
Key Responsibilities and Required Skills for Information Systems Security Manager


Information Security, Cybersecurity, IT Management, Risk & Compliance

🎯 Role Definition

The Information Systems Security Manager is a senior technical leader responsible for designing, implementing, and managing the enterprise information security program. This role leads security operations, threat and vulnerability management, risk assessments, compliance with regulatory and industry frameworks (e.g., NIST, ISO 27001, PCI DSS, HIPAA, GDPR), and governance practices across on-premises and cloud environments. The manager serves as both a hands-on technical expert and a strategic advisor to IT and business stakeholders, translating business needs into secure architectures, policies, and measurable security outcomes.

📈 Career Progression

Typical Career Path

Entry Point From:

  • Information Security Analyst / Senior Security Analyst
  • Systems Administrator with security specialization
  • Security Engineer or SOC Lead

Advancement To:

  • Director of Information Security / Head of Information Security
  • Chief Information Security Officer (CISO)
  • VP of IT Risk & Compliance

Lateral Moves:

  • Cloud Security Architect
  • IT Risk Manager / Enterprise Risk Manager
  • Compliance or Privacy Lead

Core Responsibilities

Primary Functions

  • Develop, maintain and execute the enterprise information security strategy and roadmap aligned to business objectives, ensuring measurable improvement in security posture across people, process, and technology.
  • Lead the design, implementation, and operational management of security operations capabilities including SIEM, SOC workflows, threat hunting, alert tuning, and incident escalation to reduce mean time to detect (MTTD) and mean time to respond (MTTR).
  • Own the vulnerability management program life cycle, from scanner configuration and discovery to prioritization, remediation tracking, metrics, and continuous improvement across servers, endpoints, network devices, and cloud workloads.
  • Conduct and coordinate risk assessments, business impact analyses, and security control assessments for new systems and major changes, producing clear remediation plans and risk acceptance documentation for executive review.
  • Develop, review and enforce organizational security policies, standards, procedures, and guidelines (e.g., access control, secure configuration, encryption, logging/monitoring) and ensure they map to NIST/ISO/PCI/HIPAA requirements where applicable.
  • Lead incident response and digital forensics efforts for security breaches and significant events, coordinating cross-functional teams, external forensics vendors, law enforcement, and communications to contain incidents and minimize business impact.
  • Oversee identity and access management (IAM) strategy — including RBAC/ABAC design, privileged access management, single sign-on (SSO), multi-factor authentication (MFA), lifecycle provisioning and periodic entitlement reviews.
  • Drive cloud security governance for AWS/Azure/GCP environments, ensuring secure infrastructure-as-code practices, cloud-native logging/monitoring, workload segmentation, and secure configuration baselines are enforced.
  • Implement and maintain data protection controls including DLP, encryption at rest/in-transit, tokenization, key management, and data classification to reduce data exfiltration and support privacy compliance.
  • Manage third-party vendor security risk through vendor risk assessments, contract language, security questionnaires, penetration testing requirements, and continuous monitoring of vendor security posture.
  • Oversee security architecture reviews and secure design guidance for application development, infrastructure projects, and DevOps pipelines to embed security earlier in the SDLC (shift-left).
  • Plan and manage periodic penetration tests and red team exercises, interpret results, track remediation, and integrate findings into training, baseline hardening, and architectural changes.
  • Define and track security KPIs and metrics (e.g., vulnerability remediation SLAs, patching cadence, phishing click rates, incident response metrics), and prepare executive dashboards and risk narratives for senior leadership and the board.
  • Lead compliance audit preparation and response (SOC 1/2, ISO 27001, PCI DSS, HIPAA), liaise with external auditors, and coordinate evidence collection and remediation of audit findings.
  • Manage security budget, tool lifecycle, vendor relationships, procurement and negotiation, ensuring cost-effective acquisition and operationalization of security solutions.
  • Recruit, mentor and develop security team members, defining roles, performance objectives, training plans (including certifications like CISSP/CISM/CISA), and career paths to build a high-performing team.
  • Collaborate closely with legal, privacy, risk, IT, and business units to ensure security controls enable business initiatives while meeting regulatory and contractual obligations.
  • Maintain up-to-date threat intelligence and cybersecurity trends, translate intelligence into defensive actions, and adapt controls to emerging threats such as ransomware, cloud misconfigurations, and supply chain attacks.
  • Establish the security requirements for business continuity and disaster recovery, ensuring that backup integrity, secure restore processes, and other security considerations are incorporated into continuity planning.
  • Oversee secure configuration, patch management and change control practices across endpoints, servers, network, and cloud to minimize exposure to known vulnerabilities.
  • Drive security awareness and training programs across the organization, measure effectiveness, and deliver role-based training for developers, administrators, and executives.
  • Coordinate cross-functional tabletop exercises, incident simulations and crisis management drills to validate processes, communication flows, and decision-making under simulated security incidents.
  • Author and maintain threat models for critical applications and systems, coordinating with architects and engineers to mitigate design-level risks and to validate compensating controls.
  • Ensure logging, monitoring, and retention policies meet operational, legal and business requirements, and that logs are actionable for detection, investigation and forensics.

