Educause Security Discussion mailing list archives

Re: Security training/conference for senior executives


From: Charles Curtis <ccurtis () AUSTINCOLLEGE EDU>
Date: Wed, 30 Aug 2017 16:43:13 +0000

I have had some success using an alumnus with robust cybersecurity job experience to help leaders pay attention to key 
security-related messages; alumni tend to carry more credibility but don’t usually cost anything and are somewhat more 
“controllable”.

Charles

Charles Curtis
Executive Director of Information Technology
Austin College
900 North Grand Avenue
Sherman, TX 75090-4400
Phone: 903.813.2088
www.austincollege.edu




From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Frank 
Barton
Sent: Wednesday, August 30, 2017 11:25 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Security training/conference for senior executives

Brad, While I agree that you should have face-to-face meetings with senior executives, all too often I've seen IT folks 
preach the same message over and over again, and it falls on deaf ears.

The flip side of that is: when Senior Management signed the PO/Check/etc. to have an outside group preach the same 
thing, they listen. Even though the same things get said. One other advantage is that the third-party groups can also 
bring in specific subject matter experts (usually lawyers that have dealt with specific issues previously) and can 
speak to specific risk-based questions from a larger perspective.

Both approaches are very important, and finding the right balance between the two is the difficult part.

Frank

On Wed, Aug 30, 2017 at 12:01 PM, Brad Judy <brad.judy () cu edu> wrote:
Personally, I would not send senior executives to third-party security training.  Develop your own training session 
that covers your institution's risks, policies, resources, etc. in the context of the broader information security 
landscape.  Help them make the connections between what they might hear in the news and what that means to your campus. 
 Give them a chance to ask about how it impacts specific topics of concern to them.  Get more in-person time with them 
to build trust.

It also forces you to be able to answer a lot of questions they might have:


• Does (HIPAA, GLBA, EU GDPR, FISMA, PCI, etc.) apply to us?
• What would a breach cost us?
• Would our insurance cover that?
• How many records with SSNs do we have?
• How much do we spend on information security?
• What things do we do to protect data?
• Do we store sensitive information with third parties?
• How/when do we engage with law enforcement?
• What about this thing I heard in the news?

Even if it means spending a good chunk of time getting multiple face-to-face meetings scheduled, spending 30-60 minutes 
with each senior executive (or them as a group) can have immense value in building their understanding of the issues 
and their trust in you to chart a path to address them.

Brad Judy

Information Security Officer
Office of Information Security
University of Colorado
1800 Grant Street, Suite 300
Denver, CO  80203
Office: (303) 860-4293
Fax: (303) 860-4302
www.cu.edu




From: EDUCAUSE Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Alan Bowen <abowen () FANDM EDU>
Reply-To: EDUCAUSE Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Date: Wednesday, August 30, 2017 at 8:13 AM
To: EDUCAUSE Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: [SECURITY] Security training/conference for senior executives

Hello,

Can anyone recommend a short training session or conference for senior executive(s) that are not information security 
practitioners?  The goal is to raise their level of knowledge about information security topics. I’ve had the benefit 
of attending SANS training but the appropriate classes seem to be five days long and that’s simply not going to work.

—
Alan Bowen
Chief Information Security Officer
Franklin and Marshall College







--
Frank Barton
Security+, ACMT
IT Systems Administrator
Husson University

