Cyber Security Management is responsible for at least some of the cyber security functions in an organisation. They may set and manage policies, and ensure that colleagues, both in cyber security and other departments comply with them. They may also manage staff, money, or other resources to achieve the most effective results possible. 

Depending on the size of an organisation, there can be some differences. In a smaller organisation, a Cyber Security Manager might be hands-on in some areas: 

• designing or reviewing security controls 
• setting criteria for triaging incidents 
• overseeing the management of incidents 

• reviewing risks 
• taking a broad view of threats and vulnerabilities 

In a larger organisation, a Cyber Security Manager may have less opportunity to be hands-on, instead, spending more time on generic management responsibilities, including budget, people, and recruitment. 

As Cyber Security Management is a senior role – perhaps with the title of Chief Information Officer (CISO) - they establish and operate the cyber security strategy. It is likely that they will work with other senior managers from other departments within the organisation. 

Cyber Security Management ensures that the cyber security efforts and resources of the organisation are applied efficiently and effectively to protect both its systems and services and the information it holds. This is so that the organisation can fully realise the value of these assets, while simultaneously complying with legal, regulatory and ethical constraints. 

In detail, you might: 

• ensure that the organisation’s cyber security policies and controls remain appropriate and proportionate to the assessed risks, and are responsive and adaptable to the changing threat environment, business requirements and relevant laws and regulations 
• ensure that the organisation’s cyber security practice supports the business rather than restricts it 
• in consultation with other managers, develop and implement a cyber security strategy 

• manage the staff and resources of a cyber security team or the department to deliver the necessary cyber security controls and responses as efficiently as possible 
• ensure that the cyber security team or department meets the organisation’s standards on equality and inclusion and supports the values and ethical aims of the organisation 
• drive the professional development of the team or department’s cyber security staff 

In addition, the Chief Information Security Officer (CISO) (or whichever role is responsible for overall cyber security functions): 

• as part of the senior management team, contributes to the organisation’s strategy, pursuit of high standards of behaviour and efficiency 

• is the primary point of contact on Cyber Security issues with key stakeholders across the organisation and outside 
• represents the interests of the cyber security team or department and its staff in decision-making at higher levels, including at enterprise level 
• advises and informs the organisation’s senior managers on the effectiveness of the cyber security strategy 

Job Titles 

For Cyber Security Management roles, titles include:  

• Head of Cyber Security 
• Cyber Security Manager 
• Chief Information Security Officer (CISO) 
• Director of Information & Cyber Security 

Salaries 

A Cyber Security Management role could earn between £60,000 and £90,000 a year, with a Chief Information Security Officer earning up to £130,000. The median figure for senior Cyber Security Management roles in February 2021 was £95,000. 

The salary range is based on job vacancy advertisements published online in February 2021. They may not be representative of the salaries for such roles in all sectors or all regions. Median salary figures are taken from calculations performed by www.itjobswatch.co.uk in March 2021. 

Note that these figures are based on small sample sizes: few senior roles are advertised, and historically the results of the calculation of average salaries have been very volatile, with large swings between months. 

Each of the 16 specialisms are based on knowledge areas within CyBOK.  

More information on CyBOK knowledge areas can be found here. 

Here are the knowledge areas associated with Cyber Security Governance & Risk Management 

Core knowledge – you will need a very good understanding of these areas 

Risk Management and Governance 

Security management systems and organisational security controls, including standards, best practices, and approaches to risk assessment and mitigation. 

Law and Regulation 

International and national statutory and regulatory requirements, compliance obligations, and security ethics, including data protection and developing doctrines on cyber warfare. 

Security Operations & Incident Management 

The configuration, operation and maintenance of secure systems including the detection of and response to security incidents and the collection and use of threat intelligence. 

Related knowledge – you will need a solid understanding of these areas 

Privacy and Online Rights 

Techniques for protecting personal information, including communications, applications, and inferences from databases and data processing. It also includes other systems supporting online rights touching on censorship and circumvention, covertness, electronic elections, and privacy in payment and identity systems. 

Human Factors 

Usable security, social & behavioural factors impacting security, security culture and awareness as well as the impact of security controls on user behaviours. 

Wider knowledge – these areas will help to provide context for your work 

Someone in a cyber security management role would generally benefit from having a broad understanding of all the other Knowledge Areas in CyBOK. 

Skills 

Personal attributes 

• remaining calm under pressure 
• influencing at an organisational level 
• forward thinking 

• staff management 
• budget management 
• project management 
• strategic-level thinking 
• evaluating the probable social, commercial, cultural, ethical and environmental consequences of an action 

Specialist skills 

• high-level risk management 
• applying cyber security standards, such as ISO 27001, and sector-specific requirements, such as PCI-DSS 
• engaging with regulatory authorities 
• leading cultural change on cyber security at an organisation level 

CIISec Skills Groups* (additional Skills Groups may also be relevant to particular jobs) 

The requirement for a manager to have skills in each of the Skills Groups listed below will depend on the scope of their responsibilities. Only a very senior manager, such as a Chief Information Security Officer (CISO), may need skills in all the Groups. 

