Re: reporting structure

[Valerie Vogel <vvogel () EDUCAUSE EDU>]

Good afternoon,

Here is a link to the 2009 ECAR Research Bulletin, The Career of the IT
Security Officer in Higher Education, which covers reporting lines:
http://www.educause.edu/library/resources/career-it-security-officer-higher
-education 

Download the PDF here: https://net.educause.edu/ir/library/pdf/ECP0901.pdf

And here is some more recent information from the Core Data Service (CDS):

 
 
20% of institutions told us the CIO is the ³highest-ranking person with
primary responsibility for IT security².

 
Of those who have someone other than the CIO in this role, only 35% are
100% dedicated to the CISO role. (see attached image)
 

 
 
Of those 175 who are full-time CISOs (of one title or another), 69% report
to the CIO and 19% report to a first-line director in Central IT. Only 6%
report to someone at the C-level, who is not the CIO, and 1% report to the
President.

 
Board of Trustees/Regents: 0%
President/Chancellor: 1%
Provost/Chief Academic officer: 1%
Chief Administrative Officer: 3%
Chief Financial Officer: 2%
Director of Internal Audit: 0%
CIO: 69%
First-line director in central IT: 19%
Second-line manager in central IT: 3%
None of these: 14%


If you have any additional questions, please let me know.

Thank you,
Valerie

Valerie Vogel Program Manager

EDUCAUSE
Uncommon Thinking for the Common Good
direct: 202.331.5374 | main: 202.872.4200 | educause.edu




On 10/23/13 2:34 PM, "George Farah" <george.farah () QUEENSU CA> wrote:

> There is an EDUCAUSE publication that show various reports, CIOs,
> Chancellors, Legal counsel, VP ops and Finance and Provost directly are
> among the options.
>
> It all depends on your culture centralised vs. de-centralised
> environments and maturity of your IT and business organization.
>
> Hope that helps.
>
> George Farah, GIAC/GSEC Gold, CRISC, CISA
> University Information Systems Security Manager
> Queen's University,
> Kingston, Ontario, Canada k7l 3n6
> -----------------------------------------------------------
> CONFIDENTIALITY CAUTION:
> This communication and any attachments is for the use of the individual
> or entity to which it is addressed and may contain information that is
> privileged, proprietary, confidential and exempt from disclosure. If you
> are not the intended recipient you are notified that any dissemination,
> distribution, or copying of the communication is strictly prohibited. If
> you received this communication in error, please notify the sender and
> destroy this email immediately.
>
> AVERTISSEMENT RELATIF À LA CONFIDENTIALITÉ:
> Cet envoi (et toute pièce jointe) ne s'adresse qu'à la personne ou à
> l'entité à laquelle il est destiné. Il peut contenir des renseignements
> privilégiés, confidentiels et ne devant pas être divulgués. Si vous
> n'êtes pas le destinataire prévu,  nous vous avisons que toute
> dissémination, distribution ou copie de cet envoi est strictement
> interdite. Si vous receviez cet envoi par erreur, veuillez en aviser
> l'expéditeur et détruire ce courriel immédiatement.
>
>
> -----Original Message-----
> From: The EDUCAUSE Security Constituent Group Listserv
> [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Russ Leathe
> Sent: October-23-13 4:21 PM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: [SECURITY] reporting structure
>
> Who does Information Security report to? Does the CSO or ISO report  to
> the CIO or somebody else?
>
> Thanks and Happy Cyber Security Month!
>
>
> Russ
> Gordon College
> russ () gordon edu