Remote Information Security Manager Jobs

Typical Operations salary: $141k–$235k · 70 listings with salary data

Remote information security managers run the security programme that keeps an organisation's information assets, systems, and processes protected — developing the policies and controls that define the security baseline, managing the compliance certifications (SOC 2, ISO 27001, HIPAA, FedRAMP) that give customers and regulators confidence in the organisation's security posture, assessing and managing the risk landscape continuously as the business and threat environment evolve, and operating as the organisational authority on security governance even when hands-on technical remediation belongs to engineering. The role is where security strategy becomes an operational reality, and where the gap between a company's stated security commitments and its actual practices is either closed or left to become a liability.

What they do

Information security managers develop and maintain security policy and control frameworks — the information security policy suite (acceptable use, access control, data classification, incident response, vendor risk, business continuity, and the 20–40 supporting policies that constitute a mature ISMS), the security control implementation mapped to the chosen framework (ISO 27001, NIST CSF, CIS Controls, SOC 2 criteria), the policy review cadence and change management process, and the policy exception management framework (how exceptions to security standards are requested, reviewed, approved, and tracked with compensating controls). They manage security certifications and audits — the SOC 2 Type II audit programme (scope definition, control implementation, evidence collection, auditor management, and report production), the ISO 27001 ISMS implementation and certification audit coordination, the customer security questionnaire programme (the standardised security questionnaire library and the efficient response process for the 50–200 customer questionnaires received annually), and the customer-facing security documentation (the trust page, the security FAQ, the penetration test summary that sales and procurement teams rely on to close deals in enterprise accounts). They conduct risk assessment and management — the annual information security risk assessment (asset inventory, threat landscape analysis, control effectiveness evaluation, residual risk quantification), the continuous risk register management (new risks identified through incidents, threat intelligence, and business changes), the risk treatment decision framework (accept, mitigate, transfer, or avoid for each identified risk), and the board and executive reporting that translates technical risk into business terms that enable informed investment decisions. They manage the vendor risk programme — the vendor security assessment process (the questionnaire tiers by vendor criticality, the due diligence review, the contractual security requirements), the ongoing vendor monitoring (renewal assessments, incident notification requirements, SLA tracking for security-relevant vendors), and the subprocessor management for GDPR and equivalent data protection regulation compliance. They coordinate security incident response — the incident response plan documentation and tabletop exercise programme, the incident severity classification framework, the legal and regulatory notification requirements (GDPR 72-hour breach notification, state data breach notification laws), the forensics engagement process for significant incidents, and the post-incident improvement programme that translates incident lessons into control enhancements.

Required skills

Security frameworks and standards — the ISO 27001 ISMS structure (the clauses, the Annex A controls, the implementation guidance, the certification audit process), the SOC 2 Trust Services Criteria and their mapping to common control implementations, the NIST Cybersecurity Framework and its relationship to other standards, and the regulatory requirements relevant to the organisation's industry (HIPAA for healthcare, PCI DSS for payment card data, FedRAMP for US federal markets) that determine the compliance programme scope. Risk management methodology — the information security risk assessment methodology (asset-threat-vulnerability-impact-likelihood framework), the risk quantification approaches (qualitative risk matrix versus FAIR quantitative risk analysis), the risk treatment decision process, and the residual risk acceptance framework that gives the organisation a structured basis for accepting risk rather than pursuing uneconomic control implementations. Policy and programme management — the security policy writing craft (the format, language level, and structure that produces policies people actually follow rather than compliance theatre documents), the exception management process design, the security awareness programme management (the training platform operation, phishing simulation programme, security culture measurement), and the documentation management that keeps the ISMS current without creating an unmanageable documentation burden. Audit and evidence management — the audit preparation methodology (evidence collection processes, control testing documentation, auditor communication protocols), the continuous control monitoring approach (the tooling and processes that make evidence collection an ongoing operational activity rather than an annual scramble), and the audit finding response and remediation tracking process.

Nice-to-have skills

GRC platform experience for information security managers at organisations using dedicated governance, risk, and compliance tooling — the platform configuration and administration for Vanta, Drata, Secureframe, Tugboat Logic, or comparable automated compliance platforms that integrate directly with cloud providers, identity systems, and endpoint management to automate evidence collection for SOC 2 and ISO 27001, and the workflow configuration for risk register, vendor risk, and exception management processes that replace manual spreadsheet-based GRC. Privacy programme management for information security managers at organisations where data protection compliance (GDPR, CCPA, PIPEDA) is a material risk or business enabler — the privacy impact assessment process, the data subject rights request handling (access, deletion, portability), the Records of Processing Activities maintenance, the privacy-by-design review process for new product features, and the data protection officer function (whether filled by the security manager or a separate role). Cloud security governance for information security managers at cloud-native organisations — the cloud security posture management (CSPM tool operation and findings triage), the cloud account structure and access governance (AWS SCPs, GCP organisation policies, Azure management groups), the infrastructure-as-code security review process, and the shared responsibility model documentation that clarifies which controls are the cloud provider's responsibility and which remain the organisation's.

Remote work considerations

Information security management is well-suited to remote work — the policy development, compliance programme management, risk assessment, and vendor risk work are all documentation and process-intensive functions that execute effectively remotely. The relationship-intensive dimensions (building credibility with engineering teams who must implement controls, maintaining the trust of executives who must fund security investments, earning the cooperation of employees who must follow security policies) require deliberate investment in remote relationship-building: regular presence in engineering all-hands, skip-level conversations with department heads, and participation in the broader company communication channels that an in-person security manager would engage with through physical proximity. Information security managers working remotely should also consider the access security requirements of their own role: accessing sensitive systems (SIEM, identity provider admin consoles, audit evidence repositories, incident case files) from a home office environment requires the same control standards the manager applies to the rest of the organisation, including managed device requirements, multi-factor authentication, and secure network access.

