
IT Security Consultant (m/f/d)

Full-time, fully remote or Hamburg

IT security rarely fails for lack of concepts. It fails because those concepts never reach the real IT environment.

We come from the attacker’s perspective. We test systems as they will actually be attacked later. Not theoretically, not as a model, but technically and practically. It is precisely this perspective that characterizes our work in consulting and projects.

We are now looking for an IT Security Consultant (m/f/d) who carries this perspective into consulting. Not as paperwork, but as tangible improvement in customer environments.


What the role is about

You support companies in their security development over the long term, often as an external information security officer or as part of consulting projects. The industries of our customers are diverse.

Your goal: to design IT security so that it works in day-to-day operations.

You work at the interface between architecture, operations and security and ensure that security measures are not only defined but also implemented.


Collaboration is predominantly remote, which is also our preference, as the team is spread across the country. On-site appointments with customers may be necessary in individual cases, but are not the rule. Working from the office in Hamburg is also possible; a suitable workstation is available there.


Your tasks

  • Establishment and further development of information security structures in accordance with ISO 27001
  • Supporting companies with the implementation of regulatory requirements such as NIS-2 and DORA
  • Development of pragmatic security concepts that work in operation
  • Evaluation and improvement of IT architectures in cloud and hybrid environments
  • Translation of technical risks into concrete, implementable measures
  • Acting as an external information security officer in long-term client relationships
  • Close cooperation with technical teams from Penetration Testing and Red Teaming
  • Identification of weak points in the real system implementation, not only at document level

You don’t manage documents. You make sure that security actually reaches the infrastructure.


Technical expectations

A technical understanding of the following areas is an advantage for the role, but not a mandatory requirement:

  • Modern network and cloud architectures (Azure, AWS or hybrid)
  • Identity and access management in complex organizations
  • Logging, detection, hardening and security monitoring
  • Typical attack surfaces in enterprise environments
  • Interaction of applications, infrastructure and security controls

The role is also open to people who work into these topics in a structured way and build up their knowledge over the course of projects.


What you should bring with you

  • Experience in IT security, IT consulting or IT architecture
  • Understanding of information security frameworks such as ISO 27001
  • Interest in regulatory topics such as NIS-2 and DORA
  • Ability to combine technical and organizational requirements
  • Structured way of working with a focus on implementation in operations
  • Ability to analyze complex IT architectures and derive security risks
  • Understanding of modern cloud and hybrid architectures (Azure, AWS or comparable)
  • Experience in dealing with IAM, network and logging/monitoring concepts
  • Communication skills between technical teams and management level
  • Willingness to familiarize yourself deeply with new technical environments
  • Completed degree in computer science, IT security or business informatics, or a comparable technical qualification (e.g. vocational IT training such as IT specialist for system integration or application development)

Not all of the above requirements need to be met in full. What matters is a suitable professional foundation combined with technical understanding and the willingness to work into the relevant topics.

Desirable, but not a mandatory requirement:
  • Understanding of regulatory requirements and operational realities in:
    • Insurance
    • Finance and banking
    • Retail
    • Energy industry
    • Maritime sector
  • Experience in Critical Infrastructures or regulated environments
  • Certifications such as ISO/IEC 27001 Lead Implementer, Certified Information Systems Security Professional (CISSP), Microsoft Certified: Azure Security Engineer Associate (Exam AZ-500), IT-Grundschutz Practitioner (BSI) or comparable

What we are deliberately not looking for

  • Roles with a purely audit, documentation or reporting focus without sufficient technical integration into IT architectures and system landscapes
  • Activities in which security concepts are created without being implemented or effectively anchored in the client’s operations
  • Advice without reference to real attack paths, system behavior or technical dependencies
  • Strongly checklist-oriented working methods without context to the specific IT architecture or the individual customer environment
  • Approaches that only formally meet regulatory requirements (e.g. ISO 27001, NIS-2, DORA) without ensuring technical and organizational effectiveness in operation
  • Security concepts that consider individual IT areas in isolation without taking adequate account of the interaction between infrastructure, identity, network and applications

Our customers

Our customers come from very different worlds: banks and insurance companies work with us, as do industrial companies, retailers and operators of critical infrastructures, from medium-sized companies to international corporations.

This diversity ensures that no two projects are the same.

We come from a technical testing background. Penetration testing, red teaming and realistic attack simulations are part of our everyday work. We see systems as they would be attacked under real conditions, and this perspective flows directly into our consulting and architecture work.

The result is not theoretical concepts, but concrete improvements that work in practice.

Projects range from ISO 27001 set-up and further development to NIS-2 and DORA implementations and in-depth architecture reviews in complex, historically grown IT landscapes.


How we work

We work pragmatically, technically and directly.

  • Short decision-making processes
  • A lot of personal responsibility
  • Direct exchange with customers and technical teams
  • Remote-first (fully remote) with optional office in Hamburg
  • Flexible working time models

Responsibility lies where the competence is.


Our standard

Security must work, not just be documented.

We measure consulting by whether it works in live system operation: not by the quality of the presentation, but by the robustness of the implementation.


Application process

  1. Interview with the management
    Focus: technical depth, mindset, understanding of IT security in real operations
  2. Discussion with the team
    Focus: cooperation, technical understanding, practical approach

We only hire on a permanent basis.

Send us:

  • a short cover letter with your view on functioning IT security
  • CV with relevant positions
  • optional: references on ISO 27001, architecture work or security consulting
  • optional: technical examples from previous projects

to hello(at)kalwe(dot)it. We will get back to you as soon as possible.