Information security manager

How to become an information security manager

January 30, 2019 by Greg Belding

Becoming an information security manager is a goal that many in the information security and IT fields have set for themselves. The position demands a symphony of skills all coming together: top-flight security technology and tool skills on one side, and managerial skills that either you have or you don't on the other. In return, information security managers gain a commanding view of their security department or team, and they are paid well to boot.

This article will detail what you have to do to become an information security manager and serves as a general roadmap for how you can blaze your own trail to this promising career.

What does an information security manager do?

In terms of the big picture, information security managers are essentially the brain of the operation in an information security department or team. Whereas the "lower-ranking" information security professionals focus on the hands-on daily work of configuring and tuning security technology and tools, information security managers focus on higher-level information security considerations and changes: what the organization's security posture should be, where the gaps are and which projects and policies will close them. This distinction may not sound like a big deal, but in practice it is profound.

At a micro level, the information security manager is the central figure of the information security team or department. The following is by no means an exhaustive list of what an information security manager does; it does, however, give a general feel for what one would be expected to do daily:

  • Create and implement strategies to improve the security and reliability of IT projects
  • Create, execute and maintain organizational information security policies and procedures
  • Manage a diverse team of information security experts, from incident responders to vulnerability auditors
  • Institute an information security awareness training program for the entire organization
  • Act as the highest escalation level for security incidents (aside from the CISO)
  • Assess, test and implement new information security technology and tools
  • Prepare cost estimates
  • Operate within department/team budgetary guidelines
  • Administer department/team staff schedules
  • Hire and onboard new department/team staff members

Where to begin

First, we must note that there is no one set path to becoming an information security manager. With that said, this article will give a general overview of how to get to an information security manager position that may mirror your career path.


Organizations hiring for this position generally require at least a bachelor's degree. A recent study found that 87% of employers hiring information security professionals only hire candidates with a bachelor's degree. If you have earned a bachelor's degree in either an information security or IT-related discipline, you're golden. If you have one in another field, you're not out of luck: some employers will hire a candidate with a degree in another field for an information security analyst position. For example, I have a bachelor's degree in Economics and was hired for my first analyst position on the merits of my unrelated degree. I then relied on self-taught learning and job experience to help me reach the level of information security manager.

If you are facing a situation where your unrelated degree and experience will not bridge the gap to information security manager, don't worry. A great way to handle this situation is to pursue a master's degree in either an information security or IT-related discipline (emphasis on the former). This should help to satisfy the education requirements of even the most persnickety of organizations.

Gain experience

With your education requirement(s) satisfied, the next thing is to gain the necessary experience that will make you an effective, competent information security manager.

The main experience requirement is that you will need at least five years of information security experience in the field. This does not mean five years in any particular information security position, just five years of experience or more. You may have begun your information security career as an incident responder for a year and then moved on to cybersecurity analyst for a few more years, or you may have been hired as a help desk analyst and then been promoted to security auditor for several years before you reach the professional experience threshold.

Skills to acquire

Despite the somewhat open-ended view of the career path for the information security manager, there are some hard skills that you will want to have acquired before you get hired for this position. A short list of these skills includes:

  • Information security and IT security architecture, organizational architecture and strategy practices/methods
  • Network security architecture definition and development
  • Security concepts related to networking and the organization's IT environment
  • Firewalls and intrusion detection and prevention systems (IDS/IPS), including the protocols and traffic they inspect
  • Strong communication skills that enable the information security manager to act as the liaison for the information security department/team
  • Real-world, effective managerial and leadership skills


Certifications

The last step to hammering down your information security manager career path is to enhance your education and experience with certifications. Certifications can help distinguish candidates for this position, as they demonstrate that you have put together all the elements needed to be an effective information security manager.

While there are a number of information security certifications available, two are the most helpful for this position: the Certified Information Security Manager, or CISM, and the Certified Information Systems Security Professional, or CISSP. Both require at least five years of information security work experience before you can call the certification your own: CISM requires at least three of those years to be in information security management, and CISSP requires the experience to span at least two of its eight domains. Both also grant limited experience waivers for a relevant degree or approved credential, and both allow you to pass the exam first and earn the full credential once the experience requirement is met.


The position of information security manager is a sought-after, high-powered position that is the long-term goal for many entering the field of information security. While there is no one path to this position, you can generally expect to need a bachelor's degree, over five years of experience in information security and a certification or two to back up your information security prowess.

If you have earned all of these elements and have the requisite managerial skills needed, you will be a strong candidate for an information security manager position and will have reached a major milestone in your information security career.


Greg Belding

Greg is a veteran IT professional working in the healthcare field. He enjoys information security, creating information defensive strategy, and writing, both as a cybersecurity blogger and for fun.