Are We Ready for a Chief Information Security Officer? The Challenges and Evolution of the Campus IT Security Officer Jack McCoy, Ed.D., MBA, CISM Information Security Officer East Carolina University The Security Officer Alphabet ISO – Information Security Officer Often an “IT” Security Officer Designated official, dedicated to information security CISO – Chief Information Security Officer “C” level executive, a strategic business partner CSO – Chief Security Officer Corporate security, a convergence of information, asset, and physical security November 9, 2005 Jack McCoy, East Carolina University 2 The Challenges of the Campus ISO The Environment: The Institution of Higher Education A shaky track record for protecting information A culture of shared governance A penchant for distributed computing A desire for free and unfettered exchange of information across organizational boundaries . . . in essence a formidable environment for those with campus responsibility for information security November 9, 2005 Jack McCoy, East Carolina University 4 The Organization: University Accountability Resistance to corporate type controls may arise because a university is “not a business” Regardless of the culture or inherent challenges a university will be held accountable, just as any other organization (e.g., bank or and retailer) Accountability must trickle down to internal departments, groups, and individuals November 9, 2005 Jack McCoy, East Carolina University 5 The Organization: University Accountability (cont’) Challenges arise when the university community: Is not aware of risks to information and potential impacts to the university and its stakeholders Does not believe that the threats are realistic Thinks that someone in another building is taking care of the “security problem” for them Believes that other job duties and responsibilities always take priority over security November 9, 2005 Jack McCoy, East Carolina University 6 The Strategic Challenges: Issues Likely to be Encountered “IT” versus “Information” Security Security: “technical” vs. “business” issue Executive awareness and involvement Governance structures and processes Evolving roles and skill sets of the ISO November 9, 2005 Jack McCoy, East Carolina University 7 The Evolving Role of the Campus ISO The Relationship of InfoSecurity Maturity, Structure, and Roles InfoSecurity Organizational Maturity InfoSecurity Functions and Org Structure ISO Roles, Responsibilities, and Authority November 9, 2005 Jack McCoy, East Carolina University 9 Gartner’s InfoSecurity Maturity Model Organizations and their security programs evolve through four phases of maturity: Blissful Ignorance Awareness Correction Operational Excellence (Scholtz & Byrnes, 2005) November 9, 2005 Jack McCoy, East Carolina University 10 InfoSec Maturity - Blissful Ignorance Extensive, but outdated policies Inadequate user awareness Breaches not reported Prevailing belief that the enterprise is secure No effective communication between the IT security function and business functions (Scholtz & Byrnes, 2005) November 9, 2005 Jack McCoy, East Carolina University 11 InfoSec Maturity - Awareness An event leads to a sudden awareness that “something must be done” about security (Re)establishment of dedicated security team Efforts focus on policy review and update Some organizations assume policy is sufficient and regress to blissful ignorance phase Others develop security vision and strategy (Scholtz & Byrnes, 2005, p. 4) November 9, 2005 Jack McCoy, East Carolina University 12 InfoSec Maturity - Corrective Strategic program launched, based on information security vision and strategy Security, risk, governance processes revamped New policies derived from business needs Corrective actions prioritized and funded Progress toward goals measured and reported through business and governance channels (Scholtz & Byrnes, 2005) November 9, 2005 Jack McCoy, East Carolina University 13 InfoSec Maturity – Operational Excellence Information security “embedded into the culture of the organization” Security is driven by business processes Program metrics emphasize continuous improvement The organization understands and accepts residual risks (Scholtz & Byrnes, 2005, p. 4) November 9, 2005 Jack McCoy, East Carolina University 14 A Gartner Recommendation