Are We Ready for a Chief Information Security Officer?
Jack McCoy, Ed.D., MBA, CISM, Information Security Officer, East Carolina University
The Challenges and Evolution of the Campus IT Security Officer
November 9, 2005, Jack McCoy, East Carolina University

The Security Officer Alphabet
- ISO: Information Security Officer. Often an "IT" Security Officer; a designated official, dedicated to information security.
- CISO: Chief Information Security Officer. A "C" level executive, a strategic business partner.
- CSO: Chief Security Officer. Corporate security, a convergence of information, asset, and physical security.

The Challenges of the Campus ISO

The Environment: The Institution of Higher Education
- A shaky track record for protecting information
- A culture of shared governance
- A penchant for distributed computing
- A desire for free and unfettered exchange of information across organizational boundaries
. . . in essence a formidable environment for those with campus responsibility for information security

The Organization: University Accountability
- Resistance to corporate-type controls may arise because a university is "not a business"
- Regardless of the culture or inherent challenges, a university will be held accountable, just as any other organization (e.g., a bank or a retailer)
- Accountability must trickle down to internal departments, groups, and individuals

The Organization: University Accountability (cont.)
Challenges arise when the university community:
- Is not aware of risks to information and potential impacts to the university and its stakeholders
- Does not believe that the threats are realistic
- Thinks that someone in another building is taking care of the "security problem" for them
- Believes that other job duties and responsibilities always take priority over security

The Strategic Challenges: Issues Likely to be Encountered
- "IT" versus "Information" Security
- Security: "technical" vs. "business" issue
- Executive awareness and involvement
- Governance structures and processes
- Evolving roles and skill sets of the ISO

The Evolving Role of the Campus ISO

The Relationship of InfoSecurity Maturity, Structure, and Roles
- InfoSecurity Organizational Maturity
- InfoSecurity Functions and Org Structure
- ISO Roles, Responsibilities, and Authority

Gartner's InfoSecurity Maturity Model
Organizations and their security programs evolve through four phases of maturity:
- Blissful Ignorance
- Awareness
- Correction
- Operational Excellence
(Scholtz & Byrnes, 2005)

InfoSec Maturity - Blissful Ignorance
- Extensive, but outdated policies
- Inadequate user awareness
- Breaches not reported
- Prevailing belief that the enterprise is secure
- No effective communication between the IT security function and business functions
(Scholtz & Byrnes, 2005)

InfoSec Maturity - Awareness
- An event leads to a sudden awareness that "something must be done" about security
- (Re)establishment of a dedicated security team
- Efforts focus on policy review and update
- Some organizations assume policy is sufficient and regress to the blissful ignorance phase
- Others develop a security vision and strategy
(Scholtz & Byrnes, 2005, p. 4)

InfoSec Maturity - Corrective
- Strategic program launched, based on information security vision and strategy
- Security, risk, and governance processes revamped
- New policies derived from business needs
- Corrective actions prioritized and funded
- Progress toward goals measured and reported through business and governance channels
(Scholtz & Byrnes, 2005)

InfoSec Maturity - Operational Excellence
- Information security "embedded into the culture of the organization"
- Security is driven by business processes
- Program metrics emphasize continuous improvement
- The organization understands and accepts residual risks
(Scholtz & Byrnes, 2005, p. 4)

A Gartner Recommendation
Organizations must be aware of and understand the evolving maturity of their security programs. (Scholtz & Byrnes, 2005)

Information Security Functional Structures
- An organization's security function depends on its size, business, culture, and regulatory requirements
- Functional structure types: Technical; Technical / Management; Management
(Kobus, 2005)

"Technical" Information Security Structure
- No formal security function
- Security responsibilities assigned to technicians in IT operational areas: Networking, Operations, Development
- Reports to IT infrastructure or operational area
(Kobus, 2005)

Aspects of a Technical ISO Role
- Relegated to a purely technical role, e.g., "firewall jockey"
- Often has few resources and little authority
- The reason for hiring an ISO may be to address a regulation, audit, or other requirement, or to "sit on the bomb" (Berinato, 2004)

The "Technician" ISO
[Org chart; boxes as extracted: CIO; Network; Systems; App. Dev.; System Adm, Sys Prog, Acct Mgmt; Firewall, Router, IPS Admin; Application Programmer, Developer]
* Security functions in blue. The designated ISO may reside in any of these areas.

