1 / 47

Are We Ready for a Chief Information Security Officer?

Are We Ready for a Chief Information Security Officer?. The Challenges and Evolution of the Campus IT Security Officer. Jack McCoy, Ed.D., MBA, CISM Information Security Officer East Carolina University. The Security Officer Alphabet. ISO – Information Security Officer

aricin
Télécharger la présentation

Are We Ready for a Chief Information Security Officer?

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Are We Ready for a Chief Information Security Officer? The Challenges and Evolution of the Campus IT Security Officer Jack McCoy, Ed.D., MBA, CISM Information Security Officer East Carolina University

  2. The Security Officer Alphabet • ISO – Information Security Officer • Often an “IT” Security Officer • Designated official, dedicated to information security • CISO – Chief Information Security Officer • “C” level executive, a strategic business partner • CSO – Chief Security Officer • Corporate security, a convergence of information, asset, and physical security Jack McCoy, East Carolina University

  3. The Challengesof the Campus ISO

  4. The Environment:The Institution of Higher Education • A shaky track record for protecting information • A culture of shared governance • A penchant for distributed computing • A desire for free and unfettered exchange of information across organizational boundaries . . . in essence a formidable environment for those with campus responsibility for information security Jack McCoy, East Carolina University

  5. The Organization:University Accountability • Resistance to corporate type controls may arise because a university is “not a business” • Regardless of the culture or inherent challenges a university will be held accountable, just as any other organization (e.g., bank or and retailer) • Accountability must trickle down to internal departments, groups, and individuals Jack McCoy, East Carolina University

  6. The Organization:University Accountability (cont’) Challenges arise when the university community: • Is not aware of risks to information and potential impacts to the university and its stakeholders • Does not believe that the threats are realistic • Thinks that someone in another building is taking care of the “security problem” for them • Believes that other job duties and responsibilities always take priority over security Jack McCoy, East Carolina University

  7. The Strategic Challenges: Issues Likely to be Encountered • “IT” versus “Information” Security • Security: “technical” vs. “business” issue • Executive awareness and involvement • Governance structures and processes • Evolving roles and skill sets of the ISO Jack McCoy, East Carolina University

  8. The Evolving Role of the Campus ISO

  9. The Relationship of InfoSecurity Maturity, Structure, and Roles InfoSecurity Organizational Maturity InfoSecurity Functions and Org Structure ISO Roles, Responsibilities, and Authority Jack McCoy, East Carolina University

  10. Gartner’s InfoSecurity Maturity Model • Blissful Ignorance • Awareness • Correction • Operational Excellence (Scholtz & Byrnes, 2005) Organizations and their security programs evolve through four phases of maturity: Jack McCoy, East Carolina University

  11. InfoSec Maturity - Blissful Ignorance • Extensive, but outdated policies • Inadequate user awareness • Breaches not reported • Prevailing belief that the enterprise is secure • No effective communication between the IT security function and business functions (Scholtz & Byrnes, 2005) Jack McCoy, East Carolina University

  12. InfoSec Maturity - Awareness • An event leads to a sudden awareness that “something must be done” about security • (Re)establishment of dedicated security team • Efforts focus on policy review and update • Some organizations assume policy is sufficient and regress to blissful ignorance phase • Others develop security vision and strategy (Scholtz & Byrnes, 2005, p. 4) Jack McCoy, East Carolina University

  13. InfoSec Maturity - Corrective • Strategic program launched, based on information security vision and strategy • Security, risk, governance processes revamped • New policies derived from business needs • Corrective actions prioritized and funded • Progress toward goals measured and reported through business and governance channels (Scholtz & Byrnes, 2005) Jack McCoy, East Carolina University

  14. InfoSec Maturity – Operational Excellence • Information security “embedded into the culture of the organization” • Security is driven by business processes • Program metrics emphasize continuous improvement • The organization understands and accepts residual risks (Scholtz & Byrnes, 2005, p. 4) Jack McCoy, East Carolina University

