What Does a Security Compliance Manager Do?
Security compliance managers develop and oversee an organization’s security policies and procedures in accordance with industry regulations, standards, and laws. It is their responsibility to ensure that the organization meets all of the security requirements to prevent cyber-attacks and data breaches. Their duties include creating and maintaining policies and procedures, conducting audits, and staying current with security trends, threats, and regulations.
Successful security compliance managers will have strong analytical and problem-solving skills, along with the ability to communicate effectively with non-technical executives and staff.
National Average Salary
Security compliance manager salaries vary by experience, industry, organization size, and geography. To explore salary ranges by local market, please visit our sister site zengig.com.
The average U.S. salary for a Security Compliance Manager is $110,290.
Security Compliance Manager Job Descriptions
The first step when hiring a great security compliance manager is a well-crafted job description. Below are real-world examples to help give you the best chance of success on your recruiting journey.
Example 1
We are seeking a Security Compliance Manager to achieve our company’s data security and compliance objectives. This work encompasses management of security controls (SOC 2), contract assessments, and enterprise best practices. This unique opportunity is perfect for individuals that want to build on their cyber security experience, are passionate about compliance, and want to make an impact in the company. The security compliance manager is responsible for directing, managing, and providing leadership for the organization’s information security and compliance program. This includes developing, implementing, and maintaining an information security program that meets or exceeds the requirements of industry regulations, standards, policies, and legal requirements.
Typical duties and responsibilities
- Develops, maintains, and communicates the organization’s information security policy and procedures
- Directs and oversees the assessment, selection, implementation, and maintenance of information security tools and technologies
- Evaluates new or updated industry regulations to ensure continued compliance
- Enforces information security controls and investigates/responds to information security incidents
- Participates in business continuity planning (BCP) activities when required by regulation or senior leadership
- Prepares reports, business cases, and presentations on security risk, controls, the status of compliance efforts, etc.
- Acts as liaison between IT and other functions (e.g., legal) regarding information security events or incidents
Education and experience
- A bachelor’s degree in information security, computer science, or related field
- 4-6 years of management experience
- Certifications (preferred): CISSP, CISM, CRISC, CISA, CEH
- Well-versed in industry regulations, with the ability to translate complex security concepts into layman’s terms
Required skills and qualifications
- Must be able to effectively communicate with all levels of management
- Strong interpersonal skills and ability to influence others
- Detail-oriented with the ability to see the “big picture”
- Thorough knowledge of information security and compliance concepts
- Working knowledge of industry-leading information security tools and technologies
- Possess strong analytical and problem-solving skills
- Ability to work independently and manage multiple priorities simultaneously
Preferred qualifications
- In-depth knowledge of at least one major regulatory framework (e.g., PCI DSS, HIPAA, SOX, FFIEC)
- Certifications in information security or compliance (CISSP, CISM, CRISC, CISA, CEH)
- Experience leading security teams for financial, retail, healthcare, small business, education, etc.
- Interest in emerging technologies related to information security and compliance
Example 2
As an Enterprise Security Compliance Manager, you will be responsible for managing the firm’s security compliance activities as focused on third-party vendors. You will be responsible for leading efforts that include collecting and organizing written responses and documentation, leading calls and meetings to gather information from vendors, and ensuring that all follow-up communications and remediation items are completed on time. You will be responsible for scheduling and coordinating vulnerability assessments, penetration tests, and associated remediation activities. You will be a member of the Global Security and Risk Management team and will report directly to the Information Security Officer and work closely with the rest of the Security Team, while accomplishing these and other critical functions:
- Managing the firm’s vendor audit process, including cloud service providers; applying a risk-based approach to determine the depth of each audit, leading the audit, and providing recommendations to management based on the results
- Organizing and conducting meetings of the firm’s cloud security review team, coordinating the assessment of vendors, and leveraging team members’ expertise in the vendor review process
- Arranging third-party penetration tests and vulnerability testing by identifying and negotiating with vendors, scheduling testing, and following up on results delivery
- Reviewing firm contracts as part of the firm’s contract review process; assessing and recommending adjustments that serve to minimize security risk in firm agreements
- Supporting the client’s security review process on an overflow basis from intake through closure by identifying all necessary internal stakeholders based on the request (e.g., security survey, audit, review), assembling relevant and appropriate documentation, drafting responses, scheduling and leading calls/meetings, and communicating follow-up activities
- Coordinating with the information security officer, evaluating the results of internal & external system vulnerability scans, and arranging necessary internal follow-up to facilitate agreement regarding any recommended remediation items
- Tracking agreed security remediation efforts from vulnerability tests with the support of the information security officer and others, and ensuring successful disposition of each item
- Working to enhance the confidentiality, integrity, and availability of data at the firm, regardless of form
- Maintaining information security documentation and assisting in the development of security policies and procedures
- Serving as a subject matter expert for information security principles and practices (especially as they pertain to vendors and cloud security), and promoting a culture of security throughout the firm
- Liaising with other teams and subject matter experts on various technologies, status, and testing
- Working with the technology department management team to identify key metrics and reporting requirements as they relate to technology performance and operation
- Creating and presenting regular reports to senior technology management
- Documenting security information appropriate to team initiatives
- Interfacing with staff throughout the firm to facilitate the efficient and secure use of technology services
- Preparing technical documentation and reports as required
As an Enterprise Security Compliance Manager, you will be expected to apply your organizational and communication skills while displaying a positive, high-energy attitude. The successful Manager must have strong analytical skills, including effectively defining problems and identifying solutions, a technical understanding of encryption and cloud security controls to allow evaluation of vendors’ security posture, along with well-developed professional interpersonal skills. The ideal manager must display the ability to interact effectively with clients, vendors, and colleagues at all organizational levels.
