When was the last time you evaluated your IT security concept? Do you even have one? How do you create it? Who takes care of it? If something goes wrong, what do you do? Are you liable for it?

Should every company have an IT security officer?

The German government provides a list of companies and industries that belong to Germany's critical infrastructure (KRITIS). These companies, known as IT-kritis, are required by law to appoint an IT security officer for the company, whose job it is to advise the company's management on IT security issues and support the implementation of necessary measures.

Regardless of whether your company is part of the critical infrastructure or not, you have a vested interest in protecting your IT systems and the data they process or generate. The German Federal Office for Information Security (BSI) was established in 1991 for this reason and developed the “basis for IT security” (IT-Grundschutz) as a proven methodology for increasing information security in companies. One requirement of this basic protection is to have an IT security officer.

IT security is fundamentally about data protection. The loss of data or the failure of the systems that process data is critical for your company, its employees, and all your customers. Put simply, every company should be concerned with IT security for its own sake and, ideally, have an IT security officer.

Critical infrastructure sectors and industries

Culture and media
  • Broadcasting (television and radio)
  • Printed and electronic press
  • Cultural institutions
  • Symbolic structures

State and local authorities
  • Government and administration
  • Parliament
  • Judicial facilities
  • Emergency/rescue services, including civil protection

Energy
  • Electricity
  • Gas
  • Mineral oil
  • District heating

Food
  • Farming and food industry
  • Grocery

Financial and insurance
  • Banks
  • Stock exchanges
  • Insurance
  • Financial services

Transport and traffic
  • Aviation
  • Maritime
  • Inland navigation
  • Rail transport
  • Road traffic
  • Logistics

Water
  • Public water supply
  • Public sewage disposal

Information technology and telecommunications
  • Telecommunications
  • Information technology

Health
  • Medical care
  • Drugs and vaccines
  • Laboratories

Why do I need an IT security officer?

While every company is different, one thing is true for all: An IT security concept is an essential part of operational planning. This is just as valid for the local hair salon as it is for the multinational corporation. Although the concept varies and includes aspects that are individually tailored to the specific company, an IT security concept serves every company in the same way as a safeguard for optimized business operations.

Your company is successful because of its ideas. It is important to ensure that these are adequately protected.

In daily business operations, a wide variety of risks inevitably arise, not only from the human factor, but also from the processes and IT systems the company uses. IT risk management is the means of holistically viewing, evaluating, understanding and mitigating the risks that exist in your IT landscape.


When it comes to decisions regarding IT security, we at IT-Kompass are an objective and informed partner who can advise you on the necessity and benefits of such investments.

Last but not least, the managing directors of corporations are legally obligated to properly organize and manage the company under their control. They are also liable for damages resulting from failure to fulfill these obligations. This includes the management of a company's IT infrastructure and data. See Section 43 of the German Limited Liability Companies Act (GmbHG) on directors’ liability.


What are the tasks and requirements of an IT security officer?

  • Provides management with an overview and current status of all activities and issues related to IT security
  • Creates an IT security guideline and the IT security concept for the organization in cooperation with management and ensures that both are always kept up to date
  • Creates IT documentation and maintains IT security policies and guidelines for the organization
  • Supports the establishment and operation of the IT security organization
  • Manages the resources available for IT security, including personnel, equipment and budget
  • Conducts training on IT security and related internal policies and guidelines
  • Guarantees the flow of information for IT security topics within the organization
  • Documents and evaluates the effectiveness of IT security measures
  • Leads the analysis and follow-up for all IT security related incidents
  • Serves as the point of contact for colleagues, external partners and customers in all matters related to IT security

Responsibilities of an IT security officer: Is your house in order?

When people think of IT security, they think of things like hackers and computer viruses. But it involves much more.


An unfamiliar USB stick

...which seems to be lying randomly in a parking lot but was purposefully placed there by an attacker who expects it to be connected to a computer later.

Social engineering attacks

...via phone, social media, email, or even postal mail - e.g. to the boss's secretary or the accounting department, to gather information or arrange a payment.

Company data

...processed and stored on private devices or insecure systems pose the risk of data leakage, compromise, and access by unauthorized third parties.

An employee

...who knowingly causes damage - e.g. industrial espionage, data destruction or falsification.

