Abstract image of a woman sitting on books and studying on a laptop

How Do You Create A Successful Information Security Program Hire A Great Iso!!

Tammy Clark, profile picture
Tammy Clark

The document provides advice on how to create a successful information security program at a university. It recommends hiring an Information Security Officer (ISO) to develop a 3-5 year strategic security plan, prioritize needs, implement technical solutions and processes, and evangelize security to the campus community. The ISO should have leadership and technical skills, report to the CIO, and work to integrate security throughout the university's IT infrastructure and operations.

1 of 20
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
How Do You Create a Successful Information Security Program? Hire a GREAT ISO!! Tammy L. Clark, CISSP, CISM, CISA Information Security Officer Georgia State University
A Little Background on Me… Hired as a consultant to design a security program for GSU in April 2000 Started the program in July 2000 Began with a strategic 3-5 year plan “ Sold” the program to campus constituents and implemented security solutions that would make an immediate impact--the big bang! Apathy has changed to empathy on our campus!
Developing an Information Security Program The best approach is a strategic one Throwing together various solutions without adequate planning may work in the short term, but is disastrous in the long term! Similar but more granular than the role the CIO plays in the overall IT organization—you need a CISO to lead your information security program The key is selecting the right person and empowering them to effect positive changes
Taking a Strategic View of Things START with a 3-5 year strategic security plan, as well as a plan outlining the tactical approach that will be taken, and annual project plans to project what priorities will be tackled and what resources and budget will be necessary each year OVER 95% of universities I’ve surveyed over the past 5 years do not have a strategic information security plan that details how the information security department or function will align itself as an enabler of the information technology, business and academic objectives PRIORITIZE your needs when it comes to budgeting for information security—unless you are one of those entities fortunate enough to have millions to spend on security solutions and endeavors, you will find it necessary to carefully select the solutions, resources, and program initiatives that your university will focus on each year
Confidentiality, Integrity, and Availability The goals of an effective program Develop clear and unambiguous policies, guidelines and standards Protect sensitive data Prevent unauthorized intrusions, access, tampering Ensure business continuity and operational efficiency Assess risks, threats and vulnerabilities accurately Detect and remediate security incidents quickly
People, Processes, and Technology Technical solutions without processes are ineffective Processes without trained and motivated people to implement them are useless People without training, motivation, or understanding can negate the effectiveness of technology and processes
An In-depth and Layered Defense The information security strategic, tactical and annual project plans should focus on developing an in-depth and layered approach to integrating information security tools into the existing network infrastructure, as well as making key decisions about how your university will choose to protect your information technology resources For example, at GSU, we’ve chosen to focus on a strategy of IPS and AV at the edge of the network, firewalls and ACLs to protect key segments of the campus, IPS and AV on desktops and many campus servers, VPN and Bluesocket boxes in the wireless areas, and the Perfigo security gateway solution to ensure that housing residents’ systems are running specific security software we require to grant them network access The tools we are leveraging today started with an overall strategy of securing campus hosts rather than deploying a network firewall at the edge, and have evolved over time as security solutions have seasoned and added new capabilities—we build relationships with the vendors we do business with and thoroughly evaluate a new vendor’s technology and their capacity to provide continued support and enhancements. We have limited dollars to spend and must do so wisely.
Evangelizing the Masses ALL it takes is hackers exploiting a single workstation or server that processes sensitive student information or stores user credit card info to land your university on the 6:00 p.m. newscast! CONFUSION reigns among many campus users about how to protect their workstations from the numerous methods employed to install backdoors, IRC bots, worms, and spyware—they seek leadership and guidance to help prevent these problems. THANKS to all the attention garnered by the MyDoom, Blaster, Sasser, etc., the university community as a whole cares more now about information security than ever before!
Why Committees and IT Staff Members Can Assist But Not Lead Important to include these constituents in policy, procedural and potentially security solutions evaluations—they are well suited to assist or provide feedback in these important areas BUT.. Generally speaking—committees are composed of individuals with responsibilities that are not focused around information security; therefore, their number one priority is their own job responsibilities, not developing and nurturing an information security program, which takes a huge amount of care and feeding upfront Information technology professionals often lack the business management background to tackle program issues from a C-level standpoint—additionally, many have built up expertise in one or two areas of technology and lack the overall breadth of information technology and specific information security experience to tackle the challenging role of the ISO
Why You Need an ISO Leadership Vision Integrity Dedication Catalyst for change Promote the perception of information security as a value add Negotiate effectively with security solutions vendors to procure the best solution for your university at the best price Evangelize the masses
