User Awareness for Regulatory Compliance

Are We Ready for a Chief Information Security Officer?
The Challenges and Evolution of the Campus IT Security Officer

Jack McCoy, Ed.D., MBA, CISM
Information Security Officer
East Carolina University
The Security Officer Alphabet

- ISO – Information Security Officer
  Often an “IT” Security Officer
  Designated official, dedicated to information security
- CISO – Chief Information Security Officer
  “C” level executive, a strategic business partner
- CSO – Chief Security Officer
  Corporate security, a convergence of information, asset, and physical security
November 9, 2005
Jack McCoy, East Carolina University
2
The Challenges of the Campus ISO

The Environment: The Institution of Higher Education

- A shaky track record for protecting information
- A culture of shared governance
- A penchant for distributed computing
- A desire for free and unfettered exchange of information across organizational boundaries

. . . in essence a formidable environment for those with campus responsibility for information security
The Organization: University Accountability

- Resistance to corporate type controls may arise because a university is “not a business”
- Regardless of the culture or inherent challenges, a university will be held accountable, just as any other organization (e.g., bank or retailer)
- Accountability must trickle down to internal departments, groups, and individuals
The Organization: University Accountability (cont’d)

Challenges arise when the university community:

- Is not aware of risks to information and potential impacts to the university and its stakeholders
- Does not believe that the threats are realistic
- Thinks that someone in another building is taking care of the “security problem” for them
- Believes that other job duties and responsibilities always take priority over security
The Strategic Challenges: Issues Likely to be Encountered

- “IT” versus “Information” Security
- Security: “technical” vs. “business” issue
- Executive awareness and involvement
- Governance structures and processes
- Evolving roles and skill sets of the ISO
The Evolving Role of the Campus ISO

The Relationship of InfoSecurity Maturity, Structure, and Roles

[Diagram: three linked elements: InfoSecurity Organizational Maturity; InfoSecurity Functions and Org Structure; ISO Roles, Responsibilities, and Authority]
Gartner’s InfoSecurity Maturity Model

Organizations and their security programs evolve through four phases of maturity:

- Blissful Ignorance
- Awareness
- Correction
- Operational Excellence

(Scholtz & Byrnes, 2005)
InfoSec Maturity – Blissful Ignorance

- Extensive, but outdated policies
- Inadequate user awareness
- Breaches not reported
- Prevailing belief that the enterprise is secure
- No effective communication between the IT security function and business functions

(Scholtz & Byrnes, 2005)
InfoSec Maturity – Awareness

- An event leads to a sudden awareness that “something must be done” about security
- (Re)establishment of dedicated security team
- Efforts focus on policy review and update
- Some organizations assume policy is sufficient and regress to blissful ignorance phase
- Others develop security vision and strategy

(Scholtz & Byrnes, 2005, p. 4)
InfoSec Maturity – Corrective

- Strategic program launched, based on information security vision and strategy
- Security, risk, governance processes revamped
- New policies derived from business needs
- Corrective actions prioritized and funded
- Progress toward goals measured and reported through business and governance channels

(Scholtz & Byrnes, 2005)
InfoSec Maturity – Operational Excellence

- Information security “embedded into the culture of the organization”
- Security is driven by business processes
- Program metrics emphasize continuous improvement
- The organization understands and accepts residual risks

(Scholtz & Byrnes, 2005, p. 4)
A Gartner Recommendation
Organizations must be aware of and understand the
evolving maturity of their security programs.
(Scholtz & Byrnes, 2005)
Information Security Functional Structures

- An organization’s security function depends on its size, business, culture, regulatory requirements
- Functional structure types:
  - Technical
  - Technical / Management
  - Management

(Kobus, 2005)
“Technical” Information Security Structure

- No formal security function
- Security responsibilities assigned to technicians in IT operational areas
  - Networking
  - Operations
  - Development
- Reports to IT infrastructure or operational area

(Kobus, 2005)
Aspects of a Technical ISO Role

- Relegated to a purely technical role, e.g., “firewall jockey”
- Often has few resources and little authority
- The reason for hiring an ISO may be to address a regulation, audit, or other requirement, or to “sit on the bomb”

(Berinato, 2004)
The “Technician” ISO

[Org chart: CIO over Network (Firewall, Router, IPS Admin), Systems (System Adm, Sys Prog, Acct Mgmt), and App. Dev. (Application Programmer, Developer)]

* Security functions in blue. The designated ISO may reside in any of these areas.
“Technical / Management” Information Security Structure

- Designated security team
- Responsibilities cover range of issues:
  - Technical
  - Management
  - Strategic enterprise
- Reports to an operational manager

(Kobus, 2005)
The “Security Coordinator” ISO

[Org chart: CIO over ISO (Acct Mgmt, IT Policy, Awareness), Network (Firewall, Router, IPS Admin), Systems (System Admin, Sys Prog), and App Dev (Application Programmer, Developer)]
“Management” Information Security Structure