Organizations must be aware of and understand the evolving maturity of their security programs. (Scholtz & Byrnes, 2005) November 9, 2005 Jack McCoy, East Carolina University 15 Information Security Functional Structures An organization’s security function depends on its size, business, culture, regulatory requirements Functional structure types: Technical Technical / Management Management (Kobus, 2005) November 9, 2005 Jack McCoy, East Carolina University 16 “Technical” Information Security Structure No formal security function Security responsibilities assigned to technicians in IT operational areas Networking Operations Development Reports to IT infrastructure or operational area (Kobus, 2005) November 9, 2005 Jack McCoy, East Carolina University 17 Aspects of a Technical ISO Role Relegated to a purely technical role, e.g., “firewall jockey” Often has few resources and little authority The reason for hiring a ISO may be to address a regulation, audit, or other requirement or to “sit on the bomb” (Berinato, 2004) November 9, 2005 Jack McCoy, East Carolina University 18 The “Technician” ISO CIO Network Systems App. Dev. Firewall, Router, IPS Admin System Adm, Sys Prog, Acct Mgmt Application Programmer, Developer * Security functions in blue. The designated ISO may reside in any of these areas. November 9, 2005 Jack McCoy, East Carolina University 19 “Technical / Management” Information Security Structure Designated security team Responsibilities cover range of issues: Technical Management Strategic enterprise Reports to an operational manager (Kobus, 2005) November 9, 2005 Jack McCoy, East Carolina University 20 The “Security Coordinator” ISO CIO ISO Network Systems Acct Mgmt, IT Policy, Awareness Firewall, Router, IPS Admin System Admin, Sys Prog November 9, 2005 Jack McCoy, East Carolina University App Dev Application Programmer, Developer 21 “Management” Information Security Structure Designated security team Responsibilities include: Enterprise oversight of security programs Security governance processes Technical security responsibilities shift back to IT operations Information security may report outside of IT (Kobus, 2005) November 9, 2005 Jack McCoy, East Carolina University 22 The “Management Advisor” ISO Security Council CIO ISO Network Systems App Dev Governance, Risk Mgmt, Corp Policy Firewall, Router, IPS Admin System Admin, Sys Prog App Programmer, Developer November 9, 2005 Jack McCoy, East Carolina University 23 The “Strategic Business Partner” ISO Security Council CFO, COO, RMO CISO Governance, Risk Mgmt, Corp Policy November 9, 2005 CIO ISO (Bus. Unit) Operational Directors Acct Mgt, IT Policy, Projects Technical security Jack McCoy, East Carolina University 24 More than One ISO? Organizations are creating two security positions: CISO – bridges the gap between business process and policy directives, and technical security BISO – business unit (e.g., IT) representative, implements process & policy directives CISO consults with business units on implementation of policy and process directives CISO advises senior executives on the management of risks brought about by the use of technology (Witty, 2001) November 9, 2005 Jack McCoy, East Carolina University 25 Information Security Maturity, Structure, ISO Role Gartner’s Maturity Model Kobus’ Funct. Structure ISO Role Characterization Blissful Ignorance Technical “Technician” Awareness Technical / Management Corrective Management Operational Excellence Management + “Security Coordinator” “Management Advisor” “Strategic Business Partner” November 9, 2005 Jack McCoy, East Carolina University 26 The “Debate” Who is Really in Charge? Who Should Be? Who is Responsible for Campus IT Security? In 2002 Gartner predicted 60% of higher ed ISOs would report outside of IT by 2005 (Hurley, Harris, Zastrocky, & Yanosky, 2002) In 2003 94.5% of IT security functions reported to the top IT adm (Hawkins, Rudy, & Madsen, 2003) In 2004 95.2% of IT security functions reported to the top IT adm (Hawkins, Rudy, & Nicolich, 2004) We’re not on track to realize Gartner’s prediction The top IT administrator is ultimately responsible November 9, 2005 Jack McCoy, East Carolina University 28 Reporting to the CIO Advantages Advantages of the “Security” CIO: Access to executive leadership “C” level skills and organizational