- A Bachelor’s degree, a Diploma of higher education, or sufficient security and technology experience is required
- A Bachelor’s degree in Information Systems, Computer Science, Engineering, or a related field is desired
- A recognized security certification is desired
- A minimum of five (5) years of experience focused on information security is required
- A minimum of ten (10) years of experience working in information technology is required
- A minimum of two (2) years of experience applying project management concepts is required
- Experience working in a law practice office environment is desired
Example 3
ABC Company is looking for a Security Compliance Manager with a deep security and compliance background to lead a system development and process improvement team. As part of the ABC Company Security Assurance team, this candidate is a key liaison with ABC Company service teams, infrastructure teams, ABC Company Security, and other areas across the company.
As a Security Compliance Manager within the Security Assurance Compliance Operations team, you will oversee the execution of our program for evaluating compliance with industry standards (ISO, SOC), federal regulations (FedRAMP/NIST, DOD), and customer contractual requirements. You will have complete ownership and accountability of programs from start to finish, aimed at improving ABC Company personnel screening compliance and risk monitoring. The successful candidate is comfortable interacting with both technology and business leaders across the organization at all levels. You will drive consensus among stakeholders and verify that controls are effective, or are remediated to become effective. We value personality, insight, intellectual flexibility, and sound business judgment.
Responsibilities
- Improvement and/or development of new screening compliance programs
- Manage underlying programs, coordinate stakeholder management, and deliver program update communications to senior leadership
- Assist in the development and tracking of Compliance Operations metrics, such as the number of open exceptions, number of open support requests, and burndown rates for given programs
- Develop weekly/monthly reports that capture key business trends, highlights, lowlights, and metrics as the compliance programs are conducted. Provide status, recommended updates, and detailed metrics and evidence
- Assist in evaluating new compliance programs and requirements and help transition ongoing operations of all compliance programs to long-term control owners within the organization
- Be comfortable influencing change, earning trust with stakeholders, enhancing the customer experience, and driving the completion of the programs you are responsible for
- Communicate effectively at multiple levels of sensitivity and across multiple audiences
A day in the life
- On any given day this role will liaise with internal Security teams, Audit, HR Screening Services, HR Risk and Compliance, Employee Services, Operations Security, ABC Company Legal, and various Services Teams
- You will assist our stakeholders with aligning standard operating procedures, controls, monitoring, and reporting, with the goal of improving operations, policies, and risk management effectiveness
- You will ensure ongoing screening program compliance, working with cross-functional teams to meet our audit and contractual requirements
Basic qualifications
- Bachelor’s degree
- 5+ years of Security Compliance program monitoring and reporting
- 5+ years supervising a small team of security or compliance specialists
- 5+ years proven knowledge of program management lifecycle, and skilled at project management tools
- 5+ years experience in leading multi-organizational initiatives, and driving team accountability to achieve impactful goals
- 4+ years of experience working in an operations environment, driving improvements resulting in measurable business impact
Preferred qualifications
- Master’s degree or higher (or in progress toward a higher degree)
- Advanced knowledge of NIST, ISO, SOC and/or related frameworks
- Advanced Microsoft Excel, SQL, and/or Tableau experience
- Experience supporting enterprise-wide Security Compliance programs designed to anticipate, assess, and minimize control gaps and audit findings
- Experience with metrics-based projects and utilizing metrics to gauge risk and success
- High level of comfort in communicating effectively across internal and external organizations
- Understanding of the ABC Company service catalog
- Meets/exceeds ABC Company’s leadership principles requirements for this role
- Meets/exceeds ABC Company’s functional/technical depth and complexity for this role
Example 4
ABC Company requires a Network Security Policy Management and Network Compliance subject matter expert. The primary responsibility of this position is driving network device compliance, including firewalls, routers, switches, and load balancers. Additionally, this position requires performing assessments of vendor solutions on an as-needed basis. Some of these measures include, but are not limited to, assessing infrastructure devices, awareness training for internal team members, and recommending best practices for the business. This SME will also be responsible for verifying remediation and providing alternate solutions that comply with policy while achieving the business objectives.
