The threat situation is worsening. Information and data security in growing corporate and collaboration networks therefore has top priority for companies when designing IT infrastructures. Unlike the appointment of a data protection officer, the appointment of an information security officer (ISB) is not generally prescribed by law; it is required only in specific contexts, such as certification according to ISO 27001 or BSI IT-Grundschutz. Nevertheless, more and more companies are voluntarily deciding to draw on the expertise of an internal or external information security officer.
When should an information security officer be deployed?
The management has overall responsibility for the IT governance of a company. Meeting this responsibility, both in terms of content and in terms of operational risk management, demands not only a lot of the management's time but above all a certain level of expertise in order to identify and evaluate risks and derive adequate security measures. Many managing directors are overwhelmed by this. The task of an information security officer is to advise the management, in close collaboration with IT management, data protection officers and emergency managers but independently of them, on the planning, control and monitoring of effective information security management.
“In many cases, the position of information security officer is not even filled or this challenging task is temporarily taken over by IT managers. The lack of independence from department heads, resource bottlenecks and the occasional lack of further training on issues relating to information security, however, do not always make this constellation the best choice for such an important advisory and control body,” reports Netzlink Managing Director Sven-Ove Wähling. “An external information security officer closes precisely this gap, which is becoming increasingly larger in the course of advancing digitization and the current challenges posed by the change in the world of work (keyword: home office).”
For most small and medium-sized companies, certifying and regularly training an internal information security officer is not worthwhile. Appointing an external ISB is a sensible decision for many companies not only for reasons of cost: as consultants with project experience, they can often better assess which concept best fits the specific corporate purpose and the respective process organization.
Tasks of an information security officer
The spectrum of tasks that an information security officer has to fulfill is very broad and is determined individually with the management for the respective application. An ISB typically takes on the following tasks:
As-is assessment: what information is security-critical, how is it secured, where are the weak points, what were the results of previous measures, and which future measures should be implemented with which priority?
Direct reporting to the management and documentation of security deficiencies and risks, security-relevant events and security incidents.
Elaboration of security concepts and testing of their feasibility.
The ISB aligns the goals of information security with the goals of the company and, if one is not already available, creates an information security guideline in coordination with the respective department heads.
The ISB also provides employees and users with the necessary information and awareness to implement and apply the security guidelines in day-to-day business, e.g. in the form of awareness training.
While data protection officers in the company are primarily responsible for compliance with the General Data Protection Regulation (GDPR), the monitoring of data processing and the documentation of processing activities, an ISB is primarily concerned with the technical and organizational measures, the so-called “TOMs”, that protect information security.
Challenges go beyond technical and organizational measures
A particular challenge for the ISB is presented by companies that have outdated technical equipment and systems that have grown over time and that are closely interwoven with the entire corporate IT system. “Legacy systems that serve as data suppliers for downstream systems often represent potential security risks for the entire information network. However, these cannot be easily exchanged or shut down,” explains Sven-Ove Wähling. “Here, the information security officers have to take a close look at these systems in detail and, together with the IT department and management, think about how the systems and information flows can be secured in order to reconcile the goals of information security and the individual company goals as best as possible.”
Netzlink recorded a major increase in requests for so-called penetration tests, controlled attacks carried out in order to identify and document existing weak points in the system landscape and initiate suitable countermeasures. Alongside the operational systems, e-mail is today one of the main gateways for malware in companies. Although these risks can be limited to a certain extent by technical and organizational measures, users in particular are challenged to apply those measures in day-to-day business so that IT operations run smoothly. With regular awareness training, delivered face-to-face or online, Netzlink’s IT security experts educate companies about the dangers of the electronic mailbox and check what users have learned, for example by sending test phishing e-mails during everyday business. The Braunschweig system house complements its range of security services, such as the provision of external data protection and information security officers and security assessments, with further services such as the “Detective Netleak” vulnerability analysis and a website security check to secure customer data via the web.
“The ISB is not only an independent advisory body for the management, pointing out weaknesses in IT and possible solutions for the sustainable minimization of business risks, but also an important interface to IT and IT users. In most cases the management knows about their overall responsibility for IT and information security in the entire collaboration network, but delegating this to the IT, which is often busy with the operational business, is not always the best way – with regard to the long-term corporate goals,” Netzlink’s managing director Sven-Ove Wähling sums up. “Closing this gap – for example by appointing an internal or external ISB – is a cardinal task of forward-looking management, especially in view of the growing demands of digitization.”