- Designated security team
- Responsibilities include:
  - Enterprise oversight of security programs
  - Security governance processes
- Technical security responsibilities shift back to IT operations
- Information security may report outside of IT

(Kobus, 2005)
The “Management Advisor” ISO

[Org chart with a Security Council; CIO over ISO (Governance, Risk Mgmt, Corp Policy), Network (Firewall, Router, IPS Admin), Systems (System Admin, Sys Prog), and App Dev (App Programmer, Developer)]
The “Strategic Business Partner” ISO

[Org chart with a Security Council; CFO, COO, RMO over CISO (Governance, Risk Mgmt, Corp Policy); CIO over ISO (Bus. Unit) (Acct Mgt, IT Policy, Projects) and Operational Directors (Technical security)]
More than One ISO?

Organizations are creating two security positions:

- CISO – bridges the gap between business process and policy directives, and technical security
- BISO – business unit (e.g., IT) representative, implements process & policy directives
- CISO consults with business units on implementation of policy and process directives
- CISO advises senior executives on the management of risks brought about by the use of technology

(Witty, 2001)
Information Security Maturity, Structure, ISO Role

Gartner’s Maturity Model | Kobus’ Funct. Structure | ISO Role Characterization
Blissful Ignorance       | Technical               | “Technician”
Awareness                | Technical / Management  | “Security Coordinator”
Corrective               | Management              | “Management Advisor”
Operational Excellence   | Management +            | “Strategic Business Partner”
The “Debate”: Who is Really in Charge? Who Should Be?

Who is Responsible for Campus IT Security?

- In 2002 Gartner predicted 60% of higher ed ISOs would report outside of IT by 2005 (Hurley, Harris, Zastrocky, & Yanosky, 2002)
- In 2003 94.5% of IT security functions reported to the top IT administrator (Hawkins, Rudy, & Madsen, 2003)
- In 2004 95.2% of IT security functions reported to the top IT administrator (Hawkins, Rudy, & Nicolich, 2004)

- We’re not on track to realize Gartner’s prediction
- The top IT administrator is ultimately responsible
Reporting to the CIO: Advantages

Advantages of the “Security” CIO:

- Access to executive leadership
- “C” level skills and organizational awareness
- Ability to initiate change in the IT infrastructure to enhance information security
- Represents greater influence and value for the CIO position
Reporting to the CIO: Disadvantages

Disadvantages of the “Security” CIO:

- Information security oversight is a part-time role
- Increased CIO workload may lead to the neglect of other strategic objectives
- Conflicts of interest arise when security controls impede the timely delivery of projects and services
- Difficult to conduct unbiased investigations of IT operations

(Koch, 2004)
If Information Security Moves Out of IT

- Accountability must follow responsibility
  - CIOs do not want accountability without authority
- Security must report to an executive with “broad managerial responsibilities” for the organization, for example, the CEO, CFO, COO
- Information Security and IT must work closely together as a team

(Koch, 2004)
The Future of the Campus ISO

The Future of the ISO: A View from Gartner

More companies are appointing a CISO with “decreasing responsibility for day-to-day security operations, and a greater level of participation in strategic business decisions”

(Gartner, 2005)
State of the Industry

A 2005 Global State of Information Security [1] study:

- 34% of respondents employ a CSO/CISO
- More security executives report to the CEO or Board than the CIO
  - 46% report to the CEO/Board
  - 36% report to the CIO

(CSO, 2005)

[1] A joint study of PricewaterhouseCoopers and CIO Magazine, representing a range of industries, e.g., computer-related manufacturing & software, consulting & professional services, financial services, education, health care, telecommunications, & transportation.
The Emerging CISO Role

- Technical security is becoming an operational issue
- Information security is emerging as a strategic business issue, addressed through risk management processes
  - Resulting in “more authority and influence being invested in the security manager or CISO”
- More CISOs are participating in “crucial business decisions” and are reporting outside of IT
- Ceding turf to a “more powerful security function also raises political issues,” especially with the CIO position

(Vijayan, 2004)
The Emerging CISO Role (cont’d)

- Experts are divided over whether the CIO, CSO, or CISO should be responsible for security
- However, it is clear that the IT industry is moving toward “shared responsibilities for security”
- So, “whether the roles of the CIO and the CSO are mutually exclusive or gradually merging into a mutually beneficial relationships still is not evident.”

(Germain, 2005)
Looking Further Into The Future

Gartner predicts: “there will be a new breed of security expert who will be trusted to protect the organisation of the future, and in many companies, this person will be given the title of the Risk Management Officer”

(Gartner, 2005)
Is Your Campus Ready for a CISO?

