Introduction: Management in the age of cybersecurity

These days, no organization can run successfully without cybersecurity managers. In their oversight role, cybersecurity managers ensure that staff follow cyber-safe practices, manage the protection of the IT infrastructure, coordinate the response to incidents and ensure recovery after an attack. In short, they are responsible for good security governance.

The roles and responsibilities of cybersecurity managers are varied. In fact, the cybersecurity manager/administrator role includes a variety of advanced-level information security positions focused on overseeing security systems and teams. He or she may also manage IT security programs that enable workers to recognize and deal with a cybersecurity incident such as a data breach or cyber-attack, while ensuring that controls and policies are implemented to mitigate risks.

Ways to prepare for a security manager career

With many organizations in search of qualified security managers, it’s a great time for professionals to prepare for a cybersecurity manager or information security manager career, with strong opportunities and salary projections. In addition to a college degree in computer science, cybersecurity or a related technical field, candidates need years of experience managing security operations and teams and, above all, evidence of continued training and solid security and management certifications.

Cybersecurity certifications that are most in demand

CIPM

An increased focus around data security has driven interest in privacy certifications like the CIPM. The International Association of Privacy Professionals (IAPP) offers the Certified Information Privacy Manager (CIPM) credentialing program which assesses candidates’ understanding of information privacy laws and practices. As IAPP explains, “the CIPM designation says that you’re a leader in privacy program administration and that you’ve got the goods to establish, maintain and manage a privacy program across all stages of its lifecycle.” The IAPP CIPM, which was launched in 2013 as the first and only certification in privacy program management, suits risk managers and others responsible for privacy within their teams.

CIPM has been accredited under ANSI/ISO standard 17024:2012 and covers many aspects of creating and implementing a good privacy program, from building a privacy team to setting up a working privacy program framework to managing the program across its entire life cycle.

Candidates are given 2.5 hours to answer 90 questions. The cost is $550. Scheduling is handled by Pearson VUE, and the applicant is able to choose a convenient testing place and time. Results are given to candidates immediately at the conclusion of the session.

CISM

For those looking to move from a technical to a managerial career, or wanting to prove that they have management skills as well as technical knowledge, the Information Systems Audit and Control Association (ISACA) offers a great option. In fact, “ISACA’s Certified Information Security Manager (CISM) certification indicates expertise in information security governance, program development and management, incident management and risk management.” The CISM suits cybersecurity and IT security managers but is also ideal for information risk managers.

In order to be certified, candidates need to submit a proper application, pass the exam and have the required work experience (at least five years in information security management). The test covers four domains: Information Security Governance, Information Risk Management, Information Security Program Development & Management and Information Security Incident Management.

Candidates have four hours to answer 150 multiple-choice questions, which are developed from an analysis of the latest knowledge required for the job. The cost is $575 for ISACA members and $760 for non-members.

GSLC

The GIAC® Security Leadership Certification (GSLC) is intended for security professionals with managerial or supervisory responsibilities and, in particular, those who plan and manage security projects and initiatives. The GSLC certification covers key management topics that address the overall security life cycle, including technical topics like cryptography, network concepts and application security, as well as structuring an effective security program, creating proper security policies, running an awareness program and managing the whole security architecture.

The certification also addresses incident response and business continuity. This is a very important topic for security managers, who are normally asked not only to protect the IT infrastructure but also to enable the organization to resume operations as soon as possible after an incident.

Candidates have three hours to answer 115 questions and must answer at least 65% of them correctly. The test is open-book but not open-internet or open-computer. Unlike CISM, GSLC has no particular professional experience prerequisite.

Candidates have many resources to prepare for the test, including GIAC practice tests ($169 per test). Two tests are actually included with a certification attempt. Other courses are also available online.

CISSP

According to (ISC)², this certification is ideal for security managers. In fact, the Certified Information Systems Security Professional (CISSP) certification path is designed for cybersecurity managers who need to build their knowledge across a broad range of technical and management topics.

The CISSP-ISSMP has been refreshed to reflect the issues [security and privacy] that cybersecurity management professionals currently face. As (ISC)² states, “earning the CISSP proves you have what it takes to effectively design, implement and manage a best-in-class cybersecurity program.”

CISSP is vendor-neutral and covers the following topics: Security Architecture and Engineering (13%), Security and Risk Management (15%), Software Development Security (10%), Asset Security (10%), Communication and Network Security (14%), Identity and Access Management (13%), Security Assessment and Testing (12%) and Security Operations (13%).

