Educause Security Discussion mailing list archives
Re: Member question re: board presentations on security
From: Alfred Barker <Alfred.Barker () USG EDU>
Date: Thu, 15 Dec 2016 13:35:56 +0000
In addition to Brad’s wonderful comments, I’ve had great success by first understanding the key motivators of the “board.” For example, our Chancellor has three imperatives that are held dear: 1) commitment to academic excellence and degree completion, 2) commitment to economic development and world class research and 3) commitment to accountability, efficiency, and innovation in higher education. Understanding this, when presenting I craft my discussion around these imperatives showing either how we align, advance and bring value or how we might be missing the mark and may risk not achieving the imperatives.

Also, do not underestimate the power of quantitative analysis… having hard empirical in lieu of anecdotal information builds credibility.

Lastly, prepare and rehearse “elevator” proposals – a nod to Brad’s comment to have “succinct” responses to potential questions. This is also helpful if you are fortunate to have follow-on discussions resulting from your presentation.

Preparation is Key… Great Success!

Alfred S. Barker, MSIS
Assistant Vice Chancellor / CISO
Cybersecurity, Board of Regents
University System of Georgia
2500 Daniels Bridge Rd. Building 300
Athens, Georgia 30606
706-583-2032

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Brad Judy
Sent: Wednesday, December 14, 2016 1:48 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Member question re: board presentations on security

Make sure to ask about the preferred format and length of time for presenting to the board. Many boards still like hard copies of documents and agendas might be very tightly run for time.

For an initial presentation, a very high level (just a few minutes) overview of the structure of your information security program is a great place to start.
The content depends highly on the type of program you have, but simple statements like these are probably good to consider: (who are you, what do you do, where are we now, where are we headed, how will we know when we get there)

· Very high level review of your team/program’s scope and responsibilities
· High level overview of process for establishing these policies/procedures/standards
    o Ownership of security policies/procedures/standards resides with group X
    o Input and feedback for these policies/procedures/standards includes representation from these groups…
    o Final approval is given by this group/individual…
    o New items and changes are communicated in this way…
· We have established policies/processes for these high level areas: acceptable use, incident response, data classification, etc. (don’t dig into details even if asked – defer to following up with documents via email)
· The high level goals for the program over the coming year are…
· We intend to measure our progress and success through these methods….
· We would like to return to report on our progress toward these goals in X months…

Keep each top level bullet to 1-2 minutes for a total of less than 10 minutes.

Anticipate as many questions ahead of time as you can so you have quick, succinct answers. What are the hot topics which executives in your organization at the moment? How do they connect to your program? Have there been any recent major security news items and how would you answer “could this happen to us?” or “does this impact us?”?
Brad Judy
Information Security Officer
Office of Information Security
University of Colorado
1800 Grant Street, Suite 300
Denver, CO 80203
Office: (303) 860-4293
Fax: (303) 860-4302
www.cu.edu

From: EDUCAUSE Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Joanna Grama <jgrama () EDUCAUSE EDU>
Reply-To: EDUCAUSE Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Date: Wednesday, December 14, 2016 at 11:31 AM
To: EDUCAUSE Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: [SECURITY] Member question re: board presentations on security

Hello,

I received a request from a member today, who wishes to remain anonymous, to ask this group the following question:

What types of information would you provide to your institution’s board in an information security presentation/report? Especially if it were the first-ever information security report to the board?

For context, this was a request to present for informational purposes only and not in response to an institutional breach.

For those of you that are veterans of reporting to your institutional boards, what advice do you have to share?

Kind regards,
Joanna

Joanna Grama, JD, CISSP, CRISC, CIPT
Director of Cybersecurity and IT GRC Programs
EDUCAUSE
Uncommon Thinking for the Common Good
282 Century Place, Suite 5000, Louisville, CO 80027
direct: 720.406.6769 | main: 303.449.4430 | jgrama () educause edu