Educause Security Discussion mailing list archives
Re: Security training/conference for senior executives
From: Charles Curtis <ccurtis () AUSTINCOLLEGE EDU>
Date: Wed, 30 Aug 2017 16:43:13 +0000
I have had some success using an alumnus with robust cybersecurity job experience to help leaders pay attention to key security-related messages; alumni tend to carry more credibility but don’t usually cost anything and are somewhat more “controllable”.

Charles

Charles Curtis
Executive Director of Information Technology
Austin College
900 North Grand Avenue
Sherman, TX 75090-4400
Phone: 903.813.2088
www.austincollege.edu

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Frank Barton
Sent: Wednesday, August 30, 2017 11:25 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Security training/conference for senior executives

Brad,

While I agree that you should have face-to-face meetings with senior executives, all too often I've seen IT folks preach the same message over and over again, and it falls on deaf ears. The flip side of that is: when Senior Management signed the PO/Check/etc. to have an outside group preach the same thing, they listen. Even though the same things get said.

One other advantage is that the third-party groups can also bring in specific subject matter experts (usually lawyers that have dealt with specific issues previously) and can speak to specific risk-based questions from a larger perspective.

Both approaches are very important, and finding the right balance between the two is the difficult part.

Frank

On Wed, Aug 30, 2017 at 12:01 PM, Brad Judy <brad.judy () cu edu> wrote:

Personally, I would not send senior executives to third-party security training. Develop your own training session that covers your institution's risks, policies, resources, etc. in the context of the broader information security landscape. Help them make the connections between what they might hear in the news and what that means to your campus. Give them a chance to ask about how it impacts specific topics of concern to them. Get more in-person time with them to build trust.

It also forces you to be able to answer a lot of questions they might have:

• Does (HIPAA, GLBA, EU GDPR, FISMA, PCI, etc.) apply to us?
• What would a breach cost us?
• Would our insurance cover that?
• How many records with SSNs do we have?
• How much do we spend on information security?
• What things do we do to protect data?
• Do we store sensitive information with third-parties?
• How/when do we engage with law enforcement?
• What about this thing I heard in the news?

Even if it means spending a good chunk of time getting multiple face-to-face meetings scheduled, spending 30-60 minutes with each senior executive (or them as a group) can have immense value in building their understanding of the issues and their trust in you to chart a path to address them.

Brad Judy
Information Security Officer
Office of Information Security
University of Colorado
1800 Grant Street, Suite 300
Denver, CO 80203
Office: (303) 860-4293
Fax: (303) 860-4302
www.cu.edu

From: EDUCAUSE Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Alan Bowen <abowen () FANDM EDU>
Reply-To: EDUCAUSE Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Date: Wednesday, August 30, 2017 at 8:13 AM
To: EDUCAUSE Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: [SECURITY] Security training/conference for senior executives

Hello,

Can anyone recommend a short training session or conference for senior executive(s) that are not information security practitioners? The goal is to raise their level of knowledge about information security topics. I’ve had the benefit of attending SANS training but the appropriate classes seem to be five days long and that’s simply not going to work.

Alan Bowen
Chief Information Security Officer
Franklin and Marshall College

--
Frank Barton
Security+, ACMT
IT Systems Administrator
Husson University