Candidates have three hours for the CISSP CAT exam and six hours for the non-English linear, fixed-form exam. The Computerized Adaptive Testing (CAT) version allows candidates to answer approximately 100-150 questions tailored to their preparation. The linear version requires approximately 250. Passing score is 700 out of 1000. Testing is all done through Pearson VUE.

(ISC)² has a number of training options that include practice tests, self-study, online instructor-led and classroom classes.

Which certification?

Each certification is a valid option for professionals who need to validate their knowledge and abilities and provide a managerial level of information security for their business. CISM, however, is more business-oriented and focuses on information risk management. In fact, it is “a management-focused certification,” writes Cybersecurity Guide, so “those looking to obtain it should have hands-on experience managing, designing, and overseeing an enterprise’s information security program.”

The GSLC prepares candidates on how to secure an enterprise, while CISSP covers in-depth critical security topics that are more technical-oriented. “The CISSP credential suits mid and senior-level managers who are working towards, or have already attained positions as, CISOs, CSOs or Senior Security Engineers.”

The CIPM certification has a strong focus on privacy and is a great credential for professionals in managerial roles that are responsible for data privacy.

Most have a component for also testing the “soft” skills (communication, analytical thinking and problem-solving) that are so important in managerial positions and that complement the “hard” skills (i.e., “to have the technical know-how to design and evaluate systems and network architectures, as well as be able to keep up to date and understand the latest information on trends, best practices, standards, and methods”).

Other certifications that focus on cybersecurity management skills

The CompTIA Security+ is a great starting point for anyone looking to pursue a career in cybersecurity, as the exam also focuses on the latest trends and techniques in identity management and risk management. However, the CompTIA CySA+ is a more advanced cybersecurity certification that takes a deeper dive into topics such as threat management and vulnerability management, along with response best practices. This is a credential that gives a high-level overview of the business/management side of things.

Note: As CompTIA’s most advanced certification, CASP+ qualifies you for senior-level cybersecurity positions, but the credential is not necessarily geared toward managers. Together, Security+ and CySA+ span a variety of roles.

Salary and career info for security managers in the cyber realm

According to PayScale, the average salary for a security manager is $66,564. From the job description, we learn “[they] are generally expected to streamline their companies’ security processes, regardless of the industry,” to protect valuable information from cyber breaches. For information security managers with a bachelor’s degree, advanced computer security knowledge and about five years of experience who get tasked to “coordinate and execute security policies and controls, while assessing a company’s vulnerabilities,” Study.com estimates the salary at about $132,000 a year.

Note: “The average salary for a CISM-certified professional ranges from $52,402 to $243,610”; whereas, “the average salary in the US for CISSPs is, according to Payscale.com, between $68,594 and $128,338 if you’re male, and between $59,810 and $119,553 if you’re female.” The average male salary for GSLC holders ranges from $75k to $189k; in contrast, the average salary for CIPM holders is $84k, though gender earnings ratios are not reported.

It’s also worth reviewing the latest data from CyberSeek’s Cybersecurity Career Pathway, which provides detailed information about the salaries, credentials and skill sets associated with the cybersecurity manager/administrator role.

Conclusion

Security managers are the driving force behind the company’s security measures, strategies and solutions. They play a significant role in handling security incident management, vulnerability management and device management.

In addition to assigning, directing and controlling the work of employees under their supervision, they also provide senior-level support for incident response functions through technical activities. Basically, they manage an organization’s IT security in every sense of the word.

Knowledge and soft skills are both important, so credentials that address the basic requirements of professionals in managerial roles are important to validate skills and help security managers in their career progression.


Sources

  1. CIPM Certification, IAPP
  2. Cyber Security Certification: GSLC, GIAC
  3. CISM, ISACA
  4. CISSP, (ISC)², Inc.
  5. CISM vs CISSP, EDUCBA
  6. The 5 Most In-Demand Cybersecurity Jobs for 2020, Focal Point
  7. Best InfoSec and Cybersecurity Certifications of 2020, Business News Daily
  8. Be an Information Systems Security Manager: Career Roadmap, Study.com
  9. How to Become a Security Manager, CybersecurityEducation.org
  10. Become a Security Manager, CyberDegrees.org
  11. Average Security Manager Salary, PayScale, Inc.
  12. Degrees & Careers: How to Work in Cyber Security, LearnHowToBecome.org
  13. Data Greater Demand for Cybersecurity Professionals by US Employers, Security Magazine
  14. Demand and Salary Prospects for Cyber Security Jobs, Cybersecurity Insiders
  15. Why and How to Become a Security Manager, InfoSecAddicts.com
  16. Cybersecurity Supply/Demand Heat Map, CyberSeek
  17. Cybersecurity certification guide, Cybersecurity Guide
  18. Cybersecurity Management, NICCS