A New CISO's To-Do List
‘Make or break’ actions for a chief information security officer’s first year
Brian Nichols is the chief IT
security and policy officer at
Louisiana State University.
He advises the CIO and university
administration on technology
deployment, usage, and
and he directs
LSU’s IT Security
and Policy office.
His daily concerns
range from security
and policy administration,
response and disaster
planning. Nichols uses vehicles
such as technical risk assessment
security reviews, and consulting
to achieve his goals. He is
a member of the Educause/
Internet2 Computer and
Network Security Task Force,
and is active in community
efforts to improve overall
security in higher education.
As LSU’s first-ever CISO, he’s
navigated uncharted waters
during his first year on the job.
Here, he shares his top “to-do”
list for new CISOs.
Want to be considered for Campus Technology’s Top 10? Send your countdown and a brief background/bio summary to firstname.lastname@example.org
Find out what others are doing.
- Network: Attend conferences and visit other institutions.
- Pay particular attention to the mistakes others are willing to disclose.
- Develop a “safety net” of peers.
Exchange information on security-related events with the community.
- Join an Information Sharing and Analysis Center (ISAC) such as
Indiana University’s REN-ISAC.
- Information you report about attacks, viruses, and worms can have a positive
impact at the national level.
Request an independent, outside security audit.
- An audit should provide a benchmark of best practices in the field.
- As a new CISO, you’ll get a roadmap of what you’ll need to be successful.
Establish an IT security and policy advisory team.
- You’re not the Lone Ranger! Forget the macho efforts.
- Security is a shared responsibility, so draw in that “mind share” around campus.
- Create a communications pipeline so policies won’t be viewed as bureaucracy.
Develop an IT security and policy website.
- Alert people to incidents, and provide the full story.
- Share broad IT policy efforts and communicate best security practices.
Develop a plan to secure sensitive data and respond to security breaches.
- Distribute procedures for those who suspect an incident.
- Ensure legal obligations are being met by the university.
- Make sure you are empowered to act on behalf of the institution.
Advance a risk management strategy.
- Security must be proactively managed due to the changing nature of threats.
- Create an ongoing process for identifying risks and implementing plans to
- Remember, yours is a race with no finish line.
Continuously monitor, measure, and report security posture
to senior administration.
- Buy-in and support from senior administration is critical.
- Raise the “visibility” of security as a campuswide concern.
Develop methods and procedures for classifying, handling,
and disseminating information resources.
- It is better to store sensitive data on a centrally managed server.
- Perform reviews for data stored within colleges and departments.
- Provide education about why data should be classified.
Develop an IT disaster recovery plan.
- IT is a strategic asset, and loss of the IT environment can cripple an institution.
- Get input from the campus community and support from senior administration.
- Make sure your institution is prepared to recover critical resources on short
notice and can ensure continuity of operations.