Educause Security Discussion mailing list archives
Re: CISO?
From: David Escalante <david.escalante () BC EDU>
Date: Mon, 16 Feb 2004 13:02:21 -0500
Very late reply, but assuming you still don't have the position ;-) I'm the CISO-equivalent at BC. Probably see you at the BU Security Camp if you want. Answers below.

Rodrigues, Philip wrote:
> For those of you who do have a CISO position on your campus, how did you go about getting the position created? Was there a watershed event or was it just a natural evolution? Have you had a CISO for a while now or was it just recently you saw a need for one?
There was a watershed event -- a student hacked passwords, used LDAP to get tons of additional ones, reprogrammed ID cards to steal food and bookstore supplies, etc. Then they looked around and went, "Hmmm, who was supposed to be concerned about this sort of thing...?" Position has existed for about a year.
> For those of you without a CISO-type position on your campus, do you think you need one? Do you plan on creating one? Does your technical staff fill that role, or has senior IT management assumed those responsibilities?
Having seen what I've seen since arriving here, I'd say any decent-sized school needs someone thinking about security. There are vast security problems at most universities that are straightforward to solve from the security "book" that, as you probably know or you wouldn't have written this message, go well beyond the role of network staff or systems staff in addressing. A big part of the problem is how to justify it. I'd say you can do so at least partially via reputation. Most schools seem concerned to keep out of the press in a negative story -- it doesn't help applications to have the stories on the front page about student injuries, suicides, cheating scandals, etc. Similarly, it's a negative to be hacked, to have your main web site defaced, to have your admissions system penetrated, to have identity theft information stolen, etc. That kind of thing is beyond the scope of just a network security analyst or a sysadmin because you need defense in depth and application expertise, too. So I'd go after it on an insurance basis -- the cost of the position is cheap relative to say having the FBI on your campus like the Kansas/SEVIS incident (we had a SEVIS incident and I managed it such that there was no such assistance from the Feds...). Hope this helps a bit.

--
Dave Escalante
Boston College

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.