Educause Security Discussion mailing list archives

Re: CISO?


From: Angel L Cruz <cruz () AUSTIN UTEXAS EDU>
Date: Wed, 21 Jan 2004 17:08:01 -0600

Phil:

My opinion --

In both of my ISO positions, it was the specific influence of the lead
IT person (Director at one, VPIT at another) that made the difference in
getting the position created.

Audit recommendations in light of compliance requirements such as HIPAA,
G-L-B, and State law help also, but the IT leader must be the champion
for establishing the position.

Who fills the position is often a matter of what is important to the
organization (audit, technical, or diplomatic skills, certifications,
education, x years of experience in similar environments, etc.), what
needs to be done (Policies in place? Security technology installed
where? Disaster recovery plan created?), who is available with the
desired skill set, and the luck of the draw.

-Angel Cruz

Mr. Angel L. Cruz, CISSP
Director & University ISO
The University of Texas at Austin
1 University Station
MAI 26 G0900
Austin, TX 78712
(512) 475-9462
a.cruz () its utexas edu

-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Rodrigues, Philip
Sent: Wednesday, January 21, 2004 3:58 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] CISO?

Hi all,

I am a Network Security Analyst - you know, a low-level technical grunt.
:-)  The management structure above me is a little fuzzy, but the longer
I work here the more apparent one thing becomes:

We do not have a senior management-level Information Security position.
(And no, I am not looking for a position to be promoted into!)

For those of you who do have a CISO position on your campus, how did you
go about getting the position created?  Was there a watershed event or
was it just a natural evolution?  Have you had a CISO for a while now or
was it just recently you saw a need for one?

For those of you without a CISO-type position on your campus, do you
think you need one?  Do you plan on creating one?  Does your technical
staff fill that role, or has senior IT management assumed those
responsibilities?

Sorry if my questions are a little fuzzy - this is hardly a scientific
survey.  I am trying to figure out how to communicate what I see as a
need here to senior University administration, and I always like to see
if someone else has tackled this first.

Thanks in advance for any advice!

Phil
--

=======================================
Philip A. Rodrigues
Network Analyst, UITS
University of Connecticut

email: phil.rodrigues () uconn edu
phone: 860.486.3743
fax: 860.486.6580
web: http://www.security.uconn.edu
=======================================

**********
Participation and subscription information for this EDUCAUSE Discussion
Group discussion list can be found at http://www.educause.edu/cg/.
