Evolution & Ascent of the CISO

Over the past decade we've seen increasing executive interest in understanding risks, protecting privacy, and mitigating the impacts of cyber threats. As a result, a new range of positions has been added to the “C-Suite.” Chief information security officers (CISOs) have emerged as a way for organizations to amplify attention to these and other concerns. In the following article, seven experts from higher education share their thoughts on “the most secure job on campus.”

In 1984, Willis H. Ware, an early pioneer of privacy and security, wrote an article for the predecessor of EDUCAUSE Review. In it he noted:

“Security and privacy issues are ones for top administrative levels of the educational community, not ones to be buried deeply in the administration, research or teaching hierarchy.”

Now, fast-forward 30 years to today. Can we look back at this passage and say, “mission accomplished,” or do we have more work to do?

Sol Bermann

The cliché of never-ending journeys is apt

There is no “mission accomplished” banner in terms of driving home the importance of security and privacy. That said, the rise of CISOs, CPOs (chief privacy officers), and similar roles in the organizational hierarchy of our institutions absolutely reflects some level of success. These endeavors are reported annually to the “top administrative levels” at the University of Michigan, including our executive officers and regents.

Kim Cary

Signs of progress can certainly be found in well-crafted policies put forward by security and privacy officers throughout higher education. These policies often require attention and ratification from those at the top levels of university administration. Still, the CISO role is young and evolving, mostly operates below the CIO, and doesn’t routinely interface with boards or presidents’ councils, which suggests to me that security and privacy haven’t yet elevated to the level of Willis H. Ware’s vision. We still have a long way to go.

Hunter Ely

When I first started working in security, the CISO never ventured out of the central IT shop to meet with administrators. Fast-forward 10 years and you find that CISOs now commonly brief general counsel, risk management, and even the chancellor or president on security issues and situations. That is a marked shift in visibility and certainly demonstrates some changing attitudes toward security.

Given all the risks, how do you sleep at night? (Or perhaps, put another way, with all the things that could keep you awake at night, how caffeinated are you right now?)

Jodi Ito

Sleep doesn’t come easily! We are already behind the curve in the “information security race.” With the implementation of new technologies (without adequate risk assessment), outsourcing to the “cloud” (because it’s cheaper, faster, better), and the increase in “attackers” (from novice script kiddies to sophisticated, well-funded nation states), it’s a neverending battle.

We are always a hair trigger away from an attack and breach.

It is increasingly important to ensure that everyone understands the risks that accompany any gains in convenience and productivity. The threat landscape keeps expanding, as do the vulnerabilities and, by extension, the skills required to maintain the integrity of our digital infrastructure.

Kris Monroe

I like my caffeine as much as anyone, but I like it a lot less when it is accompanied by a late-night incident response.

Image: coffee cup with foamy power icon (derived from Flickr Photo 6855919503)

Ultimately, I think we’ve got to understand the risk we’re willing to accept as an institution. For priority risk and compliance issues, we simply have to understand the timelines we’re using to invest in the people, process, and technologies that can help us reduce our exposure.

Armed with an institutional understanding of our risks, we can all be caffeinated (or not) based on our own individual tastes.

Cathy Bates

You will not be facing the risks alone

You have to keep perspective — there are so many competing risks, and we have a finite pool of resources. This is why it is critical that security and IT risk are addressed at the C-level of the institution. If you maintain excellent relationships with your stakeholders, you will not be facing the risks alone.

Thomas Siu

The risk profile I’ve seen in higher education often requires us to take our lumps and carry on. In many cases, I’d relate our situation to canoeing in a wide river that is only knee deep. There is a lot of room to maneuver, and if you flip [your canoe], you can stand up, hang onto your paddle, and get back in.

Sol Bermann

How do I sleep? (When a potentially major incident is not occurring anyway ...)

  1. We have a layered, defense-in-depth approach that strives to protect those things most worth protecting.
  2. I lived through what was then the largest breach in state government history, which provides perspective.
  3. Breaches are inevitable, especially given the decentralized nature of higher ed and the ethos for open networks and data sharing.

Schools from every state have been affected in one form or another, and that's why organizations like HEISC (Higher Education Information Security Council) are so important. We can count on our colleagues to understand what's unique about higher education and share ideas, policies, and procedures.

