
Key Responsibilities and Required Skills for Manager – Information Security

💰 $120,000 - $170,000

Tags: Information Security · Cybersecurity · IT Management · GRC

🎯 Role Definition

The Manager – Information Security leads the design, implementation, and continuous improvement of an enterprise information security program. This role is accountable for risk-based security strategy, incident detection and response, policy and controls governance, vulnerability management, secure architecture guidance, and cross-functional security enablement. The manager partners with engineering, operations, legal, and business leaders to embed security into product development and business processes while ensuring compliance with relevant frameworks (ISO 27001, NIST CSF, SOC 2, PCI DSS, GDPR, etc.).


📈 Career Progression

Typical Career Path

Entry Point From:

  • Senior Security Engineer / Lead Security Engineer
  • Security Architect / Cloud Security Engineer
  • IT Risk Analyst / GRC Analyst

Advancement To:

  • Director, Information Security
  • Head of Security / Senior Director, Cybersecurity
  • Chief Information Security Officer (CISO)

Lateral Moves:

  • Manager, Cloud Security
  • Manager, Security Operations (SOC)
  • Manager, Governance, Risk & Compliance (GRC)
  • Privacy & Data Protection Lead

Core Responsibilities

Primary Functions

  • Lead the development, implementation, and continual improvement of the enterprise information security strategy and roadmap aligned to business objectives, regulatory obligations, and industry best practices.
  • Own and maintain the information security policy, standards, procedures, and control baseline; ensure policies are communicated, understood, and enforced across all business units.
  • Manage risk assessment processes including asset inventory, business impact analysis, threat modeling, vendor risk assessments, and annual risk reporting to senior leadership and the board.
  • Direct the security incident response program: define playbooks, coordinate cross-functional incident handling, perform root-cause analysis, and lead after-action reviews with remediation timelines.
  • Oversee vulnerability management activities across cloud, on-premise, and third-party systems including prioritization, patch management coordination, scanning cadence, and reporting of remediation metrics.
  • Run or partner with SOC operations for detection engineering and SIEM optimization (use case development, alert tuning, false-positive reduction, and escalation workflows).
  • Architect and review secure cloud and hybrid architectures; provide technical guidance on secure deployments in AWS, Azure, and GCP, including network segmentation, IAM hardening, and secure configuration baselines.
  • Lead identity and access management governance: role-based access control (RBAC), privileged access management (PAM), single sign-on (SSO), MFA rollouts, lifecycle processes, and access certification programs.
  • Develop and operationalize data protection and encryption strategies (data classification, data loss prevention (DLP), key management, and database encryption) to protect sensitive and regulated information.
  • Oversee application security practices including secure SDLC adoption, threat modeling, static and dynamic code analysis (SAST/DAST), code-review guidance, and developer security training.
  • Manage the third-party and supply chain security program: vendor onboarding security assessments, contractual security requirements, continuous monitoring, and remediation tracking.
  • Ensure compliance with relevant regulatory and contractual requirements (e.g., SOC 2, ISO 27001, PCI DSS, HIPAA, GDPR, CCPA), lead audits and remediation, and prepare evidence and status updates for auditors and regulators.
  • Define and track security metrics and KPIs (MTTR for incidents, time to remediate vulnerabilities, risk exposures, audit findings) and present quarterly and ad-hoc reports to senior leadership and the board.
  • Lead cross-functional security projects including incident simulations, tabletop exercises, red-team/blue-team engagements, and major security program rollouts to increase organizational resilience.
  • Build, coach, and manage a high-performing security team (security operations, engineering, GRC specialists); define objectives, career development plans, hiring needs, and budget recommendations.
  • Own security budget planning and vendor management: evaluate third-party security products and MSSP partners, negotiate contracts, and measure vendor performance against SLAs.
  • Establish and run a privacy-security working interface with legal and privacy officers so that security controls support data protection obligations and privacy-by-design principles.
  • Drive secure configuration and hardening standards for endpoints, servers, containers, and network devices; work with IT operations to automate baselines and ensure continuous compliance.
  • Lead threat intelligence integration: ingest relevant threat feeds, synchronize threat detection and response playbooks, and perform proactive hunting for advanced threats.
  • Coordinate disaster recovery (DR) and business continuity (BCP) plans from a security perspective, ensure DR tests incorporate security requirements, and validate recovery tolerances for critical assets.
  • Advocate and deliver security awareness and behavior-change programs for employees and contractors; measure program effectiveness and reduce human-driven risk through targeted training.

