What Does a Security Manager Do?
What is a Security Manager?
An Information Security Manager is expected to manage an organization’s IT security in every sense of the word – from coming up with security strategies & solutions to implementing training procedures. You may also be required to handle imminent security threats and deal with the aftermath of any breaches. Although your technical skills may take a backseat (at times) to your leadership work, you will be the driving force behind your company’s security measures.
What does this mean in practical terms? Well, it might mean security assessments & audits, product tests, budget meetings, interdepartmental discussions, policy & compliance analyses and other tasks related to running a business. But it will also involve hands-on practice. The finest Security Managers a) really know what they’re doing and b) know how to convey that knowledge to multiple stakeholders, including non-technical executives.
Security Manager Job Responsibilities
As part of this mid-level management job, you may be required to:
- Create and execute strategies to improve the reliability and security of IT projects
- Define, implement and maintain corporate security policies and procedures
- Spearhead vulnerability audits, forensic investigations and mitigation procedures
- Respond immediately to security-related incidents and provide a thorough post-event analysis
- Manage a diverse team of security administrators, analysts and IT professionals
- Act as a key liaison between upper-level management, programmers, risk assessment staff and auditors
- Institute organization-wide training in security awareness, protocols and procedures
- Ensure compliance regarding staff security and clearance
- Assess, test and select new security products and technologies
- Prepare cost estimates and identify integration issues
- Administer department budgets and staff schedules
Security Manager Careers
Security Manager Career Paths
Security Managers typically get their start in entry-level administrative positions such as:
- Security Administrator
- Network Administrator
- System Administrator
After getting your foot in the door, you might consider a more specialized security position that will give you the required work experience. For instance:
Once you are a Security Manager, you might progress to top-level security positions:
You will often see similar job listings for:
- Information Systems Security Manager
- Information Security Manager
- IT Security Manager
- Systems/Applications Security Manager
- Security Manager (Systems/Applications/Information)
Security Manager Salaries
According to Payscale, the median salary for an Information Security Manager is $110,822 per year (2019 figures). Overall, you can expect to take home a total pay of $75,493 – $157,894. This includes your base annual salary, bonuses, profit sharing, tips, commissions, overtime pay and other forms of cash earnings, as applicable.
However, insiders will tell you that $75,493 is too low. Job salaries in the Midwest often start at a minimum of $90K, and figures will be higher on the East and West Coasts.
Security Manager Job Requirements
Security Manager job listings tend to follow a similar pattern. Overall, employers want to see a BS in a relevant technical field, at least 5 years of work experience, CISSP and/or CISM certification, tech expertise and a lot of soft skills (e.g. leading teams, devising & managing projects, working well with clients, etc.).
Whenever and wherever you can, try to find ways to get management & teaching experience before you apply for the job. In a Security Manager interview, you may be asked how you communicated a complex concept to your team; dealt with a difficult HR situation; handled a security crisis; and/or planned a defense strategy. Some companies may want you to explain how a piece of security software works, or ask you to chat about a time when you implemented a security program. You’ll discover that they’re assessing your communication & interpersonal skills as well as your technical knowledge.
Security Managers are expected to have, at minimum, a bachelor’s degree in Computer Science, Cyber Security or a related technical field. If you don’t have a technical degree, you could consider gaining a master’s degree with a concentration in IT security. You can bolster this qualification with training and professional certifications.
Since this is a management position, employers want to see 5-10 years of work experience in information technology. Many job descriptions will specify that at least 3-5 of these years must be in the field of information security.
Security Managers should have a “ground-up” knowledge of programming, architecture and IT security. Hiring committees will be looking for evidence of hands-on security expertise and familiarity with current tech advances. As you build your career, you might consider honing your skills in:
- Practices and methods of IT strategy, enterprise architecture and security architecture
- Security concepts related to DNS, routing, authentication, VPN, proxy services and DDoS mitigation technologies
- ISO 27001/27002, ITIL and COBIT frameworks
- PCI, HIPAA, NIST, GLBA and SOX compliance assessments
- Windows, UNIX and Linux operating systems
- C, C++, C#, Java and/or PHP programming languages
- Firewall and intrusion detection/prevention protocols
- Secure coding practices, ethical hacking and threat modeling
- TCP/IP, computer networking, routing and switching
- Network security architecture development and definition
- Knowledge of third party auditing and cloud risk assessment methodologies
Soft skills play a huge role in management positions. Every day, you will be collaborating with CISOs, outside vendors and teams of engineers and analysts. That means employers will want to see proof of outstanding leadership and oral communication skills.
They are also going to be looking for efficient multi-taskers and creative problem-solvers. Like general contractors on a building site, Security Managers are responsible for addressing a dizzying array of company issues.
Certifications for Security Managers
Security Managers are fairly high up in the hierarchy, so certifications are recommended. Generally speaking, CISSP and CISM are the two most requested qualifications from employers.
- CISM: Certified Information Security Manager
- CISSP: Certified Information Systems Security Professional
- CISSP-ISSMP: Information Systems Security Management Professional
- GSLC: GIAC Security Leadership