Re: We're number one! (Is that a good thing?)

[JT Ash <jtash () HAWAII EDU>]

Hi Michael,

 

                Thank you for bringing this topic up and allowing me to share my thoughts…. I’m HOPING that Security is 
always #1, because that’s where IT should always begin/end… Even though Information Security has been around for years, 
the “profession” has been evolving to keep up with the pace of business!!!  Until Security is integrated in everything 
BUSINESS (not IT) does, from business processes, workflows, classification/categorization of information, big data, 
predtictive analytics, project management, Infrastructure design, configuration management, portfolio management, 
software design & development, we’re ALWAYS going to try and “bolt” on Security after the fact…

 

                The day that Security is NOT #1, we’ve arrived because we’re fully integrated in every BUSINESS (I 
didn’t say IT) process…. Thank you again for letting me share my thoughts!

 

Aloha,

 

James T. (JT) Ash
HIPAA Compliance Officer
University of Hawaii - System
tel: (808) 956-7241
e-mail: jtash () hawaii edu

 

From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of "Corn, Michael" 
<mcorn () UCSD EDU>
Reply-To: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Date: Thursday, February 1, 2018 at 8:43 AM
To: <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: [SECURITY] We're number one! (Is that a good thing?)

 

Good morning (at least on the west coast) everyone,

As you might have noticed, EDUCAUSE released the Top 10 IT Issues list yesterday. The article and associated resources 
are available here: https://www.educause.edu/research-and-publications/research/top-10-it-issues-technologies-and-trends

Information Security is #1 on the list again, and a number of materials have been published in conjunction with the 
main IT Issues article to talk about information security:

*       An interview with HEISC co-leaders about information security in higher education: 
http://er.educause.edu/articles/2018/1/the-third-times-the-charm-information-security-at-the-top-of-the-list-again

*       A new guide on developing a security strategy: 
https://www.educause.edu/guides/developing-a-risk-based-security-strategy-in-higher-education

I'm curious what this security community thinks of security showing up at the top of the list means. Personally, I go 
back and forth between believing it means we're doing a great job at keeping attention on InfoSec, and believing we 
must be doing a terrible job if it's still getting this kind of attention. It's also tempting to ask if this ranking 
has something to do about how CISOs and CIOs communicate and what we're saying to each other (and what it says about 
the different perspectives of each).

 

In addition - regardless of why we remain on the top of the list, is there more we should be doing as a community to 
evolve higher ed information security practices? Should we be doing things differently? Is there some collective way to 
bring our industry forward? What should we focus on? What are the resources that we need (publications, guides, time, 
money, etc.) to effect change? How can we make the security discussion strategic and not merely another discussion 
around the operational control du jour.

 

Thoughts? Rants? It'd be great to get a conversation going in this forum,

MC

----------------------
Michael Corn | Chief Information Security Officer
mcorn () ucsd edu
University of California San Diego | ITS - Information Technology Services
10280 N. Torrey Pines Road, Suite 255 | La Jolla CA 92093 MC 0928
cybersecurity.ucsd.edu | esr.ucsd.edu