A1 – Governance 

Principles: 

• directs, oversees, designs, implements or operates within the set of multi-disciplinary structures, policies, procedures, processes and controls implemented to manage Cyber and Information Security at an enterprise level, supporting an organisation’s immediate and future regulatory, legal, risk, environmental and operational requirements and ensuring compliance with those requirements 

A2 – Policy and Standards 

Principles: 

• directs, develops or maintains organisational Cyber and Information Security policies, standards and processes using recognised standards (e.g. the ISO/IEC 27000 family, the Security Policy Framework) where appropriate 
• applies recognised Cyber and Information Security standards and policies within an organisation, programme, project or operation 

A3 – Information Security Strategy 

Principles: 

• directs, develops or maintains plans and processes to manage Cyber and Information Security risks appropriately and effectively, whilst complying with legal, statutory, contractual, and business requirements 

A4 – Innovation & Business Improvement 

Principles: 

• recognises potential strategic application of Cyber and Information Security and initiates investigation and development of innovative methods of protecting information assets, to the benefit of the organisation and the interface between business and information security 

• exploits opportunities for introducing more effective secure business and operational processes 

A5 – Behavioural Change 

Principles: 

• identifies Cyber and Information Security awareness, training and culture management needs in line with security strategy, business needs and strategic direction, and gains management commitment and resources to support these needs 
• manages the development or delivery of Cyber and Information Security awareness and training, behavioural analysis programmes and/or security culture management programmes, applying analysis of human factors as appropriate 

A6 – Legal and Regulatory Environment and Compliance 

Principles: 

• understands the legal and regulatory environment within which the business operates 
• ensures that Information Security Governance arrangements are appropriate 
• ensures that the organisation complies with legal and regulatory requirements 

A7 – Third Party Management 

Principles: 

• identifies and advises on the technical, physical, personnel and procedural risks associated with third party relationships, including systems development and maintenance, contracts, end of service, outsourced service providers and business partners and sub contracting. Assesses the level of confidence that third party Cyber and Information Security capabilities/services operate as defined 

H1 – Business Continuity and Disaster Recovery Planning 

Principles: 

• contributes to defining the need for, and the development of Business Continuity Management (BCM) and Disaster Recovery (DR) Plans, Processes or Functions 

H2 – Business Continuity and Disaster Recovery Management 

Principles: 

• contributes to the implementation, operation and maintenance of Business Continuity and Disaster Recovery Processes or Functions 

H3 – Cyber Resilience 

Principles: 

• contributes to the development and implementation processes to anticipate, recognise and defend against changing Cyber and Information risk environments which threaten business stability, and the development and implementation of plans to introduce an holistic culture of Information Security across an organisation aimed at identifying and reacting promptly and effectively to incidents 

J1 – Management, Leadership and Influence 

Principles: 

• works effectively in teams, either as a member or leader 

• encourages and supports others to meet objectives and to develop as Information Security professionals 
• is a leader on Information Security issues, either locally or across an organisation 
• provides technical leadership in a professional field, either within an organisation or across an industry sector 

J2 – Business Skills 

Principles: 

• understands local or corporate business aims and uses this knowledge to maximise the cost-effectiveness of Information Security 
• contributes to the development of cost-effective corporate Information Security strategy; takes action to achieve greater corporate efficiency in line with strategic aims 
• takes reasoned decisions on Information Security based on business aims and influences 

*Non-Commercial - No Derivatives (BY-NC-ND) license. 2021 Copyright © The Chartered Institute of Information Security. All rights reserved. Chartered Institute of Information Security®, CIISec. Chartered Institute of Information Security®, CIISec®, AfCIIS®, ACIIS®, MCIIS®, FCIIS® and the CIISec graphic logo are trademarks owned by The Chartered Institute of Information Security and may be used only with express permission of CIISec. 

Experience 

There may be the ability to move into a management role from a senior level in any career if experience includes risk management, resource management and strategic thinking. However, there will generally need to be at least a few years of direct experience in a cyber security role. This will have probably been gained as a team leader or, in a small organisation, as a senior cyber security professional responsible for one or several cyber security functions. 

Careers or roles that may provide a good foundation for moving into cyber security management without extensive cyber security experience include: 

• IT system management 

• financial management 
• security management 

Linked Specialisms 

• Secure Operations 
• Cyber Security Audit and Assurance 
• Cyber Security Governance and Risk Management 

Moving On 

From a lower-level Cyber Security Management role in a small or medium-sized cyber security organisation or department, you might move into the Chief Officer role (which may be titled the Chief Information Security Officer, or CISO). 

From a lower-level cyber security management role in a large cyber security organisation or department, you might move into a team or departmental management role. From a senior management role, you might move into the Chief Officer role (or CISO). 

Our certification framework can be accessed here. This framework allows you to see which certifications may be useful to you, within the different specialisms and at which point of your career.

Entry route information can be found here.

You can also visit the National Cyber Security Centre website at the links below:

NCSC Certified Degrees 

NCSC Certified Training