Real World Examples A university without an ISO charges the network manager to deploy some security solutions—since they are a Cisco “shop,” the manager buys a number of Cisco’s security tools including some Pix firewalls, IDS, and the Cisco Security Agents. A year later, the hardware procured is in a storage closet and the CSA’s have not been deployed. The manager is of the opinion that this will have to wait until necessary funding for training can happen. A CIO decides that “something” has to be done about the university’s lack of a way to detect or prevent attacks on the network and lately, the network has been crippled by Sasser infections, IRC bots, P2P distributions and spyware running on university workstations. He talks to a firewall vendor and the vendor talks him into placing a firewall appliance at the edge of the campus network to block all the “bad” stuff. After a couple of days of numerous help desk calls and complaints, the firewall is basically configured to allow rather than permit most traffic coming in and out of the campus
What is it Going to Cost You… It may actually cost you more to deploy various security solutions without a clear and focused strategy or evaluation from a technical, risk, and business continuity standpoint than it would to hire an ISO! Time and time again, I’ve seen universities buying solutions without having a strategic security plan in place, without evaluating these tools, without integrating and layering them into the existing network infrastructure ONLY to have to replace these solutions or abandon them and spend money to buy new ones Uncontained RPC worm infections, IRC bots, illegal warez servers, given the man hours (in terms of salary dollars for IT staff members) that must be spent reinstalling compromised workstations or fixing network performance problems caused by denial of service attacks and other security related problems are a recovery cost that you want to avoid. Hire an ISO and start tackling these problems NOW!
Selecting an ISO Choose wisely as this position is pivotal to the success of your information security program. Look for a wide breadth of information technology experience, solid evidence of leadership, project management, business management and/or analysis skills and training, and (optionally) security certifications. HIRE an ISO who can evaluate and deploy numerous types of security (IDS/IPS/firewall) solutions. The ISO needs to have the skill set to analyze and understand the data culled from various security solutions and logs in order to develop effective incident prevention and management strategies. HIRE an ISO who can write sound policies and procedures, communicate effectively with diverse constituent groups, develop strategic and project plans, security awareness presentations and materials, facilitate and create committees and working groups, provide direction and guidance to information technology employees responsible
Typical Duties of an ISO Develop policies and guidelines Incident prevention, response and management Security awareness Security tool selection and deployment Security audits and reviews Focal point for providing information and guidance to the campus about threats and vulnerabilities Management of key security operational systems, such as anti virus, IDS/IPS, firewalls
Most Effective Reporting Structure Although there are ISO’s (including myself) who report to a director or manager level information technology staff member, the measure of influence that can be gained by being aligned underneath the CIO is invaluable However, if you are able to get your “message” across to multiple constituent groups and build strong alliances on campus with information technology staff members, faculty, students, and campus leaders in the police, legal affairs, public relations, human resources, student information and financial organizations, you can also effect positive outcomes and really motivate these organizations and people to collaborate with you in ensuring your information security program is accomplishing major goals and objectives established By the way, your “message” needs to address and appeal to the issues and needs of each constituent organization or individual that you deal with—One message does not fit all!
What Background is Most Desirable? Harry Shah, CISO of Marsh, a risk and insurance services provider, sums it up this way: "A CSO has to be a futurist, an evangelist, a technology manager, a cheerleader, a change agent, a good bureaucrat, a very good policy-maker, a negotiator and a legal expert. And on a good day, he also has to be a security engineer."
Are Certifications Important? CISSP – Certified Information Systems Security Professional SSCP – Systems Security Certified Practitioner CISM – Certified Information Security Manager CISA – Certified Information Systems Auditor GIAC – Global Information Assurance Certification CPP – Certified Protection Professional CompTIA Security+ Certification Forensics and Ethical Hacking (various) Vendor security certifications (ISS, Cisco, etc.)
Specific and Unique Qualities Actively seeks challenges and obstacles to overcome Embraces the need to dynamically evolve and stay current in knowledge of the technology and information security arenas Able to think outside the box Strong at problem solving, multi-tasking, juggling multiple projects and conflicting priorities Understands the role technology plays in furthering the mission of the academic, business, financial, and administrative units and how to integrate and align strategic goals and objectives of these areas with those in the information security organization
The “Ideal” Security Staff In terms of numbers of dedicated staff, you may find that you never have all the resources that you require Therefore, it is critical to hire security staff members with diverse backgrounds and skill sets that you can leverage along with existing information technology staff to manage and handle the requirements of various programs and initiatives created, such as security awareness, incident response, security tool implementation and management, policy and procedure development, security reviews and audits…
Wrapping Up… A great Information Security Officer can evolve and shape your campus information security program into a dynamic and effective entity! This individual will have a major focus on bringing needed attention to campus security problems and needs and will effectively promote the information security program and seek funding for major initiatives. Don’t take a piecemeal and fractured approach—with various constituent groups developing policies and other groups buying security tools. Hire a leader for your program, develop a sound 3-5 year strategy and integrate security into the existing framework.

