31.08.2023 – Data is the backbone of modern businesses. It enables growth, innovation and is central to operational success. But just as data presents opportunities, it also presents risks. A security incident can not only cause financial damage, but also shake the confidence of customers and partners and thus jeopardies the company's reputation. To prevent this, the proactive role of the Chief Information Security Officer (CISO) is becoming increasingly indispensable. Felix Hagemann, Senior Consultant Technology at Robert Walters in Frankfurt am Main, explains the comprehensive area of responsibility of the CISO, his challenges, the career path and his benefits for companies.

Why a CISO is indispensable

The ongoing digital transformation has continuously challenged companies to renew and secure their IT infrastructures in recent years. The increasing reliance on cloud technologies and connected devices – also known as the Internet of Things (IoT), where physical devices are connected to the internet or other networks – has increased the attack surface. With the rapid shift to home office models during the corona pandemic, many existing vulnerabilities became even more apparent. Hackers used this opportunity to intensify their attacks. A global survey conducted in 2022 found that around 46% of the companies surveyed in Germany had been the victim of a cyber attack at least once (Statista, 2022).

In addition, legal compliance requirements are also constantly tightening, such as the Digital Operational Resilience Act (DORA) regulation, the Bank Supervisory Requirements for IT (BAIT) or Insurance Supervisory Requirements for IT (VAIT). Companies that do not implement robust security strategies thus risk significant penalties.

In the midst of this changing landscape of digital transformation and increased external threats, the role of the CISO has become more important. She ensures that the integrity, confidentiality and accessibility of corporate information are always maintained. Especially in highly regulated industries, such as banking or insurance, the complexity of this task is growing. "There is a growing awareness of the importance of sound security measures, which leads to an increased demand for CISOs," notes Hagemann.

What are the tasks of a CISO?

A CISO is tasked with creating and maintaining a solid security infrastructure for an organisation. This includes developing strategies, managing risks, designing security architectures, responding to security incidents and training employees. In doing so, he leads a team of experts and works closely with other departments. However, the role of CISO requires not only expertise in IT and cyber security, but also soft skills such as strategic thinking, interpersonal communication and leadership skills.

What does the career path of a CISO look like?

"The path to the position of a CISO is varied. Many start their career as an IT Security Analyst or IT Security Engineer and work their way up through different roles, such as IT Security Architect or Information Security Officer," explains Hagemann. "To qualify as a CISO, certificates such as CISSP, CISM or even experience with regulatory standards such as GDPR or ISO 27001 are also often required," says Hagemann.

Hagemann goes on to explain: "Anyone who wants to become a CISO should always stay on the ball: Regularly learn new things, keep in touch with other IT security experts, deepen knowledge in specific areas and never miss important conferences. All this can give you a decisive edge in this fast-changing industry."

How much does a CISO earn?

Salaries for CISOs vary widely depending on company size, industry, geographic location and experience. In large companies or in industries that are particularly affected by cyber threats (such as financial services or technology), salaries can be significantly higher. Hagemann: "In general, CISOs' annual salaries can be in the low to mid six-figure range, or even seven-figure range in rare cases." 

More detailed information on salaries can be found in our annual salary survey.

Complex hurdles for the CISO

The work of a CISO is not without obstacles. In the context of "There is no glory in prevention", CISOs often struggle to convince management of the need for preventive security measures. The dilemma: justifying security investments is often complicated by the fact that their successes are not immediately apparent.

In addition to persuasion, the CISO faces an ever-changing cyber threat landscape. The lack of skilled professionals can make it significantly more difficult to build an effective security team. Furthermore, budget constraints can hinder the implementation of comprehensive security strategies. Last but not least, the CISO must ensure that complex data protection and security regulations are continuously adhered to.

"A secure environment - and companies must realise this - is the basis for innovation. Only in a stable framework can companies grow without being constantly slowed down by security concerns," Hagemann emphasises. This unique balance between risk management and business innovation illustrates the multi-layered challenges a CISO faces.

Terms

CISSP = Certified Information Systems Security Professional

CISM = Certified Information Security Manager

GDPR = General Data Protection Regulation

ISO 27001 = An international standard for information security

Source

Statista, 2022: 
https://de.statista.com/statistik/daten/studie/1230157/umfrage/unternehmen-die-in-den-letzten-12-monaten-eine-cyber-attacke-erlebt-haben/