Security · High demand

IT Security Manager / CISO

Lead security programmes, manage risk, and govern enterprise security posture

Core certs: 3
Phases: 3
Time to entry: 8–15 years from IT entry level

Job titles: Information Security Manager, CISO, and related titles

UK salary range: £70,000–£150,000

US salary range: $120,000–$250,000


About this role

IT security managers and CISOs are responsible for an organisation's security strategy, governance, risk management, and compliance. This is a senior leadership path — most practitioners arrive here after 8–15 years in technical security roles.

Key skills employers look for

Security governance and strategy; risk frameworks (ISO 27001, NIST); compliance and audit; incident management; security budgeting and reporting; board communication

Certification roadmap

Phase 1: Technical Foundation

Security managers must have credible technical depth — usually accumulated over years in analyst or architect roles

CompTIA Security+ (SY0-701) · Foundation level · CompTIA · Study time: 6–10 weeks

The foundational security cert that most practitioners on this path hold, usually acquired years earlier in an analyst role.

Phase 2: Management-Level Security

The certs that employers screen for at manager level

ISACA CISM · Professional level · ISACA · Study time: 3–5 months

The gold standard for security managers — covers governance, risk management, incident management, and programme development. Frequently required for CISO and Head of Security roles. Requires 5 years of information security work experience.

ISC2 CISSP · Professional level · ISC2 · Study time: 4–6 months

The most globally recognised senior security credential. Covers 8 security domains from architecture to law. Complementary to CISM — many senior security leaders hold both.

Phase 3: GRC & Risk

Governance, risk, and compliance specialisation for risk-focused roles

ISACA CRISC (optional) · Professional level · ISACA · Study time: 3–5 months

Certified in Risk and Information Systems Control, a widely recognised IT risk management credential. Valued in banking, insurance, and other regulated industries where IT risk reporting to the board is a formal requirement.

Frequently asked questions

CISM or CISSP first?

CISM if you're primarily on a management track — it's more focused on governance and programme leadership. CISSP if you want broader credibility or plan to move between technical architecture and management. Both require years of qualifying experience, so they can't be rushed.