awareness Ability to initiate change in the IT infrastructure to enhance information security Represents greater influence and value for the CIO position November 9, 2005 Jack McCoy, East Carolina University 29 Reporting to the CIO Disadvantages Disadvantages of the “Security” CIO Information security oversight is a part-time role Increased CIO workload may lead to the neglect other strategic objectives Conflicts of interest arise when security controls impede the timely delivery of projects and services Difficult to conduct unbiased investigations of IT operations (Koch, 2004) November 9, 2005 Jack McCoy, East Carolina University 30 If Information Security Moves Out of IT Accountability must follow responsibility Security must report to an executive with “broad managerial responsibilities” for the organization, CIOs do not want accountability without authority For example, the CEO, CFO, COO Information Security and IT must work closely together as a team (Koch, 2004) November 9, 2005 Jack McCoy, East Carolina University 31 The Future of the Campus ISO The Future of the ISO A View from Gartner More companies are appointing a CISO with “decreasing responsibility for day-to-day security operations, and a greater level of participation in strategic business decisions” (Gartner, 2005) November 9, 2005 Jack McCoy, East Carolina University 33 State of the Industry A 2005 Global State of Information Security1 study: 34% of respondents employ a CSO/CISO More security executives report to the CEO or Board than the CIO 46% report to the CEO/Board 36% report to the CIO (CSO, 2005) 1A joint study of PricewaterhouseCoopers and CIO Magazine, representing a range of industries, e.g., computer-related manufacturing & software, consulting & professional services, financial services, education, health care, telecommunications, & transportation. November 9, 2005 Jack McCoy, East Carolina University 34 The Emerging CISO Role Technical security is becoming an operational issue Information security is emerging as a strategic business issue, addressed through risk management processes Resulting in “more authority and influence being invested in the security manager or CISO” More CISOs are participating in “crucial business decisions” and are reporting outside of IT Ceding turf to a “more powerful security function also raises political issues,” especially with the CIO position (Vijayan, 2004) November 9, 2005 Jack McCoy, East Carolina University 35 The Emerging CISO Role (cont’) Experts are divided over whether the CIO, CSO, or CISO should be responsible for security However, it is clear that the IT industry is moving toward “shared responsibilities for security” So, “whether the roles of the CIO and the CSO are mutually exclusive or gradually merging into a mutually beneficial relationships still is not evident.” (Germain, 2005) November 9, 2005 Jack McCoy, East Carolina University 36 Looking Further Into The Future Gartner predicts: “there will be a new breed of security expert who will be trusted to protect the organisation of the future, and in many companies, this person will be given the title of the Risk Management Officer” (Gartner, 2005) November 9, 2005 Jack McCoy, East Carolina University 37 Is Your Campus Ready for a CISO? Factors to Consider The organizational maturity of your institution’s information security program Executive awareness, security culture, etc. Your institution’s size, resources, and culture The nature of your institutions governance framework and enterprise risk management processes November 9, 2005 Jack McCoy, East Carolina University 39 Factors to Consider (cont’) The university CIO is the person typically responsible for security. So consider: The CIO’s workload, operational priorities, and strategic objectives The working relationship of the CIO and ISO ISO access to executive leadership ISO “C” level skills: e.g., business acumen, political savvy, and organizational awareness November 9, 2005 Jack McCoy, East Carolina University 40 A Peek Into My Crystal Ball For the immediate future many CIOs will retain responsibility for security, leveraging their “C” level skills and organizational contacts for good effect Higher education institutions will eventually embrace the corporate CISO model -- but not overnight! Larger institutions with greater