1 / 34

Talking With The Boss About Security

Talking With The Boss About Security. Darlene Quackenbush, James Madison University Shirley Payne, University of Virginia EDUCAUSE Conference October 21 st , 2005.

buck
Download Presentation

Talking With The Boss About Security

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Talking With The Boss About Security Darlene Quackenbush, James Madison University Shirley Payne, University of Virginia EDUCAUSE Conference October 21st, 2005

  2. We must all become much more vigilant in the provision of secure systems, in intrusion detection, in rapid response, and especially in education. We must practice, teach, and infuse all aspects of security into campus lives. Dr. Linwood H. Rose President, James Madison University “Information Security: A Difficult Balance” EDUCAUSE Review, September/October 2004

  3. Agenda • The Executive Audience • Benefits of Effective Communication • Obstacles To Effective Communication • Communication Strategies & Examples • References

  4. The Executive Audience • Boards of Trustees • Presidents • Vice Presidents & Provosts • Deans & Department Heads • Chiefs of Staff

  5. Perceived Barriers To IT Security Information Technology Security Study EDUCAUSE Center for Applied Research, Sept. 2003

  6. Perceived Barriers To IT Security Executives can help define appropriate security/privacy balance Information Technology Security Study EDUCAUSE Center for Applied Research, Sept. 2003

  7. Privacy and academic freedom are critical components of campus culture; it is vital that decisions on policies and procedures regarding security and related issues be carefully vetted, understood, and authorized by both the highest levels of the campus leadership and the representatives of the campus community. The executive role in all of these matters is crucial if internal dissension and unnecessary strife are to be avoided. “Presidential Leadership for IT” David Ward and Brian L. Hawkins EDUCAUSE Review, May/June 2003

  8. Perceived Barriers To IT Security Executives can enhance policy quality & acceptance Information Technology Security Study EDUCAUSE Center for Applied Research, Sept. 2003

  9. Perceived Barriers To IT Security Executives can help determine/clarify responsibilities Information Technology Security Study EDUCAUSE Center for Applied Research, Sept. 2003

  10. Perceived Barriers To IT Security Executives can influence others to change Information Technology Security Study EDUCAUSE Center for Applied Research, Sept. 2003

  11. If you can get the president to set the right tone, a majority on campus will likely follow her or his lead in supporting the changes and improvements you recommend. “Gaining the President’s Support for IT Initiative at Small Colleges.” Laurence W. Mazzeno, President, Alvernia College EDUCAUSE Quarterly, Number 1, 2004

  12. Perceived Barriers To IT Security Executives can determine resources based on risks, if they know them Information Technology Security Study EDUCAUSE Center for Applied Research, Sept. 2003

  13. Additional Benefits • Opportunity to establish appropriate expectations • Constructive involvement should a security incident occur

  14. In a time of crisis, it’s always good to have a boss smarter than you. Joy Hughes, VP/CIO, George Mason University

  15. Be Prepared For... • Additional Work To: • tailor the information • provide status reports, possibly including development of new metrics • respond to inquiries • Increased accountability

  16. Obstacles To Effective Communication Security, Security, Etc.

  17. Alarmist view or straight facts? What’s his experience level? Obstacle: Responsibility for security placed low in the organization

  18. What do computers have to do with identity theft? Why is he talking about fishing? Obstacle: Significant lack of awareness

  19. IPS = International Primatological Society “Compromised” computer? Obstacle: Unclear terminology

  20. This doesn’t help attract research $$ This doesn’t enhance student life Obstacle: Security not an institutional priority

  21. Is the situation really getting worse? How do we compare with others? Obstacle: Lack of security metrics

  22. But we trained the workforce three years ago! You’ve had your turn at the well. Obstacle: Security viewed as one-time fix-it project

  23. There will be an insurrection if we centralize server management! What do the faculty think of this idea? Obstacle: Cultural factors

  24. I’m not a techie. How could I possibly help? So what are we paying the CIO to do? Obstacle: Executive role not clear

  25. Effectively Talking With the Boss About Security Requires… • Establishing trust • Building awareness • Losing the jargon • Linking security to institutional priorities • Solidifying business case with metrics • Setting appropriate expectations • Addressing cultural issues • Emphasizing importance of executive level involvement

  26. Communication Strategies“getting it done” Good communication doesn’t just happen On-going attention

  27. A Project Plan . . . • Review the landscape • Set a target • Managed communication • Maintaining communication

  28. ISO or Security Practioner Operational Focused Technical Executive Governance Broad Mission-focused Differing Viewpoints

  29. Targeting NirvanaSource: Governing for Enterprise Security, Julia Allen, June 2005 • Enterprise level • Expected and respected topic • Treated as a business requirement • Appears regularly on the executive agenda • Addressed in strategic and operational planning

  30. Targeting Nirvana (continued) • Discussion and debate are encouraged • Regular benchmarking • Leaders are respected as value contributors • Business enabler • Integrated into the enterprise • Not solely an IT responsibility • Full understanding of individual roles and responsibilities

  31. Strategies • Advocate security as risk management • Identify risks at an the executive level • Craft the security message • Prepare to inform and educate • Engage others • Remain open • Accommodate the culture • Communicate for the long-term

  32. Maintenance • Stay informed • Be persistent • Remain agile • Be honest

  33. Positive Achievement Commuication among parties that are informed, persistently committed, agile in their views and honest in dealing with information security Communications Nirvana Real Value for Security

  34. References ACE Letter to Presidents Regarding Cybersecurity http://www.acenet.edu/washington/letters/2003/03march/cyber.cfm Developing Security Education and Awareness Programs http://www.educause.edu/ir/library/pdf/EQM0347.pdf Gaining the President’s Support for IT Initiatives at Small Colleges http://www.educause.edu/apps/eq/eqm04/eqm0417.asp Governing for Enterprise Security http://www.sei.cmu.edu/pub/documents/05.reports/pdf/05tn023.pdf EDUCAUSE Information Security Governance Assessment Tool http://www.educause.edu/LibraryDetailPage/666?ID=SEC0421 Information Security: A Difficult Balance http://www.educause.edu/pub/er/erm04/erm0456.asp Information Security Governance: A Call to Action http://www.cyberpartnership.org/InfoSecGov4_04.pdf Information Technology Security: Governance, Strategy, and Practice in Higher Education http://www.educause.edu/LibraryDetailPage/666?ID=ERS0305 Presidential Leadership for Information Technology http://www.educause.edu/ir/library/pdf/erm0332.pdf Report of the Best Practices and Metrics Teams www.incits.org/tc_home/CS1/2005docs/cs1050005.pdf

More Related