the job hands-on and know what to look for. They know how to mitigate security gaps or different options to solve security issues because they did the job. They can speak with the architects, engineers, and others and understand the technical speak because they most likely had to do that in prior roles. I would hire a person for a security role with a technology background anytime over hiring someone without it. It is not easy teaching someone all about technology but once they have the fundamentals, teaching them other aspects such as security, privacy and audit is much easier.

• What do you wish you'd known before becoming a security manager? (Any high and low points worth mentioning?)

I wish I knew the power networking has and the importance of just showing up to local professional group events. I did not start doing this until 15 years into my career, no one told me, and I was not a member of any groups since I did not have certifications. The relationships and colleagues I have met through these groups and events is priceless. It is great attending a professional meet-up and knowing most of the attendees. This is where most of my jobs have come by referral. It gives people an opportunity to get to know me and develop relationships. People I can reach out to and ask how they are responding to different attacks, threats, updates to laws, etc. There is no playbook for how to be a security manager, but reaching out to colleagues is the next best thing.

Resources for Future Security Managers

FAQ About Becoming a Cybersecurity Manager

How do I become a cybersecurity manager?

Becoming a cybersecurity manager requires a bachelor's degree in computer science or a cybersecurity-related field. Professionals also need about five years of relevant work experience.

What are the experience requirements for cybersecurity managers?

Experience requirements for a security manager vary by employer. However, it is common to require at least five years' experience working in information technology.

Can I learn how to be a security manager without a degree?

A bachelor's degree is typically the minimum education requirement for a security manager. However, you may be able to get a job by completing a bootcamp and earning professional certifications that demonstrate your skills and knowledge.

Is it hard to become a security manager?

Becoming a security manager usually takes many years of education and experience. Someone who can put in the work and time can find many career opportunities in this in-demand field.

Reviewed by: Monali Mirel Chuatico