Educause Security Discussion mailing list archives
Re: CISO?
From: Angel L Cruz <cruz () AUSTIN UTEXAS EDU>
Date: Wed, 21 Jan 2004 17:08:01 -0600
Phil: My opinion -- In both of my ISO positions, it was the specific influence of the lead IT person (Director at one, VPIT at another) that made the difference in getting the position created. Audit recommendations in light of compliance requirements such as HIPAA, G-L-B, and State law help also, but the IT leader must be the champion for establishing the position. Who fills the position is often a matter of what is important to the organization (audit, technical, or diplomatic skills, certifications, educations, x years of experience in similar environments, etc.), what needs to be done (Policies in place? Security technology installed where? Disaster recovery plan created?), who is available with the desired skill set, and the luck of the draw. -Angel Cruz Mr. Angel L. Cruz, CISSP Director & University ISO The University of Texas at Austin 1 University Station MAI 26 G0900 Austin, TX 78712 (512) 475-9462 a.cruz () its utexas edu -----Original Message----- From: The EDUCAUSE Security Discussion Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Rodrigues, Philip Sent: Wednesday, January 21, 2004 3:58 PM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: [SECURITY] CISO? Hi all, I am a Network Security Analyst - you know, a low-level technical grunt. :-) The management structure above me is a little fuzzy, but the longer I work here the more apparent one thing becomes: We do not have a senior management-level Information Security position. (And no, I am not looking for a position to be promoted into!) For those of you who do have a CISO position on your campus, how did you go about getting the position created? Was there a watershed event or was it just a natural evolution? Have you had a CISO for a while now or was it just recently you saw a need for one? For those of you without a CISO-type position on your campus, do you think you need one? Do you plan on creating one? Does your technical staff fill that role, or has senior IT management assumed those responsibilities? Sorry if my questions are a little fuzzy - this is hardly a scientific survey. I am trying to figure out how to communicate what I see as a need here to senior University administration, and I always like to see if someone else has tackled this first. Thanks in advance for any advice! Phil -- ======================================= Philip A. Rodrigues Network Analyst, UITS University of Connecticut email: phil.rodrigues () uconn edu phone: 860.486.3743 fax: 860.486.6580 web: http://www.security.uconn.edu ======================================= ********** Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/. ********** Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.