More Related Content

PDF
How to Build and Implement your Company's Information Security Program
Financial Poise
 
PPT
Protecting Donor Privacy
Raymond Cunningham
 
PPT
Implementing an Information Security Program
Raymond Cunningham
 
PDF
Cissp notes
Jagbir Singh
 
PPTX
New York Department of Financial Services Cybersecurity Regulations
Shawn Tuma
 
PPT
Statewide Insurance Brokers - Cyber Insurance 101
Statewide Insurance Brokers
 
PPTX
Cybersecurity: What does Cyber Insurance Cover?
Next Dimension Inc.
 
PDF
CMW Cyber Liability Presentation
Sean Graham
 
How to Build and Implement your Company's Information Security Program
Financial Poise
 
Protecting Donor Privacy
Raymond Cunningham
 
Implementing an Information Security Program
Raymond Cunningham
 
Cissp notes
Jagbir Singh
 
New York Department of Financial Services Cybersecurity Regulations
Shawn Tuma
 
Statewide Insurance Brokers - Cyber Insurance 101
Statewide Insurance Brokers
 
Cybersecurity: What does Cyber Insurance Cover?
Next Dimension Inc.
 
CMW Cyber Liability Presentation
Sean Graham
 

What's hot (20)

PPTX
Banks and cybersecurity v2
Semir Ibrahimovic
 
PDF
Simplifying the data privacy governance quagmire building automated privacy ...
Avinash Ramineni
 
PPTX
Cyber Insurance CLE
Sarah Stogner
 
PPTX
Data Confidentiality, Security and Recent Changes to the ABA Model Rules
saurnou
 
PPTX
Information security governance
Koen Maris
 
PPT
Data Risks In A Digital Age
padler01
 
PPT
Information Security Lesson 11 - Policies & Procedures - Eric Vanderburg
Eric Vanderburg
 
PDF
Managed Security For A Not So Secure World Wp090991
Erik Ginalick
 
DOCX
The Role of Information Security Policy
Robot Mode
 
PPTX
Information Security - Back to Basics - Own Your Vulnerabilities
Jack Nichelson
 
PDF
Cisa 2013 ch5
Aladdin Dandis
 
PDF
Information Security Benchmarking 2015
Capgemini
 
PPTX
A Brave New World of Cyber Security and Data Breach
Jim Brashear
 
PPTX
Information Systems Policy
Ali Sadhik Shaik
 
PDF
A CIRO's-eye view of Digital Risk Management
Daren Dunkel
 
PDF
Fadi Mutlak - Information security governance
nooralmousa
 
PDF
Cybersecurity in ME April 25 slides
American Chamber of Commerce in Bahrain
 
PDF
Security Risk Management: ovvero come mitigare e gestire i rischi dei dati at...
festival ICT 2016
 
PPTX
Best practices to mitigate data breach risk
Livingstone Advisory
 
PPTX
Kristina Tanasichuk: Presentation of GTSC/InfraGard Cyber Survey
Government Technology and Services Coalition
 
Banks and cybersecurity v2
Semir Ibrahimovic
 
Simplifying the data privacy governance quagmire building automated privacy ...
Avinash Ramineni
 
Cyber Insurance CLE
Sarah Stogner
 
Data Confidentiality, Security and Recent Changes to the ABA Model Rules
saurnou
 
Information security governance
Koen Maris
 
Data Risks In A Digital Age
padler01
 
Information Security Lesson 11 - Policies & Procedures - Eric Vanderburg
Eric Vanderburg
 
