We will be happy to advise you!

Hotline:
+49 (0) 40 38 90 710

E-mail:
info@secion.de

Contact form

A career in IT security: The path to becoming a CISO

by

Reading time: minutes ( words)
Career as CISO - the path to becoming the head of security

What are the tasks of a CISO?

The Chief Information Security Officer, or CISO for short, occupies one of the central positions within an organization. He or she bears overall responsibility for the area of information security. This includes IT security, but also goes far beyond that: the CISO is responsible for the secure handling of information and data in general. There are other security-related positions in companies that sound similar but have a different focus: For example, the CSO (Chief Security Officer) is responsible for the security of the technical and physical infrastructure, while the CIO (Chief Information Manager) looks after information and communications technology within a company.


The Chief Information Security Officer is not organizationally anchored in IT, but usually reports directly to the CEO or the CIO. In his function, the CISO designs an overall strategy for information security within a company. This strategy is based on an individual analysis of all systems and processes. The aim of his or her work is to protect the company's own organization completely and in the best possible way against all potential security risks.


In his day-to-day job, a CISO is responsible for building and regularly monitoring the basic security architecture, protecting against cyber risks, data loss and fraud, and also for identity and access management. In all these areas, he develops security policies that apply company-wide, optimizes processes and organizes training to raise employee awareness of security issues.


As a result of developments in recent years, the position of CISO has continued to grow in importance. On the one hand, this is due to the enormous rise in cyber threats and the increasing dependence on digital systems. On the other hand, the introduction of the European General Data Protection Regulation (GDPR) has also ensured that the topic of IT security must now have an even higher priority. The task of the CISO is to ensure that the company implements and complies with legal requirements such as the DSGVO or the IT Security Act 2.0.

What are the requirements for the CISO position?

Anyone who wants to work as a CISO must have a wide range of knowledge and skills: A CISO needs extensive knowledge in the field of IT and understanding of how networking works. Some examples of this are the function of a VPN, the routing of information or how a DNS works.


Equally important is in-depth knowledge of IT security. This is one of the key areas for the CISO. The CISO must find the right solutions to effectively protect their organization's networks and digital systems from the dangers posed by cybercrime - and to do this, they must be familiar with the options and modes of operation of established protection measures such as antivirus software, firewalls and endpoint protection. It is also important to have knowledge of the different types of cyber threats in order to successfully defend against DDoS attacks, phishing, email fraud or other social engineering techniques.


The CISO should also have know-how in the compliance area in order to be able to comply with regulatory requirements. Depending on the industry and core business, this may include the German Data Protection Regulation (DSGVO), IT-Grundschutz, KRITIS or PCI requirements. The CISO is the person in the company who is responsible for the implementation of and compliance with these legal requirements.


Management skills are another skill a CISO needs. The CISO analyzes and plans solutions and concepts for IT security in the company largely independently. He or she coordinates the implementation and realization of measures within this framework. Without organizational talent, it is difficult to maintain an overview and orchestrate the overall construct.


Dealing with people also plays a role for the CISO. In his position, direct contact with many people in the company is required. This relates, for example, to the implementation of IT security rules or even information events on the subject.

Many companies affected by IT security incidents

The survey also shows that around a third of German companies experienced IT security incidents in 2021 that caused damage. Within the affected companies, ransomware leads the pack with a share of 21 percent. Hacking of websites and data theft follow in equal second and third place with 18 percent. The figures make it clear that every company in Germany can be the target of a cyberattack, and that enormous damage can be caused by ransomware.


Not only large corporations are affected, but increasingly small and medium-sized companies as well. There are clear reasons for this, such as the still widespread misconception that one is not a worthwhile victim of targeted cyberattacks. Ransomware and the associated extortion have made every company a potentially interesting target. On the other hand, cybercriminals are primarily looking for easy targets. SMEs often have a limited budget when it comes to IT and IT security in particular. Accordingly, it is easier to penetrate the networks of these smaller companies.

The path to becoming a CISO - training, studies and advanced training courses

As with many new careers in IT, there is no clearly defined training path for the CISO. Nevertheless, it is of course possible to focus one's own training on the goal of becoming a CISO. In many cases, the basis is a university degree. A bachelor's degree in computer science or a similar course of study opens the door to the IT security industry. Increasingly, there are also master's degrees with a focus on IT security.


