A New CISO's To-Do List

‘Make or break’ actions for a chief information security officer’s first year

Brian NicholsBrian Nichols is the chief IT security and policy officer at Louisiana State University. He advises the CIO and university administration on technology deployment, usage, and security issues, and he directs LSU’s IT Security and Policy office. His daily concerns range from security standards and policy administration, to incident response and disaster recovery/business continuity planning. Nichols uses vehicles such as technical risk assessment programs, forensics, security reviews, and consulting to achieve his goals. He is a member of the Educause/ Internet2 Computer and Network Security Task Force, and is active in community efforts to improve overall security in higher education. As LSU’s first-ever CISO, he’s navigated uncharted waters during his first year on the job. Here, he shares his top “to-do” list for new CISOs.

Want to be considered for Campus Technology’s Top 10? Send your countdown and a brief background/bio summary to [email protected]

10

Find out what others are doing.

  • Network: Attend conferences and visit other institutions.
  • Pay particular attention to the mistakes others are willing to disclose.
  • Develop a “safety net” of peers.
9

Exchange information on security-related events with the community.

  • Join an Information Sharing and Analysis Center (ISAC) such as Indiana University’s REN-ISAC.
  • Information you report about attacks, viruses, and worms can have a positive impact at the national level.
8

Request an independent, outside security audit.

  • An audit should provide a benchmark of best practices in the field.
  • As a new CISO, you’ll get a roadmap of what you’ll need to be successful.
7

Establish an IT security and policy advisory team.

  • You’re not the Lone Ranger! Forget the macho efforts.
  • Security is a shared responsibility, so draw in that “mind share” around campus.
  • Create a communications pipeline so policies won’t be viewed as bureaucracy.
6

Develop an IT security and policy website.

  • Alert people to incidents, and provide the full story.
  • Share broad IT policy efforts and communicate best security practices.
5

Develop a plan to secure sensitive data and respond to security breaches.

  • Distribute procedures for those who suspect an incident.
  • Ensure legal obligations are being met by the university.
  • Make sure you are empowered to act on behalf of the institution.
4

Advance a risk management strategy.

  • Security must be proactively managed due to the changing nature of threats.
  • Create an ongoing process for identifying risks and implementing plans to address them.
  • Remember, yours is a race with no finish line.
3

Continuously monitor, measure, and report security posture to senior administration.

  • Buy-in and support from senior administration is critical.
  • Raise the “visibility” of security as a campuswide concern.
2

Develop methods and procedures for classifying, handling, and disseminating information resources.

  • It is better to store sensitive data on a centrally managed server.
  • Perform reviews for data stored within colleges and departments.
  • Provide education about why data should be classified.
1

Develop an IT disaster recovery plan.

  • IT is a strategic asset, and loss of the IT environment can cripple an institution.
  • Get input from the campus community and support from senior administration.
  • Make sure your institution is prepared to recover critical resources on short notice and can ensure continuity of operations.

Featured

  • MathGPT

    MathGPT AI Tutor Now Out of Beta

    Ed tech provider GotIt! Education has announced the general availability of MathGPT, an AI tutor and teaching assistant for foundational math support.

  • landscape photo with an AI rubber stamp on top

    California AI Watermarking Bill Garners OpenAI Support

    ChatGPT creator OpenAI is backing a California bill that would require tech companies to label AI-generated content in the form of a digital "watermark." The proposed legislation, known as the "California Digital Content Provenance Standards" (AB 3211), aims to ensure transparency in digital media by identifying content created through artificial intelligence. This requirement would apply to a broad range of AI-generated material, from harmless memes to deepfakes that could be used to spread misinformation about political candidates.

  • Two shadowy figures sit at computers with glowing screens, surrounded by floating digital codes in a dark, high-tech environment

    Reports Note Increasing Threat of Nation-State-Sponsored Cyber Attacks

    A bevy of new cybersecurity reports point to the continuing problem of nation-state-sponsored threat actors. The primary culprits have long been Russia, China, Iran, and North Korea, which all show up in recently published reports from Microsoft, IBM, Tenable, and Fortinet.

  • stylized illustration of an open laptop displaying the ChatGPT interface

    'Early Version' of ChatGPT Windows App Now Available to Paid Users

    OpenAI has announced the release of the ChatGPT Windows desktop app, about five months after the macOS version became available.