Managed Security For A Not So Secure World Wp090991
Erik Ginalick
 
The Role of Information Security Policy
Robot Mode
 
Information Security - Back to Basics - Own Your Vulnerabilities
Jack Nichelson
 
Cisa 2013 ch5
Aladdin Dandis
 
Information Security Benchmarking 2015
Capgemini
 
A Brave New World of Cyber Security and Data Breach
Jim Brashear
 
Information Systems Policy
Ali Sadhik Shaik
 
A CIRO's-eye view of Digital Risk Management
Daren Dunkel
 
Fadi Mutlak - Information security governance
nooralmousa
 
Cybersecurity in ME April 25 slides
American Chamber of Commerce in Bahrain
 
Security Risk Management: ovvero come mitigare e gestire i rischi dei dati at...
festival ICT 2016
 
Best practices to mitigate data breach risk
Livingstone Advisory
 
Kristina Tanasichuk: Presentation of GTSC/InfraGard Cyber Survey
Government Technology and Services Coalition
 

Viewers also liked (8)

PPTX
New Hire Orientation 2010
madeiraetc
 
PPT
Security Awareness Training for Community Colleges 2009
Donald E. Hester
 
PDF
Business case for Information Security program
William Godwin
 
PPT
Data Protection: We\'re In This Together
myeaton
 
PPTX
New hire orientation
caparton
 
PPT
New Hire Information Security Awareness
hubbargf
 
PDF
NTXISSACSC4 - Introducing the Vulnerability Management Maturity Model - VM3
North Texas Chapter of the ISSA
 
PDF
NTXISSACSC4 - Red, Amber, Green Status: The Human Dashboard
North Texas Chapter of the ISSA
 
New Hire Orientation 2010
madeiraetc
 
Security Awareness Training for Community Colleges 2009
Donald E. Hester
 
Business case for Information Security program
William Godwin
 
Data Protection: We\'re In This Together
myeaton
 
New hire orientation
caparton
 
New Hire Information Security Awareness
hubbargf
 
NTXISSACSC4 - Introducing the Vulnerability Management Maturity Model - VM3
North Texas Chapter of the ISSA
 
NTXISSACSC4 - Red, Amber, Green Status: The Human Dashboard
North Texas Chapter of the ISSA
 

Similar to How Do You Create A Successful Information Security Program Hire A Great Iso!! (20)

PPTX
UCISA cyber incident response toolkit.pptx
ucisa
 
PPT
Information Security Awareness And Training Business Case For Web Based Solut...
Michael Kaishar, MSIA | CISSP
 
PDF
ICISS Newsletter Sept 14
Capt SB Tyagi, COAC'CC*,FISM,CSC,
 
DOCX
Advisory from Professionals Preparing Information .docx
katherncarlyle
 
DOCX
Advisory from Professionals Preparing Information .docx
daniahendric
 
PPTX
Optimizing Security Operations: 5 Keys to Success
Sirius
 
PPTX
Does Anyone Remember Enterprise Security Architecture?
rbrockway
 
PDF
Information Security Analyst- Infosec train
InfosecTrain
 
PDF
Virtual Chief Information Security Officer | VCISO | Cyber Security
Cyber Security Experts
 
PDF
Exploration Draft Document- CEM Machine Learning & AI Project 2018
Leslie McFarlin
 
PPTX
Business value of Enterprise Security Architecture
Ajay Kumar Uppal
 
PDF
New technologies - Amer Haza'a
Fahmi Albaheth
 
PDF
Core Needs of Cybersecurity Companies (1).pptx (1).pdf
apurvar399
 
PDF
Core Needs of Cybersecurity Companies (1).pptx (2).pdf
apurvar399
 
PDF
Security operations center inhouse vs outsource
Netmagic Solutions Pvt. Ltd.
 
PDF
Security operations center inhouse vs outsource
Netmagic Solutions Pvt. Ltd.
 
