Re: Security training/conference for senior executives

[Frank Barton <bartonf () HUSSON EDU>]

Brad, While I agree that you should have face-to-face meetings with senior
executives, all too often I've seen IT folks preach the same message over
and over again, and it falls on deaf ears.

the flip side of that is: when Senior Management signed the PO/Check/etc.
to have an outside group preach the same thing, they listen. Even though
the same things get said. One other advantage is that the third-party
groups can also bring in specific subject matter experts (usually lawyers
that have dealt with specific issues previously) and can speak to specific
risk-based questions from a larger perspective.

Both approaches are very important, and finding the right balance between
the two is the difficult part.

Frank

On Wed, Aug 30, 2017 at 12:01 PM, Brad Judy <brad.judy () cu edu> wrote:

> Personally, I would not send senior executives to third-party security
> training.  Develop your own training session that covers your institutions
> risks, policies, resources, etc. in the context of the broader information
> security landscape.  Help them make the connections between what they might
> hear in the news and what that means to your campus.  Give them a chance to
> ask about how it impacts specific topics of concern to them.  Get more
> in-person time with them to build trust.
>
>
>
> It also forces you to be able to answer a lot of questions they might have:
>
>
>
> ·         Does (HIPAA, GLBA, EU GDPR, FISMA, PCI, etc.) apply to us?
>
> ·         What would a breach cost us?
>
> ·         Would our insurance cover that?
>
> ·         How many records with SSNs do we have?
>
> ·         How much do we spend on information security?
>
> ·         What things do we do to protect data?
>
> ·         Do we store sensitive information with third-parties?
>
> ·         How/when do we engage with law enforcement?
>
> ·         What about this thing I heard in the news?
>
>
>
> Even if it means spending a good chunk of time getting multiple
> face-to-face meetings scheduled, spending 30-60 minutes with each senior
> executive (or them as a group) can have immense value in building their
> understanding of the issues and their trust in you to chart a path to
> address them.
>
>
>
> Brad Judy
>
>
>
> Information Security Officer
>
> Office of Information Security
>
> University of Colorado
> 1800 Grant Street, Suite 300
> Denver, CO  80203
>
> Office: (303) 860-4293
>
> Fax: (303) 860-4302
>
> www.cu.edu
>
>
>
> [image: u-logo_fl]
>
>
>
>
>
>
>
> *From: *EDUCAUSE Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of
> Alan Bowen <abowen () FANDM EDU>
> *Reply-To: *EDUCAUSE Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
> *Date: *Wednesday, August 30, 2017 at 8:13 AM
> *To: *EDUCAUSE Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
> *Subject: *[SECURITY] Security training/conference for senior executives
>
>
>
> Hello,
>
>
>
> Can anyone recommend a short training session or conference for senior
> executive(s) that are not information security practitioners?  The goal is
> to raise their level of knowledge about information security topics. I’ve
> had the benefit of attending SANS training but the appropriate classes seem
> to be five days long and that’s simply not going to work.
>
>
>
> —
>
> Alan Bowen
>
> Chief Information Security Officer
>
> Franklin and Marshall College



-- 
Frank Barton
Security+, ACMT
IT Systems Administrator
Husson University