As a fresh graduate, however, it is not directly possible to start as a CISO. This responsible position requires broad specialist knowledge and, above all, professional experience. For this reason, most companies looking for a CISO pay particular attention to the previous stages in the applicant's resume. Practical experience of between seven and twelve years is often required, at least five of which must have been in a position with management responsibility.


Applicants can prove their skills and knowledge in the field of IT security via certifications. In our blog post "The world's top 10 cybersecurity certifications", we explain which international certificates and training courses are internationally recognized. In addition, there are some German and European certifications that are helpful for a career in IT security. First and foremost, these include certificate courses that teach BSI IT-Grundschutz and ISO/IEC 27001/27002. ISO 27001 is one of the basic requirements for organizing IT systems according to currently valid security standards. Anyone who wants to hold the responsible position of CISO must be confident in dealing with ISO 27001.


Some IT service providers also offer specific training courses that, if successfully completed, award a certificate as CISO. Here, care must be taken to ensure that the provider is reputable. The content that such courses impart is definitely helpful and gives a good picture of the tasks that a CISO has.

The salary of a CISO

The position of Chief Information Security Officer entails a great deal of responsibility and is generally well remunerated. According to the well-known job exchanges, the average salary as a CISO is around 100,000 euros per year. However, the salary range is very broad. The individual salary depends primarily on the size of the organization. Larger networks are more demanding and require more expertise.


Starting salaries in smaller companies often range between 50,000 and 65,000 euros. However, there are also many job offers where the annual salary is in a range between 125,000 and 175,000 euros. Top salaries then even range beyond 200,000 euros per year.

Conclusion on the career as CISO

The Chief Information Security Officer is the most important person within a company when it comes to IT security. A position with such great responsibility requires a lot of experience, expertise and special skills. Accordingly, the road is long. But with focus and thoughtful career planning in the area of IT security, it is possible to work toward the CISO in a targeted manner. In any case, it is helpful to take the initiative to acquire the necessary expertise through further training and to prove this with the appropriate certifications.

Need help upgrading your IT security for 2022? Contact us!

By clicking on the "Submit" button, you confirm that you have read our privacy policy. You give your consent to the use of your personal data for the purpose of contacting you by Allgeier secion, Zweigniederlassung der Allgeier CyRis GmbH.

* Mandatory field

Go back

Related articles

Caution, Quishing: Criminals use QR codes for phishing attacks

Caution, Quishing: Criminals use QR codes for phishing attacks

QR codes have been around for almost 30 years. Today, we scan the square codes with our smartphone as a matter of course to release bank orders, create a digital vaccination certificate or retrieve coupons. However, since QR codes are also used by cybercriminals for fraudulent purposes, you should not trust the little squares without limits. You should be especially careful if you receive a QR code via email: A sophisticated phishing attack could be hiding behind it. We show you how to recognize quishing attacks and protect yourself from them.

Black Basta: New findings on the notorious ransomware

Caution, Quishing: Criminals use QR codes for phishing attacks

In early October, the ransomware group Black Basta attacked an IT service provider of the Deutsche Presse-Agentur (dpa), stealing the data records of 1,500 dpa employees as well as pension recipients of the dpa support fund. Two weeks later, the cybercriminals published the first sensitive data of the victims on the darknet. This incident is just one of many attacks associated with the notorious Black Basta ransomware - and there will be many more to come. That's because, as new research shows, the cybercriminals act very similarly to other aggressive hacker groups.

Hacking to listen to: The 5 most popular IT security podcasts from our IT security consultants

Hacking you can listen to: 5 popular IT security podcasts

The cybersecurity industry is more dynamic and rapidly changing than any other sector. Today's insights may already be outdated tomorrow. Because at the same pace as IT security develops new measures to protect IT infrastructure, networks, and endpoints, cyber criminals bring new tools to the market, refine attack methods, or use unknown techniques to successfully carry out cyber attacks. Anyone who wants to stay as well informed as possible in the multi-layered environment is dependent on regular updates. This applies equally to technically interested users and IT staff. One popular source of information in Germany is the podcast. More than 40% of all Germans regularly listen to podcasts - one fifth of them daily. We asked our IT security consultants for recommendations on ethical hacking and present our top 5 most popular cybersecurity podcasts here.