Educause Security Discussion mailing list archives
CISO reporting relationship survey from CIO listserv
From: Brian Kelly <bkelly () EDUCAUSE EDU>
Date: Thu, 6 Jun 2019 16:36:30 +0000
Sharing Mark’s email below as a cross post from the CIO list and adding input from Leah Lang and EDUCAUSE CDS data.

Brian

We recently published a 2019 Information Security Almanac<https://library.educause.edu/resources/2019/4/the-educause-information-security-almanac-2019> using CDS data. In here you’ll find that:

- 83% of dedicated, full-time information security leaders report to the Highest-ranking IT administrator/officer (e.g., CIO) in central IT
- 4% report to another IT manager
- 3% report to the director of networking

When speaking more broadly about the person with primary responsibility for information security (both full-time and part-time roles), here’s how the reporting lines fall (image from the CDS portal using All U.S. nonspecialized institutions):

- Around 63% of individuals with primary responsibility for information security report to the CIO (up from 60% in 2016).
- Around 10% of individuals with primary responsibility for information security report to the president – I’m guessing these are CIOs who have primary responsibility for information security among their other responsibilities.

It’s the end of May so we’re ramping up for our July 2019 launch of the EDUCAUSE Core Data Service (CDS)<http://www.educause.edu/coredata>. I hope you’ll all consider contributing to this valuable resource!

Leah Lang
Director of Analytics Services
EDUCAUSE<http://www.educause.edu/>
Uncommon Thinking for the Common Good
direct: 303.939.0339 | main: 202.872.4200 | fax: 202.872.4318 | educause.edu<http://www.educause.edu/>
Twitter: meahlarie

Enhance decision making with the EDUCAUSE Core Data Service (CDS)<http://www.educause.edu/coredata> and EDUCAUSE Technology Research in the Academic Community (ETRAC)<http://www.educause.edu/etrac> - benchmarking data to inform IT planning.
Become an EDUCAUSE Ambassador Program Details<https://www.educause.edu/about/discover-membership/educause-ambassador-program> – Connect colleagues with resources

From: The EDUCAUSE CIO Community Group Listserv <CIO () LISTSERV EDUCAUSE EDU> On Behalf Of Mark Roman
Sent: Sunday, June 2, 2019 9:52 PM
To: CIO () LISTSERV EDUCAUSE EDU
Subject: Re: [CIO] CISO reporting relationship

Thanks for all the responses to the CISO reporting relationship question. I’ve compiled the answers to the question posed on the EDUCAUSE and CUCCIO (Canadian) list-serves in the attached spreadsheet and the overall results are shown in the chart below.

Of the 51 responses received, 88% reported the CISO or equivalent reporting directly into the CIO. Some institutions had their CISO or equivalent report to a level below the CIO, such as a Director, and one respondent reported outside of IT. 6% of the respondents reported not having a CISO, but in each case they are working towards a shared CISO in their region.

There were also several interesting links suggested so I have copied them here for anyone interested in investigating further:

- EDUCAUSE CISO studies
  https://library.educause.edu/resources/2019/1/the-higher-education-chief-information-security-officer-study-reports-2014-2017
- EDUCAUSE 2019 Information Security Almanac
  https://library.educause.edu/resources/2019/4/the-educause-information-security-almanac-2019
- EDUCAUSE CDS 2015
  https://library.educause.edu/~/media/files/library/2016/3/ewg1601.pdf
- European Benchmarking
  http://www.eunis.org/task-forces/benchmarking/
- Georgia Tech Governance of Cyber Security Report
  https://www.paloaltonetworks.com/resources/techbriefs/governance-of-cybersecurity.html
- Discussion blog
  https://blogs.wsj.com/cio/2015/02/06/data-breaches-spark-debates-on-ciso-cio-dynamic/

Mark Roman
Chief Information Officer
Simon Fraser University | Strand Hall 3166
8888 University Dr., Burnaby, B.C. V5A 1S6
778.237.0135 | sfu.ca/itservices
Twitter: @sfu_it

I respectfully acknowledge that SFU is located on traditional territories of the Coast Salish peoples of the Musqueam, Squamish, and Tsleil-Waututh Nations.

From: The EDUCAUSE CIO Community Group Listserv <CIO () LISTSERV EDUCAUSE EDU> On Behalf Of Mark Roman
Sent: May 24, 2019 8:35 AM
To: CIO () LISTSERV EDUCAUSE EDU
Subject: [CIO] CISO reporting relationship

We have been having an interesting conversation at our institution about where the CISO should report. In your institution, does the CISO report to the:

1. CIO?
2. Below the CIO (such as a Director)?
3. Outside of IT?

Is anyone aware of any research in higher ed about CISO reporting relationships?

Mark Roman
Chief Information Officer
Simon Fraser University

**********
Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/discuss.
Attachment:
CISO Survey.xlsx
Description: CISO Survey.xlsx