"Technical / Management" Information Security Structure
- Designated security team
- Responsibilities cover a range of issues: Technical; Management; Strategic enterprise
- Reports to an operational manager
(Kobus, 2005)

The "Security Coordinator" ISO
[Org chart; boxes as extracted: CIO; Network; Systems; App Dev; Firewall, Router, IPS Admin; System Admin, Sys Prog; Application Programmer, Developer; ISO; Acct Mgmt, IT Policy, Awareness]

"Management" Information Security Structure
- Designated security team
- Responsibilities include: Enterprise oversight of security programs; Security governance processes
- Technical security responsibilities shift back to IT operations
- Information security may report outside of IT
(Kobus, 2005)

The "Management Advisor" ISO
[Org chart; boxes as extracted: CIO; Network; Systems; App Dev; Governance, Risk Mgmt, Corp Policy; Security Council; ISO; App Programmer, Developer; Firewall, Router, IPS Admin; System Admin, Sys Prog]

The "Strategic Business Partner" ISO
[Org chart; boxes as extracted: CIO; Operational Directors; Acct Mgt, IT Policy, Projects; Security Council; ISO (Bus. Unit); Technical security; CFO, COO, RMO; CISO; Governance, Risk Mgmt, Corp Policy]

More than One ISO?
Organizations are creating two security positions:
- CISO: bridges the gap between business process and policy directives, and technical security
- BISO: business unit (e.g., IT) representative, implements process & policy directives
- The CISO consults with business units on implementation of policy and process directives
- The CISO advises senior executives on the management of risks brought about by the use of technology
(Witty, 2001)

Information Security Maturity, Structure, ISO Role
The "Debate": Who is Really in Charge? Who Should Be?

Who is Responsible for Campus IT Security?
- In 2002 Gartner predicted 60% of higher ed ISOs would report outside of IT by 2005 (Hurley, Harris, Zastrocky, & Yanosky, 2002)
- In 2003, 94.5% of IT security functions reported to the top IT administrator (Hawkins, Rudy, & Madsen, 2003)
- In 2004, 95.2% of IT security functions reported to the top IT administrator (Hawkins, Rudy, & Nicolich, 2004)
- We're not on track to realize Gartner's prediction
- The top IT administrator is ultimately responsible

Reporting to the CIO - Advantages
Advantages of the "Security" CIO:
- Access to executive leadership
- "C" level skills and organizational awareness
- Ability to initiate change in the IT infrastructure to enhance information security
- Represents greater influence and value for the CIO position

Reporting to the CIO - Disadvantages
Disadvantages of the "Security" CIO:
- Information security oversight is a part-time role
- Increased CIO workload may lead to the neglect of other strategic objectives
- Conflicts of interest arise when security controls impede the timely delivery of projects and services
- Difficult to conduct unbiased investigations of IT operations
(Koch, 2004)

If Information Security Moves Out of IT
- Accountability must follow responsibility
- CIOs do not want accountability without authority
- Security must report to an executive with "broad managerial responsibilities" for the organization, for example the CEO, CFO, or COO
- Information Security and IT must work closely together as a team
(Koch, 2004)

The Future of the Campus ISO

The Future of the ISO: A View from Gartner
More companies are appointing a CISO with "decreasing responsibility for day-to-day security operations, and a greater level of participation in strategic business decisions" (Gartner, 2005)

State of the Industry
A 2005 Global State of Information Security [1] study:
- 34% of respondents employ a CSO/CISO
- More security executives report to the CEO or Board than to the CIO: 46% report to the CEO/Board; 36% report to the CIO
(CSO, 2005)
[1] A joint study of PricewaterhouseCoopers and CIO Magazine, representing a range of industries, e.g., computer-related manufacturing & software, consulting & professional services, financial services, education, health care, telecommunications, & transportation.