Universities Affected by Breaches Since 2005

That said, when I look at the chart above, I am content to be “losing” this rendition of the Michigan-Ohio rivalry. ;-)

Contrasts & Comparisons

Earlier in his article Ware also noted, “There is little to distinguish security and privacy issues on the campus from those of the private sector or government.” Do you think that still applies today? What are some key differences between the CISO role in an academic setting as compared to your counterparts in government or in large corporations?

Sol Bermann

Broadly speaking, we face the same challenges: protecting our “customer” data, protecting key IT systems, staying compliant with key regulations and industry practices, trying to stay ahead of attackers, responding to potential security breaches, etc. That said, there are also some key differences.

Higher ed is an extremely decentralized environment. It is also by definition and tradition an open network for discourse, research, and the sharing of ideas. As a result, CISOs need to be as much an ambassador and advocate of security and compliance as a provider of security and compliance tools and resources.

Chart showing balance of risk and openness

As a 2014 study from ECAR shows, we MUST be balanced in our approach, leveraging relationships with governance groups, actively engaging university leadership, and not being seen as a roadblock to the “business” of the university. It also might mean accepting more risk than our colleagues in other sectors.

Kris Monroe

Having worked for a number of years outside higher education, I’d like to echo many of Sol’s sentiments and chime in with some other observations.

As Sol noted, we’re often challenged to strike a delicate balance between risk and openness, or security and usability. Another axis: privacy. Higher education often goes to great lengths to protect the privacy of the groups it serves. Large corporations often want to hold large amounts of identifiable data about users’ behavior … data that can be sold or otherwise exploited for commercial purposes. In education, we have a much different relationship with our customers. Our conservative data collection and retention policies often counterbalance the risks we are willing to absorb by being so open.

Universities Affected by Breaches Since 2005

Learn more about the ECAR’s analysis of breaches in higher education.

Jodi Ito

As others have stated, the main difference in academia is the high degree of decentralization, along with the autonomy that accompanies independent funding. A research unit with large grants may often develop their own policies and procedures. They’re often granted the authority (expressed or implied) to set up their own technology infrastructure — independent of any oversight to ensure the security of those systems. As a result, we’re challenged to spend time and resources identifying ways to mitigate the risks they pose.

There is a fair amount of discussion and debate about where the CISO reports. What have you seen, what do you like, and what are some of the pros and cons?

Hunter Ely

The role of the CISO has changed dramatically. Ten years ago, the CISO (if there was a dedicated security role) dealt with enterprise systems and their security. We are now seen as a driver of security across the entire campus or system and as “risk managers,” particularly when it comes to compliance issues. In some cases I’ve seen the CISO report to their CIO and have a “dotted line” to the top risk executive. Regardless of the reporting structure, we’re being tapped to provide guidance on a range of issues.

Thomas Siu

“Is information security an IT function or is it a broader business function of its own?” I would answer, “It is both.”

A 2014 Gartner report by Tom Scholtz suggests a meta-trend in senior corporate security officials reporting outside IT. Some of the advantages in having the CISO report outside IT include an enhanced profile, greater authority, and influence — especially in decentralized and federated organizations. It would also change the perception that information security is “an IT problem.”

Conversely, the advantages of having the CISO report to IT include proximity to key infrastructure support (where most information is maintained during its life cycle) and the ability to be in close contact with functional groups from an operational, tactical, and strategic perspective.

Kim Cary

I’ve happily reported to both the CIO and CTO roles in my career. In some institutions, the CISO is complemented by a cadre of more specialized data, privacy, and/or risk officers. At others, the CISO’s responsibilities encompass all of those duties. Still, there is nothing wrong with a more IT-independent CISO role that reports to general counsel or risk management.

Contrasts & Comparisons

In his article from 30 years ago, Ware also bemoaned the lack of a comprehensive body of knowledge about policies and best practices supporting security operations. How close are we to transcending that state? Can you talk about your own growth and professional development resources you’ve come to rely on over the years?

Jodi Ito

The number of standards and resources for information security has increased tremendously. SANS has continually expanded their cybersecurity courses and security awareness training. And industry-specific ISACs (Information Sharing and Analysis Centers) have increased both in number and activity. The REN-ISAC (Research and Education Network ISAC) provides valuable, vetted information to the academic community.

