Are We Ready for a Chief Information Security Officer?

The Challenges and Evolution of the Campus IT Security Officer

Jack McCoy, Ed.D., MBA, CISM

Information Security Officer

East Carolina University

The Security Officer Alphabet
  • ISO – Information Security Officer
    • Often an “IT” Security Officer
    • Designated official, dedicated to information security
  • CISO – Chief Information Security Officer
    • “C” level executive, a strategic business partner
  • CSO – Chief Security Officer
    • Corporate security, a convergence of information, asset, and physical security

Jack McCoy, East Carolina University

The Environment: The Institution of Higher Education
  • A shaky track record for protecting information
  • A culture of shared governance
  • A penchant for distributed computing
  • A desire for free and unfettered exchange of information across organizational boundaries

. . . in essence, a formidable environment for those with campus responsibility for information security

The Organization: University Accountability
  • Resistance to corporate type controls may arise because a university is “not a business”
  • Regardless of the culture or inherent challenges, a university will be held accountable, just as any other organization (e.g., a bank or a retailer)
  • Accountability must trickle down to internal departments, groups, and individuals

The Organization: University Accountability (cont.)

Challenges arise when the university community:

  • Is not aware of risks to information and potential impacts to the university and its stakeholders
  • Does not believe that the threats are realistic
  • Thinks that someone in another building is taking care of the “security problem” for them
  • Believes that other job duties and responsibilities always take priority over security

The Strategic Challenges: Issues Likely to be Encountered
  • “IT” versus “Information” Security
  • Security: “technical” vs. “business” issue
  • Executive awareness and involvement
  • Governance structures and processes
  • Evolving roles and skill sets of the ISO

The Relationship of InfoSecurity Maturity, Structure, and Roles
  • InfoSecurity Organizational Maturity
  • InfoSecurity Functions and Org Structure
  • ISO Roles, Responsibilities, and Authority

Gartner’s InfoSecurity Maturity Model

Organizations and their security programs evolve through four phases of maturity:

  • Blissful Ignorance
  • Awareness
  • Correction
  • Operational Excellence

(Scholtz & Byrnes, 2005)

InfoSec Maturity - Blissful Ignorance
  • Extensive, but outdated policies
  • Inadequate user awareness
  • Breaches not reported
  • Prevailing belief that the enterprise is secure
  • No effective communication between the IT security function and business functions

(Scholtz & Byrnes, 2005)

InfoSec Maturity - Awareness
  • An event leads to a sudden awareness that “something must be done” about security
  • (Re)establishment of dedicated security team
  • Efforts focus on policy review and update
  • Some organizations assume policy is sufficient and regress to blissful ignorance phase
  • Others develop security vision and strategy

(Scholtz & Byrnes, 2005, p. 4)

InfoSec Maturity - Corrective
  • Strategic program launched, based on information security vision and strategy
  • Security, risk, governance processes revamped
  • New policies derived from business needs
  • Corrective actions prioritized and funded
  • Progress toward goals measured and reported through business and governance channels

(Scholtz & Byrnes, 2005)

InfoSec Maturity – Operational Excellence
  • Information security “embedded into the culture of the organization”
  • Security is driven by business processes
  • Program metrics emphasize continuous improvement
  • The organization understands and accepts residual risks

(Scholtz & Byrnes, 2005, p. 4)

A Gartner Recommendation

Organizations must be aware of and understand the evolving maturity of their security programs.

(Scholtz & Byrnes, 2005)

Information Security Functional Structures
  • An organization’s security function depends on its size, business, culture, and regulatory requirements
  • Functional structure types:
    • Technical
    • Technical / Management
    • Management

(Kobus, 2005)

“Technical” Information Security Structure
  • No formal security function
  • Security responsibilities assigned to technicians in IT operational areas
    • Networking
    • Operations
    • Development
  • Reports to IT infrastructure or operational area

(Kobus, 2005)

Aspects of a Technical ISO Role
  • Relegated to a purely technical role, e.g., “firewall jockey”
  • Often has few resources and little authority
  • The reason for hiring an ISO may be to
    • address a regulation, audit, or other requirement
    • or to “sit on the bomb”

(Berinato, 2004)

The “Technician” ISO

CIO
  • Network: Firewall, Router, IPS Admin
  • Systems: System Adm, Sys Prog, Acct Mgmt
  • App. Dev.: Application Programmer, Developer

* Security functions shown in blue on the original slide. The designated ISO may reside in any of these areas.