  15. A Gartner Recommendation Organizations must be aware of and understand the evolving maturity of their security programs. (Scholtz & Byrnes, 2005) Jack McCoy, East Carolina University

  16. Information SecurityFunctional Structures • An organization’s security function depends on its size, business, culture, regulatory requirements • Functional structure types: • Technical • Technical / Management • Management (Kobus, 2005) Jack McCoy, East Carolina University

  17. “Technical” Information Security Structure • No formal security function • Security responsibilities assigned to technicians in IT operational areas • Networking • Operations • Development • Reports to IT infrastructure or operational area (Kobus, 2005) Jack McCoy, East Carolina University

  18. Aspects of a Technical ISO Role • Relegated to a purely technical role, e.g., “firewall jockey” • Often has few resources and little authority • The reason for hiring a ISO may be to • address a regulation, audit, or other requirement • or to “sit on the bomb” (Berinato, 2004) Jack McCoy, East Carolina University

  19. The “Technician”ISO CIO Network Systems App. Dev. Firewall, Router, IPS Admin System Adm, Sys Prog, Acct Mgmt Application Programmer, Developer * Security functions in blue. The designated ISO may reside in any of these areas. Jack McCoy, East Carolina University

  20. “Technical / Management” Information Security Structure • Designated security team • Responsibilities cover range of issues: • Technical • Management • Strategic enterprise • Reports to an operational manager (Kobus, 2005) Jack McCoy, East Carolina University

  21. The “Security Coordinator”ISO CIO ISO Network Systems App Dev Acct Mgmt, IT Policy, Awareness Firewall, Router, IPS Admin System Admin, Sys Prog Application Programmer, Developer Jack McCoy, East Carolina University

  22. “Management” Information Security Structure • Designated security team • Responsibilities include: • Enterprise oversight of security programs • Security governance processes • Technical security responsibilities shift back to IT operations • Information security may report outside of IT (Kobus, 2005) Jack McCoy, East Carolina University

  23. The “Management Advisor”ISO Security Council CIO ISO Network Systems App Dev Governance, Risk Mgmt, Corp Policy Firewall, Router, IPS Admin System Admin, Sys Prog App Programmer, Developer Jack McCoy, East Carolina University

  24. The “Strategic Business Partner”ISO Security Council CFO, COO, RMO CISO CIO Governance, Risk Mgmt, Corp Policy ISO (Bus. Unit) Operational Directors Acct Mgt, IT Policy, Projects Technical security Jack McCoy, East Carolina University

  25. More than One ISO? • Organizations are creating two security positions: • CISO – bridges the gap between business process and policy directives, and technical security • BISO – business unit (e.g., IT) representative, implements process & policy directives • CISO consults with business units on implementation of policy and process directives • CISO advises senior executives on the management of risks brought about by the use of technology (Witty, 2001) Jack McCoy, East Carolina University

  26. Information Security Maturity, Structure, ISO Role Jack McCoy, East Carolina University

  27. The “Debate”Who is Really in Charge? Who Should Be?

  28. Who is Responsible for Campus IT Security? • In 2002 Gartner predicted 60% of higher ed ISOs would report outside of IT by 2005 (Hurley, Harris, Zastrocky, & Yanosky, 2002) • In 2003 94.5% of IT security functions reported to the top IT adm (Hawkins, Rudy, & Madsen, 2003) • In 2004 95.2% of IT security functions reported to the top IT adm (Hawkins, Rudy, & Nicolich, 2004) • We’re not on track to realize Gartner’s prediction • The top IT administrator is ultimately responsible Jack McCoy, East Carolina University

  29. Reporting to the CIO - Advantages Advantages of the “Security” CIO: • Access to executive leadership • “C” level skills and organizational awareness • Ability to initiate change in the IT infrastructure to enhance information security • Represents greater influence and value for the CIO position Jack McCoy, East Carolina University