Fire alarm!

Will all data remain confidential and equipment secure when the fire department arrives? Are computers locked at all?

A fake employee

Who is standing at the door taking a "break"? Can bogus employees or bogus customers gain unauthorized access to the building?

Passwords written down

Are passwords kept in a drawer, or maybe taped under the keyboard?

Access authorizations

Who has access to the server room and is access monitored?

Open office spaces

...often leave screens freely visible. No time is needed to read them; a quick photo with a cell phone is enough.

The basic rule is this: IT security depends on the employees, their care in handling data and systems, their healthy caution and, above all, their level of knowledge of IT and of existing attack vectors.


Appoint an internal or external IT security officer?

Employing an IT security officer in-house may be the right solution for some companies, but the right choice depends on more than just the size of the organization. Even large companies often take advantage of external expertise and try to implement cost-effective, scalable solutions. The tasks of an IT security officer are the same either way: they are identical for a company of any size. The amount of work and the number of personnel may differ, but the responsibilities do not.

It is important to understand that the IT Security Officer is not responsible for managing an IT department, making all decisions related to IT, or managing various IT projects. This person is solely responsible for and fully committed to the conceptualization of IT security. As such, an external partner can be invaluable, as the advice and recommendations he or she offers are strategically sound and completely objective. The IT security officer is able to scale resources as needed, understands best practices, and has the perspective that comes from implementing solutions in different organizations and industries.


Why is IT-Kompass your ideal partner for appointing an external IT security officer?

Especially if you have entrusted the maintenance and protection of your corporate IT to a service provider, you need to be sure that your IT infrastructure is optimally protected and that the work is carried out correctly by your service provider.

Neutrality is essential in the quantitative and qualitative assessment of the security level. This is where an IT security officer from IT-Kompass, certified by TÜV Rheinland, comes into play by providing you with an independent point of contact.

Within the framework of this partnership, you will not just receive a one-time recommendation, but benefit from a regular and continuously adjusted overview of existing vulnerabilities and deficits, on the basis of which you can plan the path to an optimized IT security strategy for your company. We support you in this!

Even if you already work with another systems house, you can hire IT-Kompass as an external IT security officer. This gives you the opportunity to ensure a neutral view of your IT security.

What is the process like with an external IT security officer from IT-Kompass?


Have you recognized that your company is unprotected against IT risks and want to actively change this? Or have you already dealt with the issue but would like to put your company to the test and determine the current state?

We are here to help and can offer you an initial check in the form of a comprehensive information security analysis.

  • Within the scope of this analysis we determine the current protection level and show you your further optimization potential.
  • If you would like to have the appropriate concepts for optimization developed and implemented, our team of IT security officers and system administrators is at your disposal.
  • If you would like to implement your own IT security organization within your company, we are at your disposal to provide an IT security officer.
  • As an IT security officer, we will work with you to develop a security guideline and an IT security concept that suits you.
  • Regular monthly reports provide you with a constantly updated overview of the existing security level and offer further recommendations for action.
  • We are there for all your questions about IT security. You decide how much you need our support. If you are interested or have further questions, just give us a call.

The IT-Kompass team consists of dedicated and highly qualified subject matter experts who have specialized knowledge in areas such as IT security, cloud infrastructure, e-commerce, the development of software and mobile apps, network administration and digitalization. We are happy to assist you.

What does an IT security concept contain?

A good plan is never set in stone. It recognizes that circumstances and priorities can change. The plan serves as a guide for decision making and can be adjusted as needed, but without a plan you are acting aimlessly. An IT security plan addresses the following:

The concept...

01. ...defines what needs to be protected: which data and systems need to be protected against which scenarios, what equipment is needed, and access to which software or resources is required.
02. ...prepares a risk and threat assessment with an estimate of the probabilities of various scenarios and the resulting damage to the company.
03. ...determines which IT security measures can be taken to minimize both the risks and the resulting damage.
04. ...prioritizes the various areas within IT security based on the estimated risks and damages.
05. ...assesses the effectiveness of current IT security measures.
06. ...estimates the resources (human and financial) required to resolve issues in the event of an incident.
07. ...is continuously reviewed and revised as needed.
