CISOs and ISOs: Tasks, training, and salary at a glance

Today, there is a global shortage of some 3 million cybersecurity professionals, and IT-Security Online even lists this lack of information security staff as one of the top four trends companies should prepare for. This makes CISO and ISO in-demand job profiles with excellent prospects on the market.

And it's no surprise: the information security job profile brings together a combination of skills, each of which is rare on its own in today's job market. In addition to a high degree of IT literacy, applicants need in-depth knowledge of the standards and laws relevant to the field. The job also frequently demands an aptitude for communication and negotiation. After all, information security processes only work when all the company divisions involved cooperate, and getting them to do so is one more task where the cybersecurity professional has to shine.

The facts in a nutshell

  • CISO stands for Chief Information Security Officer, whereas an ISO is an Information Security Officer.
  • Both are experts in the field of information security who implement measures in their company of employment.
  • On the job market, information security experts are a hot item.
  • There is no single prescribed degree for a career in information security; graduates in computer science and business administration are equally qualified.
  • More important than a degree are previous experience and knowledge of ISO 27001 and information security management systems (ISMS).
  • With annual salaries of around 70,000 euro (ISO) to over 100,000 euro (CISO), both jobs are well paid, reflecting the high level of responsibility the position carries.
  • Many companies choose to outsource the ISO or CISO role and hire external service providers.

What is a CISO?

A CISO (Chief Information Security Officer) is a senior executive responsible for an organisation's information security. CISOs develop and implement security policies and procedures to protect the organisation's critical data and systems from cyberattacks. Working alongside other departments, including IT and business, CISOs identify and manage information security risks.

In addition, CISOs oversee the implementation and maintenance of security controls, such as firewalls and intrusion detection systems. They also provide security awareness training to employees.

What is an ISO?

An Information Security Officer (ISO) is an information security expert accountable for designing and enforcing an organisation's information security program. (In this article, "ISO" always refers to the job role, not to the International Organization for Standardization behind standards such as ISO 27001.) The ISO's aim is to safeguard the organisation's information assets against unauthorised access, use, disclosure, disruption, alteration, or destruction.

ISOs usually have a deep understanding of information security principles and practices, as well as expertise in risk management, security controls, and incident response. They must also have strong communication and interpersonal skills to collaborate effectively with diverse stakeholders, such as senior executives, IT personnel, and business users.

For example: from a pure information security perspective, it would make a great deal of sense to restrict all workstations to company premises and prohibit employees from using their own mobile devices (e.g., their smartphones) for work. But working from home and 'bring your own device' (BYOD) have long since become part of modern working reality. So CISOs and ISOs need to find compromises and select InfoSec measures based on their company's individual risk appetite.

Are there differences between a CISO and ISO?

Normally, a CISO or ISO reports directly to top-level management and works closely with the IT department as well as the compliance and legal teams. The CISO role is more strategic and overarching: a CISO has to keep an eye on the entire company. An ISO is more concerned with implementing measures in the individual departments, acting, for example, as project manager for the introduction of an information security management system.

But the role may be defined differently within each company structure. Many companies only have either a CISO or an ISO – in which case the job titles can be considered synonymous.

What are the tasks of a CISO or ISO?

The responsibilities of the job are not legally defined in general; a CISO's day-to-day activities depend largely on the company itself and its industry. There are, however, special cases in the public sector where the job profile is defined by law.

A CISO’s responsibilities include:

  • Protecting company assets from attacks and data breaches (in cooperation with the Data Protection Officer and IT)
  • Preparing for and maintaining ISO 27001 certification (with ISO 27002 as the control guidance) and TISAX® assessments
  • Introducing an information security management system
  • Choosing suitable methods and tools
  • Risk management and advising company management
  • Communication between departments

CISOs are often computer science graduates with advanced training or specialisation in information security, plus years of experience. Depending on the company, the CISO position can be filled by an internal employee or an external service provider.


What qualifications does a CISO or ISO need to have?

Many roads lead to information security. Computer scientists can receive training in ISO 27001 or pursue a number of industry certifications, such as Security+ and Network+ from CompTIA. Graduates in business administration are also strong candidates for advanced training and certification as an Information Security Officer. Today, many universities even offer master's programs in cybersecurity. That said, a degree is not required for a career in information security.

Even more important is previous experience in the fields of:

  • Implementing IT security (including in critical infrastructure environments)
  • Setting up an ISMS
  • Taking an ISMS through ISO 27001 certification or a TISAX® assessment
  • Managing information security incidents
  • Staff training and awareness-raising activities
  • Negotiations and project management

Information Security Analyst, Information Security Officer and similar roles are highly respected, well-paid positions; at the senior end, salaries reach six figures.

Salary and importance of information security experts

As mentioned at the outset, InfoSec professionals are in short supply, and information security requirements keep rising: cyberattacks caused 223 billion euro in damage to the German economy in a single year. Protecting their own company from such attacks is one of the core tasks of CISOs and ISOs, and it is protection that companies are willing to pay a great deal for.

According to Glassdoor surveys, the average earning potential is:

  • a gross annual salary of around 70,000 EUR for Information Security Officers.
  • a gross annual salary of over 100,000 EUR for Chief Information Security Officers.


Outsourcing the role of CISO and ISO – how external service providers can help

Not every company has the resources or the will to implement and manage information security in-house. In some cases, the internal team is overworked and overwhelmed by the heavy documentation load. Perhaps the team lacks the right expertise for a certain project, or fails a due diligence audit. When faced with challenges like these, it makes sense to turn to an external service provider for guidance.

The advantage: external services are quick to purchase, and the service provider's experience means you skip a time-consuming onboarding process. A good provider will assign you a personal contact: your go-to for all the challenges your company faces, with the know-how from past engagements to overcome them.

Another win: it’s cheaper to hire an external service provider than to pay the salary for a full-time company position.

At DataGuard, our customers can pay as little as 500-2000 euros per month, depending on the complexity of their needs. Meet your information security goals today.

TISAX® is a registered trademark of the ENX Association. DataGuard is not affiliated with the ENX Association. We provide consultation and support for the assessment on TISAX® only. The ENX Association does not take any responsibility for any content shown on DataGuard's website.