Are We Ready for a Chief Information Security Officer?

1
Are We Ready for a Chief Information Security
Officer?
The Challenges and Evolution of the Campus IT
Security Officer
  • Jack McCoy, Ed.D., MBA, CISM
  • Information Security Officer
  • East Carolina University

2
The Security Officer Alphabet
  • ISO: Information Security Officer
    • Often an IT Security Officer
    • Designated official, dedicated to information
      security
  • CISO: Chief Information Security Officer
    • C-level executive, a strategic business partner
  • CSO: Chief Security Officer
    • Corporate security, a convergence of information,
      asset, and physical security

3
The Challenges of the Campus ISO
4
The Environment: The Institution of Higher
Education
  • A shaky track record for protecting information
  • A culture of shared governance
  • A penchant for distributed computing
  • A desire for free and unfettered exchange of
    information across organizational boundaries

. . . in essence a formidable environment for
those with campus responsibility for information
security
5
The Organization: University Accountability
  • Resistance to corporate-type controls may arise
    because a university is not a business
  • Regardless of the culture or inherent challenges,
    a university will be held accountable, just as
    any other organization (e.g., a bank or a
    retailer)
  • Accountability must trickle down to internal
    departments, groups, and individuals

6
The Organization: University Accountability
(cont.)
  • Challenges arise when the university community
    • Is not aware of risks to information and
      potential impacts to the university and its
      stakeholders
    • Does not believe that the threats are realistic
    • Thinks that someone in another building is taking
      care of the security problem for them
    • Believes that other job duties and
      responsibilities always take priority over
      security

7
The Strategic Challenges: Issues Likely to be
Encountered
  • IT versus Information Security
  • Security: a technical vs. a business issue
  • Executive awareness and involvement
  • Governance structures and processes
  • Evolving roles and skill sets of the ISO

8
The Evolving Role of the Campus ISO
9
The Relationship of InfoSecurity Maturity,
Structure, and Roles
[Diagram linking three elements:
  • InfoSecurity Organizational Maturity
  • InfoSecurity Functions and Org Structure
  • ISO Roles, Responsibilities, and Authority]
10
Gartner's InfoSecurity Maturity Model
Organizations and their security programs evolve
through four phases of maturity:
  • Blissful Ignorance
  • Awareness
  • Correction
  • Operational Excellence
  (Scholtz & Byrnes, 2005)

11
InfoSec Maturity - Blissful Ignorance
  • Extensive, but outdated, policies
  • Inadequate user awareness
  • Breaches not reported
  • Prevailing belief that the enterprise is secure
  • No effective communication between the IT
    security function and business functions
  (Scholtz & Byrnes, 2005)

12
InfoSec Maturity - Awareness
  • An event leads to a sudden awareness that
    something must be done about security
  • (Re)establishment of a dedicated security team
  • Efforts focus on policy review and update
  • Some organizations assume policy is sufficient
    and regress to the blissful ignorance phase
  • Others develop a security vision and strategy
  (Scholtz & Byrnes, 2005, p. 4)

13
InfoSec Maturity - Corrective
  • Strategic program launched, based on the information
    security vision and strategy
  • Security, risk, and governance processes revamped
  • New policies derived from business needs
  • Corrective actions prioritized and funded
  • Progress toward goals measured and reported
    through business and governance channels
  (Scholtz & Byrnes, 2005)

14
InfoSec Maturity - Operational Excellence
  • Information security embedded into the culture
    of the organization
  • Security is driven by business processes
  • Program metrics emphasize continuous improvement
  • The organization understands and accepts residual
    risks
  (Scholtz & Byrnes, 2005, p. 4)

15
A Gartner Recommendation
  • Organizations must be aware of and understand the
    evolving maturity of their security programs.
  (Scholtz & Byrnes, 2005)

16
Information Security Functional Structures
  • An organization's security function depends on
    its size, business, culture, and regulatory
    requirements
  • Functional structure types
    • Technical
    • Technical / Management
    • Management
  (Kobus, 2005)

