Chapter 9: Cybersecurity Manager

This chapter focuses on cybersecurity management roles. This type of role is a mid-to-senior-level role, typically requiring years of experience both in the subject matter as well as leadership.

The following topics will be covered in this chapter:

  • What is a cybersecurity manager?
  • How much can you make in this career?
  • What other careers can this type of role lead to?
  • Certification considerations
  • Example roles
  • Common interview questions for a cybersecurity manager

What is a cybersecurity manager?

The role of a cybersecurity manager spans a broad range of types and responsibilities. At a high level, cybersecurity managers will either lead an entire cybersecurity program or a specific functional group that is part of a broader program strategy. Specifically, an organization might put a leader in place to lead their security operations program, which would include developing a strategy aligned with the desired security outcomes of the business from a tactical perspective. We will refer to this type of leader as a cybersecurity program manager.

Within the overall security operations program strategy, there will be specific functional groups responsible for the day-to-day operations and execution of the strategy, such as threat intelligence teams, security analysts, and security engineers. These functional groups also require managers, and we'll refer to these managers as cybersecurity team managers to avoid confusion.

Cybersecurity program manager

A cybersecurity program manager is an individual that effectively leads, communicates, and is responsible for an organization's cybersecurity programs. As part of a cybersecurity program's management, they are responsible for helping with the development of cybersecurity projects and infrastructure, as well as ensuring alignment with business programs and strategies. No matter how secure an organization may be, if the strategy introduces friction or roadblocks to daily operations and productivity, user adoption and executive buy-in will likely be an uphill battle.

The cybersecurity program manager is usually heavily involved with the CISO and other members of leadership to ensure that programs are in line with their vision of how security should be handled. Some of the components of a cybersecurity program are compliance, governance, security operations, asset security, and infrastructure security. These individuals are usually not involved at the operational level with all aspects of the program but more so at the strategic level, ensuring the program is running smoothly and on target.

Some of the certifications that can come in handy for an individual in this role are the following:

The types of cybersecurity programs may include, but are certainly not limited to, the following:

  • Security awareness and user training
  • Incident response
  • Security governance and risk management
  • Identity and access management
  • Security operations and security engineering
  • Software development security

Cybersecurity team manager

A cybersecurity team manager is an individual responsible for a specific team within an organization's security program and any individuals that might be reporting to them. The size or maturity of the organization usually determines the team that a cybersecurity manager might be responsible for, and/or whether they would have responsibilities at the individual contributor level while being considered a process manager.

There are several types of cybersecurity team managers; the first distinction is whether the manager is a technical manager or a people manager. Depending on the size or maturity of the company and the type of product that they are delivering/creating, companies look for technical managers who have a deep understanding of technical requirements. These technical managers often grow directly from other technical roles into this type of leadership role, becoming responsible for managing different subspecialties.

The other type of manager in this category is the people manager who has a fundamental understanding of all the technical areas but does not go as deep as the cybersecurity specialists or consultants they might be managing. On the other hand, these managers can handle the required business relations, people, and processes. They can help teams remove some of the blocks and organizational processes that would otherwise slow or stop them from delivering results.

Cybersecurity manager roles and responsibilities vary, depending on the needs of the organization. As seen in the following descriptions, some organizations may choose to align managers to specialized areas of cybersecurity, such as critical infrastructure, applications, or the cloud:

  • Critical infrastructure security manager: Cybersecurity managers in this type of role are mostly responsible for ensuring the availability of the infrastructure by performing several due diligence activities, such as assessing and mitigating risk, monitoring for potential threats, and creating and testing incident response plans.
  • Network security manager: Network security managers are typically focused on edge infrastructure and end user activity (firewall, IDS/IPS, web/content filtering, and so on) and are responsible for protecting corporate assets from external cyberattacks and insider threats. It is important that network security managers strike a balance between security and functionality, meaning that mitigating controls selected for implementation should not negatively impact employee productivity.
  • Application security manager: Application security managers are tasked with leading teams of software developers to ensure secure coding by following best practices, such as dynamic and static analysis, input validation and output sanitization, proper encryption and authentication requirements, and access control.
  • Cloud security manager: Migrating data to the public cloud introduces different data protection challenges compared to on-premises environments. One of the most common risks is data exposure resulting from a poorly defined cloud security strategy or misconfigured cloud security controls. Cloud security managers monitor cloud environments for vulnerabilities, threats, risks, and proper data access and cloud workload configuration controls.

On the other hand, cybersecurity managers could potentially be aligned to the functional areas of the cybersecurity program, such as security operations, the red team, and the blue team. The following list provides examples of cybersecurity manager roles:

  • Security Operations Center (SOC) manager: The security operations team is a critical component of a cybersecurity program. At a high level, the team is responsible for the detection of and response to threats within the corporate environment, regardless of where they are discovered within the infrastructure.

An SOC manager is responsible for managing SOC analysts, in addition to defining policies, creating and refining security operations team processes, and working with security engineers to continue to grow the organization's capabilities.

  • Blue team/red team manager: The blue team defends the enterprise. This team is responsible for monitoring and maintaining the company's security and network defense system against cyberthreats, typically by working with (defending against) the company's red team.

The red team sits on the offensive side of the cybersecurity coin. This team helps the blue team by simulating cyberattacks designed to test the effectiveness of the security controls in place.

Individuals on these teams report to their team managers, who are responsible for working together to define the scope and rules of engagement for testing the organization's defenses.

Job titles and teams

There are several different job titles managers may hold according to the https://www.cyberseek.org/pathway.html website:

  • Security manager
  • Information systems security officer
  • Information security manager
  • Security administrator
  • Information security officer

The types of cybersecurity teams may include, but are not limited to, the following:

  • Threat intelligence
  • Network security architecture
  • Digital forensics
  • Blue team analysts
  • Red team analysts

The following mind map may be helpful in understanding the different cybersecurity domains: https://www.linkedin.com/pulse/cybersecurity-domain-map-ver-30-henry-jiang.

The considerations for certifications for cybersecurity team manager roles are very similar to those for cybersecurity program managers:

  • CISSP
  • CISM and CISA
  • CompTIA Security+
  • SANS/GIAC certifications
  • Other management-focused certifications

As usual, when recommending certifications, I suggest evaluating the information and knowledge gained and the value they will add to your career. Some of the values include bypassing HR filters to demonstrate to hiring managers that you have a level of knowledge in the field, or even just personal bragging rights while learning new information.

How much can you make in this career?

Cybersecurity program managers can earn $90,000 to $150,000 on average based on their experience, location, and a number of other factors. It could definitely be higher, considering that companies who might need program managers at this level include other bonuses and financial rewards in their compensation packages.

The salary range for cybersecurity team managers is extensive, as it runs from that of an individual contributor system or process owner, starting at $60,000, right up to the top end of the spectrum at $170,000 for those managing programs and who have one or more teams of stakeholders reporting to them. The location, specialization, experience, and area of responsibility will affect the salary earned in any specific position.

What other careers can you do?

With career growth, some of the positions cybersecurity managers can look forward to will begin with additional responsibilities if they are individual contributors and only responsible for the security of one system. After managing multiple systems, managers can then begin leading teams. Continued growth usually leads to a manager becoming a director, who, in addition to being responsible for multiple managers and their direct reports, will also be responsible for additional tasks, such as budgeting for the program, road-mapping for the growth of the program, as well as interfacing with and managing the relationships of the different leaders in the business.

Common interview questions

Here are some common questions that you may face during an interview for the position of cybersecurity manager:

  • What are the different types of programs you have previously been responsible for?

Rather than simply describing the technologies and systems you have been responsible for, talk about the business problems, how specific technology was implemented to solve them, and the results achieved. For those responsible for multiple systems, discuss how the different systems were used/integrated/connected to help solve a more significant business problem and achieve results. If you are inheriting a legacy environment, discuss how you potentially optimized its use, maintained or replaced the system, and your results.

For those responsible for managing teams who then work with the systems, discuss the strategy you used to manage the team and systems, manage the business relationships, and help achieve the business mission.

  • How do you help to drive cultural changes in your security programs?

Cultural change starts with C-suite and management buy-in to start integrating security and risk-based decisions into how they run the business. It all starts with awareness of the potential impact of security issues. Risk-based choices for a company could be the following:

  • Risk-informed acceptance of a risk by the business
  • Risk avoidance by avoiding risky business areas
  • Risk mitigation by actively taking steps to reduce the risk
  • Risk transference by outsourcing aspects of a risk or using insurance
  • Risk ignorance by not acknowledging potential risks in an environment

For more information on the risk management process, see the following: https://www.pmi.org/learning/library/practical-risk-management-approach-8248.

Through security awareness both at the management level and by encouraging awareness at the individual level, risks can be effectively managed. Having awareness at the individual level makes it personally applicable to an individual, rather than just part of their work role. Making the content or awareness training engaging rather than just informational will encourage more people in the organization to adopt a cultural change.

  • How would you demonstrate root cause analysis?

Cybersecurity managers hope to work with a team that is responsible for supporting the incident response to a situation, especially with a security implication, while the technology in question might not always be something that they are managing directly. Some organizations conduct postmortems to better understand what happened during an event, what went right, what went wrong, what was the root cause (without assigning blame), and how things could be improved to avoid similar issues occurring.

"Basic problem solving. Demonstrate a methodical way of going from a symptom to root cause and correction... It allows you to gauge [the] feedback mechanism (whether a system or stakeholders or both) to validate [the] plan of action."

– Omkhar Arasaratnam

  • What would you do in order to ensure that your organization was prepared for an evaluation against a standard such as SOC 2 compliance?

With any standard, process, or assessment, it is helpful to understand the standards against which compliance or success will be measured, and then to look inside your organization to see how close the standards are to being met. Using this gap assessment will guide the rest of the implementation.

Service Organization Control 2 (SOC 2) is a set of compliance requirements and auditing processes targeted at third-party service providers that helps companies understand external risks. You are now the third-party vendor for another company, and they are looking at this report to help analyze the risk they will be assuming by partnering with your organization. It helps companies determine whether their business partners and vendors can securely manage data and protect the interests and privacy of their clients.

SOC 2 was developed by the American Institute of Certified Public Accountants (AICPA) (https://www.aicpa.org/). Within its processes, there are two types of SOC 2 reports:

  • SOC 2 Type 1 details the systems and controls you should have in place for security compliance. In order to prepare for this audit, you will need to provide auditors with evidence of these systems and controls and allow them to verify whether you meet the relevant trust principles. Think of this as a point-in-time verification of controls.
  • However, as a good cybersecurity manager, you should strive to ensure that these controls continue to be maintained or grow in maturity over time. This will prepare you for the next type of assessment.
  • SOC 2 Type 2 – in this assessment, the auditor assesses how effective your program's processes are at providing the desired level of data security and management over a period of time.

By planning to have validation of your controls continuously monitored, you will be able to ensure that your controls function as designed. Additionally, as you use the monitoring data to make improvements, you can add automated reporting to encourage the growth and implementation of the controls.

Security compliance programs such as SOC 2 should just be a baseline for an organization.

The major focus areas of the SOC 2 standard (the AICPA's trust services criteria) are listed as follows. In order to be successful, you should be able to demonstrate to the auditor that you meet the criteria that the AICPA has set:

  • Security: The organization's system must have controls in place to safeguard against unauthorized physical and logical access. Be careful not to overlook controls for physical access and to understand the shared responsibility model when using cloud services.
  • Availability: The system must be available for operation and must be used as agreed. Whether you're using cloud services or your own systems, be sure to test failover capabilities and ensure that they function as intended.
  • Processing integrity: System processing must be complete, accurate, well-timed, and authorized.
  • Confidentiality: Information held by the organization that is classified as confidential by a user must be protected. Having a proper data definition and classification procedure from the beginning is extremely helpful compared to implementing one after a protection mechanism has already been deployed.
  • Privacy: All personal information that the organization collects, uses, retains, and discloses must be in accordance with its privacy notice and principles. These are specified by the AICPA and the Canadian Institute of Chartered Accountants (CICA). As global privacy standards expand, be sure to consider the implications they will have for your business models. For example, while you might not be doing business in Europe, you may still be subject to the General Data Protection Regulation.

SOC 2 is just one of many compliance standards that you might look to apply in your organization. The key is to use them as a baseline for your security program, not a high watermark.

  • How do I develop a cybersecurity strategy for my program?

The development of a cybersecurity strategy is, at its heart, an alignment with the business strategy. The first step is talking to business leaders and seeing where the business is heading or where it needs improvement, and then developing a strategy from that. For example, if your salespeople are informing you that the lack of a SOC 2 report is preventing them from working with larger clients, a solution for that could be included in the strategy. If your developers are looking to start bringing development in-house, you could help them with integrating security checkpoints during the SDLC process to find bugs or coding issues before they become vulnerabilities.

Based on the desired future state of the business, you can conduct a gap assessment that will help you look at the work needed to complete objectives. Ensure that you check with each of the lines of business for as much alignment as possible. It may even be possible to get them to pay for your security strategy if it helps with achieving their objectives. Once alignment is achieved, ensure that a buffer in the budget is included for dealing with unexpected incidents. In the event of budget cuts, ensure that you make management aware of functionalities or advances they will be sacrificing. To cover yourself, get decisions regarding budget cuts confirmed in writing/email in case they lead to a problem in the future.

  • How do cybersecurity program managers ensure alignment with business priorities?

As program manager, you are responsible for ensuring that projects deployed within a cybersecurity program meet an organization's business needs as a whole. This organizational overview starts with clarifying the intent of the cybersecurity project and understanding the business problems they are looking to solve. The program manager must act as a business partner and influencer, delivering on their programs. They need to know what is happening within different lines of the business and the potential impact changes can have on the program.

While it is helpful for this individual to be more technically minded so that they can look at the changing technological landscape, future technologies, and how they can help to optimize their portfolio, it is not always necessary. Lack of technical understanding can be supplemented with the support of a team and/or outside consultants. Program management needs to be forward-thinking in helping businesses achieve their goals and have its finger on the pulse of current technology.

One of the early stages of this includes working with different lines of the business, understanding the impact of these changes (positive/negative), and then providing a top-level assessment before a project sponsor signs off on a project. At the more significant organization level, changes to applications or services provided by the security department can have a knock-on effect on the workflow in different lines of the business, and this needs to be thoroughly understood and made a part of any risk-based decision before a project is approved or implemented. Starting with pilot programs can be a great way to test the effects of such changes within an organization and limit the results to a small subset.

  • How do cybersecurity program managers work to ensure that they can enable business programs?

The most critical aspect of a cybersecurity program manager's role is understanding a business application portfolio and ensuring that they can enable an optimized business mission by implementing security controls and procedures appropriately. This means thinking ahead and remaining aligned with future business strategies and initiatives, ensuring the company's level of cyber-resilience improves (or, at a minimum, gets maintained) as it continues to evolve.

For example, suppose your company is primarily on-premises in aging data centers and looking into ways of using cloud service providers (CSPs) to help it migrate to a more scalable and resilient operating model. In that case, the cybersecurity program should be helping in that journey to enable secure options as the company shifts its business model. Whether it is considering Platform as a Service (PaaS), Infrastructure as a Service (IaaS), or Software as a Service (SaaS), work with them to understand the shared responsibility models from each of the cloud providers so that they know their areas of responsibilities versus the CSP and where potential risks lie.

This responsibility includes understanding and working with the CISO and other security leaders on what changes they need to implement to optimize the business or update their security tools to meet changing needs.

  • How do you set up an application security program?

When working with developers or setting up an application security-focused security program, the concept of shifting as far left as possible is usually the first thing that comes to mind. When you are thinking about it from a people-process-technology perspective, starting with people is the first step you'll want to consider.

Let's say, for example, that developers are working with you to start addressing things such as preferred coding languages, their thoughts on security, providing developer-focused security training, and so on. Supposing you have the data or statistics on the most common vulnerabilities discovered in their code in the past year, you can use them as examples with a member of the red team, showing how those vulnerabilities are exploitable. If you don't have that data, you could start with the OWASP Top 10 vulnerabilities (https://owasp.org/Top10/). Providing developers with context and training on how to reduce those vulnerabilities and become security experts themselves expands the reach of the security department.

Combining processes and tools helps to complete a cycle by providing the right tools at the right time. Let's start with the Integrated Development Environment (IDE); by providing tools that can help identify potential errors and vulnerabilities during coding, together with secure code training, you reduce the need for code to be reworked later as a bug or vulnerability. Next, having quick Static Application Security Testing (SAST) at the unit level ensures that code doesn't have glaring vulnerabilities. As the code comes together, having Dynamic Application Security Testing (DAST), Runtime Application Self-Protection (RASP), mobile code scanning, and scanning of containers, images, software repositories, and libraries makes the coverage more holistic.

It is beneficial to have a working group of development and security leaders deciding on the standards and their implications, and on the change management approach for applications that might have vulnerabilities and whether they are approved to be deployed into an environment. There will be times when a business will need to deploy an application with known exposures to meet business needs. This working group can help with compensating controls for the environment and a business-as-usual remediation plan for any necessary software improvements.

  • How do you measure success in your security program?

Measurement of the success of a security program should be based on the people, process, and technology involved in the business. At the people level, the focus is organizational culture, which usually centers on the security awareness program. At the process level, the focus should be on business enablement, while at the technology level, it should be how security aids in securing the various levels of the organization's technology footprint.

While each company will have different metrics depending on its size, maturity, and industry, ultimately they should focus on how the security program has helped to mitigate or minimize risks for their company.

Helping the company's stakeholders implement security practices in their daily lives, whether that be at home or work, will help drive safe behaviors with technology. For example, providing users with password managers for personal use will make them feel more comfortable and minimize the harmful habit of password reuse. Many password managers include Two-Factor Authentication (2FA) features that allow them to display a rotating second-factor authentication token, helping to add a layer of security compared to simply using a username and password. Other aspects of assisting the people layer of an organization relate to helping them identify potential phishing emails and scams. Phishing and cons are increasingly arriving via social media and SMS, so helping employees be safe in their personal lives will also improve their behavior at work.

As mentioned previously, implementing secure password use and multi-factor authentication processes encourages the use of safe methods and mitigates risks around user identity takeovers and password reuse. Technology is also implemented as part of that process to help secure user identities. Some measurements you can look for are a reduction in account takeovers, a reduction in clicks on phishing emails, and an increase in the reporting of phishing emails.

This people-and-process approach should be used as a model for all other aspects of the business, and measuring success should minimize unsafe practices.

Improvements in vulnerability management programs should be made following a similar approach – understanding what can help improve processes and providing people with the necessary training and resources to improve outcomes. Measuring the ability of your team to mitigate known vulnerabilities within or before their assigned SLAs will demonstrate your program's ability to manage and reduce risks in this area.

  • How do you manage vulnerability management programs and the risk management involved?

At the program level, one of the many challenges an organization faces is ensuring that it has an excellent vulnerability management program, followed by program execution that leads to effectively managing the identified risks. There are a couple of foundational elements of vulnerability management program management that we need to cover before discussing how we would manage the risk surrounding it for the organization.

The foundation of any vulnerability management program starts with an asset management program. The first two of the CIS Critical Security Controls (https://www.cisecurity.org/controls/cis-controls-list), inventory and control of enterprise assets and inventory and control of software assets, demonstrate how important asset management is to an organization, as they sit at the top of the list. A good vulnerability management program needs a solid asset inventory management program that includes software, hardware, and an understanding of the implications of third-party software (having a software bill of materials helps to understand this: https://www.ntia.gov/SBOM) and services. This asset management program will allow you to understand all of the hardware, software, code, and other things that are within an organization's boundaries. Managers need to understand the current software or firmware levels of all these assets, what patches are available for the assets, and the potential vulnerabilities that remain unpatched.

Sometimes, patches can break functionality or interoperability between assets. As software and hardware vendors release patches or updates to their software or hardware, it is crucial to understand the vulnerability that the patch or update is looking to mitigate and whether it might break any functionality or interoperability between other assets in an environment. It is recommended that a patch be tested in a restricted sandbox environment to ensure that it works before rolling it out to the network.

Other aspects of vulnerability management that need to be considered are the prioritization of the application of the patches and the associated downtime, followed closely by understanding the resources from the different aspects of the business that would be responsible for the application process. Often, the resources responsible for the application of the patches are not under the responsibility of the vulnerability management program. The program needs to develop an organizationally accepted service-level agreement (SLA) and work with resources to ensure that the patches are applied within the appropriate time frame.

Organizations need to develop a criticality rating (for example, critical, high, medium, and low) for vulnerabilities and a time frame within which the corresponding patches must be applied. This SLA is usually based on the criticality of the vulnerability that the patch remediates. Some companies have developed a 7, 30, 60, and 90-day approach for applying the appropriate patches. Unfortunately, that does not consider the compensating controls within the organizational environment, so while a vulnerability might be rated as critical externally without controls, its effective rating inside the environment might be different.
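As an added example (not from the chapter), the following Python sketch turns the SLA and criticality ideas above, and the SLA-compliance metric from the success-measurement question earlier, into something a manager can report on: the 7/30/60/90-day windows, a constructed policy that lowers the effective criticality one step per documented compensating control, and a per-severity tally of findings remediated within SLA. The policy, asset names and vulnerability ids are all assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Remediation SLA per effective criticality, in days (the 7/30/60/90-day approach
# the chapter mentions; the numbers are a policy choice, not a standard).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 60, "low": 90}
SEVERITY_ORDER = ["low", "medium", "high", "critical"]


@dataclass
class Finding:
    asset: str
    vuln_id: str                       # constructed placeholder, not a real CVE
    external_severity: str             # scanner/vendor rating, no environment context
    discovered: date
    remediated: Optional[date] = None
    compensating_controls: tuple = ()  # documented controls reducing exposure


def effective_severity(f: Finding) -> str:
    """Assumed policy: each documented compensating control lowers the external
    rating one step (e.g. a 'critical' on a host with no internet exposure and a
    host IPS becomes 'medium'), but never below 'low'."""
    if f.external_severity not in SEVERITY_ORDER:
        raise ValueError(f"unknown severity: {f.external_severity}")
    idx = SEVERITY_ORDER.index(f.external_severity)
    return SEVERITY_ORDER[max(0, idx - len(f.compensating_controls))]


def due_date(f: Finding) -> date:
    """SLA deadline derived from the effective (not external) criticality."""
    return f.discovered + timedelta(days=SLA_DAYS[effective_severity(f)])


def sla_status(f: Finding, today: date) -> str:
    """met / missed for remediated findings; open / overdue for unpatched ones."""
    due = due_date(f)
    if f.remediated is not None:
        return "met" if f.remediated <= due else "missed"
    return "open" if today <= due else "overdue"


def sla_report(findings, today: date) -> dict:
    """Per effective severity: counts by status plus the share of closed findings
    remediated within SLA, the metric the chapter suggests tracking."""
    report = {}
    for f in findings:
        sev = effective_severity(f)
        bucket = report.setdefault(sev, {"met": 0, "missed": 0, "open": 0, "overdue": 0})
        bucket[sla_status(f, today)] += 1
    for bucket in report.values():
        closed = bucket["met"] + bucket["missed"]
        bucket["within_sla_pct"] = round(100 * bucket["met"] / closed, 1) if closed else None
    return report


# Constructed sample inventory; asset names and vulnerability ids are placeholders.
TODAY = date(2024, 3, 15)
SAMPLE = [
    Finding("web-01", "VULN-0001", "critical", date(2024, 3, 1), remediated=date(2024, 3, 5)),
    Finding("db-02", "VULN-0002", "critical", date(2024, 3, 1),
            compensating_controls=("no internet exposure", "host IPS signature")),
    Finding("hr-app", "VULN-0003", "high", date(2024, 1, 20), remediated=date(2024, 3, 1)),
    Finding("vpn-gw", "VULN-0005", "high", date(2024, 1, 1)),
    Finding("kiosk-7", "VULN-0004", "low", date(2024, 2, 1)),
]

if __name__ == "__main__":
    for f in SAMPLE:
        print(f.asset, f.vuln_id, effective_severity(f), due_date(f), sla_status(f, TODAY))
    print(sla_report(SAMPLE, TODAY))
```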

As a potential cybersecurity manager, during your interview, it becomes critical that you pull back from the interviewer's line of questioning and discuss these points:

  • Where are the pain points of the security program and the business?
  • What have they done to address them, and what have they tried that's failed?
  • How can you help them solve their issues?

Summary

In this chapter, you learned what a cybersecurity manager is, their average salaries in the United States, certifications to consider, career path options, role types, and common questions you might be asked during an interview. Be sure to understand the difference between roles that require more people leadership than technical leadership and vice versa, as well as whether the role is more specialized or functional in nature.

In the next chapter, we will turn our attention to a role that is one of the industry's best-kept secrets – cybersecurity sales engineer.
