IT security officers – tasks, training, and salary

 

IT Security Officers are in demand in the labor market and can earn good money – provided they have the right skills and experience. The position is often confused with or mistakenly equated with Information Security Officers (ISOs) or even Chief Information Security Officers (CISOs).  

But even though in smaller companies the ISO and IT Security Officer positions may well be held by the same person, the scope of activities is actually quite different. In case you missed it, we’ve already covered the job descriptions of an ISO and CISO in this article.

The facts in a nutshell 

  • The job of an IT Security Officer is to make their company’s IT infrastructure as secure as possible. They protect computers, servers, clouds, mobile devices and the like from access by unauthorised persons. 
  • Most companies are not required by law to have an IT Security Officer. But with the threat of cyber criminality on the rise, there is a point where employing an IT Security Officer becomes a no-brainer.  
  • IT Security Officers are experts in high demand in the labor market across multiple industries. 
  • On average, an IT Security Officer earns an annual gross salary between €60,000 and €90,000. 
  • In view of the high payroll costs and the shortage of skilled workers in the market, it’s not worth it for every company to meet its information security needs through internal resources alone. This is where external service providers can step in.  

IT security vs. information security – who does what? 

In order to help pin down the role of an IT Security Officer, it is worth taking a look at IT security itself. As a term, it’s often used synonymously with information security. So let’s start by unraveling the two:   

Information security focuses on the protection of information. The information itself is the asset. It exists independently of IT systems and requires protection in all its forms. Examples of information assets range from paper files to the unique company know-how in your employees’ heads.  

IT security, on the other hand, refers to the IT infrastructure: computers, servers, clouds, mobile devices and the like must all be protected from access by unauthorised persons. The purpose of an IT system is to transport and process information. And it’s the job of an IT Security Officer to make sure that nothing goes south.

Every IT security measure contributes to information security, but the reverse is not true. Not every issue surrounding information security also relates to IT security. 


 

Why do companies need IT Security Officers?  

Perhaps it’s best to look at an example by way of explanation... 

‘Oops, your files have been encrypted!’  

It is the spring of 2017. Countless people have just been notified by this aggravating message on their computer screens that they have fallen victim to a ransomware attack. The aptly named ‘WannaCry’ cryptovirus includes a timer counting down the hours and minutes until all the data on the infected device is deleted forever. Victims are informed that they can ransom their data back for between €300 and €600 in bitcoin.

In under three days, WannaCry infected more than 200,000 private and company machines in more than 150 countries. The consequences are seismic. Even the Deutsche Bahn and the National Health Service (NHS) in the UK fell victim to the attack. In the case of the latter, the attack led in part to life-threatening situations for patients. 

What caused the attack? WannaCry exploited a vulnerability in a Windows protocol for printer and file sharing – any computer that had not updated to the latest version of the operating system was vulnerable.

It is in order to prevent such scenarios, among other things, that companies above a certain size employ IT security experts. While not a legal requirement for most companies (unlike the appointment of a Data Protection Officer), with the threat of cyber criminality on the rise and changes such as ‘New Work’ presenting new challenges in IT security, employing an IT Security Officer is a no-brainer after a certain point.  

What tasks does an IT Security Officer have? 

Put simply, the job of an IT Security Officer is to make their company’s IT infrastructure as steel-clad as possible. They weigh up which measures are a priority, which are worth the effort and which are too expensive compared to the risk they are supposed to prevent.  

The tasks of an IT Security Officer include:  

  • Conducting an IT security gap analysis 
  • Implementing processes and methods for risk management (i.e. weighing probability, potential damage, importance for company success and risks) 
  • Deriving appropriate IT security goals and measures in coordination with the CISO and management 
  • Implementing IT security measures (e.g. evaluating and improving the physical security of server rooms and office premises) 
  • Reviewing cloud providers for their encryption techniques, access protection (e.g. single sign-on) and backup techniques  
  • Organising employee training to raise awareness of issues such as social engineering and phishing 
  • Setting up an incident and continuity management system  
  • Creating and implementing policies as required by ISO 27001 / TISAX® (e.g. mobile device policy, access control policy and cryptographic controls policy) 
  • Handling and dealing with IT security incidents such as cyberattacks 
  • Documenting and continuously monitoring IT security measures  
  • Managing IT security resources (budget, working time)  
  • Functioning as contact person and person responsible for all IT security-related issues for employees and superiors  

Sound like a lot? Indeed, the job of an IT Security Officer is very demanding and involves a lot of responsibility. That’s why IT Security Officer is not an entry-level job.  

What qualifications does an IT Security Officer need to have?  

As with so many IT jobs, an IT Security Officer’s academic path can be flexible. What counts more than a degree is previous work experience. If you want to set the course for a job in IT security early on, you should consider degree programs such as computer science or business informatics that impart deep technical skills. Many universities even offer IT security as a master’s degree program.  

IT security experts can receive training in ISO 27001 or pursue a number of different industry certifications such as Security+ and Network+ from CompTIA. Part of the UK government’s Certified Cyber Professional (CCP) assured service scheme, a CISMP training course is considered the qualification of choice for IT security specialists.

What salary can an IT Security Officer expect to make? 

As mentioned above, IT Security Officers are experts in high demand in the labor market across multiple industries. Given the shortage of IT security specialists and the growing pressure on companies to shore up their cyber defenses, the deck is stacked in favor of applicants going into contract negotiations.

On average, an IT Security Officer earns an annual gross salary between €60,000 and €90,000. 

Outsourcing the role of IT Security Officer – is that possible? 

In view of the high payroll costs and the shortage of skilled workers in the market, it’s not worth it for every company to meet its information security needs through internal resources alone. Maybe your team is overworked and overwhelmed by the heavy documentation load. Perhaps your team doesn’t have the expertise required for ISO 27001 certification and fails a due diligence audit... When faced with challenges like these, it’s best to turn to an external service provider to give you the individual guidance you need.

A quick and project-based solution, an external service provider’s wealth of experience also means you skirt the time-consuming onboarding process. On your own, it’s like drowning in a sea of measures and guidelines. With the templates and blueprints that providers like DataGuard provide, it’s smooth sailing.

And external service providers can ease your financial burden, too. At DataGuard, for example, customers pay between €500 and €2,000 per month for our “InfoSec-as-a-Service” solution. 

Our experts can help you achieve your information security goals. Why not get to know us in person?

 

 

TISAX® is a registered trademark of the ENX Association. DataGuard is not affiliated with the ENX Association. We provide consultation and support for the assessment on TISAX® only. The ENX Association does not take any responsibility for any content shown on DataGuard's website.
