Educause Security Discussion mailing list archives

Re: Mandatory Security Training in Higher Education - NEW RELATED DISCUSSION


From: Jim Dillon <Jim.Dillon () CUSYS EDU>
Date: Thu, 19 Oct 2006 17:44:48 -0600

The source of this problem (the distributed security dilemma) has a lot
to do with our election of ERP systems and adoption of highly accessible
Web-based resources.  By empowering the end user to do increasingly
powerful things, and by putting more and more responsibility to manage
"enterprise administrative" data back to levels closer to the end user,
we've really created a monster.  Empowerment is a neat-sounding concept,
and the belief that "those closest to the data can make the best use of
it, so let's allow/help them to do so" sells well even today.  And boy,
wasn't it a load off the central service organizations and a reduction
in admin and overhead costs when that work was farmed back close to
home.  It even allowed for better controls and improved processes.

The cost of empowerment is increased local responsibility.  This
includes the knowledge to do all things empowered well, to supply all
the necessary resources, and to manage/govern the outcome at an
increasingly lower level of the organization.  We didn't reallocate the
assets to ensure this would happen (and by we I mean Higher Ed and
Corporate America) and thus we have put firearms in the hands of
toddlers in many cases.  Not only have we increased the workload, we've
changed the job requirement from being a low-trained functional
paper-pusher to being an educated process owner and manager.  The end
employees must know more, do more, and be integrated more firmly in the
entire process.  It sounds good, but it is a stretch on resources, and I
maintain we didn't, as a country-wide standard, make the kinds of
investments necessary to do the job properly.  Thus most departments are
managing shadow systems on their own, developing their own Web and
E-Commerce tools, and getting in way over their heads by not knowing the
regulatory environment, not having the IT experience necessary for
quality development and change control, not being able to properly
secure things appropriately, and not even being able to use the new
glorious ERP tools to great advantage.

Thus the current necessity to start pulling in the reins on distributed
computing and the present trend towards centralization of more and more
resources and services.  This will continue until we find that
centralized services are failing to meet the needs of the end
departments and once again we will be enlightened and think that
empowerment of the end user will be the panacea answer.

My only reasons for blogging this philosophical banter are to take the
sting out of my frustration with end users who won't step up to their
responsibilities - we shouldn't require so many to have to - and to
hopefully encourage a very thoughtful consideration of moderate
reorganization somewhere between the radical ends of centralized and
decentralized computing.  I don't know the answer, but I've been part of
a couple of these swings as technology charges forward, and the only way
to right-size for the consequences lies somewhere in the space between
the ends.  I'm afraid we won't like the cost of the answer when we get
there, and I believe it is running from that cost that gets us into
trouble.  A better TCO (total cost of operations) understanding is
needed, and a stronger governance of technology application.  What that
looks like, and how to provide it with sufficient freedom to make a few
mistakes and discover better methods, is the challenge ahead.

OK, that's as far as I go with trying to be level-headed about security,
training, and the constant struggle to get folks to understand their
NECESSARY participation in the process.  I hope there are some brilliant
someones out there who can make sense of this tail-chasing and get us
headed down a better path.  I'll try to shut up for a while; I've
consumed a few too many list electrons for my quota.

JD

*****************************************

Jim Dillon, CISA, CISSP

IT Audit Manager, CU Internal Audit

jim.dillon () cusys edu

303-492-9734

*****************************************

________________________________

From: Chad McDonald [mailto:chad.mcdonald () GCSU EDU] 
Sent: Wednesday, October 18, 2006 6:27 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Mandatory Security Training in Higher Education

Connie, 

We are traveling down this rocky road also.  We have managed to work with
our human resources department (thanks to an IT Audit - Scott, if you're
reading this - THANKS!) to have a base-level training course
incorporated into the new employee orientation program right alongside
the mandatory sexual harassment course and benefits information session.
Where I fear we will hit a stumbling block is with the entrenched
faculty who see this as another bureaucratic hoop that they must jump
through.  As for how we accomplish training, an "introductory" course is
offered through our CMS that records the score and other pertinent
information.  We are working to have more advanced courses developed
that focus on specific areas of interest.

Chad McDonald, CISSP, CISA

Chief Information Security Officer

Georgia College & State University

Office: 478.445.4473

Cell: 478.454.8250

Email: chad.mcdonald () gcsu edu

On Oct 18, 2006, at 5:56 PM, Sadler, Connie wrote:

Having come from a background in the Corporate world, where security
training is *mandatory*, I'm wondering how many institutions of higher
ed require security training for staff and/or faculty. We are planning
to require it for our ERP system users (and all staff soon), but the
question always comes up - "What are others doing"? So I'd appreciate
information about how you folks have approached your senior
administration in terms of why mandatory training is so important. If
you are not yet requiring training, I'd be interested in the barriers
you still face. It seems particularly challenging for faculty.

Thanks much! 

Connie 

Connie J. Sadler, CM, CISSP, CISM, GIAC GSLC 
IT Security Officer
Brown University Box 1885, Providence, RI 02912
Connie_Sadler () Brown edu
Office: 401-863-7266
PGP Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x91E38EFB
PGP Fingerprint: DA5F ED84 06D7 1635 4BC7 560D 9A07 80BA 91E3 8EFB 
