Educause Security Discussion mailing list archives

Re: CISO?


From: David Escalante <david.escalante () BC EDU>
Date: Mon, 16 Feb 2004 13:02:21 -0500

Very late reply, but assuming you still don't have the position ;-)

I'm the CISO-equivalent at BC.  Probably see you at the BU Security Camp
if you want.  Answers below.

Rodrigues, Philip wrote:

> For those of you who do have a CISO position on your campus, how did you
> go about getting the position created?  Was there a watershed event or
> was it just a natural evolution?  Have you had a CISO for a while now or
> was it just recently you saw a need for one?

There was a watershed event -- a student hacked passwords, used LDAP to
get tons of additional ones, reprogrammed ID cards to steal food and
bookstore supplies, etc.  Then they looked around and went, "Hmmm, who
was supposed to be concerned about this sort of thing...?"

Position has existed for about a year.

> For those of you without a CISO-type position on your campus, do you
> think you need one?  Do you plan on creating one?  Does your technical
> staff fill that role, or has senior IT management assumed those
> responsibilities?

Having seen what I've seen since arriving here, I'd say any decent-sized
school needs someone thinking about security.  There are vast security
problems at most universities that are straightforward to solve from the
security "book" that, as you probably know or you wouldn't have written
this message, go well beyond the role of network staff or systems staff
in addressing.  A big part of the problem is how to justify it.  I'd say
you can do so at least partially via reputation.  Most schools seem
concerned to keep out of the press in a negative story -- it doesn't
help applications to have the stories on the front page about student
injuries, suicides, cheating scandals, etc.  Similarly, it's a negative
to be hacked, to have your main web site defaced, to have your
admissions system penetrated, to have identity theft information stolen,
etc.  That kind of thing is beyond the scope of just a network security
analyst or a sysadmin because you need defense in depth and application
expertise, too.  So I'd go after it on an insurance basis -- the cost of
the position is cheap relative to, say, having the FBI on your campus like
the Kansas/SEVIS incident (we had a SEVIS incident and I managed it such
that there was no such assistance from the Feds...).

Hope this helps a bit.
--
Dave Escalante
Boston College