Secondary Functions

  • Provide subject-matter expertise for procurement and RFPs to evaluate security capabilities and contractual security language.
  • Support security-related change advisory board (CAB) reviews, ensuring changes consider security impact and appropriate mitigation.
  • Contribute to employee onboarding/offboarding security processes and access certification efforts.
  • Assist privacy and data governance teams to map security controls to privacy program requirements and data inventories.
  • Partner with application and platform teams to define secure APIs, secrets management, and CI/CD pipeline hardening.

Required Skills & Competencies

Hard Skills (Technical)

  • Information security program management and governance, including policy development, risk assessment, and control frameworks (NIST CSF, NIST SP 800-53, ISO 27001).
  • Security operations and incident response: SIEM (Splunk, QRadar, Sentinel), SOC processes, threat hunting, playbook development, and forensic analysis.
  • Vulnerability management and penetration testing lifecycle with tools such as Nessus, Qualys, Rapid7, Burp Suite, and experience with remediation tracking.
  • Cloud security for AWS/Azure/GCP: secure architecture patterns, CSPM, IAM, cloud logging, container and serverless security, and infrastructure-as-code controls.
  • Identity and access management (IAM) and privileged access management (PAM) technologies — SSO, MFA, Okta/Azure AD, CyberArk, BeyondTrust.
  • Data protection technologies: encryption, key management, DLP, tokenization, and experience enforcing data classification.
  • Network and endpoint security: firewalls, IDS/IPS, EDR/XDR solutions (CrowdStrike, Carbon Black), secure network design, segmentation and NAC.
  • Regulatory compliance and audit readiness (SOC 2, PCI DSS, HIPAA, GDPR) — mapping technical controls to compliance requirements and supporting audits.
  • Secure software development lifecycle (SDLC) practices, application security testing (SAST/DAST), code review best practices, and DevSecOps toolchains.
  • Logging, monitoring and observability stacks, log retention policy design, and the ability to create high-fidelity detection rules and alerts.
  • Security architecture and systems design experience, producing secure design documentation and threat modelling outputs.
  • Familiarity with endpoint, mobile and IoT security considerations and mitigation strategies.
  • Ability to evaluate and manage security tools and vendors, including procurement, ROI analysis and operationalization.

Soft Skills

  • Strong leadership and people management skills — hiring, mentoring and developing security professionals.
  • Executive communication and storytelling — producing concise risk narratives and dashboards for senior leaders and boards.
  • Cross-functional collaboration — ability to influence engineering, product, legal and business stakeholders without direct authority.
  • Decision-making under pressure and crisis management capability.
  • Strategic thinking and practical bias for action: balance long-term security goals with immediate operational needs.
  • Project management and prioritization skills; adept at managing multiple initiatives and resourcing trade-offs.
  • Continuous learning mindset and curiosity about emerging threats and technologies.
  • Strong written communication for policy, incident reports, and audit responses.
  • Ethical judgment, integrity and respect for confidential information and privacy.

Education & Experience

Educational Background

Minimum Education:

  • Bachelor's degree in Computer Science, Information Security, Cybersecurity, Information Systems, or related technical field.

Preferred Education:

  • Master's degree in Cybersecurity, Information Assurance, Computer Science, Business Administration (MBA with IT focus), or equivalent advanced degree.

Relevant Fields of Study:

  • Computer Science / Software Engineering
  • Information Security / Cybersecurity
  • Information Systems / IT Management
  • Risk Management / Business Continuity

Experience Requirements

Typical Experience Range:

  • 5–12 years of progressive information security experience with 2–5 years in a managerial or lead role (varies by organization size).

Preferred:

  • 8+ years of broad information security experience including hands-on SOC, incident response, vulnerability management and cloud security. Prior experience leading security teams, managing audits (SOC 2/ISO/PCI), and working closely with executive leadership. Relevant certifications such as CISSP, CISM, CISA, CRISC, or equivalent are highly desirable.