  30. Reporting to the CIO - Disadvantages Disadvantages of the “Security” CIO • Information security oversight is a part-time role • Increased CIO workload may lead to the neglect other strategic objectives • Conflicts of interest arise when security controls impede the timely delivery of projects and services • Difficult to conduct unbiased investigations of IT operations (Koch, 2004) Jack McCoy, East Carolina University

  31. If Information Security Moves Out of IT • Accountability must follow responsibility • CIOs do not want accountability without authority • Security must report to an executive with “broad managerial responsibilities” for the organization, • For example, the CEO, CFO, COO • Information Security and IT must work closely together as a team (Koch, 2004) Jack McCoy, East Carolina University

  32. The Future of the Campus ISO

  33. The Future of the ISO A View from Gartner More companies are appointing a CISO with “decreasing responsibility for day-to-day security operations, and a greater level of participation in strategic business decisions” (Gartner, 2005) Jack McCoy, East Carolina University

  34. State of the Industry A 2005 Global State of Information Security1 study: • 34% of respondents employ a CSO/CISO • More security executives report to the CEO or Board than the CIO • 46% report to the CEO/Board • 36% report to the CIO (CSO, 2005) 1A joint study of PricewaterhouseCoopers and CIO Magazine, representing a range of industries, e.g., computer-related manufacturing & software, consulting & professional services, financial services, education, health care, telecommunications, & transportation. Jack McCoy, East Carolina University

  35. The Emerging CISO Role • Technical security is becoming an operational issue • Information security is emerging as a strategic business issue, addressed through risk management processes • Resulting in “more authority and influence being invested in the security manager or CISO” • More CISOs are participating in “crucial business decisions” and are reporting outside of IT • Ceding turf to a “more powerful security function also raises political issues,” especially with the CIO position (Vijayan, 2004) Jack McCoy, East Carolina University

  36. The Emerging CISO Role (cont’) • Experts are divided over whether the CIO, CSO, or CISO should be responsible for security • However, it is clear that the IT industry is moving toward “shared responsibilities for security” • So, “whether the roles of the CIO and the CSO are mutually exclusive or gradually merging into a mutually beneficial relationships still is not evident.” (Germain, 2005) Jack McCoy, East Carolina University

  37. Looking Further Into The Future Gartner predicts: “there will be a new breed of security expert who will be trusted to protect the organisation of the future, and in many companies, this person will be given the title of the Risk Management Officer” (Gartner, 2005) Jack McCoy, East Carolina University

  38. Is Your Campus Ready for a CISO?

  39. Factors to Consider • The organizational maturity of your institution’s information security program • Executive awareness, security culture, etc. • Your institution’s size, resources, and culture • The nature of your institutions governance framework and enterprise risk management processes Jack McCoy, East Carolina University

  40. Factors to Consider (cont’) The university CIO is the person typically responsible for security. So consider: • The CIO’s workload, operational priorities, and strategic objectives • The working relationship of the CIO and ISO • ISO access to executive leadership • ISO “C” level skills: e.g., business acumen, political savvy, and organizational awareness Jack McCoy, East Carolina University

  41. A Peek Into My Crystal Ball • For the immediate future many CIOs will retain responsibility for security, leveraging their “C” level skills and organizational contacts for good effect • Higher education institutions will eventually embrace the corporate CISO model -- but not overnight! • Larger institutions with greater resources will lead the change Jack McCoy, East Carolina University

  42. A Peek Into My Crystal Ball (cont’) • “Security” CIOs will continue to serve as unofficial campus CISOs, but . . . • Eventually, even “Security” CIOs will hand information security over to another “C” level position • The role of the campus ISO will evolve rapidly, offering many opportunities for advancement Jack McCoy, East Carolina University

