Thrown into the Deep End

• 07/11/06

Brian T. Nichols, Louisiana State University

Many institutions have created high-level positions with responsibility for IT security and policy –and some are newly established posts. What’s required to navigate these relatively uncharted waters?Brian Nichols shares lessons learned after nearly one year as Louisiana State University’s very first chief security and policy officer.

Brian T. Nichols is the chief IT security and
policy officer at Louisiana State University.

When appointed as Louisiana State University’s first chief IT security and policy officer last year, I was energetic and ready to go. I can recall sitting across the table from the CIO when I accepted. “Brian, you’re the first of your kind here, so there’s no roadmap to follow,” he told me. “Hmm,” I thought, “I’m being thrown into the deep end. I hope I learn to swim fast!”

As I complete my first year I’d like to share some thoughts on what any new CISO needs to know. Those long in the profession will certainly relate, but perhaps my observations will have greater value for anyone starting out, or considering a career as a CISO. Here are seven things I wish I’d known as I hit the water “in the deep end.”

1. Find out what others are doing. This is a growing profession, with many opportunities to get together with peers. My first month on the job, I attended conferences and visited a university known for its state-of-the-art security and policy function. The conferences and on-site visit provided opportunities to network, meet colleagues, learn how others had established security and policy functions, and more importantly, what mistakes others had made. It gave a vision of what I was striving to build at my institution – a model home if you will. What I learned was that others had experienced “growing pains” in establishing security and policy functions. I learned I wasn’t alone in the deep end!

2. Share information. Part of becoming a member of this community is giving back as you’re taking from it. One way to share information is to join an Information Sharing and Analysis Center (ISAC). ISACs provide a means to obtain information from reliable sources, report anonymously, and obtain expertise. The REN-ISAC at Indiana University’s Global Network Operations Center is an effort to improve network security in higher education. By “linking up” with an ISAC, you’re no longer in the deep end by yourself.

3. Request an independent, outside security audit. My CIO offered to provide funding to review IT policy and security. I accepted, but admit my initial reaction was anxiety-laden. I was wary that when the boss brings in an outside consultant to look at your area, polish up your resume! But I had just started, so surely this wasn’t the point, right? It was actually the best thing that could have happened. The review provided an objective look at the state of IT security and input into our IT strategic planning process – our Flagship IT Strategy. It provided recommendations to construct a roadmap for needed changes to help me begin my way out of the deep end.

4. Establish an IT Security and Policy Advisory Team. CISOs often feel alone in efforts on our campuses because we want to be the “lone gun” trying to solve problems single-handedly. Security is a shared responsibility that requires diligence from everyone. Hence, it makes sense to draw participation from the campus to expand the breadth of “mind-share.” One way is to do this is establishing committees to create a communication pipeline so efforts aren’t viewed as actions of a bureaucracy. In January 2006, I established an IT Security and Policy Advisory Committee that enabled the implementation of policies and provided input for security plans. Security has now become a leading-edge issue in establishing relationships between our IT organization and other departments. Here, again, I’m teaming up with others, bringing them into the “deep end” to help me stay afloat while we all learn to swim!

5. Develop an IT Security and Policy Web Site. One of the best ways to communicate is via the Web. Developing an IT security Web site provides a means of sharing information. The Web site becomes a reference desk that alerts people of incidents and provides the full story. We’re using our IT security and policy Web site to communicate best practices and to share IT policy efforts. The longer the site is up, the more hits it’s getting from our community. We’re definitely starting to make our way out of the “deep end!”

6. Develop a plan to secure sensitive data and respond to security breaches. The rise in incidences of identity theft makes it imperative that measures be taken to protect data. Our role must involve developing and distributing procedures that outline what to do when sensitive data may have been compromised, acting as coordinators of handling incidents, and ensuring that the university fulfills obligations under the law. We’ve put effort into developing our Web site to include information about security breach laws and worked with our provost so that the CIO, as well as myself, as CISO, are empowered to act on behalf of the institution. This is a key step that defines our role and helps ensure a path out of this very deep part of the “deep end.”

7. Continuously monitor, measure, and report security posture to senior administration. Buy-in and support from senior administration is critical in establishing an IT security and policy function. We must develop a forum for identifying topics of concern as a means of raising the “visibility” of security. At my urging, my CIO makes a short statement about the state of security at senior staff meetings. So having succinct, executive-style sound-bytes helps my CIO to “sell the point” and ensures that top levels of the institution are engaged as partners.

Completing the first year in the “deep end”

So have I made it out of the deep end? Well, no, not yet. In fact, I don’t think I’ll ever be out of the deep end! Because this isn’t about getting out of these deep waters, but learning how to survive in the threatening environment of higher education IT security and policy. The goal of any first year CISO, in my opinion, should be to learn to swim. We have to learn to make waters safer, but because of the open nature of university environments, the task is learning how to remain true to our function, and through process, policy, techniques, and communication, to make it a safer place. We can’t control how deep the water will be, but we can learn to control how we manage to exist in those deep, deep waters.