Roles and responsibilities
- 3+ years of direct working experience with Skybox/AlgoSec solutions, including firewall assurance, network assurance, network modeling, change management, and vulnerability control
- Familiarity with tools such as Tufin and FireMon for network security policy management
- Strong knowledge of Cisco FMC, Palo Alto Panorama, and CheckPoint Management platform
- Minimum 5+ years of recent experience working in an enterprise environment, networking, and routing
- Minimum 5+ years of recent experience with firewalls, and next generation firewalls (Cisco ASA, FTD, CheckPoint, Palo Alto, Juniper, etc.)
- Thorough understanding of CIS, NIST, and STIG standards and guidelines, the ITIL framework, and change management
- Thorough knowledge of load balancers, IPS, virtual firewalls, software-defined networking, micro-segmentation, and web proxy solutions
- Minimum 5+ years of recent experience in security management practices such as risk management and administrative network access policies
- Thorough understanding of vulnerability management, penetration testing, and attack simulations
- Proven ability to write process and procedure documents for the enterprise
- Good understanding of IT infrastructure and application lifecycle management
- Ability to reduce risk posture of the environment by conducting regular security gap analysis
- Ability to support the incident response and architecture review processes whenever security expertise is needed
- Experience managing challenging situations and challenges of large organizations
Qualifications
- Bachelor’s degree in Computer Science, Electronics, or related field
- Skybox, AlgoSec, CCNA, CCNP, CCIE, and vendor certifications (Cisco, Juniper, Palo Alto, etc.) are a plus
- Minimum of 12+ years of progressive infrastructure and cyber security experience, preferably within a large global organization. Exposure to at least two security areas, such as infrastructure security and network security, is mandatory
- Knowledge about translating security concepts into language that is meaningful to many audiences, including business and technical leaders, and individual contributors
- Demonstrated ability to influence decision-making processes at all levels of the Organization
- Experience working for an external client through a large corporation that may employ in-house teams is preferred
- Experience reporting metrics about the state of security programs to management
- Analytical and problem-solving skills, as well as excellent judgment and self-motivation
- The ideal candidate is a good team player and keen learner, with commitment to the security industry
- Business acumen, communication skills, and process-oriented thinking
- Ability to think methodically, attention to detail, and healthy paranoia are vital attributes
Candidate Certifications to Look For
- CISSP. Earning the CISSP proves candidates have what it takes to effectively design, implement, and manage a best-in-class cybersecurity program. With a CISSP, candidates validate their expertise and become an (ISC)² member, unlocking a broad array of exclusive resources, educational tools, and peer-to-peer networking opportunities.
- CISM. The Certified Information Security Manager (CISM) certification indicates expertise in information security governance, program development and management, incident management, and risk management. It helps move a candidate’s career from the technical realm into management.
- CRISC. ISACA’s Certified in Risk and Information Systems Control (CRISC) certification is ideal for mid-career IT/IS audit, risk and security professionals. It is the only credential focused on enterprise IT risk management.
- CISA. For entry-level to mid-career professionals, CISA can showcase their expertise and assert their ability to apply a risk-based approach to planning, executing, and reporting on audit engagements. It gives them instant credibility in their interactions with internal stakeholders, regulators, external auditors, and customers.
Sample Interview Questions
- What experience do you have developing and implementing security compliance protocols?
- How would you collaborate with the legal department for incident response?
- What are common challenges when creating, managing, and communicating compliance programs?
- What types of social engineering attacks do you think might be targeting large companies such as ours?
- What do you consider your greatest accomplishment as a security compliance manager?
- What experience do you have with auditing and assessing risk?
- How will you ensure our company complies with all relevant security standards and regulations?
- What steps do you take to remain aware of the latest laws and security regulations?
- Can you share a project that you spearheaded during your time at your previous employer that was successful?
- Describe the most serious compliance challenge you’ve previously faced. What steps did you take to resolve it?
- Describe your knowledge and experience with HIPAA and PCI-DSS.
- How has the changing security landscape affected this role over the past few years?
- What is your greatest strength when it comes to implementing and managing a compliance program?