Talking with the boss about security


Talking With The Boss About Security. Darlene Quackenbush, James Madison University; Shirley Payne, University of Virginia. EDUCAUSE Conference, October 21st, 2005.

Presentation Transcript

Talking With The Boss About Security

Darlene Quackenbush, James Madison University

Shirley Payne, University of Virginia

EDUCAUSE Conference

October 21st, 2005


We must all become much more vigilant in the provision of secure systems, in intrusion detection, in rapid response, and especially in education. We must practice, teach, and infuse all aspects of security into campus lives.

Dr. Linwood H. Rose

President, James Madison University

“Information Security: A Difficult Balance”

EDUCAUSE Review, September/October 2004


Agenda

  • The Executive Audience

  • Benefits of Effective Communication

  • Obstacles To Effective Communication

  • Communication Strategies & Examples

  • References


The Executive Audience

  • Boards of Trustees

  • Presidents

  • Vice Presidents & Provosts

  • Deans & Department Heads

  • Chiefs of Staff


Perceived Barriers To IT Security

Information Technology Security Study

EDUCAUSE Center for Applied Research, Sept. 2003


Perceived Barriers To IT Security

Executives can help define appropriate security/privacy balance

Information Technology Security Study

EDUCAUSE Center for Applied Research, Sept. 2003


Privacy and academic freedom are critical components of campus culture; it is vital that decisions on policies and procedures regarding security and related issues be carefully vetted, understood, and authorized by both the highest levels of the campus leadership and the representatives of the campus community. The executive role in all of these matters is crucial if internal dissension and unnecessary strife are to be avoided.

“Presidential Leadership for IT”

David Ward and Brian L. Hawkins

EDUCAUSE Review, May/June 2003


Perceived Barriers To IT Security

Executives can enhance policy quality & acceptance

Information Technology Security Study

EDUCAUSE Center for Applied Research, Sept. 2003


Perceived Barriers To IT Security

Executives can help determine/clarify responsibilities

Information Technology Security Study

EDUCAUSE Center for Applied Research, Sept. 2003


Perceived Barriers To IT Security

Executives can influence others to change

Information Technology Security Study

EDUCAUSE Center for Applied Research, Sept. 2003


If you can get the president to set the right tone, a majority on campus will likely follow her or his lead in supporting the changes and improvements you recommend.

“Gaining the President’s Support for IT Initiatives at Small Colleges.”

Laurence W. Mazzeno, President, Alvernia College

EDUCAUSE Quarterly, Number 1, 2004


Perceived Barriers To IT Security

Executives can determine resources based on risks, if they know them

Information Technology Security Study

EDUCAUSE Center for Applied Research, Sept. 2003


Additional Benefits

  • Opportunity to establish appropriate expectations

  • Constructive involvement should a security incident occur


In a time of crisis, it’s always good to have a boss smarter than you.

Joy Hughes, VP/CIO, George Mason University


Be Prepared For...

  • Additional Work To:

    • tailor the information

    • provide status reports, possibly including development of new metrics

    • respond to inquiries

  • Increased accountability


Obstacles To Effective Communication

Security,

Security, Etc.


Obstacle: Responsibility for security placed low in the organization

Alarmist view or straight facts?

What’s his experience level?


Obstacle: Significant lack of awareness

What do computers have to do with identity theft?

Why is he talking about fishing?


Obstacle: Unclear terminology

IPS = International Primatological Society

“Compromised” computer?


Obstacle: Security not an institutional priority

This doesn’t help attract research $$

This doesn’t enhance student life


Obstacle: Lack of security metrics

Is the situation really getting worse?

How do we compare with others?


Obstacle: Security viewed as one-time fix-it project

But we trained the workforce three years ago!

You’ve had your turn at the well.


Obstacle: Cultural factors

There will be an insurrection if we centralize server management!

What do the faculty think of this idea?


Obstacle: Executive role not clear

I’m not a techie. How could I possibly help?

So what are we paying the CIO to do?


Effectively Talking With the Boss About Security Requires…

  • Establishing trust

  • Building awareness

  • Losing the jargon

  • Linking security to institutional priorities

  • Solidifying business case with metrics

  • Setting appropriate expectations

  • Addressing cultural issues

  • Emphasizing importance of executive level involvement


Communication Strategies: “getting it done”

Good communication doesn’t just happen

On-going attention


A Project Plan . . .

  • Review the landscape

  • Set a target

  • Managed communication

  • Maintaining communication


Differing Viewpoints

ISO or Security Practitioner

  • Operational

  • Focused

  • Technical

Executive

  • Governance

  • Broad

  • Mission-focused


Targeting Nirvana

Source: Governing for Enterprise Security, Julia Allen, June 2005

  • Enterprise level

  • Expected and respected topic

  • Treated as a business requirement

  • Appears regularly on the executive agenda

  • Addressed in strategic and operational planning


Targeting Nirvana (continued)

  • Discussion and debate are encouraged

  • Regular benchmarking

  • Leaders are respected as value contributors

  • Business enabler

  • Integrated into the enterprise

  • Not solely an IT responsibility

  • Full understanding of individual roles and responsibilities


Strategies

  • Advocate security as risk management

  • Identify risks at the executive level

  • Craft the security message

  • Prepare to inform and educate

  • Engage others

  • Remain open

  • Accommodate the culture

  • Communicate for the long-term


Maintenance

  • Stay informed

  • Be persistent

  • Remain agile

  • Be honest


Positive Achievement

Communication among parties that are informed, persistently committed, agile in their views and honest in dealing with information security

Communications Nirvana

Real Value for Security


References

ACE Letter to Presidents Regarding Cybersecurity

http://www.acenet.edu/washington/letters/2003/03march/cyber.cfm

Developing Security Education and Awareness Programs

http://www.educause.edu/ir/library/pdf/EQM0347.pdf

Gaining the President’s Support for IT Initiatives at Small Colleges

http://www.educause.edu/apps/eq/eqm04/eqm0417.asp

Governing for Enterprise Security

http://www.sei.cmu.edu/pub/documents/05.reports/pdf/05tn023.pdf

EDUCAUSE Information Security Governance Assessment Tool

http://www.educause.edu/LibraryDetailPage/666?ID=SEC0421

Information Security: A Difficult Balance

http://www.educause.edu/pub/er/erm04/erm0456.asp

Information Security Governance: A Call to Action

http://www.cyberpartnership.org/InfoSecGov4_04.pdf

Information Technology Security: Governance, Strategy, and Practice in Higher Education

http://www.educause.edu/LibraryDetailPage/666?ID=ERS0305

Presidential Leadership for Information Technology

http://www.educause.edu/ir/library/pdf/erm0332.pdf

Report of the Best Practices and Metrics Teams

www.incits.org/tc_home/CS1/2005docs/cs1050005.pdf