17
Technical Information Security Structure
  • No formal security function
  • Security responsibilities assigned to technicians
    in IT operational areas
    • Networking
    • Operations
    • Development
  • Reports to an IT infrastructure or operational area
  (Kobus, 2005)

18
Aspects of a Technical ISO Role
  • Relegated to a purely technical role, e.g.,
    "firewall jockey"
  • Often has few resources and little authority
  • The reason for hiring an ISO may be to
    • address a regulation, audit, or other requirement
    • or to "sit on the bomb"
  (Berinato, 2004)

19
The Technician ISO
[Org chart: CIO at the top, with Network, Systems, and
App. Dev. groups beneath. Functions shown: Firewall,
Router, IPS Admin (Network); System Adm, Sys Prog, Acct
Mgmt (Systems); Application Programmer, Developer
(App. Dev.). The slide highlights the security
functions in blue. The designated ISO may reside in any
of these areas.]
20
Technical / Management Information Security
Structure
  • Designated security team
  • Responsibilities cover a range of issues
    • Technical
    • Management
    • Strategic enterprise
  • Reports to an operational manager
  (Kobus, 2005)

21
The Security Coordinator ISO
[Org chart: CIO at the top, with Network, Systems,
App Dev, and ISO beneath. Functions shown: Firewall,
Router, IPS Admin (Network); System Admin, Sys Prog
(Systems); Application Programmer, Developer (App Dev);
Acct Mgmt, IT Policy, Awareness (ISO).]
22
Management Information Security Structure
  • Designated security team
  • Responsibilities include
    • Enterprise oversight of security programs
    • Security governance processes
  • Technical security responsibilities shift back to
    IT operations
  • Information security may report outside of IT
  (Kobus, 2005)

23
The Management Advisor ISO
[Org chart: CIO and a Security Council at the top,
with Network, Systems, App Dev, and ISO beneath.
Functions shown: Governance, Risk Mgmt, Corp Policy
(ISO); App Programmer, Developer (App Dev); Firewall,
Router, IPS Admin (Network); System Admin, Sys Prog
(Systems).]
24
The Strategic Business Partner ISO
[Org chart with the following elements: Security
Council; CFO, COO, RMO; CIO; CISO (Governance, Risk
Mgmt, Corp Policy); Operational Directors; ISO (Bus.
Unit) (Acct Mgt, IT Policy, Projects); Technical
security.]
25
More than One ISO?
  • Organizations are creating two security
    positions
    • CISO: bridges the gap between business process
      and policy directives, and technical security
    • BISO: business unit (e.g., IT) representative,
      implements process & policy directives
  • The CISO consults with business units on
    implementation of policy and process directives
  • The CISO advises senior executives on the management
    of risks brought about by the use of technology
  (Witty, 2001)

26
Information Security Maturity, Structure, ISO
Role

| Gartner's Maturity Model | Kobus Funct. Structure | ISO Role Characterization  |
|--------------------------|------------------------|----------------------------|
| Blissful Ignorance       | Technical              | Technician                 |
| Awareness                | Technical / Management | Security Coordinator       |
| Corrective               | Management             | Management Advisor         |
| Operational Excellence   | Management             | Strategic Business Partner |
27
The Debate: Who is Really in Charge? Who
Should Be?
28
Who is Responsible for Campus IT Security?
  • In 2002 Gartner predicted 60% of higher ed ISOs
    would report outside of IT by 2005 (Hurley,
    Harris, Zastrocky, & Yanosky, 2002)
  • In 2003, 94.5% of IT security functions reported
    to the top IT administrator (Hawkins, Rudy, & Madsen, 2003)
  • In 2004, 95.2% of IT security functions reported
    to the top IT administrator (Hawkins, Rudy, & Nicolich,
    2004)
  • We're not on track to realize Gartner's
    prediction
  • The top IT administrator is ultimately responsible

29
Reporting to the CIO - Advantages
  • Advantages of the "Security CIO"
    • Access to executive leadership
    • C-level skills and organizational awareness
    • Ability to initiate change in the IT
      infrastructure to enhance information security
    • Represents greater influence and value for the
      CIO position