Secondary Functions

  • Support ad-hoc security questionnaires, RFP security sections, and customer security reviews to drive sales enablement and contractual compliance.
  • Provide mentorship and technical subject-matter guidance to engineers, product owners, and IT staff on secure design and implementation decisions.
  • Assist with procurement and implementation of security tooling (SIEM, EDR, vulnerability scanners, IAM/PAM systems) and manage rollout schedules with stakeholders.
  • Maintain and improve incident and vulnerability playbooks; continuously iterate on lessons learned from real incidents and tabletop exercises.
  • Participate in cross-functional governance forums (risk committees, architecture review boards, change advisory boards) to represent security considerations.
  • Partner with product management to integrate security requirements into product roadmaps and feature definitions, ensuring secure-by-design delivery.
  • Contribute to the security communications program: publish executive briefings, security newsletters, incident status updates, and compliance certifications for customers.
  • Conduct occasional hands-on technical tasks including pen test scoping, reviewing security designs, and validating remediation actions for critical findings.

Required Skills & Competencies

Hard Skills (Technical)

  • Information security program management and strategic planning with measurable outcomes and KPIs.
  • Risk assessment and risk management methodologies (quantitative and qualitative), business impact analysis, and residual risk reporting.
  • Incident response and digital forensics: playbook creation, IR orchestration, evidence preservation, and root cause analysis.
  • Vulnerability management and remediation processes, including familiarity with scanning tools (Qualys, Tenable, Rapid7) and patch management.
  • SIEM and SOC operations experience (Splunk, QRadar, Azure Sentinel, Elastic) including detection engineering and log analytics.
  • Cloud security expertise across AWS, Azure, and GCP: secure landing zones, IAM, VPC design, and cloud-native security services.
  • Identity and Access Management (IAM), SSO, MFA, PAM, and least-privilege models.
  • Security frameworks and compliance: ISO 27001 lead implementer/auditor knowledge, NIST CSF, CIS Controls, SOC 2, PCI DSS, GDPR/CCPA.
  • Application security knowledge: secure SDLC, SAST/DAST tools, threat modeling, and dependency/third-party scanning.
  • Network security fundamentals: firewalls, IDS/IPS, VPNs, microsegmentation, and secure network architecture.
  • Data protection and cryptography: DLP, key management, TLS, PKI, and database encryption strategies.
  • Experience with GRC tooling (ServiceNow GRC, RSA Archer) and audit management processes.
  • Penetration testing coordination and red/blue team exercise experience, with the ability to interpret findings and prioritize remediation.
  • Endpoint detection and response (EDR) experience (CrowdStrike, Carbon Black, Microsoft Defender) and malware analysis basics.
  • Automation and infrastructure-as-code security (Terraform, CloudFormation scanning), CI/CD pipeline security integrations.

Soft Skills

  • Strong leadership and people management: hiring, mentoring, performance management, and cross-functional influence.
  • Excellent verbal and written communication skills for translating technical risk to business impact for executives and the board.
  • Strategic thinker with a pragmatic, risk-based approach to security investments and trade-offs.
  • Stakeholder management and partnership orientation with engineering, product, legal, and compliance teams.
  • Project and program management skills including budgeting, vendor negotiations, and delivery oversight.
  • Sound decision-making under pressure during incidents, with calm escalation and clear action plans.
  • Coaching and training aptitude to uplift security knowledge across the organization.
  • Change management capabilities to drive adoption of security controls and behaviors.
  • Attention to detail and strong analytical skills for audit evidence, control assessments, and security reporting.
  • Customer-facing professionalism to respond to security questionnaires, vendor audits, and customer security concerns.

Education & Experience

Educational Background

Minimum Education:

  • Bachelor's degree in Computer Science, Information Security, Information Technology, Cybersecurity, or related field.

Preferred Education:

  • Master's degree in Information Security, MBA with technology focus, or equivalent advanced certification.

Relevant Fields of Study:

  • Computer Science
  • Information Security / Cybersecurity
  • Information Systems
  • Network Engineering
  • Risk Management / Business Continuity

Experience Requirements

Typical Experience Range:

  • 7–12 years of progressive experience in information security, IT risk, or security operations, with at least 3–5 years in a team lead or management role.

Preferred:

  • 10+ years total experience with demonstrated experience managing security programs, leading incident response, and achieving compliance certifications (SOC 2, ISO 27001, PCI DSS).
  • Experience operating security programs in cloud-first and SaaS environments, working with product engineering teams, and interfacing with executive leadership.

Certifications (Highly Desirable)

  • CISSP, CISM, CISA, CRISC
  • ISO 27001 Lead Implementer / Lead Auditor
  • CCSP (Cloud Security), GIAC certifications (GCIH, GPEN), or equivalent
  • Practical certifications such as CEH or OSCP where hands-on expertise is required
