Educause Security Discussion mailing list archives

Re: Recommendations On Cabinet Level InfoSec position


From: Angel L Cruz <cruz () AUSTIN UTEXAS EDU>
Date: Sat, 12 Jul 2003 22:39:34 -0500

May I comment?

Most would agree it was a good idea to move the senior IT person out
from under CFOs. I for one feel the same cannot be said for moving the
senior info sec person out from under the CIO.

The esteemed Mr. Schmidt's opinion notwithstanding, few if any academic
ISOs are in charge of the 80% that is not info security related (though
they may be engaged in supporting them) -- we're just NOT CSOs. Also, I
feel few academic institutions would support a new cabinet level
position with all flavors of security management in their portfolio.

As to the CISO, this is a new title for a position 100% dedicated to a
critical support role (info sec supports the mission by assuring IT's
availability, confidentiality, integrity, ... you've heard the dogma).
While CxO may connote reporting to the chief executive, many CISOs are
really just senior info sec types who have given themselves (or talked
someone into giving them) that title. ISOs will still, at best, report
to the top IT person (granted, some report to audit or legal departments
but in academia this is clearly not the prevailing case).

IMHO, those in academic information security leadership roles realize
just how hard the job is, without having to deal with job title
gymnastics. The ISO focus should be on promoting solid info security
principles both with core IT folks and with the entire campus community.
The most effective organizational mapping is a director-level ISO
reporting to the top IT person -- especially to a cabinet level CIO.
Why? The ISO needs the CIO's positional influence to get appropriate
info security programs, services, and operations up, running, and
effective - again so info sec supports IT and for IT to support the
institution's mission.

Thanks for listening.

Angel L. Cruz, USN Retired
Director & University Information Security Officer
The University of Texas at Austin
a.cruz () its utexas edu

-----Original Message-----
From: Jim Wilcox [mailto:jim () WILCOXS NET] 
Sent: Saturday, July 12, 2003 7:00 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Recommendations On Cabinet Level InfoSec
position

The CSO should definitely *not* report to the CIO, but to the
CEO/President.

For one thing, as Howard Schmidt emphasized while he was at Microsoft
(not touting MS as a paragon of security, but Howard left that gig to
work for the President of the US via Richard Clarke and is the former
President of the ISSA Int'l.), there is no such thing as a CISO.
Therefore, subjugating a CSO to a CIO not only diminishes the position,
but also ignores the 80% of the job that does not relate to information
technology.

James R. Wilcox, CISSP
10433 SW 53rd Ave
Portland, OR 97219-5837
503 245-6934
jim () wilcoxs net

-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of art
Sent: Thursday, July 10, 2003 5:43 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Recommendations On Cabinet Level InfoSec
position


Here at the U of New Mexico we are close to advertising for an
information security officer, functionally the most senior one on
campus, and this individual will report initially to the highest ranking
IT official on campus (currently an Associate VP), but eventually to the
CIO when that position is created.

Art St. George

--On Wednesday, July 09, 2003 5:25 PM -0500 Dan Updegrove
<updegrove () MAIL UTEXAS EDU> wrote:

Jim,

It's hard for me to imagine that a President's group would have
advocated another direct report, especially in a domain that most of
them would consider to be (as William F. Buckley said of ocean
sailing) "90% boredom and 10% terror."

IMHO, the appropriate reporting line for ISO is the to CIO -- and the
CIO should be at the cabinet level. I simply cannot imagine that an
ISO would receive from a president the supervision and support needed
to be effective. In practice, such a "cabinet level" ISO would report
to a "deputy to the president," who is also too busy and non-technical
to provide support.

Regards,
Dan Updegrove


At 05:15 PM 7/9/2003, Jim Moore wrote:
At the Educause security professionals workshop, I believe that
someone mentioned that a college/university presidents group had a
task force which made the recommendation that a cabinet level
position for Information Security be created at
colleges/universities.

Does anyone have a reference?

Does anyone have the text of the report/recommendation letter?

Jim
--
--
Jim Moore, CISSP, IAM
Information Security Officer
Rochester Institute of Technology
13 Lomb Memorial Drive
Rochester, NY 14623-5603
Telephone: (585)475-5406
Fax:       (585)475-7950

PGP (jimmoore () mail rit edu): 9C33 0328 CD59 B602 82B8 8521 0DC9 963C
D0C0

**********
Participation and subscription information for this EDUCAUSE
Discussion Group discussion list can be found at
http://www.educause.edu/memdir/cg/.


VP for Information Technology          Phone (512) 232-9610
The University of Texas at Austin      Fax (512) 232-9607
FAC 248 (Mail code: G9800)             d.updegrove () its utexas edu
P.O. Box 7407
Austin, TX 78713-7407
http://wnt.utexas.edu/~danu/