The EDUCAUSE Higher Education Information Security Council (HEISC) has been a leader in developing resources tailored for higher education institutions. Chief among them is the Information Security Guide, which provides a detailed matrix of effective practices from academic institutions that have been mapped to a range of information security standards. The EDUCAUSE Security Professionals Conference also provides an excellent forum to learn what challenges other institutions face and to network with peers to see how they are addressing their security concerns.

Kris Monroe

There is no predominant approach to managing governance, risk, and compliance in higher education. Analyses from CHECS, ECAR, and the Core Data Service help us contextualize approaches and right-size them for our own campus environments. I particularly appreciate the Information Security Guide and the annual security conference hosted by EDUCAUSE, which represents a great place to compare battle scars, share effective practices, and advance solutions that weave a common thread through the unique set of challenges often found in institutions of higher education.

Hunter Ely

I first relied on vendor training to support specific security technologies, moved on to SANS training, and now rely more heavily on both HEISC and the REN-ISAC to check my progress against my peers.

HEISC in particular has grown into a much more comprehensive body of knowledge specific to the needs of security in a higher ed environment. I believe the EDUCAUSE Information Security Professionals conference is the richest professional development available for me and my staff, with all the talks and panels directly applicable to higher ed. It’s particularly powerful to network with our peers and discuss the problems we are facing and how each institution tackles those problems.

Funding & Budgets

In his 1984 article, Ware asserted that “Educational institutions must commit to spending the resources needed to protect information processes which give it life; they must institute information policies needed to guide faculty, administrations and students.”

Any thoughts on the investments being made in information security?

Sol Bermann

Obtaining the appropriate level of funding, especially in the absence of a breach, is a constant challenge. We’re often in a position of exchanging some technical solutions for policy-based security.

Kris Monroe

As the chart below illustrates, and as the 2014 CDS Spotlight on Information Security reveals so well, there’s a stark difference between the funding that security receives in higher education and in other organizations.

Security Spending Per Employee

That, combined with the fact that our organizations place a disproportionately high value on openness, creates conditions that can sometimes stymie the effectiveness of security programs. As the perceived value of big data and student analytics increases, we may find a lever for correcting the imbalance in funding we experience today.

Kim Cary

The security office needs to practice three things to create a favorable environment for funding:

  1. Continually reinforce that security makes the most of what it has been given in terms of systems and relationships with other IT groups and business departments. This creates a lasting impression that “money spent in security has a solid return” and that the security office is a good colleague, not a separate kingdom.
  2. Demonstrate that you are a good steward of the university’s resources. Evaluate systems at renewal for efficiencies made possible by advances in technology or vendor competition (balanced against the cost of re-implementing an existing solution).
  3. Make sure that leadership is aware of a prioritized list of specific unmet needs and their costs. A well-defined wishlist gives us the opportunity to take advantage of funds as they become available.

SURPRISE! You've just received an email from your president announcing a $1 million bump in your budget.

And no, this wasn't an email from a prince of a foreign government. And yes, your president sent you the message using an encrypted email. Now, how are you going to use it?

If your budget were to shrink and you could only implement one technique for improving security on your campus, what would it be and why?

Sol Bermann

Besides unplugging the Internet?!?! ;-) Seriously though, good security means defense-in-depth and a "layered" approach. Absent that, I would invest in the best incident response team I could.

Kim Cary

If I could only use one system, I would keep our automated systems for updating and configuring our servers and personal computers because, as Superman would agree, invulnerability is the best defense. However, if you’re down to just one layer of defense, someone will find your Kryptonite before long.

Kris Monroe

I’d probably look to open-source solutions so as not to lose what Sol described above as a defense-in-depth layered approach. With those savings I’d hope to invest more in security awareness training.

Jodi Ito

People are still our weakest link.

I’m torn between two different approaches. One approach would be to implement a technical solution, such as a data loss prevention system that would keep unencrypted sensitive data from leaving our network. The second approach would be to invest in a robust, customizable information security awareness training program that would integrate into our authentication system and certification tracking system — and be mandatory for all faculty, staff, and students.

One final question: Ware noted, “There must be a national concern for providing adequate security protections in our public and private information systems and for attending to the new privacy issues that arise.” Looking forward, where do you think we’re going? What’s keeping you engaged and excited about the future?

