IT Security Manager / CISO
Lead security programmes, manage risk, and govern enterprise security posture
Job titles
Information Security Manager, CISO
UK salary range
£70,000–£150,000
US salary range
$120,000–$250,000
Time to first role
8–15 years from IT entry level
About this role
IT security managers and CISOs are responsible for an organisation's security strategy, governance, risk management, and compliance. This is a senior leadership path — most practitioners arrive here after 8–15 years in technical security roles.
Key skills employers look for
Certification roadmap
Technical Foundation
Security managers must have credible technical depth — usually accumulated over years in analyst or architect roles
CompTIA Security+ (SY0-701)
The foundational security cert every practitioner in this path will hold (usually acquired years earlier in their analyst role).
Management-Level Security
The certs that employers screen for at manager level
ISACA CISM
The gold standard for security managers — covers governance, risk management, incident management, and programme development. Frequently required for CISO and Head of Security roles. Requires 5 years of information security work experience.
ISC2 CISSP
The most globally recognised senior security credential. Covers 8 security domains from architecture to law. Complementary to CISM — many senior security leaders hold both.
GRC & Risk
Governance, risk, and compliance specialisation for risk-focused roles
ISACA CRISC
Certified in Risk and Information Systems Control — the most respected risk management cert for IT. Valued in banking, insurance, and regulated industries where IT risk reporting to the board is a formal requirement.
Frequently asked questions
CISM or CISSP first?
CISM if you're primarily on a management track — it's more focused on governance and programme leadership. CISSP if you want broader credibility or plan to move between technical architecture and management. Both require years of qualifying experience, so they can't be rushed.
Key terms for this career path
These concepts underpin the certifications in this roadmap and appear regularly in exam questions.
Dynamic route
A route that is automatically learned and updated by a router using a routing protocol, rather than being manually configured.
Security pillar
The Security pillar is a set of best practices for designing and operating cloud systems that protect data, systems, and assets through confidentiality, integrity, and availability controls.
Public IP address
A globally unique IP address assigned to a device that allows it to communicate directly over the internet.
Extensible Authentication Protocol
Extensible Authentication Protocol (EAP) is a flexible authentication framework used in network access control, particularly in wireless and point-to-point connections, that supports multiple authentication methods without requiring changes to the underlying protocol.
Risk acceptance
Risk acceptance is a risk management strategy where an organization acknowledges a potential risk but decides to tolerate it without taking active measures to reduce or eliminate it.
Security strategy
A security strategy is a high-level plan that outlines how an organization protects its information assets, aligns security with business goals, and manages risk over time.