Talking With The Boss About Security

Talking With The Boss About Security. Darlene Quackenbush, James Madison University; Shirley Payne, University of Virginia. EDUCAUSE Security Professionals Conference, April 4th, 2005.

Presentation Transcript


  1. Talking With The Boss About Security Darlene Quackenbush, James Madison University Shirley Payne, University of Virginia EDUCAUSE Security Professionals Conference April 4th, 2005

  2. We must all become much more vigilant in the provision of secure systems, in intrusion detection, in rapid response, and especially in education. We must practice, teach, and infuse all aspects of security into campus lives. Dr. Linwood H. Rose President, James Madison University “Information Security: A Difficult Balance” EDUCAUSE Review, September/October 2004

  3. Agenda • The Executive Audience • Benefits of Effective Communication • Obstacles To Effective Communication • Leveraging Institutional Culture • Communication Strategies & Examples

  4. The Executive Audience • Boards of Trustees • Presidents • Vice Presidents & Provosts • Deans & Department Heads • Chiefs of Staff

  5. Perceived Barriers To IT Security Information Technology Security Study EDUCAUSE Center for Applied Research, Sept. 2003

  6. Benefit: Appropriate Strategies Information Technology Security Study EDUCAUSE Center for Applied Research, Sept. 2003

  7. Privacy and academic freedom are critical components of campus culture; it is vital that decisions on policies and procedures regarding security and related issues be carefully vetted, understood, and authorized by both the highest levels of the campus leadership and the representatives of the campus community. The executive role in all of these matters is crucial if internal dissension and unnecessary strife are to be avoided. “Presidential Leadership for IT” David Ward and Brian L. Hawkins EDUCAUSE Review, May/June 2003

  8. Benefit: Effective Policies Information Technology Security Study EDUCAUSE Center for Applied Research, Sept. 2003

  9. Benefit: Clear Assignment of Responsibilities Information Technology Security Study EDUCAUSE Center for Applied Research, Sept. 2003

  10. Benefit: Executive Role Model Information Technology Security Study EDUCAUSE Center for Applied Research, Sept. 2003

  11. If you can get the president to set the right tone, a majority on campus will likely follow her or his lead in supporting the changes and improvements you recommend. “Gaining the President’s Support for IT Initiative at Small Colleges.” Laurence W. Mazzeno, President, Alvernia College EDUCAUSE Quarterly, Number 1, 2004

  12. Benefit: Investment Aligned With Risk Profile Information Technology Security Study EDUCAUSE Center for Applied Research, Sept. 2003

  13. Additional Benefits • Opportunity to establish appropriate expectations • Constructive involvement should a security incident occur

  14. In a time of crisis, it’s always good to have a boss smarter than you. Joy Hughes, VP/CIO, George Mason University

  15. Be Prepared For... • Additional Work To: • tailor the information • provide status reports, possibly including development of new metrics • respond to inquiries • Increased accountability

  16. Obstacle To Effective Communication: Who are you? Responsibility for security is placed low in the organization

  17. Obstacle To Effective Communication: IT security? Significant lack of awareness

  18. Obstacle To Effective Communication: Why spend my time on this? Security not an institutional priority

  19. Obstacle To Effective Communication: Why can’t you handle it yourself? Executive role not clear

  20. Obstacle To Effective Communication: What the heck is an IPS? Techno-speak

  21. Obstacle To Effective Communication: Where’s the ROI? Lack of security metrics

  22. Obstacle To Effective Communication: You again? Security viewed as one-time fix-it project

  23. Obstacle To Effective Communication: That’s not how we do things here? Cultural Factors

  24. What Defines Culture? • Strategic Planning and Decision-Making • Examples: • Top-down • Bottom-up • Consensus-based • Institutional Values • Examples: • Collegial working relationships • Emphasis on accountability at all levels of institution • Strong faculty influence • Student honor code

  25. What Defines Culture? • Control of Operational Functions • Examples: • Centralized • Decentralized • Long-term Institutional Priorities • Examples: • Increase research • Increase community outreach • Compliance • Other influences on culture?

  26. A Good Blueprint • A plan • A function of environment • Express one’s culture/desires • Based on examples/knowledge of others • Guide for communicating with others

  27. Communication Strategies Silence is NOT golden • Communicate early and often • Build Awareness • Build Trust

  28. Communication Strategies Prepare to communicate • Know your security goals • Be prepared to educate • Craft the message • Have outcomes in mind

  29. Communication Strategies Adjust to change • Listen • Draw linkages • Monitor technical and regulatory changes • Consider timing • Promote agility

  30. Communication Strategies Prepare for the “long haul” • Manage expectations • Embed security • Communication as an investment • Accountability

  31. Communication Strategies Leverage culture • Tools/Tailoring/Timing • Compromise/Consensus • Compliance • Shared ownership

  32. Ideas For Using Culture • Consensus-based Decision-Making • Gain Mid-level Support First • University of Virginia LSP Program http://www.itc.virginia.edu/dcs/lsp • George Mason University SALT Group http://itu.gmu.edu/security/sysadmin/salt-description.html

  33. Ideas For Using Culture • Increasing Emphasis on Compliance • Spotlight Federal Regulations Related to Security & Privacy • IT Security for Higher Education: A Legal Perspective http://www.educause.edu/ir/library/pdf/csd2746.pdf • Family Educational Rights & Privacy Act http://www.ed.gov/policy/gen/guid/fpcp/ferpa/index.html • Gramm Leach Bliley Act http://www.ftc.gov/privacy/glbact/index.html • Health Insurance Portability & Accountability Act http://www.hhs.gov/ocr.hipaa

  34. Communication Strategies Seize “opportunities” • Bad things will happen • Anxiety is attention • So is Contemplation Change culture

  35. References • ACE Letter to Presidents Regarding Cybersecurity http://www.acenet.edu/washington/letters/2003/03march/cyber.cfm • Developing Security Education and Awareness Programs http://www.educause.edu/ir/library/pdf/EQM0347.pdf • Gaining the President’s Support for IT Initiatives at Small Colleges http://www.educause.edu/apps/eq/eqm04/eqm0417.asp • EDUCAUSE Information Security Governance Assessment Tool http://www.educause.edu/LibraryDetailPage/666?ID=SEC0421 • Information Security: A Difficult Balance http://www.educause.edu/pub/er/erm04/erm0456.asp • Information Security Governance: A Call to Action http://www.cyberpartnership.org/InfoSecGov4_04.pdf • Information Technology Security: Governance, Strategy, and Practice in Higher Education http://www.educause.edu/LibraryDetailPage/666?ID=ERS0305 • Presidential Leadership for Information Technology http://www.educause.edu/ir/library/pdf/erm0332.pdf