Kim Cary

What keeps me engaged and excited is the progress we’re making as an IT organization in moving the university toward an even more secure state. Funding will ebb and flow, and one has to be ready for that. The problems vary, but they make the job endlessly interesting — along with colleagues inside and outside the institution.

Hunter Ely

Privacy is built into the DNA of our universities, and I want to be a part of that push as we evolve and adapt our security policies and practices to protect both our systems and our users’ privacy. When Ware wrote his article, he likely didn’t realize how true his words would ring in today’s society of mass surveillance and state-sponsored data breaches.

Thomas Siu

The environmental conditions affecting privacy and security have changed considerably over the last 30 years. I recall in the ’90s we would etch our name and SSN on valuable items (such as cameras, cars, etc.) to help facilitate recovery if stolen. What used to be commonly shared information now is considered private.

On the other side of the spectrum, in exchange for online services people now share their innermost thoughts (overtly or inadvertently) online and with a worldwide audience. What was private then is now considered public.

We’ll need to remain vigilant and attentive to a continuum of new problems and solutions. It’s part of what makes this job so intriguing!

Jodi Ito

With 2014 turning out to be a banner year for breaches — Target, Home Depot, JP Morgan Chase, and a number of others — you can bet there is a lot of attention on information security. Our government also considers cybersecurity to be an important national issue, committing government resources, releasing the NIST Cybersecurity Framework, and increasing the availability of resources from the Department of Homeland Security.

Sol Bermann

Ware was prescient in pointing out the risks and tensions related to security and privacy in our current digital age. In 1984, the Internet, big data, Google, and cyber-terrorism were the stuff of sci-fi novels. The rise of the CISO in all sectors (private, government, higher ed) is a direct result of the concern for “providing adequate security protections in our public and private information systems.” And while privacy has lagged security, more people — especially students — now attend to “the new privacy issues that arise.”

What keeps me engaged from a security perspective is trying to meet increasingly complex challenges from determined actors. Like the Peace Corps slogan, "It’s the toughest job you’ll ever love."

Authors

Cathy Bates is currently Associate Vice Chancellor and Chief Information Officer at Appalachian State University. She is responsible for providing vision and senior leadership for the development, coordination, and use of technology to enable essential innovation in research, learning, and administrative processes. She has been involved in Higher Education since 1988, holding technology management and leadership positions at Plymouth State University, the University of New Hampshire and the University of Arizona.

With significant experience leading technology units in a constantly changing environment, she has been recognized for her ability to create and revitalize service organizations that support and enhance institutional strategic objectives, as well as inter-institutional collaborations. Ms. Bates has a Bachelor's degree in Applied Computer Science and a Master's Degree in Leadership and Technology.

Sol Bermann is the interim CISO, in addition to serving as the Privacy Officer with the University of Michigan. Previously, he was Director of Global Privacy for Walmart. In that role he provided subject matter expertise on national and international privacy and data protection laws, regulations, and best practices; assisted in developing awareness and training initiatives; and worked collaboratively across the Walmart enterprise on matters related to: uses of data, global data-flows, information security, emerging technology trends, and fraud and identity theft issues.

Before joining Walmart, Sol was the Chief Privacy Officer for the State of Ohio, the first ever specifically appointed state CPO. In that role, he led the development, coordination, publication, and implementation of statewide privacy and security policies, standards, and procedures. In addition, he gave guidance in the drafting of state data protection laws. He is former Associate Director of the Center for Interdisciplinary Law and Policy Studies at the Ohio State University's Moritz College of Law, and was an adjunct faculty member of OSU's International Studies Program, teaching on issues related to law, policy, and civil liberties.

Sol is a frequent speaker on issues related to privacy and data security, and is co-author, with Professor Peter Swire, of the Official Reference for the Certified Information Privacy Professional. Sol received his B.A. from Beloit College, an M.A. in Foreign Affairs from the University of Virginia, and his J.D. from the Ohio State University's Moritz College of Law.

