Educause Security Discussion mailing list archives
Re: CISO?
From: Rodney Petersen <rpetersen () EDUCAUSE EDU>
Date: Fri, 23 Jan 2004 11:18:35 -0700
Below are a few more resources in response to the original question and Gordon's response: -The EDUCAUSE Center for Applied Research security report revealed the following: 22.4% institutions of higher education have a chief IT security officer or equivalent; 90% of CSO's work at doctoral extensive or intensive institutions; 95 percent of the IT security officers report to a senior administrator in the IT office, including 50 percent who report to the CIO; respondents were asked when their institution created the IT security officer position and there is a clear, steady pattern of growth beginning in 1994; Director of Networking had day-to-day responsibility for security at over 30% of the institutions -The EDUCAUSE Center for Applied Research is considering a follow-up study to its recent Security Report or including longitudinal questions in an upcoming data networking study -There is a collection of IT Security Officer job descriptions at http://www.educause.edu/asp/doclib/detail_docs.asp?Detail_ID=6 -In a recent article, "Planning for Improved Security", by Mark Bruhn & myself published in EDUCAUSE Review (November/December 2003) (http://www.educause.edu/pub/er/erm03/erm036_articles.asp?id=10), we describe the importance of strategy and planning to the development of an information security program. We also provide examples from three institutions where in two of those cases the "planning" process resulted in the establishment of the position of an IT security officer -The recent book, Computer and Network Security in Higher Education (http://www.educause.edu/asp/doclib/abstract.asp?ID=PUB7008), contains a chapter written by Jeff Recor on "Organizing for Improved Security". The chapter desribes creating a security plan of action, obtaining support for the plan, establishing security leadership (which describes the private-sectors movement towards positions of Chief Security Officer), and an array of security job titles assigned to specific functions. Rodney Petersen Security Task Force Coordinator, EDUCAUSE -----Original Message----- From: Gordon D. Wishon [mailto:gwishon () ND EDU] Sent: Wednesday, January 21, 2004 5:14 PM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: Re: [SECURITY] CISO? Phil, There's some general information in the ECAR Security Study about the CISO position in higher education, but not enough to really help you answer the questions you have. However, you'll be happy to know that ECAR is conducting a follow up study that asks many of these same questions. Rodney Petersen may have some insight into when the results of that study will be available.... Rodney?? Gordon At 04:57 PM 1/21/2004 -0500, Rodrigues, Philip wrote:
Hi all, I am a Network Security Analyst - you know, a low-level technical grunt. :-) The management structure above me is a little fuzzy, but the
longer
I work here the more apparent one thing becomes: We do not have a senior management-level Information Security position.
(And no, I am not looking for a position to be promoted into!) For those of you who do have a CISO position on your campus, how did you go about getting the position created? Was there a watershed event
or was it just a natural evolution? Have you had a CISO for a while now or was it just recently you saw a need for one? For those of you without a CISO-type position on your campus, do you think you need one? Do you plan on creating one? Does your technical staff fill that role, or has senior IT management assumed those responsibilities? Sorry if my questions are a little fuzzy - this is hardly a scientific survey. I am trying to figure out how to communicate what I see as a need here to senior University administration, and I always like to see
if someone else has tackled this first. Thanks in advance for any advice! Phil -- ======================================= Philip A. Rodrigues Network Analyst, UITS University of Connecticut email: phil.rodrigues () uconn edu phone: 860.486.3743 fax: 860.486.6580 web: http://www.security.uconn.edu ======================================= ********** Participation and subscription information for this EDUCAUSE Discussion
Group discussion list can be found at http://www.educause.edu/cg/.
********** Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/. ********** Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.