  43. A Survival Kit of Skills for the Campus ISO • Grounded in multiple protection disciplines • Capable project/program manager • Life long passion to learn • Business acumen • Diplomatic and adaptable • Adept at framing issues as risk management • Professional training and certifications (Boni, 2005) Jack McCoy, East Carolina University

  44. References Boni, W. (2005, April 5). The role of the CSO: An industry perspective. Presented at the EDUCAUSE Security Professionals Conference 2005. Washington, DC. Retrieved November 2, 2005 from the EDUCAUSE Web site http://www.educause.edu/LibraryDetailPage/666?ID=SPC0528 Berinato, S. (2004, July). CISO role: Locked out. Retrieved November 2, 2005 from the CSO Online Web site http://www.csoonline.com/read/070104/cisco.html CSO. (2005). The state of information security, 2005: A worldwide study conducted by CIO Magazine and PricewaterhouseCooper. Retrieved November 2, 2005 from the CSO Online Web site http://www.csoonline.com/csoresearch/report93.html CSO. (2004). What is a chief security officer? Retrieved September 30, 2005 from the CSO Online Web site http://www.csoonline.com/research/leadership/cso_role.html EDUCAUSE (2002). Higher education contribution to national strategy to secure cyberspace. Retrieved August 17, 2005, from http://www.educause.edu/ir/library/pdf/NET0027.pdf Jack McCoy, East Carolina University

  45. References (continued) Gartner (2005, September 15). Gartner highlights the evolving role of CISO in the new security order. Retrieved November 2, 2005 from the Gartner Web site http://www.gartner.com/press_releases/asset_135714_11.html Germain, J. (2005, October 13). Your next job title: CISO? Retrieved November 2, 2005 from the Newsfactor Magazine Web site http://www.cio-today.com/story.xhtml?story_title=Your_Next_Job_Title__CISO_&story_id=38430 Hawkins, B. L., Rudy, J. A., & Madsen J. W. (2003). EDUCAUSE core data report: 2003 summary report. Retrieved September 30, 2005 from the EDUCAUSE Web site http://www.educause.edu/ir/library/pdf/pub8001c.pdf Hawkins, B. L., Rudy, J. A., & Nicolich, R. (2004). EDUCAUSE core data report: 2004 summary report. Retrieved November 2, 2005 from the EDUCAUSE Web site http://www.educause.edu/ir/library/pdf/pub8002.pdf Hurley, D., Harris, M., Zastrocky, M., & Yanosky, R. (2002, December 9). Information security officers needed in higher education. Retrieved November 2, 2005 from the Gartner Web site http://www.gartner.com Jack McCoy, East Carolina University

  46. References (continued) Kobus, W. S. (2005, November 1). Security management. Presented at the ISSA Triangle InfoSeCon conference on November 1, 2005 in Cary, NC. Koch, C. (2004, April 15). Hand over security. Retrieved November 3, 2005 from the CSO Online Web site http://www.cio.com/archive/041504/homeland.html MacLean. R. (2004, May 18). Defining the role of the security officer in higher education. The Security Professional’s Workshop May 16-18, 2004. Washington, DC. Retrieved September 30, 2005 from the EDUCAUSE Web site http://www.educause.edu/LibraryDetailPage/666?ID=SPC0417 Scholtz, T. & Byrnes, F. C. (2005, June 27). Use information security program maturity timeline as an analysis tool. Retrieved November 2, 2005 from the Gartner Web site http://www.gartner.com Vijayan, J. (2004, October 4). Rise of the CISO: Chief information security officers have more influence -- and greater challenges -- than ever before. Retrieved November 4, 2005 from the Computerworld Web site http://www.computerworld.com/securitytopics/security/story/0,10801,96291,00.html Jack McCoy, East Carolina University

  47. References (continued) Witty, R. J. (2001). The Role of the Chief Information Security Officer. Retrieved November 2, 2005 from the Gartner Web site http://www.gartner.com Jack McCoy, East Carolina University

More Related