Educause Security Discussion mailing list archives
Re: Recommendations On Cabinet Level InfoSec position
From: "Bruhn, Mark S." <mbruhn () INDIANA EDU>
Date: Tue, 15 Jul 2003 08:35:52 -0500
In that case, anything you report to the CIO is subservient. :-)

1) A very good CIO is what is required to make this work. A CIO that doesn't have broad experiences and can't use good judgement about setting priorities, assigning resources, and resolving conflicts isn't a good CIO.

2) A good Security Officer gets involved in physical security of IT resources as well (we do, heavily, and are expected to do so by our good CIO :) and interacts often with physical facilities staff as well as police.

M.

--
Mark S. Bruhn, CISSP
Chief IT Security and Policy Officer
Interim Director, Research and Educational Networking Information Sharing and Analysis Center (ren-isac () iu edu)
Office of the Vice President for Information Technology and CIO
Indiana University
812-855-0326
Incidents involving IU IT resources: it-incident () iu edu
Complaints/kudos about OVPIT/UITS services: itombuds () iu edu

-----Original Message-----
From: Jim Wilcox [mailto:jim () WILCOXS NET]
Sent: Monday, July 14, 2003 5:05 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Recommendations On Cabinet Level InfoSec position

Just my two cents. First, how do you ensure information security if you can't ensure security in the other (e.g., physical) domains? That being the case, it makes no sense to create a CISO. Second, if your CISO (presuming that one makes that mistake) reports to the CIO, you are making security subservient. I liken it to routers and firewalls. Routers are all about providing access to information (this is a simplistic comparison for the sake of making a point); firewalls are all about controlling information. Which is more important? Neither. But, when the CISO reports to the CIO, security will often (if not always) be an afterthought. In the end, we all have to do what our organizations will allow us to do, but in terms of organizational architecture, it is pretty easy to draw the cause and effect drawing on this one.

Once security is integrated into how we do everything, the CSO role may become unnecessary. We are far from that.

Cheers,
James R. Wilcox, CISSP
10433 SW 53rd Ave
Portland, OR 97219-5837
503 245-6934
jim () wilcoxs net

-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Bruhn, Mark S.
Sent: Monday, July 14, 2003 2:55 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Recommendations On Cabinet Level InfoSec position

Frankly, I'm not completely sure I understand this. Most campuses have a security department or police department, or hire that out to a guard services company. Are you suggesting that whoever leads this unit also be responsible for IT security, and that this person report to the President or CEO? A lot of campuses haven't even been successful in getting the person responsible for security to report to the CIO yet.

In any case, the person responsible for all of IT on campus or within the university or college should report to the President, and is the person to whom the IT security officer should report. That's the only realistic situation, inasmuch as what Dan says is true: there is a need for continuous interactions between the CIO and the security officer, as they are the partnership that will (and must) know what the issues are and how to translate those into institutional risks (there I go again), and will ultimately cause an improvement of IT security on the campus. They have the focus as part of their responsibilities. A president is mired in far too broad a responsibility set to participate in such a partnership.

M.

--
Mark S. Bruhn, CISSP
Chief IT Security and Policy Officer
Interim Director, Research and Educational Networking Information Sharing and Analysis Center (ren-isac () iu edu)
Office of the Vice President for Information Technology and CIO
Indiana University
812-855-0326
Incidents involving IU IT resources: it-incident () iu edu
Complaints/kudos about OVPIT/UITS services: itombuds () iu edu

-----Original Message-----
From: Jim Wilcox [mailto:jim () WILCOXS NET]
Sent: Saturday, July 12, 2003 7:00 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Recommendations On Cabinet Level InfoSec position

The CSO should definitely *not* report to the CIO, but to the CEO/President. For one thing, as Howard Schmidt emphasized while he was at Microsoft (not touting MS as a paragon of security, but Howard left that gig to work for the President of the US via Richard Clarke and is the former President of the ISSA Int'l.), there is no such thing as a CISO. Therefore, subjugating a CSO to a CIO not only diminishes the position, but also ignores the 80% of the job that does not relate to information technology.

James R. Wilcox, CISSP
10433 SW 53rd Ave
Portland, OR 97219-5837
503 245-6934
jim () wilcoxs net

-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of art
Sent: Thursday, July 10, 2003 5:43 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Recommendations On Cabinet Level InfoSec position

Here at the U of New Mexico we are close to advertising for an information security officer, functionally the most senior one on campus, and this individual will report initially to the highest ranking IT official on campus (currently an Associate VP), but eventually to the CIO when that position is created.

Art St. George

--On Wednesday, July 09, 2003 5:25 PM -0500 Dan Updegrove <updegrove () MAIL UTEXAS EDU> wrote:

Jim,

It's hard for me to imagine that a President's group would have advocated another direct report, especially in a domain that most of them would consider to be (as William F. Buckley said of ocean sailing) "90% boredom and 10% terror." IMHO, the appropriate reporting line for ISO is to the CIO -- and the CIO should be at the cabinet level. I simply cannot imagine that an ISO would receive from a president the supervision and support needed to be effective. In practice, such a "cabinet level" ISO would report to a "deputy to the president," who is also too busy and non-technical to provide support.

Regards,
Dan Updegrove

At 05:15 PM 7/9/2003, Jim Moore wrote:

At the Educause security professionals workshop, I believe that someone mentioned that a college/university presidents group had a task force which made the recommendation that a cabinet level position for Information Security be created at colleges/universities. Does anyone have a reference? Does anyone have the text of the report/recommendation letter?

Jim

--
Jim Moore, CISSP, IAM
Information Security Officer
Rochester Institute of Technology
13 Lomb Memorial Drive
Rochester, NY 14623-5603
Telephone: (585)475-5406
Fax: (585)475-7950
PGP (jimmoore () mail rit edu): 9C33 0328 CD59 B602 82B8 8521 0DC9 963C D0C0

********** Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/memdir/cg/.

VP for Information Technology
The University of Texas at Austin
FAC 248 (Mail code: G9800)
P.O. Box 7407
Austin, TX 78713-7407
Phone (512) 232-9610
Fax (512) 232-9607
d.updegrove () its utexas edu
http://wnt.utexas.edu/~danu/