What qualifications are required for the post of CISO?
Security as a management discipline
IT security and data protection are increasingly becoming a management discipline in the digital age. The analogue world is has been ideally secured and well-structured for several decades. The influence that the digital world has acquired has often been neglected. The resulting adjustments are therefore often inadequately implemented. Also, due to the increasing transfer of services and data onto the Internet, many new risks are arising.
Hazards and risks apply to all industries
Companies are all subject to the same attack patterns, even if they have different focuses – whether it is an insurance company that needs to protect sensitive customer data, an energy company that has to secure information about the plant control system to ensure that there are no interruptions to the power supply, or an automobile manufacturer protecting intellectual property such as the development data of its new vehicle models.
In the face of increasing hacker attacks, therefore, all companies should declare information security to be a strategic objective and, while developing a digital strategy, introduce a stringent security plan throughout the enterprise. Many – in particular large – companies, therefore call on the services of a Chief Information Security Officer (CISO). But so far, no consistent understanding of the occupational profile has been established nor has the position of the CISO been precisely defined within the organisational structure of companies.
The CISO must protect the entire company
One of the key duties of CISOs is to prevent data from being manipulated. The consequences of this are often underestimated. In addition, they must use their powers of persuasion at all hierarchy levels to get every department on board. In addition to the professional qualifications, extensive soft skills are required, such as communication, teamwork and diplomatic skill, tenacity, compromise ability, resilience and trust.
What is the key selling point in the CV?
There is no training course for becoming a CISO; however, various certificates facilitate the ascent to Chief Information Security Officer.
IT professionals being sought for specialist security functions must offer a broader spectrum of competency – in terms of their qualifications and profiles – than pure IT experts. The standard tasks include effective prevention work and the planning of potential attack scenarios. For this kind of planning, an in-depth knowledge of security, cryptography, and networks are required in addition to the programming languages.
Alongside knowledge of the field of encryption with a mathematical focus and a degree in a subject like (business) information systems, mathematics, natural sciences or economics (with IT as a special focus), extensive professional experience in the area of IT security (threat response/analysis and intelligence), CERT, intrusion detection design and prevention systems is a must. Sound knowledge in the fields of anti-malware software, network administration, IT security or IT forensics are equally essential as are the common scripting and programming languages.
A good CISO is proactive and prevents data theft or prolonged IT systems outages from occurring at all.
From the perspective of the HR department, sector knowledge is the be-all and end-all when it comes to finding the right personnel to fill posts in the area of information security. Alongside sector expertise, an in-depth knowledge of the applicable legal frameworks (such as KonTraG, MaRisk) and compliance is relevant when it comes to successfully implementing necessary security solutions while complying with legal requirements.
Corporate security should be even more focused and not classified as a triviality. Security is not a flash in the pan, but rather a necessity that is becoming increasingly important – especially in this age of digital change!