Key Responsibilities and Required Skills for a Security Program Manager
💰 $130,000 - $190,000
🎯 Role Definition
As a Security Program Manager, you are the central force driving our security strategy from concept to execution. You will be responsible for defining program scope, objectives, and deliverables, ensuring they align with our broader business goals. This is not just a project management role; you are a strategic partner who will build relationships across Engineering, Legal, Product, and executive leadership to foster a culture of security. You will translate complex technical security challenges into actionable plans, track progress with meaningful metrics, and communicate program status, risks, and successes to stakeholders at all levels. Your leadership will be critical in navigating the dynamic landscape of cybersecurity threats and regulatory requirements, ensuring our organization remains resilient and trustworthy.
📈 Career Progression
Typical Career Path
Entry Point From:
- Senior Security Analyst / Engineer
- GRC (Governance, Risk, and Compliance) Specialist
- IT Project Manager with a security focus
- Technical Program Manager
Advancement To:
- Senior or Principal Security Program Manager
- Director of Information Security
- Head of Security Governance, Risk, and Compliance
- Chief Information Security Officer (CISO)
Lateral Moves:
- Enterprise Risk Manager
- Technical Program Manager (Product or Infrastructure)
- Security Architect
Core Responsibilities
Primary Functions
- Develop, manage, and drive the execution of the holistic information security program roadmap, aligning initiatives with strategic business objectives and emerging threat landscapes.
- Lead large-scale, cross-functional security programs and projects from initiation through completion, including defining scope, allocating resources, managing schedules, and mitigating risks.
- Establish and maintain a comprehensive security governance framework, including the development, review, and enforcement of security policies, standards, and procedures across the organization.
- Act as the primary liaison between technical security teams and non-technical business stakeholders, translating complex security concepts into understandable business implications and requirements.
- Define, track, and report on Key Performance Indicators (KPIs) and Key Risk Indicators (KRIs) to measure the effectiveness of the security program and provide actionable insights to senior leadership.
- Oversee and mature the organization's risk management program, including conducting regular risk assessments, maintaining the risk register, and driving risk treatment plans.
- Manage and coordinate compliance efforts with relevant regulations and standards (e.g., SOC 2, ISO 27001, GDPR, CCPA, PCI DSS), working closely with internal teams and external auditors.
- Plan and lead incident response tabletop exercises and drills to ensure organizational readiness, and play a key coordination role during actual security incidents.
- Drive the vulnerability management lifecycle, collaborating with engineering and IT teams to prioritize and remediate identified vulnerabilities in a timely manner.
- Manage the third-party risk management (TPRM) program, conducting security assessments of new and existing vendors to ensure they meet our security requirements.
- Develop and deliver engaging security awareness and training programs to educate employees on security best practices and foster a strong security-conscious culture.
- Prepare and present regular program status updates, risk analyses, and strategic recommendations to executive leadership, steering committees, and the Board of Directors.
- Facilitate the evaluation and implementation of new security technologies, tools, and services, ensuring they integrate effectively into our existing ecosystem.
- Champion the integration of security into the software development lifecycle (SDLC), promoting DevSecOps principles and collaborating with development teams to build security in from the start.
- Manage the security program budget, including forecasting, resource planning, and tracking expenditures to ensure financial accountability.
- Build and maintain strong, collaborative relationships with key stakeholders across Engineering, Product, Legal, HR, and other departments to ensure security is a shared responsibility.
- Continuously assess and improve security processes and workflows, identifying opportunities for automation and increased efficiency.
- Lead post-mortem analysis following security incidents or program challenges, documenting lessons learned and driving corrective actions to prevent recurrence.
- Coordinate external penetration testing and other security assessments, managing the engagement from scoping to remediation of findings.
- Stay abreast of the latest cybersecurity trends, threats, and technologies to ensure the security program remains modern, effective, and forward-looking.
Secondary Functions
- Support ad-hoc data requests and exploratory data analysis related to security metrics and trends.
- Contribute to the organization's broader data governance strategy and roadmap.
- Collaborate with business units to translate their unique security needs into engineering and program requirements.
- Participate in sprint planning and agile ceremonies within the security engineering and GRC teams.
Required Skills & Competencies
Hard Skills (Technical)
- Program & Project Management: Expertise in project management methodologies (Agile, Scrum, Waterfall) and tools (Jira, Confluence, Asana) to manage complex, multi-stakeholder initiatives.
- Information Security Frameworks: Deep knowledge of common security and privacy frameworks such as NIST Cybersecurity Framework (CSF), ISO 27001/27002, SOC 2, and GDPR.
- Risk Management: Proficiency in conducting qualitative and quantitative risk assessments, creating risk registers, and developing risk treatment plans.
- GRC Tooling: Experience using Governance, Risk, and Compliance (GRC) platforms (e.g., OneTrust, LogicGate, Archer) to manage controls, risks, and audits.
- Cloud Security Concepts: Strong understanding of security principles within cloud environments (AWS, Azure, GCP), including identity and access management, network security, and configuration management.
- Technical Acumen: Ability to understand and discuss technical concepts such as vulnerability management, incident response, network security, and application security.
- Security Certifications: Professional certifications such as CISSP, CISM, PMP, or CRISC are highly valued.
Soft Skills
- Stakeholder Management: Exceptional ability to build rapport, trust, and strong working relationships with technical teams, business leaders, and executives.
- Communication & Influence: Outstanding verbal and written communication skills, with the ability to articulate complex security topics to diverse audiences and influence decisions without direct authority.
- Strategic Thinking: Ability to see the big picture, connect security initiatives to business goals, and develop long-term strategies for risk reduction and program maturity.
- Leadership: Proven leadership skills to guide cross-functional teams, inspire a shared vision, and drive projects to successful completion in a matrixed organization.
- Problem-Solving: A pragmatic and analytical approach to problem-solving, with the ability to navigate ambiguity and make sound decisions under pressure.
- Adaptability: Thrives in a fast-paced, dynamic environment and can effectively manage shifting priorities and evolving security challenges.
Education & Experience
Educational Background
Minimum Education:
- Bachelor's Degree in a relevant field or equivalent practical experience in the technology or security industry.
Preferred Education:
- Master's Degree in Cybersecurity, Information Systems, or Business Administration (MBA).
Relevant Fields of Study:
- Computer Science
- Information Security / Cybersecurity
- Management Information Systems
- Business Administration
Experience Requirements
Typical Experience Range: 5-10 years in information security, IT audit, or technical program management. A minimum of 3 years should be in a dedicated program or project management capacity leading security-focused initiatives.
Preferred: Experience in a high-growth technology, SaaS, or cloud-native company is highly desirable. A proven track record of building security programs from the ground up or significantly maturing existing ones is a major plus.