The Emerging CISO Role
- Technical security is becoming an operational issue
- Information security is emerging as a strategic business issue, addressed through risk management processes
- Resulting in "more authority and influence being invested in the security manager or CISO"
- More CISOs are participating in "crucial business decisions" and are reporting outside of IT
- Ceding turf to a "more powerful security function also raises political issues," especially with the CIO position
(Vijayan, 2004)

The Emerging CISO Role (cont.)
- Experts are divided over whether the CIO, CSO, or CISO should be responsible for security
- However, it is clear that the IT industry is moving toward "shared responsibilities for security"
- So, "whether the roles of the CIO and the CSO are mutually exclusive or gradually merging into a mutually beneficial relationship still is not evident." (Germain, 2005)

Looking Further Into The Future
Gartner predicts: "there will be a new breed of security expert who will be trusted to protect the organisation of the future, and in many companies, this person will be given the title of the Risk Management Officer" (Gartner, 2005)

Is Your Campus Ready for a CISO?

Factors to Consider
- The organizational maturity of your institution's information security program: executive awareness, security culture, etc.
- Your institution's size, resources, and culture
- The nature of your institution's governance framework and enterprise risk management processes

Factors to Consider (cont.)
The university CIO is the person typically responsible for security. So consider:
- The CIO's workload, operational priorities, and strategic objectives
- The working relationship of the CIO and ISO
- ISO access to executive leadership
- ISO "C" level skills: e.g., business acumen, political savvy, and organizational awareness

A Peek Into My Crystal Ball
- For the immediate future many CIOs will retain responsibility for security, leveraging their "C" level skills and organizational contacts to good effect
- Higher education institutions will eventually embrace the corporate CISO model - but not overnight!
- Larger institutions with greater resources will lead the change

A Peek Into My Crystal Ball (cont.)
- "Security" CIOs will continue to serve as unofficial campus CISOs, but . . .
- Eventually, even "Security" CIOs will hand information security over to another "C" level position
- The role of the campus ISO will evolve rapidly, offering many opportunities for advancement

A Survival Kit of Skills for the Campus ISO
- Grounded in multiple protection disciplines
- Capable project/program manager
- Lifelong passion to learn
- Business acumen
- Diplomatic and adaptable
- Adept at framing issues as risk management
- Professional training and certifications
(Boni, 2005)

References
Boni, W. (2005, April 5). The role of the CSO: An industry perspective. Presented at the EDUCAUSE Security Professionals Conference 2005, Washington, DC. Retrieved November 2, 2005 from the EDUCAUSE Web site http://www.educause.edu/LibraryDetailPage/666?ID=SPC0528
Berinato, S. (2004, July). CISO role: Locked out. Retrieved November 2, 2005 from the CSO Online Web site http:/
CSO. (2005). The state of information security, 2005: A worldwide study conducted by CIO Magazine and PricewaterhouseCoopers. Retrieved November 2, 2005 from the CSO Online Web site http:/
CSO. (2004). What is a chief security officer? Retrieved September 30, 2005 from the CSO Online Web site http:/
EDUCAUSE (2002). Higher education contribution to national strategy to secure cyberspace. Retrieved August 17, 2005, from http://www.educause.edu/ir/library/pdf/NET0027.pdf

References (continued)
Gartner (2005, September 15). Gartner highlights the evolving role of CISO in the new security order. Retrieved November 2, 2005 from the Gartner Web site http:/
Germain, J. (2005, October 13). Your next job title: CISO? Retrieved November 2, 2005 from the Newsfactor Magazine Web site http:/www.cio-
Hawkins, B. L., Rudy, J. A., & Madsen, J. W. (2003). EDUCAUSE core data report: 2003 summary report. Retrieved September 30, 2005 from the EDUCAUSE Web site http://www.educause.edu/ir/library/pdf/pub8001c.pdf
Hawkins, B. L., Rudy, J. A., & Nicolich, R. (2004). EDUCAUSE core data report: 2004 summary report. Retrieved November 2, 2005 from the EDUCAUSE Web site http://www.educause.edu/ir/library/pdf/pub8002.pdf
Hurley, D., Harris, M., Zastrocky, M., & Yanosky, R. (2002, December 9). Information security officers needed in higher education. Retrieved November 2, 2005 from the Gartner Web site http:/