ISB (InfoSec)
A chief information security officer (CISO) or information security officer (ISO), is a person who is responsible for planning, coordinating, and implementing measures to ensure the confidentiality, integrity, and availability of information and IT systems in a company. These three differ significantly in terms of budget responsibility.
An ISB analyses existing risks and vulnerabilities, creates security policies and processes, trains employees on how to handle data securely, carries out security audits, reacts to security incidents and reports to management on the status of information security. An ISB is not only responsible for technical aspects of information security, but also for organizational, legal and strategic issues. They must understand the company's requirements and goals, comply with relevant legal and industry-specific standards, promote a security culture and raise awareness of the importance of information security.
Why is information security important for your company?
Here are a few recent examples:
- Mercedes Benz, entire Gitlab data (code) online
- 23andme, DNA data published by approx. 6 million customers.
- Trello, data hacked on 15 million customers
- Motel One, ransomware attack
- Verivox, software vulnerability
25%
of executives integrate data security functions into products, services and relationships with third parties
More about this
Executives effectively integrate data security functions by using “security by design” right from the development phase. Regular safety audits and employee training strengthen internal security expertise. When working with third parties, compliance with clearly defined security requirements is essential. This is ensured through contractually defined standards and regular reviews. A comprehensive data protection strategy that takes into account both technical and legal aspects rounds off the security concept and ensures compliance. In this way, managers not only create a safe environment, but also promote customer trust.
Do you need a CISO/ISO?
A company needs an ISB if it processes sensitive or sensitive information that is at high risk of theft, loss, manipulation, or misuse. Hiring an ISB is often an industry standard (e.g. healthcare, finance, insurance, etc.).
An ISB is usually recommended for risky data processing such as financial data, trade secret data, research and development data, or critical infrastructures. An ISB helps the company protect this information, meet the security requirements of its customers and partners, maintain its reputation and competitive advantage, and avoid potential financial or legal consequences of security breaches.
What activities does a CISO/ISO perform?
A CISO/ISO from SIDD performs the following activities:
- They creates, implements, and monitors an information security strategy. This strategy is tailored to the company's business objectives, risk situation and compliance requirements.
- They defines, implements and reviews security policies, standards, and processes that comply with recognized best practices and norms, such as ISO 27001, BSI Baseline protection, or NIST Framework.
- They advises and trains management, departments and employees on all aspects of information security, including raising awareness of current threats and trends, teaching security principles and practices, and promoting a security culture within the company.
- They coordinates and manages internal and external security audits, the implementation of vulnerability and risk analyses, the preparation and update of the security concept and emergency plan, the handling of security incidents and the implementation of improvement measures.
- They communicates with relevant stakeholders, such as the data protection officer, the IT manager, the legal advisor, the works council, the customers, the suppliers and the authorities, to ensure coordinated and effective information security.
How much work does a CISO/ISO have?
The cost of a CISO/ISO depends on various factors, such as the size and complexity of the organization, the scope and type of information to be protected, the level of maturity of the existing information security management system (ISMS), and legal and contractual requirements. A general answer is therefore not possible, but a rough orientation can be given based on the following criteria:
- The amount of time required per week or month for the job varies depending on the scope of responsibilities, the degree of delegation to other employees or external service providers, and the availability of standardized processes and tools.
- A study by the industry association BSI has shown that the role in Germany requires an average of around 12 hours per week, although this figure fluctuates significantly depending on the size of the company. For small companies (up to 50 employees), the figure is around 4 hours per week, for medium-sized companies (51 to 250 employees) around 8 hours a week and for large companies (over 250 employees) around 16 hours a week.
- Costs depend on skill level, experience, employment status (internal or external), and compensation. In addition, there are the costs of continuing education, certification, travel costs, software licenses, and other resources needed to complete the tasks.
Why name us as your external CISO/ISO?
You save time and money by outsourcing operational and administrative information security tasks to us.
You benefit from our many years of experience and comprehensive expertise in the area of information security.
You minimize both security risks and security incidents.
You will receive independent and objective advice on all issues relating to information security.
You strengthen the trust of your customers, employees and business partners in the handling of their personal data.
Which packages does SIDD offer?
CISO/ISO package
What happens after you order at SIDD?
After hiring SIDD as an external CISO/ISO, onboarding starts as follows:
Contract signing
We conclude a service contract that contains the framework conditions and scope of our activities as an ISB. Digital, of course 😉
Kick-off meeting
We conduct a kick-off workshop with you to get to know each other, agree on expectations and discuss the next steps.
InfoSec analysis
We carry out an inventory of your data protection-relevant processes, systems and documents in order to determine the current status and the need for action.
InfoSec concept
We create an action plan to implement information security requirements. This plan includes, among other things, the preparation or revision of guidelines, planning training and awareness measures.
InfoSec implementation
We support you in the practical implementation of the planned measures, e.g. through advice, training, and testing.
InfoSec Support
We are available to you as a permanent point of contact for all InfoSec questions and are responsible for the continuous monitoring, updating and adaptation of measures to the changing legal and technical framework conditions.