Salary

Remote information security managers earn $120,000–$190,000 USD at mid-to-senior level in the US market, with senior security managers and security directors at high-compliance organisations reaching $195,000–$280,000+. European remote salaries range €80,000–€155,000. Companies selling to enterprise or regulated-industry customers where security posture is a direct sales enabler (SOC 2 Type II and ISO 27001 certification often required to pass procurement), healthcare technology and financial services companies with regulatory compliance obligations, companies handling significant volumes of personal data under GDPR and equivalent frameworks, and government and defence contractors with FedRAMP or equivalent requirements pay at the upper end.

Career progression

Security analysts, security engineers, and compliance specialists who develop programme management, policy, and stakeholder communication skills move into information security manager roles. IT auditors and risk management professionals from Big 4 or internal audit backgrounds who develop security depth are another common path. From information security manager, the progression runs to senior information security manager, director of information security, and CISO. Some information security managers specialise into privacy (DPO/CPO roles), into GRC consulting, or into product security management roles at companies where security programme oversight extends to the security of customer-facing products.

Industries

Technology companies selling to enterprise customers where security certification is a procurement prerequisite, healthcare technology and life sciences companies with HIPAA and clinical data security requirements, financial services companies with regulatory examination obligations, government and defence contractors with federal security compliance requirements, companies processing significant personal data under GDPR and state privacy laws, and professional services firms advising clients on security and compliance are the primary employers.

How to stand out

Information security manager roles are filled by candidates who demonstrate both programme management credibility and the ability to translate security requirements into business terms that earn executive support and engineering cooperation. Specific outcome evidence: the SOC 2 Type II programme you built from scratch for a company with no prior certification, completing the first audit within 11 months of programme initiation and achieving a clean opinion on 64 controls, enabling the company to move into enterprise sales segments that had previously been blocked by security questionnaire failures; the vendor risk programme you designed that assessed and risk-rated 180 vendors in the first year, identifying 8 critical vendors with unacceptable security postures and replacing 3 of them with more secure alternatives, removing the uncontrolled data exposure risk those relationships represented; the security awareness programme you rebuilt that moved phishing simulation click-through rate from 23% to 4% in 8 months and security policy acknowledgment from 60% to 98%, creating a measurably more security-aware organisation. Candidates who can present a complete programme narrative — the initial state, the programme components built, the milestones achieved, and the measurable outcomes — are significantly more compelling than those who describe the function abstractly.

FAQ

What is the difference between an information security manager and a CISO? The CISO (Chief Information Security Officer) is a C-suite or near-C-suite executive role with organisational authority over the entire security function — reporting to the CEO or board, with direct responsibility for security strategy, security investment decisions, and the company's security posture as a business risk management matter. An information security manager is a programme management role — responsible for running the security programme (policies, compliance, risk assessment, vendor risk) but typically not a direct C-suite report, and typically operating within a security strategy set by the CISO or by senior leadership. At smaller organisations (under 200 people), the information security manager is often the most senior security role, functionally serving as the CISO without the title or the executive authority that comes with it. At larger organisations, information security managers report to the CISO and own specific programme areas rather than the full security function. Whether a role is a "true CISO" or an "information security manager with CISO responsibilities" matters for both compensation expectations and the level of organisational authority the role actually carries.

How do you build security programme credibility with engineering teams who see security as a blocker? By demonstrating that security controls are designed to enable the business rather than restrict it, and by making the security programme's operational cost to engineering teams as low as possible. The credibility-building approach: show up in engineering contexts (architecture reviews, sprint planning, technology selection discussions) before there's a security problem that requires intervention, contributing security perspective as one input among many rather than as a veto. Design controls for automation: a security review that requires engineering to fill out a form and wait for approval is a process that generates friction and resentment; the same security objective achieved through a scan in the CI/CD pipeline that gives developers immediate feedback is a control that engineers appreciate. Be explicit about risk tolerance: communicate clearly which security requirements are non-negotiable (SOC 2 control requirements, GDPR obligations, contractual commitments) and which are good practices that engineering can adapt or phase in, rather than presenting all security guidance as equally mandatory. Track the time your programme costs engineering teams and work to reduce it: an information security manager who can demonstrate that their programme's net cost to engineering productivity has decreased over time while security posture has improved has built a fundamentally different relationship with engineering than one who generates an ever-growing list of requirements.

What is the relationship between information security and privacy programmes? Information security and privacy are closely related but distinct disciplines with different objectives. Information security focuses on protecting the confidentiality, integrity, and availability of information — preventing unauthorised access, ensuring data accuracy, and maintaining system availability. Privacy focuses on the appropriate handling of personal data — individuals' rights over their information, the lawfulness of data processing, the limitation of data use to stated purposes. The two programmes overlap significantly: a data breach is both a security failure (confidentiality was not maintained) and a privacy failure (personal data was exposed to unauthorised parties). At many organisations, the same team or manager is responsible for both, and the ISO 27001 ISMS naturally incorporates privacy controls alongside technical security controls. At larger organisations, a dedicated privacy function (often led by a Data Protection Officer or Chief Privacy Officer) operates alongside the security function, and the security manager's job is to ensure the security programme supports privacy objectives (data minimisation in system design, access controls that limit personal data exposure, breach detection that triggers privacy notification obligations) without trying to run the privacy programme directly.
