In times of digitalisation and Industry 4.0, the supervision and continuous development of information security in a company are becoming increasingly relevant. A chief information security officer (CISO) usually has lead responsibility in this area. Allegra Berger has held this position at TÜV TRUST IT since May 2019. In this interview, she talks about the tasks of a CISO and reveals what she particularly likes about her job.
Ms Berger, as a chief information security officer, you are primarily responsible for information security in the company. What does that look like in practice?
I work both internally for TÜV TRUST IT in Cologne and externally for our customers. In practice, my tasks are not that different. In addition to advising companies on security concepts, I am also directly involved in their implementation and accompany our customers until certification. A central topic is the establishment and maintenance of an ISMS, including regular status reporting to the respective managing director. All of this also requires a certain awareness of security issues in the company, which often has to be created first.
So many companies lack the necessary security awareness?
It’s a little different in every company, but often employees are not even aware of the extent of necessary IT security measures. Everyone knows what is offered. But many only realise what is behind it when a certification audit is due. Often, it is only then that our customers notice how their security infrastructure is set up and what needs to be done to optimise it. How to act in the event of a loss in order to avoid something worse should also be discussed. Everyone knows that it is necessary to react. But how exactly and which role each employee plays in the process is something I discuss in detail with our clients.
Accordingly, consulting an external expert makes absolute sense for companies.
Yes, definitely. Many companies, especially in the CRITIS sector, employ their own CISO, but often the addition of an external expert makes sense in order to get an objective view of one’s own company and to use the expanded competences in the subject. This is particularly useful when preparing for certification. I have experience with a wide variety of clients, have met different auditors and know how audits are conducted. This is particularly useful in the run-up to certification, as some clients are naturally nervous and sometimes overwhelmed by the flood of documents. By supporting the client in the planning and the entire process, I can provide a feeling of confidence and relieve them of responsibilities.
What do you think one has to contribute to this important task?
There is certainly no one right way. With the right background, you can certainly slide into such a job as a career changer, for example by training as an ISMS manager or auditor. Certification as a CISO, practitioner and consultant can also open the door to this position. Regardless of what training you bring, work experience plays a very important role. I also think that a certain degree of independence and a structured way of working are indispensable. And since we have a lot to do with people, openness and sociability are definitely helpful.
Finally: What do you like most about your job?
Here I can directly follow on from my last statement: I like the contact with people, the close cooperation in the team and the feeling that I can really make a difference. It’s great when we manage to create awareness for IT security issues in a company and see how the employees gain in security, simply by knowing afterwards what to do in case of emergency. This is incredibly important, especially in this time of advancing digitalisation and increasingly intelligent malware. We can support companies on this path and that not only gives our customers a good feeling, but also us.
Thank you very much for the interview, Ms Berger!