IT security managers are responsible for monitoring security across an organization's network. Beyond the technical side, this role often includes leadership and managerial responsibilities.
IT security managers can expect a salary of around $140,000 based on the U.S. national average on Salary.com. Candidates for the job typically have a bachelor's degree in cybersecurity, computer science, engineering or a similar field. Those looking to pursue this career path can set themselves apart from other candidates by also completing a certification, such as Certified Information Security Manager, CISSP or Certified CISO.
The first step in applying for an IT security manager role involves creating a resume. Next up, it's time to start preparing for the interview.
"An interview is a two-way street; it's an opportunity for the organization to talk to the candidate but also for the candidate to see if the organization is the right fit," said Christophe Foulon, co-author of Hack the Cybersecurity Interview. An organization might offer the right pay, but if there's a culture clash, the candidate is going to end up frustrated or burned out, he added.
Here, Foulon and co-authors Ken Underhill and Tia Hopkins offer advice on how to answer the most common IT security manager interview questions, as well as questions the interviewee should ask the interviewing organization.
Editor's note: This text has been edited for length and clarity.
What is your top tip for candidates preparing for a security manager interview?
Christophe Foulon: My top tip is to understand the expectations of the role. A security manager may oversee people, a product or a process -- or the role could span all three. Read the job description, and ensure you understand which of those three, or combination of those three, would be your responsibility. For example, an application security manager is responsible for the process and technology surrounding application security, so they might not be responsible for people, whereas security engineers sometimes work with the development team from the business. In this scenario, the engineer is meant to act as an embedded security champion in that team.
Ken Underhill: Researching the company and how the job you are applying for fits into the overall security strategy is important. Most candidates I have interviewed never do any research on the company and how the open position will help us. Those that do research have received job offers 99% of the time. As a manager, you need to be prepared to give examples of projects where you have led a team, as well as challenges, bad decisions and positive measurable results you have received.
What are the most common behavioral questions asked in a security manager interview?
Underhill: We have a chapter in the book dedicated to the most common behavioral interview questions we have been asked over the years. I also recommend the software Interview Ready because it helps you identify areas of weakness in your interview skills.
Most behavioral interview questions start with one of these statements:
- Describe a situation where you…
- How did you handle X situation?
- Give me an example of…
- Tell me about a time when you…
My advice is to be honest and provide measurable results -- for example, 'I did X, which led to Y, and the results were Z savings for the company.'
Foulon: One of the most common questions is, 'Tell me about a time where you tackled a difficult situation.' As a hiring manager, I'm looking for a story or situation where you took action and had results. Another question could be, 'Tell me about a time you had to deliver difficult news to a stakeholder or a time where you had to deliver challenging results.'
What are the most common technical questions asked in a security manager interview?
Underhill: The technical questions depend on the type of security manager role, such as cloud security manager, network security manager or application security manager.
You can usually expect technical questions to be in depth and ask about the tech stack. For example, as a cloud security manager, you would likely be given a client scenario and asked to architect a more secure network for the client versus an entry-level job interview, where the interviewer would probably just ask about the OSI [Open Systems Interconnection] model.
There are several different job titles for cybersecurity managers. What are the most common?
Underhill: It depends on the organization, but here are some: network security manager, security operations center manager, application security manager, information security manager and cybersecurity manager.
Foulon: The common titles make themselves obvious. For example, vulnerability managers handle vulnerabilities, and application security managers deal with applications. It gets more complicated when you work for a smaller organization where you must wear multiple hats versus an enterprise where you're a gear in a larger machine.
What questions should interviewees ask at the end of a security manager interview?
Tia Hopkins: Always ask the soft close question, 'Is there anything about my background or skill set that concerns you with respect to my ability to perform in this role?' Another one is asking questions about resources -- for example, budget, team size, etc. -- and leadership so you have a sense of what you might be signing up for.
Foulon: Ask about a particular interest or preferences toward a certain cause. For example, if you know that you won't work well with someone who is your polar opposite, you want to find that out in the beginning. The company or hiring manager could have an opposing stance on a particular topic that could be telling about the company culture and how it addresses this particular issue. Based on the response, you'll know if that's the type of environment you want to work in.
Underhill: I recommend candidates ask what three challenges the organization is trying to solve with this position. If the interviewer doesn't know and is the hiring manager, then ask what the top three things they need help with in the first 30 days after you're hired are. Based on your research of the company, also ask something such as, 'What have been the benefits and challenges of project X you rolled out?' For example, if a company rolls out new software, find out the lessons learned from the rollout.
About the authors
Ken Underhill is CEO, executive producer and host of the syndicated Cyber Life television show. Underhill educates around 2.6 million people each year through his online cybersecurity courses and sits on the advisory board of Breaking Barriers Women in CyberSecurity and the Whole Cyber Human Initiative, along with sitting on the board for a number of cybersecurity startup companies.
Christophe Foulon, senior manager and cybersecurity consultant at F10 FinTech, brings over 15 years of experience as a CISO, information security manager, adjunct professor, author and cybersecurity strategist. He also has spent more than 10 years leading, coaching and mentoring people.
Tia Hopkins is field CTO and chief cyber risk strategist at eSentire and adjunct professor of cybersecurity at Yeshiva University. Hopkins was recognized by SC Media as an outstanding educator in 2019, as well as one of the Top 25 Women Leaders in Cybersecurity and Top 100 Women in Cybersecurity, both in 2020. In 2021, she was recognized as a Top Influencer in the Security Executives category by IFSEC Global. Hopkins is also founder of Empow(H)er Cybersecurity, a nonprofit organization aimed at inspiring and empowering women of color to pursue cybersecurity careers.