A career in IT security: The path to becoming a CISO
by Tina Siering
What are the tasks of a CISO?
The Chief Information Security Officer, or CISO for short, occupies one of the central positions within an organization. He or she bears overall responsibility for the area of information security. This includes IT security, but also goes far beyond it: the CISO is responsible for the secure handling of information and data in general. There are other security-related positions in companies that sound similar but have a different focus: for example, the CSO (Chief Security Officer) is responsible for the security of the technical and physical infrastructure, while the CIO (Chief Information Officer) looks after information and communications technology within a company.
The Chief Information Security Officer is not organizationally anchored in IT, but usually reports directly to the CEO or the CIO. In this role, the CISO designs an overall strategy for information security within the company. This strategy is based on an individual analysis of all systems and processes. The aim of his or her work is to protect the organization completely and in the best possible way against all potential security risks.
In the day-to-day job, a CISO is responsible for building and regularly monitoring the basic security architecture, for protecting against cyber risks, data loss and fraud, and also for identity and access management. In all these areas, the CISO develops security policies that apply company-wide, optimizes processes and organizes training to raise employee awareness of security issues.
As a result of developments in recent years, the position of CISO has continued to grow in importance. On the one hand, this is due to the enormous rise in cyber threats and the increasing dependence on digital systems. On the other hand, the introduction of the European General Data Protection Regulation (GDPR) has also ensured that the topic of IT security must now have an even higher priority. The task of the CISO is to ensure that the company implements and complies with legal requirements such as the GDPR (DSGVO) or the IT Security Act 2.0.
What are the requirements for the CISO position?
Anyone who wants to work as a CISO must have a wide range of knowledge and skills: a CISO needs extensive knowledge in the field of IT and an understanding of how networking works. Examples of this are how a VPN functions, how information is routed, or how DNS works.
Equally important is in-depth knowledge of IT security. This is one of the key areas for the CISO. The CISO must find the right solutions to effectively protect their organization's networks and digital systems from the dangers posed by cybercrime - and to do this, they must be familiar with the options and modes of operation of established protection measures such as antivirus software, firewalls and endpoint protection. It is also important to have knowledge of the different types of cyber threats in order to successfully defend against DDoS attacks, phishing, email fraud or other social engineering techniques.
The CISO should also have know-how in the compliance area in order to be able to meet regulatory requirements. Depending on the industry and core business, this may include the General Data Protection Regulation (GDPR, in German: DSGVO), IT-Grundschutz, KRITIS or PCI requirements. The CISO is the person in the company who is responsible for the implementation of and compliance with these legal requirements.
Management skills are another requirement for a CISO. The CISO analyzes and plans solutions and concepts for IT security in the company largely independently, and coordinates the implementation and realization of measures within this framework. Without organizational talent, it is difficult to maintain an overview and orchestrate the overall construct.
Dealing with people also plays a role for the CISO. The position requires direct contact with many people in the company, for example when implementing IT security rules or holding information events on the subject.
Many companies affected by IT security incidents
The survey also shows that around a third of German companies experienced IT security incidents in 2021 that caused damage. Within the affected companies, ransomware leads the pack with a share of 21 percent. Website hacking and data theft share second place, each at 18 percent. The figures make it clear that every company in Germany can be the target of a cyberattack, and that ransomware in particular can cause enormous damage.
Not only large corporations are affected, but increasingly small and medium-sized companies as well. There are clear reasons for this. One is the still widespread misconception that one is not a worthwhile victim of targeted cyberattacks; ransomware and the associated extortion have made every company a potentially interesting target. Another is that cybercriminals primarily look for easy targets: SMEs often have a limited budget for IT, and for IT security in particular, so it is easier to penetrate the networks of these smaller companies.
The path to becoming a CISO - training, studies and advanced training courses
As with many new careers in IT, there is no clearly defined training path for the CISO. Nevertheless, it is of course possible to focus one's own training on the goal of becoming a CISO. In many cases, the basis is a university degree. A bachelor's degree in computer science or a similar course of study opens the door to the IT security industry. Increasingly, there are also master's degrees with a focus on IT security.
However, it is not possible to start directly as a CISO as a fresh graduate. This responsible position requires broad specialist knowledge and, above all, professional experience. For this reason, most companies looking for a CISO pay particular attention to the previous stages in the applicant's resume. Practical experience of between seven and twelve years is often required, at least five of which must have been in a position with management responsibility.
Applicants can prove their skills and knowledge in the field of IT security via certifications. In our blog post "The world's top 10 cybersecurity certifications", we explain which international certificates and training courses are recognized worldwide. In addition, there are some German and European certifications that are helpful for a career in IT security. First and foremost, these include certificate courses that teach BSI IT-Grundschutz and ISO/IEC 27001/27002. ISO 27001 is one of the basic requirements for organizing IT systems according to currently valid security standards. Anyone who wants to hold the responsible position of CISO must be confident in dealing with ISO 27001.
Some IT service providers also offer specific training courses that, if successfully completed, award a certificate as CISO. Here, care must be taken to ensure that the provider is reputable. The content that such courses impart is definitely helpful and gives a good picture of the tasks that a CISO has.
The salary of a CISO
The position of Chief Information Security Officer entails a great deal of responsibility and is generally well remunerated. According to the well-known job exchanges, the average salary as a CISO is around 100,000 euros per year. However, the salary range is very broad. The individual salary depends primarily on the size of the organization. Larger networks are more demanding and require more expertise.
Starting salaries in smaller companies often range between 50,000 and 65,000 euros. However, there are also many job offers where the annual salary is in a range between 125,000 and 175,000 euros. Top salaries then even range beyond 200,000 euros per year.
Conclusion on the career as CISO
The Chief Information Security Officer is the most important person within a company when it comes to IT security. A position with such great responsibility requires a lot of experience, expertise and special skills. Accordingly, the road is long. But with focus and thoughtful career planning in the area of IT security, it is possible to work toward the CISO in a targeted manner. In any case, it is helpful to take the initiative to acquire the necessary expertise through further training and to prove this with the appropriate certifications.