PDF
Enterprise Architecture - Information Security
Ajay Kumar Uppal
 
PDF
Fissea09 mgupta-day3-panel process-program-build-effective-training
Swati Gupta
 
PDF
CISSO Certification| CISSO Training | CISSO
SagarNegi10
 
PDF
CISSO Certification | CISSO Training | CISSO
SagarNegi10
 
UCISA cyber incident response toolkit.pptx
ucisa
 
Information Security Awareness And Training Business Case For Web Based Solut...
Michael Kaishar, MSIA | CISSP
 
ICISS Newsletter Sept 14
Capt SB Tyagi, COAC'CC*,FISM,CSC,
 
Advisory from Professionals Preparing Information .docx
katherncarlyle
 
Advisory from Professionals Preparing Information .docx
daniahendric
 
Optimizing Security Operations: 5 Keys to Success
Sirius
 
Does Anyone Remember Enterprise Security Architecture?
rbrockway
 
Information Security Analyst- Infosec train
InfosecTrain
 
Virtual Chief Information Security Officer | VCISO | Cyber Security
Cyber Security Experts
 
Exploration Draft Document- CEM Machine Learning & AI Project 2018
Leslie McFarlin
 
Business value of Enterprise Security Architecture
Ajay Kumar Uppal
 
New technologies - Amer Haza'a
Fahmi Albaheth
 
Core Needs of Cybersecurity Companies (1).pptx (1).pdf
apurvar399
 
Core Needs of Cybersecurity Companies (1).pptx (2).pdf
apurvar399
 
Security operations center inhouse vs outsource
Netmagic Solutions Pvt. Ltd.
 
Security operations center inhouse vs outsource
Netmagic Solutions Pvt. Ltd.
 
Enterprise Architecture - Information Security
Ajay Kumar Uppal
 
Fissea09 mgupta-day3-panel process-program-build-effective-training
Swati Gupta
 
CISSO Certification| CISSO Training | CISSO
SagarNegi10
 
CISSO Certification | CISSO Training | CISSO
SagarNegi10
 

More from Tammy Clark (10)

PPT
Supplement To Student Guide Seminar 03 A 3 Nov09
Tammy Clark
 
PPTX
The Cost Of Preventing Breaches Educause Nat Conf Denver Nov 09
Tammy Clark
 
PPT
The Impact Of Breaches On Higher Ed Tlc 27 Sep09
Tammy Clark
 
PPT
Developing A Risk Based Information Security Program
Tammy Clark
 
PPT
Giving The Heave Ho To Worms, Spyware, And Bots!
Tammy Clark
 
PPT
Gs Us Roadmap For A World Class Information Security Management System– Isoie...
Tammy Clark
 
PPT
How Technology, People, And Processes Converged To Achieve A 95 Percent Reduc...
Tammy Clark
 
PPT
How To Successfully Defend Against Irc Bots, Compromises, And Information Leaks
Tammy Clark
 
PPT
Mc Afee And Georgia State University Taking Aim At Network Intruders With I...
Tammy Clark
 
PPT
Start With A Great Information Security Plan!
Tammy Clark
 
Supplement To Student Guide Seminar 03 A 3 Nov09
Tammy Clark
 
The Cost Of Preventing Breaches Educause Nat Conf Denver Nov 09
Tammy Clark
 
The Impact Of Breaches On Higher Ed Tlc 27 Sep09
Tammy Clark
 
Developing A Risk Based Information Security Program
Tammy Clark
 
Giving The Heave Ho To Worms, Spyware, And Bots!
Tammy Clark
 
Gs Us Roadmap For A World Class Information Security Management System– Isoie...
Tammy Clark
 
How Technology, People, And Processes Converged To Achieve A 95 Percent Reduc...
Tammy Clark
 
How To Successfully Defend Against Irc Bots, Compromises, And Information Leaks
Tammy Clark
 
Mc Afee And Georgia State University Taking Aim At Network Intruders With I...
Tammy Clark
 
Start With A Great Information Security Plan!
Tammy Clark
 

How Do You Create A Successful Information Security Program Hire A Great Iso!!

