Re: Recommendations On Cabinet Level InfoSec position

[Jim Wilcox <jim () WILCOXS NET>]

The CSO should definitely *not* report to the CIO, but to the
CEO/President.

For one thing, as Howard Schmidt emphasized while he was at Microsoft
(not touting MS as a paragon of security, but Howard left that gig to
work for the President of the US via Richard Clarke and is the former
President of the ISSA Int'l.), there is no such thing as a CISO.
Therefore, subjugating a CSO to a CIO not only diminishes the position,
but also ignores the 80% of the job that does not relate to information
technology.

James R. Wilcox, CISSP
10433 SW 53rd Ave
Portland, OR 97219-5837
503 245-6934
jim () wilcoxs net

-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of art
Sent: Thursday, July 10, 2003 5:43 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Recommendations On Cabinet Level InfoSec
position


Here at the U of New Mexico we are close to advertising for an
information security officer, functionally the mosr senior one on
campus, ans this individual will report initially to the highest ranking
IT official on campus (currently an Associate VP), but eventually to the
CIO when that position is created.

Art St. George

--On Wednesday, July 09, 2003 5:25 PM -0500 Dan Updegrove
<updegrove () MAIL UTEXAS EDU> wrote:

> Jim,
>
> It's hard for me to imagine that a President's group would have
> advocated another direct report, especially in a domain that most of
> them would consider to be (as William F. Buckley said of ocean
> sailing) "90% boredom and 10% terror."
>
> IMHO, the appropriate reporting line for ISO is the to CIO -- and the
> CIO should be at the cabinet level. I simply cannot imagine that an
> ISO would receive from a president the supervision and support needed
> to be effective. In practice, such a "cabinet level" ISO would report
> to a "deputy to the president," who is also too busy and non-technical

> to provide support.
>
> Regards,
> Dan Updegrove
>
>
> At 05:15 PM 7/9/2003, Jim Moore wrote:
> > At the Educause security professionals workshop, I believe that
> > someone mentioned that a college/university presidents group had a
> > task force which made the recommendation that a cabinet level
> > position for Information Security be created at
> > colleges/universities.
> >
> > Does anyone have a reference?
> >
> > Does anyone have the text of the report/recommendation letter?
> >
> > Jim
> > --
> > --
> > Jim Moore, CISSP, IAM
> > Information Security Officer
> > Rochester Institute of Technology
> > 13 Lomb Memorial Drive
> > Rochester, NY 14623-5603
> > Telephone: (585)475-5406
> > Fax:       (585)475-7950
> >
> > PGP (jimmoore () mail rit edu): 9C33 0328 CD59 B602 82B8 8521 0DC9 963C
> > D0C0
> >
> > **********
> > Participation and subscription information for this EDUCAUSE
> > Discussion Group discussion list can be found at
> > http://www.educause.edu/memdir/cg/.
>
>
> VP  for Information Technology          Phone (512) 232-9610
> The University of Texas at Austin       Fax (512) 232-9607
> FAC 248 (Mail code: G9800)              d.updegrove () its utexas edu
> P.O. Box 7407
> http://wnt.utexas.edu/~danu/ Austin, TX 78713-7407
>
> **********
> Participation and subscription information for this EDUCAUSE
> Discussion Group discussion list can be found at
> http://www.educause.edu/memdir/cg/.

**********
Participation and subscription information for this EDUCAUSE Discussion
Group discussion list can be found at
http://www.educause.edu/memdir/cg/.

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/memdir/cg/.