Principal/Manager (12-16 years)

Information Security Manager

You'll be the person running our day-to-day security operations, making sure our systems are locked down tight. This means leading the team, owning the security roadmap, and translating all that technical jargon into plain English for the rest of the business. Honestly, you're the shield that protects our digital crown jewels, balancing real-world threats with business needs. It's a big job, and it's always interesting, never boring.

Job ID: JD-INSE-MGRINSE-005
Department: Technical Roles
NOS Level: Level 5
OFQUAL Level: Level 7-8
Experience: Principal/Manager (12-16 years)

Role Purpose & Context

Role Summary

The Information Security Manager is responsible for building, running, and continuously improving our company's security programmes. You'll lead a team of talented security professionals, making sure they've got what they need to protect our systems and data. Day-to-day, you'll be at the coalface, ensuring our security controls are actually working, responding to incidents, and generally keeping us safe from the bad actors out there. This role sits right at the heart of our technical operations, bridging the gap between deep technical defence and broader business strategy. When you do this well, our systems remain secure, our data stays private, and our customers trust us implicitly. If it's not done well, frankly, we're looking at potential breaches, regulatory fines, and a massive hit to our reputation – which, let's be real, no one wants. The tricky part is constantly adapting to new threats while also making sure security doesn't become a blocker for innovation. The reward, though? Knowing you're protecting the business, building a strong team, and genuinely making a difference in a constantly evolving landscape. You're not just preventing problems; you're enabling the business to grow securely.

Reporting Structure

Key Stakeholders

Internal:

External:

Organisational Impact

Scope: This role directly impacts our operational resilience, regulatory compliance, and overall brand reputation. You're responsible for keeping our digital assets safe, which means you directly influence our ability to operate without disruption, avoid hefty fines, and maintain customer trust. Get it right, and the business thrives. Get it wrong, and the consequences can be catastrophic, affecting everything from revenue to employee morale.

Performance Metrics

Quantitative Metrics

  1. Metric: Risk Reduction Score
     Desc: Demonstrate a measurable reduction in the quantified financial risk across the organisation, typically calculated using a framework such as FAIR (Factor Analysis of Information Risk).
     Target: Achieve a 15% reduction in overall quantified financial risk year-over-year.
     Freq: Quarterly and Annually
     Example: If our Annualised Loss Expectancy (ALE) for critical assets was £2M at the start of the year, we'd aim to bring that down to £1.7M by year-end through effective control implementation and risk mitigation.
  2. Metric: Audit & Compliance Findings
     Desc: The number and severity of findings from internal and external security audits (e.g., SOC 2, ISO 27001).
     Target: Achieve zero material findings and reduce the number of minor findings by 25% on major audits.
     Freq: Per Audit Cycle (typically annually)
     Example: Pass our annual ISO 27001 audit with no major non-conformities and only 2-3 minor observations, down from 5-6 the previous year.
  3. Metric: NIST CSF Maturity Improvement
     Desc: Improvement in the organisation's overall NIST Cybersecurity Framework Implementation Tier. NIST describes the Tiers as a characterisation of how rigorous and integrated risk-management practices are rather than a formal maturity model, but we use them as our maturity proxy.
     Target: Move from 'Tier 2: Risk Informed' to 'Tier 3: Repeatable' within 18 months.
     Freq: Bi-annually
     Example: Move from ad-hoc incident response processes to documented, tested playbooks and a clear reporting structure, pushing our 'Respond' function up a tier.
  4. Metric: Security Budget Adherence
     Desc: Manage the security operational and capital budget effectively, staying within allocated funds.
     Target: Manage the security budget to within 5% of the annual plan, identifying cost efficiencies where possible.
     Freq: Monthly and Quarterly
     Example: End the fiscal year having spent £950K of a £1M budget, demonstrating careful resource allocation and cost control without compromising security effectiveness.
  5. Metric: Mean Time to Respond (MTTR)
     Desc: The average time from detection to containment and eradication of a security incident.
     Target: Reduce MTTR for critical (P1/P2) incidents by 15% quarter-over-quarter.
     Freq: Monthly
     Example: If our average MTTR for a P1 incident was 4 hours last quarter, we'd aim to bring that down to 3 hours 24 minutes this quarter through improved automation and team training.

Qualitative Metrics

  1. Metric: Team Effectiveness & Morale
     Desc: How well your team functions, their professional growth, and overall satisfaction.
     Evidence: Regular 1:1s showing clear development plans, positive feedback in internal engagement surveys, low voluntary attrition rates within the security team, and successful completion of team-led projects. You'll see your team members stepping up and taking initiative, not just waiting for instructions.
  2. Metric: Stakeholder Trust & Collaboration
     Desc: The level of trust and willingness to collaborate shown by other departments (e.g., Engineering, Product, Legal) towards the security team.
     Evidence: Other teams proactively involving security early in project planning, seeking your advice on new initiatives, positive feedback from cross-functional peers, and security being seen as an enabler rather than a blocker. You'll be invited to the table, not just brought in when there's a problem.
  3. Metric: Strategic Influence
     Desc: Your ability to influence broader business strategy with security considerations, ensuring security is built-in, not bolted on.
     Evidence: Security considerations being integrated into product roadmaps and architectural decisions from the outset, your recommendations being adopted by senior leadership, and security being a regular topic in executive discussions. Your input isn't just heard; it's acted upon.
  4. Metric: Programme Maturity & Documentation
     Desc: The robustness and clarity of security policies, procedures, and documentation.
     Evidence: Well-maintained and easily accessible security policies, up-to-date incident response playbooks, clear risk registers, and comprehensive architectural diagrams. Auditors should find our documentation clear and complete, making their job easier.

Primary Traits

Supporting Traits

Primary Motivators

  1. Motivator: Protecting the Organisation
     Daily: You'll feel a deep sense of satisfaction knowing that the policies you've implemented, the tools you've deployed, and the team you've led have prevented a real-world attack. Every day is a chance to build a stronger defence and safeguard our assets.
  2. Motivator: Building and Mentoring a High-Performing Team
     Daily: You'll get a real buzz from seeing your team members grow, develop new skills, and take on more responsibility. You're motivated by creating a collaborative environment where everyone learns from each other and contributes to a shared mission.
  3. Motivator: Solving Complex, Evolving Problems
     Daily: The ever-changing threat landscape and the challenge of securing complex technical environments will keep you engaged. You thrive on figuring out how to secure new technologies, adapt to new attack vectors, and continuously improve our defences.

Potential Demotivators

Honestly, this role isn't for everyone. If you need things to be perfectly ordered, predictable, or if you expect every single security recommendation to be adopted immediately, you'll probably struggle. You'll spend a lot of time advocating, educating, and sometimes, frankly, battling against inertia. The 'urgent' request that disrupted your Thursday will get deprioritised on Friday because something else came up. You'll build a beautiful security programme that gets watered down because the business moved on, or budget was reallocated. If you need to see every piece of work make it to production exactly as you envisioned, you'll find this tough.

Common Frustrations

  1. The 'Department of No' Stigma: Constantly battling the perception that security's only function is to block business initiatives and slow down development, rather than enable secure growth.
  2. Budgeting for a Non-Event: The immense difficulty of justifying a multi-million pound budget to prevent a catastrophic event that, thankfully, hasn't happened yet.
  3. Shadow IT Ambush: Discovering a business-critical SaaS application, holding sensitive customer data, that was purchased on a credit card by the marketing department without *any* security review.
  4. DevSecOps Theatre: Engineering teams claiming to be 'doing DevSecOps' by running a scanner, but then ignoring 90% of the findings to meet release deadlines.
  5. Vendor Hype vs. Reality: Wasting weeks on a proof-of-concept for a 'Next-Gen AI' security tool that turns out to be little more than a fancy dashboard on top of basic signature matching.
  6. The Inevitable Weekend Call: Knowing that your phone will ring at 2 AM on a Saturday for a critical incident, regardless of your vacation plans or personal life.

What the Role Doesn't Offer

  1. A purely technical, hands-on coding role – you'll be leading and managing more than building.
  2. A static, predictable environment – the threat landscape is constantly changing, meaning your priorities will too.
  3. Guaranteed immediate adoption of every security recommendation – you'll need to influence and negotiate.
  4. A role where you can avoid difficult conversations with senior stakeholders or other departments.

ADHD Positives

  1. The fast-paced, incident-driven nature of security can be incredibly engaging, providing constant novelty and problem-solving opportunities that suit an ADHD brain.
  2. Hyperfocus can be a superpower during a critical incident, allowing you to dive deep into logs and threat intelligence to quickly identify solutions.
  3. The need for creative, 'outside the box' thinking to anticipate and counter new threats is highly valued.

ADHD Challenges and Accommodations

  1. Managing multiple long-term programmes and administrative tasks can be challenging; we can help with structured project management tools and executive assistants for some admin.
  2. Maintaining focus during lengthy policy reviews or GRC documentation can be tough; breaking these tasks into smaller, time-boxed sprints can help.
  3. We can offer flexible work arrangements to help manage energy levels and provide quiet spaces for focused work when needed.

Dyslexia Positives

  1. Strong spatial reasoning and pattern recognition skills, often associated with dyslexia, are invaluable for identifying anomalies in security logs and understanding complex network architectures.
  2. Excellent verbal communication skills can be a huge asset when presenting complex security concepts to non-technical audiences or leading incident calls.
  3. A holistic, big-picture thinking approach helps in understanding interconnected systems and potential attack paths.

Dyslexia Challenges and Accommodations

  1. Extensive documentation, policy writing, and report generation might be slower; we encourage the use of AI writing tools (more on this below) and offer proofreading support.
  2. Reading dense technical specifications or legal documents can be tiring; we provide access to text-to-speech software and encourage visual aids where possible.
  3. We're happy to discuss any specific software or tools that could aid in reading, writing, or organisation.

Autism Positives

  1. A methodical, logical approach to problem-solving is crucial in information security, especially during incident analysis and forensic investigations.
  2. An ability to focus deeply on technical details and spot inconsistencies that others might miss is a significant advantage in identifying vulnerabilities.
  3. Direct and honest communication, often a trait, is highly valued in a security context where clarity and accuracy are paramount.

Autism Challenges and Accommodations

  1. Navigating complex social dynamics and political influencing can be draining; we'll provide clear expectations for stakeholder engagement and support in these interactions.
  2. Unexpected changes or urgent incidents can be disruptive; we aim for clear communication about shifting priorities and provide structured playbooks for incident response.
  3. We can offer a consistent work environment, clear communication channels, and support for managing sensory input (e.g., noise-cancelling headphones, quiet workspaces).

Sensory Considerations

Our office environment is typically a modern open-plan space, which can sometimes be active. However, we also offer dedicated quiet zones, meeting rooms, and the flexibility for remote work to help manage sensory input. We're happy to discuss specific needs to ensure your workspace is comfortable and productive.

Flexibility Notes

We believe in output over presence. We offer flexible working hours and a hybrid remote/office model. We understand that life happens, and we're committed to supporting our team members to do their best work in a way that suits them.

Key Responsibilities

Experience Levels Responsibilities

  Level: Information Security Manager (L5)
  Responsibilities:
    1. Set the vision and strategy for specific security programmes (e.g., Vulnerability Management, Cloud Security, Incident Response) aligned with the overall security roadmap and business objectives. You'll be thinking 12-18 months out, not just next week.
    2. Build and lead a high-performing security team. This means hiring, mentoring, performance managing, and ensuring your team has the skills and resources they need to excel. You're responsible for their growth and development.
    3. Own the budget for your security programmes, typically ranging from £500K to £2M annually. This includes vendor selection, contract negotiation, and making sure we're getting the best value for our security investments.
    4. Drive the transformation of our security posture by identifying gaps, proposing solutions, and overseeing their implementation. This isn't just about maintaining; it's about continuous improvement and innovation.
    5. Translate complex technical risks into clear, actionable business language for senior leadership and other departments. You'll be presenting to the CTO, Head of Product, and sometimes even the board's audit committee.
    6. Manage relationships with key security vendors and external partners, ensuring they deliver on their commitments and provide the support we need. You're the primary contact for these strategic relationships.
    7. Lead the response to major security incidents, acting as the incident commander. This means coordinating technical teams, communicating with leadership, and making critical decisions under pressure to minimise impact.
  Supervision: You'll operate with a high degree of autonomy, managing your programmes and team with quarterly objectives and strategic alignment meetings with the Director of Information Security. Day-to-day, you're self-directed and accountable for your outcomes.
  Decision: You have full authority for your functional domain: budget allocation up to £1M, hiring and firing decisions within your team, vendor selection up to £250K, and approval of security architecture designs within your programme scope. Any decisions impacting P&L above £1M or requiring significant organisational change will need consultation with the Director of Information Security and potentially the CTO.
  Success: Success looks like a demonstrable improvement in our security posture, a highly effective and engaged security team, and strong, trusted relationships with internal and external stakeholders. Your programmes will be robust, well-documented, and consistently delivering against their objectives, ultimately reducing our overall business risk.

Decision-Making Authority

Save 15-25 hours weekly, giving you more time to focus on strategy and team development.

Let's be honest, the security world is moving at lightning speed, and there's never enough time in the day. That's where AI comes in. We're not talking about replacing people; we're talking about giving you a serious superpower to cut through the noise and focus on what truly matters.

Tool: Alert Triage Automation

Benefit: Use an AI-powered SOAR (Security Orchestration, Automation, and Response) tool to automatically enrich incoming alerts with threat intelligence, user context, and asset criticality. The AI can close out 60-70% of low-fidelity alerts without human intervention, meaning your team focuses on real threats, not false positives. This frees up your senior analysts significantly. The practitioner's caveat: every automated closure should be logged with the reasons for it, a sample should be reviewed by an analyst each week, and anything touching a critical asset or a threat-intel hit should always be escalated rather than closed, so that tuning drift never quietly suppresses true positives.
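The enrichment-and-triage logic described above, as an added worked example (this is illustrative code written for this page, not a vendor's SOAR product or anything from the original job description). It assumes a hypothetical alert record shape, a constructed asset inventory and a constructed threat-intel indicator list; in practice those would come from the SIEM, the CMDB and a TI platform. The point it demonstrates is the shape of a safe auto-close policy: a score built from enrichment, a threshold for closure, hard guardrails that override the score, and an audit trail for every decision.

```python
"""Constructed example: rule-based alert triage with enrichment and guarded auto-close."""
from dataclasses import dataclass, field

# Constructed asset inventory: hostname -> criticality (1 = low, 5 = crown jewels).
ASSET_CRITICALITY = {
    "web-01": 3,
    "db-cust-01": 5,      # customer database: guardrail says never auto-close
    "laptop-jdoe": 2,
}

# Constructed threat-intel indicators (documentation-range IPs, not real attackers).
TI_BAD_IPS = {"203.0.113.7"}

# Constructed sample alerts in a hypothetical SIEM export shape.
SAMPLE_ALERTS = [
    {"id": "A1", "rule": "port_scan", "src_ip": "198.51.100.4", "host": "web-01", "severity": "low", "user": None},
    {"id": "A2", "rule": "port_scan", "src_ip": "203.0.113.7", "host": "web-01", "severity": "low", "user": None},
    {"id": "A3", "rule": "failed_logins", "src_ip": "198.51.100.9", "host": "db-cust-01", "severity": "low", "user": "svc_backup"},
    {"id": "A4", "rule": "malware_quarantined", "src_ip": None, "host": "laptop-jdoe", "severity": "medium", "user": "jdoe"},
]

AUTO_CLOSE_THRESHOLD = 30  # assumed tuning value; set from your own false-positive data


@dataclass
class Triage:
    alert_id: str
    score: int
    decision: str                 # "auto_close" or "escalate"
    reasons: list = field(default_factory=list)


def enrich(alert, ti_ips, assets):
    """Attach the three context signals the text names: TI hit, asset criticality, user context."""
    return {
        "ti_hit": alert.get("src_ip") in ti_ips,
        # Unknown asset: assume medium rather than low, so gaps in the CMDB do not lower risk.
        "asset_criticality": assets.get(alert.get("host"), 3),
        # Assumed naming convention: service accounts are prefixed "svc_".
        "privileged_user": bool(alert.get("user")) and alert["user"].startswith("svc_"),
    }


def score_alert(alert, enrichment):
    """Base score from rule severity, raised by each enrichment signal."""
    score = {"low": 10, "medium": 40, "high": 70, "critical": 100}[alert["severity"]]
    reasons = []
    if enrichment["ti_hit"]:
        score += 50
        reasons.append("source IP matches threat intel")
    score += enrichment["asset_criticality"] * 5
    if enrichment["privileged_user"]:
        score += 20
        reasons.append("privileged/service account involved")
    return score, reasons


def triage(alert, ti_ips=TI_BAD_IPS, assets=ASSET_CRITICALITY):
    """Decide auto_close vs escalate. Guardrails win over the score."""
    e = enrich(alert, ti_ips, assets)
    score, reasons = score_alert(alert, e)
    if e["ti_hit"] or e["asset_criticality"] >= 5:
        decision = "escalate"
        reasons.append("guardrail: TI hit or critical asset, never auto-closed")
    elif score < AUTO_CLOSE_THRESHOLD:
        decision = "auto_close"
        reasons.append(f"score {score} below threshold {AUTO_CLOSE_THRESHOLD}")
    else:
        decision = "escalate"
        reasons.append(f"score {score} at or above threshold {AUTO_CLOSE_THRESHOLD}")
    return Triage(alert["id"], score, decision, reasons)


def triage_all(alerts=SAMPLE_ALERTS):
    """Triage a batch and return the decisions plus an audit trail for analyst sampling."""
    results = [triage(a) for a in alerts]
    audit = [(r.alert_id, r.decision, r.reasons) for r in results]
    return results, audit


if __name__ == "__main__":
    for r, _ in zip(*triage_all()):
        print(r.alert_id, r.decision, r.score, "; ".join(r.reasons))
```

On the constructed batch only A1 (a low-severity scan against a medium-criticality host with no TI hit) is closed automatically; A2 and A3 are escalated by the guardrails even though A2's rule is identical to A1's, and A4 escalates on score. The `audit` list is what you would feed the weekly sampling review.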

Tool: Threat Intelligence Synthesis

Benefit: Point an AI model at dozens of daily threat intelligence feeds (blogs, government alerts, vendor reports). The AI generates a concise daily summary highlighting TTPs and vulnerabilities relevant *only* to our specific tech stack and industry. This means you and your team get tailored, actionable intelligence in minutes, saving hours of manual review and helping you make quicker, more informed strategic decisions.

Tool: Policy & Procedure Generation

Benefit: Use a generative AI to create a solid first draft of new security policies or procedures (e.g., 'Acceptable Use of AI Tools' or an updated Incident Response Playbook). You provide the key principles and requirements, and the AI generates a comprehensive, structured document that you can then refine and tailor. This cuts down the tedious drafting time dramatically, letting you focus on the substance.

Tool: Executive Summary Drafting

Benefit: After a security incident, feed the technical timeline, logs, and remediation steps into an AI model. Prompt it to 'Write a 3-paragraph executive summary for a non-technical board of directors, focusing on business impact, containment actions, and next steps.' This creates a solid first draft, removing technical jargon and ensuring clear, concise communication to senior leadership, saving you valuable time during a stressful period. Use an approved model deployment for this and strip credentials, tokens and personal data from the logs before submission; incident material is itself sensitive, and an unvetted third-party service is not the place to put it.

Weekly time savings potential: Expect to save 15-25 hours weekly across your team's operational tasks and your own strategic reporting.
Typical tool investment: You'll typically use 3-5 core AI-powered tools and platforms, some integrated into existing security tools, others standalone.

Competency Requirements

Foundation Skills (Transferable)

Beyond the technical wizardry, a great Information Security Manager needs a solid set of foundational skills. These are the human elements that make the difference between a good manager and a truly exceptional one – especially when you're dealing with high stakes and complex problems.

Functional Skills (Role-Specific Technical)

This is where your deep security knowledge comes into play. You'll need to be well-versed in the core methodologies and tools that underpin a robust information security programme. We're looking for someone who doesn't just know these concepts but can strategically apply them and lead a team in their implementation.

Technical Competencies

Digital Tools

Industry Knowledge

Regulatory Compliance Regulations

Essential Prerequisites

Career Pathway Context

Think of this as the natural next step from a Lead Security Engineer. You've mastered the technical craft, you've led projects, and now you're ready to step up and own entire programmes, manage people, and influence the broader security strategy. It's about shifting from 'how do we build this securely?' to 'what security capabilities do we need, and how do we get them?'

Qualifications & Credentials

Emerging Foundation Skills

Advancing Technical Skills

Future Skills Closing Note

Your technical foundation is your superpower, but as an Information Security Manager, you're learning to wield it strategically. It's about enabling your team, making smart technology choices, and ensuring our security posture is future-proofed against an ever-evolving threat landscape. This isn't about doing all the hands-on work yourself; it's about leading the charge.

Education Requirements

Experience Requirements

You'll need roughly 12-16 years of progressive experience in information security, with at least 3-5 years in a leadership or managerial capacity where you were responsible for a team and specific security programmes. This isn't your first rodeo; you've seen a few incidents, managed a few projects, and you're ready to step up and own a significant part of our security defence.

Preferred Certifications

Recommended Activities

Career Progression Pathways

Entry Paths to This Role

Career Progression From This Role

Long Term Vision Potential Roles

Sector Mobility

Your skills as an Information Security Manager are highly transferable across almost any industry, from finance and healthcare to technology and government. The core principles of protecting information and managing risk are universal, though the specific regulatory and technical contexts will vary. This role gives you a fantastic foundation for a long and impactful career.

How Zavmo Delivers This Role's Development

DISCOVER Phase: Skills Gap Analysis

Zavmo maps your current competencies against all requirements in this job description through conversational assessment. We evaluate your foundation skills (communication, strategic thinking), functional skills (risk management, incident response leadership, vendor negotiation), and readiness for career progression.

Output: Personalised skills gap heat map showing strengths and priorities, estimated time to competency, neurodiversity accommodations.

DISCUSS Phase: Personalised Learning Pathway

Based on your DISCOVER results, Zavmo creates a personalised learning plan prioritised by impact: foundation skills first, then functional skills. We adapt to your learning style, pace, and neurodiversity needs (ADHD, dyslexia, autism).

Output: Week-by-week schedule, each module linked to specific job responsibilities, checkpoints and milestones.

DELIVER Phase: Conversational Learning

Learn through conversation, not boring modules. Zavmo uses 10 conversation types (Socratic dialogue, role-play, coaching, case studies) to build competence. Practise difficult board and audit-committee presentations, negotiate tough vendor contracts, and run incident-commander calls in a safe AI environment before facing the real thing.

Example: "For 'Stakeholder Mapping', Zavmo will guide you through analysing a complex cross-functional security initiative, identifying the key decision-makers in Engineering, Product and Legal, and building an engagement strategy."

DEMONSTRATE Phase: Competency Assessment

Zavmo automatically builds your evidence portfolio as you learn. Every conversation, practice scenario, and application example is captured and mapped to NOS performance criteria. When ready, your portfolio supports OFQUAL qualification claims and demonstrates competence to employers.

Output: Competency matrix, evidence portfolio (downloadable), qualification readiness, career progression score.

Discover Your Skills Gap Explore Learning Paths