30
Reporting to the CIO - Disadvantages
  • Disadvantages of the "Security CIO"
    • Information security oversight is a part-time
      role
    • Increased CIO workload may lead to the neglect
      of other strategic objectives
    • Conflicts of interest arise when security
      controls impede the timely delivery of projects
      and services
    • Difficult to conduct unbiased investigations of
      IT operations
  (Koch, 2004)

31
If Information Security Moves Out of IT
  • Accountability must follow responsibility
  • CIOs do not want accountability without authority
  • Security must report to an executive with broad
    managerial responsibilities for the
    organization
    • For example, the CEO, CFO, or COO
  • Information Security and IT must work closely
    together as a team
  (Koch, 2004)

32
The Future of the Campus ISO
33
The Future of the ISO: A View from Gartner
  • More companies are appointing a CISO with
    "decreasing responsibility for day-to-day
    security operations, and a greater level of
    participation in strategic business decisions"
  (Gartner, 2005)

34
State of the Industry
  • A 2005 Global State of Information Security¹
    study
    • 34% of respondents employ a CSO/CISO
    • More security executives report to the CEO or
      Board than to the CIO
      • 46% report to the CEO/Board
      • 36% report to the CIO
  (CSO, 2005)

¹ A joint study of PricewaterhouseCoopers and CIO
Magazine, representing a range of industries,
e.g., computer-related manufacturing & software,
consulting & professional services, financial
services, education, health care,
telecommunications, transportation.
35
The Emerging CISO Role
  • Technical security is becoming an operational
    issue
  • Information security is emerging as a strategic
    business issue, addressed through risk management
    processes
  • Resulting in more authority and influence being
    invested in the security manager or CISO
  • More CISOs are participating in crucial business
    decisions and are reporting outside of IT
  • Ceding turf to a more powerful security function
    also raises political issues, especially with
    the CIO position
  • (Vijayan, 2004)

36
The Emerging CISO Role (cont.)
  • Experts are divided over whether the CIO, CSO, or
    CISO should be responsible for security
  • However, it is clear that the IT industry is
    moving toward shared responsibilities for
    security
  • So, whether the roles of the CIO and the CSO are
    mutually exclusive or gradually merging into a
    mutually beneficial relationship is still not
    evident.
  (Germain, 2005)

37
Looking Further Into The Future
  • Gartner predicts
    "there will be a new breed of security expert who
    will be trusted to protect the organisation of
    the future, and in many companies, this person
    will be given the title of the Risk Management
    Officer"
  (Gartner, 2005)

38
Is Your Campus Ready for a CISO?
39
Factors to Consider
  • The organizational maturity of your institution's
    information security program
    • Executive awareness, security culture, etc.
  • Your institution's size, resources, and culture
  • The nature of your institution's governance
    framework and enterprise risk management processes

40
Factors to Consider (cont.)
  • The university CIO is the person typically
    responsible for security. So consider
    • The CIO's workload, operational priorities, and
      strategic objectives
    • The working relationship of the CIO and ISO
    • The ISO's access to executive leadership
    • The ISO's C-level skills, e.g., business acumen,
      political savvy, and organizational awareness

41
A Peek Into My Crystal Ball
  • For the immediate future, many CIOs will retain
    responsibility for security, leveraging their C-level
    skills and organizational contacts to good
    effect
  • Higher education institutions will eventually
    embrace the corporate CISO model -- but not
    overnight!
  • Larger institutions with greater resources will
    lead the change

42
A Peek Into My Crystal Ball (cont.)
  • "Security CIOs" will continue to serve as
    unofficial campus CISOs, but . . .
  • Eventually, even "Security CIOs" will hand
    information security over to another C-level
    position
  • The role of the campus ISO will evolve rapidly,
    offering many opportunities for advancement

43
A Survival Kit of Skills for the Campus ISO
  • Grounded in multiple protection disciplines
  • Capable project/program manager
  • Lifelong passion to learn
  • Business acumen
  • Diplomatic and adaptable
  • Adept at framing issues as risk management
  • Professional training and certifications
  (Boni, 2005)

