A Tale of 3 CISOs

Do you have what it takes to be a higher education CISO? This was the topic addressed by three higher education CISOs during a panel at the 2017 RSA Conference in San Francisco on February 15, 2017. Moderated by Joanna Grama of EDUCAUSE, the panel included:

The panelists were asked a number of different questions during the nearly hour-long session and shared their perspectives on the latest hot topics and top tips for being a successful higher education CISO. This blog highlights some of the stories shared by Neal, Randy, and Tina at the conference.

photo of panelists: Joanna Grama, Neal Fisch, Tina Thorstenson, and Randy Marchany

Left to right: Joanna Grama, Neal Fisch, Tina Thorstenson, and Randy Marchany

1. How do you sell or market security inside the university? What works and what doesn't? How do students factor into this conversation, as well?

Neal: Being a small institution [California State University, Channel Islands], we've had the benefit of a "small town feel" where everyone knows everyone. This allowed me to collaborate more effectively with my colleagues across the campus and share security awareness in a more personable fashion. Reminding campus colleagues that IT and information security are here to support, and not impede, their efforts is a constant, as is reinforcing the notion that we are a department of "yes" and will work to find the best, most secure solution to fit their needs. Setting up roadblocks and hurdles for your business partners on campus is not the best way to gain their support for the security program. For our students, we are always available to them if they need advice regarding security issues via services such as our help desk or direct contact to information security via e-mail.

Randy: First, always remember the business process will trump the security process. We need to remember that IT supports the business function of the university. So, stress that we provide methods to ensure the business process is in accordance with applicable laws and regulations. Second, all security is local. I'm not there to tell them how to do their jobs. I'm there to help them do their job in a safe manner. Enlist the local IT support staff to help implement good security practices. Find ways to get them the training they need to do their jobs. Listen to what the end users and IT staff need. Third, hire good people and provide an environment to allow them to do their jobs. Fourth, never turn down an opportunity to speak in front of groups in the university. A former co-worker used to say, "Always be selling."

Tina: Well, working in a large research university is really very similar to overseeing security for a small to midsized city. The key point is to make sure that everyone at the university understands that security is a personal responsibility. If a department needs to set up a service (maybe a website, for example), it is responsible for not only its content and usability but also its security. Each service owner needs a minimum of two people managing the service: one focused on content and delivery and one focused on proper infrastructure and security. For our students, we provide a number of services to aid them in doing everything from improving the security of their devices to guiding them in best practices for social media and identity-theft protection.

2. What is the scope of your authority and to whom do you report? What are the pros and cons of that scope and your reporting line?

Neal: I report to our vice president for technology and innovation/CIO, who reports directly to our president. I'm responsible for administering California State University system-wide policy for information security, our information security program (which includes security and privacy policy, compliance, and IT risk management/assessments), awareness, and portions of security operations.

Randy: I report to our vice president for IT/CIO, who reports to the president, who in turn reports to our board of visitors. The board authorized the CIO to ensure compliance with established security measures throughout the university. I'm responsible for making that happen across the administrative, academic/instructional, and research business processes of the university. Having the support of the board and the CIO is key.

Tina: I report to our CIO and am responsible for the university's information security program, including security operations, policy and compliance, identity and access management, awareness, system architecture, and IT risk assessments. I've found that it may be less about direct reporting lines that make a security program effective and more about how well your organization has established communication channels and points of escalation.

3. What does "a day in the life" look like?

All of the panelists said that there is no typical day for a higher education CISO. In fact, all of their answers started with "It depends."

Neal: On a good day, I could be focusing on strategic, project, or operations development and making some headway in advancing the security program. On an average day, I could be addressing varying communications from across any area on campus (police, the power plant, food services, etc.) regarding phishing, possible malware detection, many vendor security risk assessments, oh...and meetings. On a bad day, well...let's just say I never look forward to the bad days.

Randy: I'm lucky in that we have the IT Security Lab as part of the IT security office so I get to interact with the lab students to see what cool projects or research they're doing. My deputy and I are fortunate to teach classes for the Electrical and Computer Engineering departments. That gives us insight into the academic side of the house. The security analysts will let me know if there are any issues that need to be addressed, such as potential compromises. We're in the middle of our two-factor authentication project, as well as a log archiving and analysis project, so getting updates on those projects is a daily event. We're also implementing the 20 Critical Security Controls so keeping track of our progress is a daily task.

Tina: Any given day can bring a variety of activities including moving initiatives forward in a proactive way, responding to questions or potential incidents, or educating a department on effective security practices. There is no shortage of things to be done, and every day brings unique challenges.

4. What is the most important skill for a higher ed information security leader?

Neal: Communication by far, followed very closely by decision-making skills and strategic thinking.

Randy: Communication skills are vital. Find the "geeks who can speak."

Tina: Communication is key. Developing processes and programs for efficient decision making is a clear second.

5. Pick your pleasure: SEE-SO, SIS-OH, or C-I-S-O?

Everyone unanimously said SEE-SO.

During the session, it was noted that the EDUCAUSE Center for Analysis and Research (ECAR) will be publishing research later this year on the state of CISOs in higher education. CISOs responding to ECAR research noted that communication is the most important skill for higher education CISOs. See The IT Workforce in Higher Education, 2016 Research Hub.

Now that you've heard from three of our community experts about what it takes to be a higher ed CISO, visit the Information Security Guide chapter on Career and Workforce Development for additional resources, including a Toolkit for New CISOs. You can also listen to the original panel discussion and view slides in the video below.


Valerie M. Vogel is senior manager of the cybersecurity program for EDUCAUSE.

© 2017 Valerie M. Vogel. This EDUCAUSE Review blog is licensed under Creative Commons BY-NC-SA 4.0.