resources will lead the change November 9, 2005 Jack McCoy, East Carolina University 41 A Peek Into My Crystal Ball (cont’) “Security” CIOs will continue to serve as unofficial campus CISOs, but . . . Eventually, even “Security” CIOs will hand information security over to another “C” level position The role of the campus ISO will evolve rapidly, offering many opportunities for advancement November 9, 2005 Jack McCoy, East Carolina University 42 A Survival Kit of Skills for the Campus ISO Grounded in multiple protection disciplines Capable project/program manager Life long passion to learn Business acumen Diplomatic and adaptable Adept at framing issues as risk management Professional training and certifications (Boni, 2005) November 9, 2005 Jack McCoy, East Carolina University 43 References Boni, W. (2005, April 5). The role of the CSO: An industry perspective. Presented at the EDUCAUSE Security Professionals Conference 2005. Washington, DC. Retrieved November 2, 2005 from the EDUCAUSE Web site http://www.educause.edu/LibraryDetailPage/666?ID=SPC0528 Berinato, S. (2004, July). CISO role: Locked out. Retrieved November 2, 2005 from the CSO Online Web site http://www.csoonline.com/read/070104/cisco.html CSO. (2005). The state of information security, 2005: A worldwide study conducted by CIO Magazine and PricewaterhouseCooper. Retrieved November 2, 2005 from the CSO Online Web site http://www.csoonline.com/csoresearch/report93.html CSO. (2004). What is a chief security officer? Retrieved September 30, 2005 from the CSO Online Web site http://www.csoonline.com/research/leadership/cso_role.html EDUCAUSE (2002). Higher education contribution to national strategy to secure cyberspace. Retrieved August 17, 2005, from http://www.educause.edu/ir/library/pdf/NET0027.pdf November 9, 2005 Jack McCoy, East Carolina University 44 References (continued) Gartner (2005, September 15). Gartner highlights the evolving role of CISO in the new security order. Retrieved November 2, 2005 from the Gartner Web site http://www.gartner.com/press_releases/asset_135714_11.html Germain, J. (2005, October 13). Your next job title: CISO? Retrieved November 2, 2005 from the Newsfactor Magazine Web site http://www.ciotoday.com/story.xhtml?story_title=Your_Next_Job_Title__CISO_&story_id =38430 Hawkins, B. L., Rudy, J. A., & Madsen J. W. (2003). EDUCAUSE core data report: 2003 summary report. Retrieved September 30, 2005 from the EDUCAUSE Web site http://www.educause.edu/ir/library/pdf/pub8001c.pdf Hawkins, B. L., Rudy, J. A., & Nicolich, R. (2004). EDUCAUSE core data report: 2004 summary report. Retrieved November 2, 2005 from the EDUCAUSE Web site http://www.educause.edu/ir/library/pdf/pub8002.pdf Hurley, D., Harris, M., Zastrocky, M., & Yanosky, R. (2002, December 9). Information security officers needed in higher education. Retrieved November 2, 2005 from the Gartner Web site http://www.gartner.com November 9, 2005 Jack McCoy, East Carolina University 45 References (continued) Kobus, W. S. (2005, November 1). Security management. Presented at the ISSA Triangle InfoSeCon conference on November 1, 2005 in Cary, NC. Koch, C. (2004, April 15). Hand over security. Retrieved November 3, 2005 from the CSO Online Web site http://www.cio.com/archive/041504/homeland.html MacLean. R. (2004, May 18). Defining the role of the security officer in higher education. The Security Professional’s Workshop May 16-18, 2004. Washington, DC. Retrieved September 30, 2005 from the EDUCAUSE Web site http://www.educause.edu/LibraryDetailPage/666?ID=SPC0417 Scholtz, T. & Byrnes, F. C. (2005, June 27). Use information security program maturity timeline as an analysis tool. Retrieved November 2, 2005 from the Gartner Web site http://www.gartner.com Vijayan, J. (2004, October 4). Rise of the CISO: Chief information security officers have more influence -- and greater challenges -- than ever before. Retrieved November 4, 2005 from the Computerworld Web site http://www.computerworld.com/securitytopics/security/story/0,10801,9629 1,00.html November 9, 2005 Jack McCoy, East Carolina University 46 References (continued) Witty, R. J. (2001). The Role of the Chief Information Security Officer. Retrieved November 2, 2005 from the Gartner Web site http://www.gartner.com November 9, 2005 Jack McCoy, East Carolina University 47