  • 1. How Do You Create a Successful Information Security Program? Hire a GREAT ISO!! Tammy L. Clark, CISSP, CISM, CISA Information Security Officer Georgia State University
  • 2. A Little Background on Me… Hired as a consultant to design a security program for GSU in April 2000 Started the program in July 2000 Began with a strategic 3-5 year plan “ Sold” the program to campus constituents and implemented security solutions that would make an immediate impact--the big bang! Apathy has changed to empathy on our campus!
  • 3. Developing an Information Security Program The best approach is a strategic one Throwing together various solutions without adequate planning may work in the short term, but is disastrous in the long term! Similar but more granular than the role the CIO plays in the overall IT organization—you need a CISO to lead your information security program The key is selecting the right person and empowering them to effect positive changes
  • 4. Taking a Strategic View of Things START with a 3-5 year strategic security plan, as well as a plan outlining the tactical approach that will be taken, and annual project plans to project what priorities will be tackled and what resources and budget will be necessary each year OVER 95% of universities I’ve surveyed over the past 5 years do not have a strategic information security plan that details how the information security department or function will align itself as an enabler of the information technology, business and academic objectives PRIORITIZE your needs when it comes to budgeting for information security—unless you are one of those entities fortunate enough to have millions to spend on security solutions and endeavors, you will find it necessary to carefully select the solutions, resources, and program initiatives that your university will focus on each year
  • 5. Confidentiality, Integrity, and Availability The goals of an effective program Develop clear and unambiguous policies, guidelines and standards Protect sensitive data Prevent unauthorized intrusions, access, tampering Ensure business continuity and operational efficiency Assess risks, threats and vulnerabilities accurately Detect and remediate security incidents quickly
  • 6. People, Processes, and Technology Technical solutions without processes are ineffective Processes without trained and motivated people to implement them are useless People without training, motivation, or understanding can negate the effectiveness of technology and processes
  • 7. An In-depth and Layered Defense The information security strategic, tactical and annual project plans should focus on developing an in-depth and layered approach to integrating information security tools into the existing network infrastructure, as well as making key decisions about how your university will choose to protect your information technology resources For example, at GSU, we’ve chosen to focus on a strategy of IPS and AV at the edge of the network, firewalls and ACLs to protect key segments of the campus, IPS and AV on desktops and many campus servers, VPN and Bluesocket boxes in the wireless areas, and the Perfigo security gateway solution to ensure that housing residents’ systems are running specific security software we require to grant them network access The tools we are leveraging today started with an overall strategy of securing campus hosts rather than deploying a network firewall at the edge, and have evolved over time as security solutions have seasoned and added new capabilities—we build relationships with the vendors we do business with and thoroughly evaluate a new vendor’s technology and their capacity to provide continued support and enhancements. We have limited dollars to spend and must do so wisely.
  • 8. Evangelizing the Masses ALL it takes is hackers exploiting a single workstation or server that processes sensitive student information or stores user credit card info to land your university on the 6:00 p.m. newscast! CONFUSION reigns among many campus users about how to protect their workstations from the numerous methods employed to install backdoors, IRC bots, worms, and spyware—they seek leadership and guidance to help prevent these problems. THANKS to all the attention garnered by the MyDoom, Blaster, Sasser, etc., the university community as a whole cares more now about information security than ever before!
  • 9. Why Committees and IT Staff Members Can Assist But Not Lead Important to include these constituents in policy, procedural and potentially security solutions evaluations—they are well suited to assist or provide feedback in these important areas BUT.. Generally speaking—committees are composed of individuals with responsibilities that are not focused around information security; therefore, their number one priority is their own job responsibilities, not developing and nurturing an information security program, which takes a huge amount of care and feeding upfront Information technology professionals often lack the business management background to tackle program issues from a C-level standpoint—additionally, many have built up expertise in one or two areas of technology and lack the overall breadth of information technology and specific information security experience to tackle the challenging role of the ISO
  • 10. Why You Need an ISO Leadership Vision Integrity Dedication Catalyst for change Promote the perception of information security as a value add Negotiate effectively with security solutions vendors to procure the best solution for your university at the best price Evangelize the masses
  • 11. Real World Examples A university without an ISO charges the network manager to deploy some security solutions—since they are a Cisco “shop,” the manager buys a number of Cisco’s security tools including some Pix firewalls, IDS, and the Cisco Security Agents. A year later, the hardware procured is in a storage closet and the CSA’s have not been deployed. The manager is of the opinion that this will have to wait until necessary funding for training can happen. A CIO decides that “something” has to be done about the university’s lack of a way to detect or prevent attacks on the network and lately, the network has been crippled by Sasser infections, IRC bots, P2P distributions and spyware running on university workstations. He talks to a firewall vendor and the vendor talks him into placing a firewall appliance at the edge of the campus network to block all the “bad” stuff. After a couple of days of numerous help desk calls and complaints, the firewall is basically configured to allow rather than permit most traffic coming in and out of the campus