44
References
  • Boni, W. (2005, April 5). The role of the CSO: An
    industry perspective. Presented at the EDUCAUSE
    Security Professionals Conference 2005,
    Washington, DC. Retrieved November 2, 2005 from
    the EDUCAUSE Web site
    http://www.educause.edu/LibraryDetailPage/666?ID=SPC0528
  • Berinato, S. (2004, July). CISO role: Locked out.
    Retrieved November 2, 2005 from the CSO Online
    Web site http://www.csoonline.com/read/070104/cisco.html
  • CSO. (2005). The state of information security,
    2005: A worldwide study conducted by CIO Magazine
    and PricewaterhouseCoopers. Retrieved November 2,
    2005 from the CSO Online Web site
    http://www.csoonline.com/csoresearch/report93.html
  • CSO. (2004). What is a chief security officer?
    Retrieved September 30, 2005 from the CSO Online
    Web site
    http://www.csoonline.com/research/leadership/cso_role.html
  • EDUCAUSE (2002). Higher education contribution to
    national strategy to secure cyberspace. Retrieved
    August 17, 2005, from
    http://www.educause.edu/ir/library/pdf/NET0027.pdf

45
References (continued)
  • Gartner (2005, September 15). Gartner highlights
    the evolving role of CISO in the new security
    order. Retrieved November 2, 2005 from the
    Gartner Web site
    http://www.gartner.com/press_releases/asset_135714_11.html
  • Germain, J. (2005, October 13). Your next job
    title: CISO? Retrieved November 2, 2005 from the
    Newsfactor Magazine Web site
    http://www.cio-today.com/story.xhtml?story_title=Your_Next_Job_Title__CISO&story_id=38430
  • Hawkins, B. L., Rudy, J. A., & Madsen, J. W.
    (2003). EDUCAUSE core data report 2003 summary
    report. Retrieved September 30, 2005 from the
    EDUCAUSE Web site
    http://www.educause.edu/ir/library/pdf/pub8001c.pdf
  • Hawkins, B. L., Rudy, J. A., & Nicolich, R.
    (2004). EDUCAUSE core data report 2004 summary
    report. Retrieved November 2, 2005 from the
    EDUCAUSE Web site
    http://www.educause.edu/ir/library/pdf/pub8002.pdf
  • Hurley, D., Harris, M., Zastrocky, M., & Yanosky,
    R. (2002, December 9). Information security
    officers needed in higher education. Retrieved
    November 2, 2005 from the Gartner Web site
    http://www.gartner.com

46
References (continued)
  • Kobus, W. S. (2005, November 1). Security
    management. Presented at the ISSA Triangle
    InfoSeCon conference on November 1, 2005 in Cary,
    NC.
  • Koch, C. (2004, April 15). Hand over security.
    Retrieved November 3, 2005 from the CSO Online
    Web site http://www.cio.com/archive/041504/homeland.html
  • MacLean, R. (2004, May 18). Defining the role of
    the security officer in higher education. The
    Security Professionals Workshop, May 16-18, 2004,
    Washington, DC. Retrieved September 30, 2005 from
    the EDUCAUSE Web site
    http://www.educause.edu/LibraryDetailPage/666?ID=SPC0417
  • Scholtz, T., & Byrnes, F. C. (2005, June 27). Use
    information security program maturity timeline as
    an analysis tool. Retrieved November 2, 2005 from
    the Gartner Web site http://www.gartner.com
  • Vijayan, J. (2004, October 4). Rise of the CISO:
    Chief information security officers have more
    influence -- and greater challenges -- than ever
    before. Retrieved November 4, 2005 from the
    Computerworld Web site
    http://www.computerworld.com/securitytopics/security/story/0,10801,96291,00.html

47
References (continued)
  • Witty, R. J. (2001). The role of the chief
    information security officer. Retrieved November
    2, 2005 from the Gartner Web site
    http://www.gartner.com