Factors to Consider

- The organizational maturity of your institution’s information security program
  - Executive awareness, security culture, etc.
- Your institution’s size, resources, and culture
- The nature of your institution’s governance framework and enterprise risk management processes
Factors to Consider (cont’d)

The university CIO is the person typically responsible for security. So consider:

- The CIO’s workload, operational priorities, and strategic objectives
- The working relationship of the CIO and ISO
- ISO access to executive leadership
- ISO “C” level skills: e.g., business acumen, political savvy, and organizational awareness
A Peek Into My Crystal Ball

- For the immediate future many CIOs will retain responsibility for security, leveraging their “C” level skills and organizational contacts for good effect
- Higher education institutions will eventually embrace the corporate CISO model -- but not overnight!
  - Larger institutions with greater resources will lead the change
A Peek Into My Crystal Ball (cont’d)

- “Security” CIOs will continue to serve as unofficial campus CISOs, but . . .
- Eventually, even “Security” CIOs will hand information security over to another “C” level position
- The role of the campus ISO will evolve rapidly, offering many opportunities for advancement
A Survival Kit of Skills for the Campus ISO

- Grounded in multiple protection disciplines
- Capable project/program manager
- Lifelong passion to learn
- Business acumen
- Diplomatic and adaptable
- Adept at framing issues as risk management
- Professional training and certifications

(Boni, 2005)
References

Boni, W. (2005, April 5). The role of the CSO: An industry perspective. Presented at the EDUCAUSE Security Professionals Conference 2005, Washington, DC. Retrieved November 2, 2005 from the EDUCAUSE Web site http://www.educause.edu/LibraryDetailPage/666?ID=SPC0528

Berinato, S. (2004, July). CISO role: Locked out. Retrieved November 2, 2005 from the CSO Online Web site http://www.csoonline.com/read/070104/cisco.html

CSO. (2005). The state of information security, 2005: A worldwide study conducted by CIO Magazine and PricewaterhouseCooper. Retrieved November 2, 2005 from the CSO Online Web site http://www.csoonline.com/csoresearch/report93.html

CSO. (2004). What is a chief security officer? Retrieved September 30, 2005 from the CSO Online Web site http://www.csoonline.com/research/leadership/cso_role.html

EDUCAUSE (2002). Higher education contribution to national strategy to secure cyberspace. Retrieved August 17, 2005, from http://www.educause.edu/ir/library/pdf/NET0027.pdf

Gartner (2005, September 15). Gartner highlights the evolving role of CISO in the new security order. Retrieved November 2, 2005 from the Gartner Web site http://www.gartner.com/press_releases/asset_135714_11.html

Germain, J. (2005, October 13). Your next job title: CISO? Retrieved November 2, 2005 from the Newsfactor Magazine Web site http://www.ciotoday.com/story.xhtml?story_title=Your_Next_Job_Title__CISO_&story_id=38430

Hawkins, B. L., Rudy, J. A., & Madsen, J. W. (2003). EDUCAUSE core data report: 2003 summary report. Retrieved September 30, 2005 from the EDUCAUSE Web site http://www.educause.edu/ir/library/pdf/pub8001c.pdf

Hawkins, B. L., Rudy, J. A., & Nicolich, R. (2004). EDUCAUSE core data report: 2004 summary report. Retrieved November 2, 2005 from the EDUCAUSE Web site http://www.educause.edu/ir/library/pdf/pub8002.pdf

Hurley, D., Harris, M., Zastrocky, M., & Yanosky, R. (2002, December 9). Information security officers needed in higher education. Retrieved November 2, 2005 from the Gartner Web site http://www.gartner.com

Kobus, W. S. (2005, November 1). Security management. Presented at the ISSA Triangle InfoSeCon conference, November 1, 2005, Cary, NC.

Koch, C. (2004, April 15). Hand over security. Retrieved November 3, 2005 from the CSO Online Web site http://www.cio.com/archive/041504/homeland.html

MacLean, R. (2004, May 18). Defining the role of the security officer in higher education. The Security Professional’s Workshop, May 16-18, 2004, Washington, DC. Retrieved September 30, 2005 from the EDUCAUSE Web site http://www.educause.edu/LibraryDetailPage/666?ID=SPC0417

Scholtz, T. & Byrnes, F. C. (2005, June 27). Use information security program maturity timeline as an analysis tool. Retrieved November 2, 2005 from the Gartner Web site http://www.gartner.com

Vijayan, J. (2004, October 4). Rise of the CISO: Chief information security officers have more influence -- and greater challenges -- than ever before. Retrieved November 4, 2005 from the Computerworld Web site http://www.computerworld.com/securitytopics/security/story/0,10801,96291,00.html

Witty, R. J. (2001). The Role of the Chief Information Security Officer. Retrieved November 2, 2005 from the Gartner Web site http://www.gartner.com