What responsibilities an interim CISO (Chief Information Security Officer) must assume
IT security concerns every employee and every department. What tasks, then, remain for the IT security department? And what is the role of the interim CISO (Chief Information Security Officer) in the company? The answer seems simple, but it is not: the tasks are highly dynamic and are shaped by more than compliance requirements alone.
Almost no one will claim that security is a field with poor career prospects – on the contrary. The shortage of IT specialists is coming to a head, as reported by the digital association Bitkom. According to a Bitkom survey, three out of ten companies in all sectors with at least one open IT position are looking for programmers. These are followed by project managers (17 percent) and security experts (8 percent).
This survey result should not lead us to conclude that security expertise is sought by only eight percent of companies. In reality, each of the positions mentioned requires a certain level of IT security expertise, and that level is rising. The growing importance of IT security means good career prospects for anyone who has it. But despite the encouraging outlook, a question remains: what exactly should someone who becomes a CISO (Chief Information Security Officer) do in a company? After all, IT security is not the job of one person or one department; it concerns everyone.
Responsibility and tasks of an interim CISO resulting from compliance requirements
There is, of course, a basic understanding of what a CISO does: a CISO is responsible for information security in the company. In contrast to the term IT security officer, the title CISO indicates that the person usually reports to management. From this responsibility it follows that a CISO must ensure that all legal and contractual requirements applying to IT security are actually met (compliance).
An interim CISO needs domain and IT knowledge
This means that the specific tasks of a CISO depend, among other things, on the industry to which the company belongs (industry-specific requirements for IT security and compliance), for example whether it is a bank or an industrial company. They also depend on which compliance regulations, laws and ordinances apply, such as the KRITIS regulation for operators of critical infrastructures or the requirements of banking supervision. As digitization advances, compliance requirements are changing more rapidly than in the past, and the tasks of a CISO change with them.
Simply stating that a CISO is responsible for IT security in the company does not paint a fixed picture of the tasks; these can vary from company to company and change over time.
The work of an interim CISO in practice
ISO standards on IT security and the IT-Grundschutz (basic IT protection) of the BSI (Bundesamt für Sicherheit in der Informationstechnik) do provide an overview of IT security tasks. In practice, however, the day-to-day work of a CISO can differ from this.
For example, the tasks and challenges of a CISO naturally also depend on the particular digital technologies that are or will be used in the company. The increasing use of cloud technologies presents new challenges for the CISO: more than half of CISOs report feeling pressured by complex IT architectures such as cloud environments.
A survey by Accenture sheds light on the question of who is responsible for IT security: in the “Securing the Future Enterprise Today – 2018” study, 73 percent of the approximately 1,400 executives surveyed worldwide believe that cybersecurity staff must be present in all areas of the company and that protection programs must be executed at scale. Currently, 25 percent of “non-CISO executives” are responsible for cybersecurity, and a quarter of respondents believe business unit leaders should carry that responsibility in the future.
The CISO agenda is getting longer
Anyone who moves to the center of corporate operations and collaborates with all departments must cope with an ever-growing list of tasks and projects. Aligning the corporate strategy with the IT security strategy, implementing contractual obligations and growing compliance requirements, coping with the shortage of security specialists, adopting new technologies and facing growing threats from cyber-attacks together create a backlog of potential security projects.
The responsibility and importance of CISOs is growing
The Accenture study draws a parallel between the CIO and the CISO. Just as the CIO has found a place in management in many companies, the same will happen for many CISOs. This has consequences not only for the CISO personally but for security in the company as a whole.
Interim CISO from IT District
Protecting your data and processes is a central task that carries great responsibility and requires a lot of experience. It is genuinely difficult to find an experienced expert with the right organizational and technological skills to fill the vacant position. Nevertheless, the position of Chief Information Security Officer (CISO) is essential: internally to keep your IT functioning, and externally to maintain the trust of your customers and business partners.
The reasons for looking for an interim CISO can be as varied as the responsibilities of the CISO. But whether a project assignment, bridging a vacancy or change management is required, IT District GmbH is a strong partner at your side that will steer your company through the transformation phase with a steady hand and a cool head.
We fill the vacancy with an experienced interim CISO and thereby bring deep experience in IT security management into your company. Organizational, technical and process-related tasks can be tackled immediately, with a fresh view from outside. We optimize your information and cyber security strategy and always keep an overview and a balance between the competing areas of organization, technology, law, internal service provision and external service provision.
Leverage an interim CISO and reduce risks
We can fill the role of CISO (Chief Information Security Officer) in your company. This gives you the relevant competencies without having to staff an entire position.
IT security is much more than just virus protection or a firewall. The following must not be overlooked either:
- confidentiality (protection of data such as your trade secrets),
- integrity (the data has not been altered) and
- authenticity (the information really comes from the person named as its sender or author).
Depending on the business area, these requirements are significant and must be implemented through appropriate compliance policies. And this IT compliance is becoming ever more important.
The managing director of a company is liable for adherence to the compliance guidelines in that company. A set of rules that exists on paper but is ignored in practice does not satisfy this obligation.
Since many company processes are now handled by IT, a managing director is also liable for problems that originate in IT. One example is lost accounting data, which must remain available for 10 years for a tax audit. It is not enough for the data to exist somewhere in a backup; its integrity must also be assured, that is, it must be possible to rule out subsequent changes.
A managing director who does not come from IT usually lacks the background knowledge needed to check that the guidelines are being followed.
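One practical way to make "rule out subsequent changes" checkable for archived records is a keyed manifest: a list of file hashes authenticated with a key that is held outside the backup system, so that neither a changed file nor an edited manifest can pass unnoticed. The following is an added illustration, not code from IT District or from the page; the archive contents, file names and the manifest key are constructed for the example, and the HMAC stands in for whatever signature or WORM mechanism a real archive uses.

```python
import hashlib
import hmac
import json

# Constructed sample archive: file name -> contents (stands in for a real export).
ARCHIVE = {
    "ledger-2023-Q1.csv": b"date,account,amount\n2023-01-05,4000,1250.00\n",
    "ledger-2023-Q2.csv": b"date,account,amount\n2023-04-02,4000,980.50\n",
}

# Hypothetical key kept away from the backup host (e.g. in an HSM or a separate vault),
# so that whoever can edit the archive cannot also re-sign the manifest.
MANIFEST_KEY = b"manifest-key-kept-off-the-backup-host"


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of one file's contents."""
    return hashlib.sha256(data).hexdigest()


def _canonical(entries: dict) -> bytes:
    """Stable serialization so the MAC is independent of dict ordering."""
    return json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(files: dict) -> dict:
    """Hash every file and authenticate the whole list with the off-site key."""
    entries = {name: sha256_hex(blob) for name, blob in sorted(files.items())}
    tag = hmac.new(MANIFEST_KEY, _canonical(entries), hashlib.sha256).hexdigest()
    return {"entries": entries, "mac": tag}


def verify_archive(files: dict, manifest: dict) -> dict:
    """Compare an archive against its manifest; report what changed, if anything.

    manifest_ok is False when the manifest itself was edited (MAC mismatch);
    modified/missing/unexpected list files whose hash, presence or absence
    no longer matches. ok is True only if everything checks out.
    """
    expected = hmac.new(MANIFEST_KEY, _canonical(manifest["entries"]), hashlib.sha256).hexdigest()
    manifest_ok = hmac.compare_digest(expected, manifest["mac"])
    entries = manifest["entries"]
    modified = [n for n, h in entries.items() if n in files and sha256_hex(files[n]) != h]
    missing = [n for n in entries if n not in files]
    unexpected = [n for n in files if n not in entries]
    return {
        "manifest_ok": manifest_ok,
        "modified": modified,
        "missing": missing,
        "unexpected": unexpected,
        "ok": manifest_ok and not (modified or missing or unexpected),
    }


if __name__ == "__main__":
    manifest = build_manifest(ARCHIVE)
    print("untouched archive:", verify_archive(ARCHIVE, manifest))
    # Simulate a later edit to one ledger file.
    tampered = dict(ARCHIVE)
    tampered["ledger-2023-Q1.csv"] = b"date,account,amount\n2023-01-05,4000,12.50\n"
    print("edited ledger:", verify_archive(tampered, manifest))
```

The manifest is created at archiving time and stored with the backup; the key is not. A tax auditor (or the CISO's own periodic review) re-runs verify_archive and gets a concrete answer instead of trusting that "the backup is there". Deleting a file, adding one, or editing both a file and its manifest entry are all reported, because the manifest's MAC no longer matches once the entries are changed.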
We perform the task of an interim CISO
We work closely with your existing IT and, through our reviews, make sure that even unpopular routine tasks are actually carried out. We also help set up secure networks and work with your IT team to secure your business.