“Technical / Management” Information Security Structure
  • Designated security team
  • Responsibilities cover range of issues:
    • Technical
    • Management
    • Strategic enterprise
  • Reports to an operational manager

(Kobus, 2005)

The “Security Coordinator” ISO

CIO
  • ISO: Acct Mgmt, IT Policy, Awareness
  • Network: Firewall, Router, IPS Admin
  • Systems: System Admin, Sys Prog
  • App Dev: Application Programmer, Developer

“Management” Information Security Structure
  • Designated security team
  • Responsibilities include:
    • Enterprise oversight of security programs
    • Security governance processes
  • Technical security responsibilities shift back to IT operations
  • Information security may report outside of IT

(Kobus, 2005)

The “Management Advisor” ISO

Security Council

CIO
  • ISO: Governance, Risk Mgmt, Corp Policy
  • Network: Firewall, Router, IPS Admin
  • Systems: System Admin, Sys Prog
  • App Dev: App Programmer, Developer

The “Strategic Business Partner” ISO

Security Council

CFO, COO, RMO
  • CISO: Governance, Risk Mgmt, Corp Policy

CIO
  • ISO (Bus. Unit): Acct Mgt, IT Policy, Projects
  • Operational Directors: Technical security

More than One ISO?
  • Organizations are creating two security positions:
    • CISO – bridges the gap between business process and policy directives, and technical security
    • BISO – business unit (e.g., IT) representative, implements process & policy directives
  • CISO consults with business units on implementation of policy and process directives
  • CISO advises senior executives on the management of risks brought about by the use of technology

(Witty, 2001)

Information Security Maturity, Structure, ISO Role

Who is Responsible for Campus IT Security?
  • In 2002 Gartner predicted that 60% of higher ed ISOs would report outside of IT by 2005 (Hurley, Harris, Zastrocky, & Yanosky, 2002)
    • In 2003, 94.5% of IT security functions reported to the top IT administrator (Hawkins, Rudy, & Madsen, 2003)
    • In 2004, 95.2% of IT security functions reported to the top IT administrator (Hawkins, Rudy, & Nicolich, 2004)
  • We’re not on track to realize Gartner’s prediction
  • The top IT administrator is ultimately responsible

Reporting to the CIO - Advantages

Advantages of the “Security” CIO:

  • Access to executive leadership
  • “C” level skills and organizational awareness
  • Ability to initiate change in the IT infrastructure to enhance information security
  • Represents greater influence and value for the CIO position

Reporting to the CIO - Disadvantages

Disadvantages of the “Security” CIO:

  • Information security oversight is a part-time role
  • Increased CIO workload may lead to the neglect of other strategic objectives
  • Conflicts of interest arise when security controls impede the timely delivery of projects and services
  • Difficult to conduct unbiased investigations of IT operations

(Koch, 2004)

If Information Security Moves Out of IT
  • Accountability must follow responsibility
    • CIOs do not want accountability without authority
  • Security must report to an executive with “broad managerial responsibilities” for the organization
    • For example, the CEO, CFO, COO
  • Information Security and IT must work closely together as a team

(Koch, 2004)

The Future of the ISO: A View from Gartner

More companies are appointing a CISO with “decreasing responsibility for day-to-day security operations, and a greater level of participation in strategic business decisions”

(Gartner, 2005)

State of the Industry

A 2005 Global State of Information Security study¹:

  • 34% of respondents employ a CSO/CISO
  • More security executives report to the CEO or Board than the CIO
    • 46% report to the CEO/Board
    • 36% report to the CIO

(CSO, 2005)

¹ A joint study of PricewaterhouseCoopers and CIO Magazine, representing a range of industries, e.g., computer-related manufacturing & software, consulting & professional services, financial services, education, health care, telecommunications, & transportation.

The Emerging CISO Role
  • Technical security is becoming an operational issue
  • Information security is emerging as a strategic business issue, addressed through risk management processes
  • Resulting in “more authority and influence being invested in the security manager or CISO”
    • More CISOs are participating in “crucial business decisions” and are reporting outside of IT
  • Ceding turf to a “more powerful security function also raises political issues,” especially with the CIO position

(Vijayan, 2004)

The Emerging CISO Role (cont.)
  • Experts are divided over whether the CIO, CSO, or CISO should be responsible for security
  • However, it is clear that the IT industry is moving toward “shared responsibilities for security”
  • So, “whether the roles of the CIO and the CSO are mutually exclusive or gradually merging into a mutually beneficial relationship still is not evident.”

(Germain, 2005)

Looking Further Into The Future

Gartner predicts:

“there will be a new breed of security expert who will be trusted to protect the organisation of the future, and in many companies, this person will be given the title of the Risk Management Officer”

(Gartner, 2005)

Factors to Consider
  • The organizational maturity of your institution’s information security program
    • Executive awareness, security culture, etc.
  • Your institution’s size, resources, and culture
  • The nature of your institution’s governance framework and enterprise risk management processes

Factors to Consider (cont.)