Kim Cary is currently Chief Information Security Officer at Pepperdine University in Malibu, California. His present work is focused on security policy, training, and mission-friendly information security consulting. Projects he has led include campus-wide live-fire anti-phishing training (2014), Device Management System (co-lead, 2013), Records Management Policy update (2012), CAS single sign-on (2010), Acceptable Use Policy (2009), campus-wide Computer Registration and Network Access Control (2008/9), Information Classification Policy (2008), Intrusion Detection System (2006/7), perimeter firewall (2006), data center firewall (2005), administration building in-place network replacement (2004), University SPAM filter (2004), wireless authentication (2003/4), and leading the IT infrastructure design and construction at a new 40-acre campus, admin building, and 5-floor office tower (2003/4). Kim enjoys all the varied roles he has played in security: liaison, policy champion, project manager, analyst, trainer, technical lead, and/or team member. Kim completed his Ed.D. at Pepperdine in 2004. Kim holds current security certifications as CISSP, and as GIAC Firewall, Intrusion and Forensics Analyst and Incident Handler. He received his M.Div. at Biola in 1986, and a B.A. in Biology at UCLA in 1979.

Hunter Ely is currently the Chief Information Security and Policy Officer at Tulane University, covering all schools and campuses within the Tulane University umbrella. He holds CISSP, CFCE, GCIA, and CRISC certifications. Ely is a graduate of Louisiana State University with 15 years of higher education and healthcare information technology experience and over 7 years of information security specialty. Ely also heads Tulane Technology Services' policy development. He manages the full lifecycle of policy development, collaboration, and implementation efforts for the department. Additionally, he heads the department's incident response team, both investigating and preventing security incidents across all Tulane campuses.

Jodi Ito has been the Information Security Officer (ISO) at the University of Hawaii since 2000 and has been with the University of Hawaii since 1982. She is responsible for the development and implementation of the university's new information security program; investigations and analyses of cyber incidents and attacks; coordination of any remediation and response efforts, including coordination with any law enforcement agencies; awareness and training on information security issues; and enforcing university policy with respect to the university's technology resources.

Kris Monroe is a former Information Security Officer (ISO) at Ithaca College. He has over 18 years of experience in the field of information technology with more than 10 of those years in information security. He has held positions of responsibility in system administration, networking, and security over the course of his career.

Kris is a Certified Information Systems Security Professional (CISSP) and Certified Information Systems Auditor (CISA), and is a member of InfraGard, a founding member of the Southern Tier New York chapter of the Information Systems Security Association (ISSA), a member of the Central New York chapter of the Information Systems Audit and Control Association (ISACA), and a member of the Higher Education Information Security Council (HEISC) Awareness and Training Working Group.

Tom Siu is the Chief Information Security Officer at Case Western Reserve University in Cleveland, OH. Tom directs the Information Security Office, with responsibility for information security administration and operations in a research university environment. Tom also is responsible for Governance of Identity Management, IT Policy, and Security Policy at CWRU. He specializes in risk management practice, security strategy, emergency operations (including BCP and DR), and architectural requirements for information assurance in a research-intensive educational environment. Recent focus areas for CWRU Information Security have been clinical research environment security, identity management, and security operations in a Design-Build-Run IT organization.

Prior to Case, Tom was a Network Security Analyst with NASA Glenn Research Center, where he was the team leader for IT Security Risk Management. There, he integrated engineering risk practices into the IT security planning, was involved in the NASA-wide patch and vulnerability management projects, and received a NASA Group Achievement Award for the Columbia Accident Investigation support system.

Tom has also held leadership positions in the areas of software development, software process improvement, IT and information security, through managing the Software Engineering Process Group; QA and Automated Testing teams at Progressive Insurance; running medical information systems security testing for the Department of Defense; providing analysis for large scale security projects while at the US Navy Operational Test and Evaluation Force. He also served as a faculty member in the Chemistry Department at the United States Naval Academy.

Tom started along the information security pathway in 1990 with an appointment as one of the first ADP Security Officers while serving as a Naval Flight Officer in an E-2C Hawkeye squadron in the US Navy.

Tom is a member of the Executive Council for Northeast Ohio InfraGard, holds a SANS GSEC Gold Certification, serves on the GIAC Advisory Board, and is a participant in REN-ISAC. He also plays the bugle for military funerals and honors ceremonies, is a USSF soccer referee, and is a homeschooling dad. The Siu family members are active participants and volunteers in the NCFCA, a speech and debate league for students.

© 2014 Cathy Bates, Sol Bermann, Kim Cary, Hunter Ely, Jodi Ito, Kris Monroe, and Thomas Siu. This work is licensed under Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License.
EDUCAUSE Review, November 14, 2014