  • 12. What is it Going to Cost You… It may actually cost you more to deploy various security solutions without a clear and focused strategy or evaluation from a technical, risk, and business continuity standpoint than it would to hire an ISO! Time and time again, I’ve seen universities buying solutions without having a strategic security plan in place, without evaluating these tools, without integrating and layering them into the existing network infrastructure ONLY to have to replace these solutions or abandon them and spend money to buy new ones Uncontained RPC worm infections, IRC bots, illegal warez servers, given the man hours (in terms of salary dollars for IT staff members) that must be spent reinstalling compromised workstations or fixing network performance problems caused by denial of service attacks and other security related problems are a recovery cost that you want to avoid. Hire an ISO and start tackling these problems NOW!
  • 13. Selecting an ISO Choose wisely as this position is pivotal to the success of your information security program. Look for a wide breadth of information technology experience, solid evidence of leadership, project management, business management and/or analysis skills and training, and (optionally) security certifications. HIRE an ISO who can evaluate and deploy numerous types of security (IDS/IPS/firewall) solutions. The ISO needs to have the skill set to analyze and understand the data culled from various security solutions and logs in order to develop effective incident prevention and management strategies. HIRE an ISO who can write sound policies and procedures, communicate effectively with diverse constituent groups, develop strategic and project plans, security awareness presentations and materials, facilitate and create committees and working groups, provide direction and guidance to information technology employees responsible
  • 14. Typical Duties of an ISO Develop policies and guidelines Incident prevention, response and management Security awareness Security tool selection and deployment Security audits and reviews Focal point for providing information and guidance to the campus about threats and vulnerabilities Management of key security operational systems, such as anti virus, IDS/IPS, firewalls
  • 15. Most Effective Reporting Structure Although there are ISO’s (including myself) who report to a director or manager level information technology staff member, the measure of influence that can be gained by being aligned underneath the CIO is invaluable However, if you are able to get your “message” across to multiple constituent groups and build strong alliances on campus with information technology staff members, faculty, students, and campus leaders in the police, legal affairs, public relations, human resources, student information and financial organizations, you can also effect positive outcomes and really motivate these organizations and people to collaborate with you in ensuring your information security program is accomplishing major goals and objectives established By the way, your “message” needs to address and appeal to the issues and needs of each constituent organization or individual that you deal with—One message does not fit all!
  • 16. What Background is Most Desirable? Harry Shah, CISO of Marsh, a risk and insurance services provider, sums it up this way: "A CSO has to be a futurist, an evangelist, a technology manager, a cheerleader, a change agent, a good bureaucrat, a very good policy-maker, a negotiator and a legal expert. And on a good day, he also has to be a security engineer."
  • 17. Are Certifications Important? CISSP – Certified Information Systems Security Professional SSCP – Systems Security Certified Practitioner CISM – Certified Information Security Manager CISA – Certified Information Systems Auditor GIAC – Global Information Assurance Certification CPP – Certified Protection Professional CompTIA Security+ Certification Forensics and Ethical Hacking (various) Vendor security certifications (ISS, Cisco, etc.)
  • 18. Specific and Unique Qualities Actively seeks challenges and obstacles to overcome Embraces the need to dynamically evolve and stay current in knowledge of the technology and information security arenas Able to think outside the box Strong at problem solving, multi-tasking, juggling multiple projects and conflicting priorities Understands the role technology plays in furthering the mission of the academic, business, financial, and administrative units and how to integrate and align strategic goals and objectives of these areas with those in the information security organization
  • 19. The “Ideal” Security Staff In terms of numbers of dedicated staff, you may find that you never have all the resources that you require Therefore, it is critical to hire security staff members with diverse backgrounds and skill sets that you can leverage along with existing information technology staff to manage and handle the requirements of various programs and initiatives created, such as security awareness, incident response, security tool implementation and management, policy and procedure development, security reviews and audits…
  • 20. Wrapping Up… A great Information Security Officer can evolve and shape your campus information security program into a dynamic and effective entity! This individual will have a major focus on bringing needed attention to campus security problems and needs and will effectively promote the information security program and seek funding for major initiatives. Don’t take a piecemeal and fractured approach—with various constituent groups developing policies and other groups buying security tools. Hire a leader for your program, develop a sound 3-5 year strategy and integrate security into the existing framework.