The university CIO is the person typically responsible for security. So consider:

  • The CIO’s workload, operational priorities, and strategic objectives
  • The working relationship of the CIO and ISO
  • ISO access to executive leadership
  • ISO “C” level skills: e.g., business acumen, political savvy, and organizational awareness

A Peek Into My Crystal Ball
  • For the immediate future many CIOs will retain responsibility for security, leveraging their “C” level skills and organizational contacts for good effect
  • Higher education institutions will eventually embrace the corporate CISO model -- but not overnight!
    • Larger institutions with greater resources will lead the change

A Peek Into My Crystal Ball (cont.)
  • “Security” CIOs will continue to serve as unofficial campus CISOs, but . . .
  • Eventually, even “Security” CIOs will hand information security over to another “C” level position
  • The role of the campus ISO will evolve rapidly, offering many opportunities for advancement

A Survival Kit of Skills for the Campus ISO
  • Grounded in multiple protection disciplines
  • Capable project/program manager
  • Lifelong passion to learn
  • Business acumen
  • Diplomatic and adaptable
  • Adept at framing issues as risk management
  • Professional training and certifications

(Boni, 2005)

References

Berinato, S. (2004, July). CISO role: Locked out. Retrieved November 2, 2005 from the CSO Online Web site http://www.csoonline.com/read/070104/cisco.html

Boni, W. (2005, April 5). The role of the CSO: An industry perspective. Presented at the EDUCAUSE Security Professionals Conference 2005, Washington, DC. Retrieved November 2, 2005 from the EDUCAUSE Web site http://www.educause.edu/LibraryDetailPage/666?ID=SPC0528

CSO. (2005). The state of information security, 2005: A worldwide study conducted by CIO Magazine and PricewaterhouseCooper. Retrieved November 2, 2005 from the CSO Online Web site http://www.csoonline.com/csoresearch/report93.html

CSO. (2004). What is a chief security officer? Retrieved September 30, 2005 from the CSO Online Web site http://www.csoonline.com/research/leadership/cso_role.html

EDUCAUSE. (2002). Higher education contribution to national strategy to secure cyberspace. Retrieved August 17, 2005 from http://www.educause.edu/ir/library/pdf/NET0027.pdf

Gartner. (2005, September 15). Gartner highlights the evolving role of CISO in the new security order. Retrieved November 2, 2005 from the Gartner Web site http://www.gartner.com/press_releases/asset_135714_11.html

Germain, J. (2005, October 13). Your next job title: CISO? Retrieved November 2, 2005 from the Newsfactor Magazine Web site http://www.cio-today.com/story.xhtml?story_title=Your_Next_Job_Title__CISO_&story_id=38430

Hawkins, B. L., Rudy, J. A., & Madsen, J. W. (2003). EDUCAUSE core data report: 2003 summary report. Retrieved September 30, 2005 from the EDUCAUSE Web site http://www.educause.edu/ir/library/pdf/pub8001c.pdf

Hawkins, B. L., Rudy, J. A., & Nicolich, R. (2004). EDUCAUSE core data report: 2004 summary report. Retrieved November 2, 2005 from the EDUCAUSE Web site http://www.educause.edu/ir/library/pdf/pub8002.pdf

Hurley, D., Harris, M., Zastrocky, M., & Yanosky, R. (2002, December 9). Information security officers needed in higher education. Retrieved November 2, 2005 from the Gartner Web site http://www.gartner.com

Kobus, W. S. (2005, November 1). Security management. Presented at the ISSA Triangle InfoSeCon conference, November 1, 2005, Cary, NC.

Koch, C. (2004, April 15). Hand over security. Retrieved November 3, 2005 from the CSO Online Web site http://www.cio.com/archive/041504/homeland.html

MacLean, R. (2004, May 18). Defining the role of the security officer in higher education. Presented at the Security Professional’s Workshop, May 16–18, 2004, Washington, DC. Retrieved September 30, 2005 from the EDUCAUSE Web site http://www.educause.edu/LibraryDetailPage/666?ID=SPC0417

Scholtz, T., & Byrnes, F. C. (2005, June 27). Use information security program maturity timeline as an analysis tool. Retrieved November 2, 2005 from the Gartner Web site http://www.gartner.com

Vijayan, J. (2004, October 4). Rise of the CISO: Chief information security officers have more influence -- and greater challenges -- than ever before. Retrieved November 4, 2005 from the Computerworld Web site http://www.computerworld.com/securitytopics/security/story/0,10801,96291,00.html

Witty, R. J. (2001). The role of the chief information security officer. Retrieved November 2, 2005 from the Gartner Web site http://www.gartner.com