As Universities return for the beginning of a new academic year, never has the role of Chief Information Security Officers (CISOs) been more important. Some will be continuing an ongoing strategic campaign while others may be settling into new roles and, quite frankly, may be wondering what on earth they have let themselves in for.
Not only are they expected to be responsible for the strategic leadership of the University’s information security program, they are also required to anticipate and respond to the fastest-moving environment on campus without ever getting it wrong. For just one breach will have huge financial consequences and a catastrophic impact on the reputation of the University.
Like any business, a University’s reputation is a precious, and marketable, asset. And like any other business, its employees have other jobs to concentrate on. Those who work in a University environment know that academics are not always the most collaborative of souls; some even liken managing whole-campus efforts to that most difficult of tasks, namely herding cats.
Yet working in collaboration with everyone from the maintenance crew to the senior professors is essential because, without their full involvement, precious information cannot be protected from some of the most intelligent and ingenious minds of a generation who, for whatever reason, have opted to use their talents for the Dark Side. Cyber criminals and the webs they weave are not only brilliantly clever, they are also constantly evolving.
So, where should a newly appointed CISO begin? Here is a suggested plan of action for the first 30 days:
- People: get to know the people you need to have good working relationships with. These will include your colleagues in the IT department as well as key stakeholders across all other departments;
- Job description: review your job description. This will tell you what is expected of you, but it is important to ascertain what may have been omitted so that you can pre-empt any resource issues;
- Resource: assess the resources of the IT security department and review its existing services and activities. Now is the time to determine what you have or are reasonably able to establish, as well as what additional resource or expertise you may need to contract in;
- Guidance: access all available guidance but be cautious about believing everything you read. Prioritise advice provided by industry experts with a proven track record and experience in this particular field;
- Belt and braces: think strategically about how your department can, from the outset, fulfil its designated role: ensuring the safety of all personal data, information and systems. The buck stops here.
- Register with SRM to receive updates on the role of CISOs in Universities.