A New CISO's To-Do List

‘Make or break’ actions for a chief information security officer’s first year

Brian NicholsBrian Nichols is the chief IT security and policy officer at Louisiana State University. He advises the CIO and university administration on technology deployment, usage, and security issues, and he directs LSU’s IT Security and Policy office. His daily concerns range from security standards and policy administration, to incident response and disaster recovery/business continuity planning. Nichols uses vehicles such as technical risk assessment programs, forensics, security reviews, and consulting to achieve his goals. He is a member of the Educause/ Internet2 Computer and Network Security Task Force, and is active in community efforts to improve overall security in higher education. As LSU’s first-ever CISO, he’s navigated uncharted waters during his first year on the job. Here, he shares his top “to-do” list for new CISOs.

Want to be considered for Campus Technology’s Top 10? Send your countdown and a brief background/bio summary to [email protected]

10

Find out what others are doing.

  • Network: Attend conferences and visit other institutions.
  • Pay particular attention to the mistakes others are willing to disclose.
  • Develop a “safety net” of peers.
9

Exchange information on security-related events with the community.

  • Join an Information Sharing and Analysis Center (ISAC) such as Indiana University’s REN-ISAC.
  • Information you report about attacks, viruses, and worms can have a positive impact at the national level.
8

Request an independent, outside security audit.

  • An audit should provide a benchmark of best practices in the field.
  • As a new CISO, you’ll get a roadmap of what you’ll need to be successful.
7

Establish an IT security and policy advisory team.

  • You’re not the Lone Ranger! Forget the macho efforts.
  • Security is a shared responsibility, so draw in that “mind share” around campus.
  • Create a communications pipeline so policies won’t be viewed as bureaucracy.
6

Develop an IT security and policy website.

  • Alert people to incidents, and provide the full story.
  • Share broad IT policy efforts and communicate best security practices.
5

Develop a plan to secure sensitive data and respond to security breaches.

  • Distribute procedures for those who suspect an incident.
  • Ensure legal obligations are being met by the university.
  • Make sure you are empowered to act on behalf of the institution.
4

Advance a risk management strategy.

  • Security must be proactively managed due to the changing nature of threats.
  • Create an ongoing process for identifying risks and implementing plans to address them.
  • Remember, yours is a race with no finish line.
3

Continuously monitor, measure, and report security posture to senior administration.

  • Buy-in and support from senior administration is critical.
  • Raise the “visibility” of security as a campuswide concern.
2

Develop methods and procedures for classifying, handling, and disseminating information resources.

  • It is better to store sensitive data on a centrally managed server.
  • Perform reviews for data stored within colleges and departments.
  • Provide education about why data should be classified.
1

Develop an IT disaster recovery plan.

  • IT is a strategic asset, and loss of the IT environment can cripple an institution.
  • Get input from the campus community and support from senior administration.
  • Make sure your institution is prepared to recover critical resources on short notice and can ensure continuity of operations.

Featured

  • glowing digital brain-shaped neural network surrounded by charts, graphs, and data visualizations

    Google Releases Advanced AI Model for Complex Reasoning Tasks

    Google has released Gemini 2.5 Deep Think, an advanced artificial intelligence model designed for complex reasoning tasks.

  • abstract pattern of cybersecurity, ai and cloud imagery

    OpenAI Report Identifies Malicious Use of AI in Cloud-Based Cyber Threats

    A report from OpenAI identifies the misuse of artificial intelligence in cybercrime, social engineering, and influence operations, particularly those targeting or operating through cloud infrastructure. In "Disrupting Malicious Uses of AI: June 2025," the company outlines how threat actors are weaponizing large language models for malicious ends — and how OpenAI is pushing back.

  • cybersecurity book with a shield and padlock

    NIST Proposes New Cybersecurity Guidelines for AI Systems

    The National Institute of Standards and Technology has unveiled plans to issue a new set of cybersecurity guidelines aimed at safeguarding artificial intelligence systems, citing rising concerns over risks tied to generative models, predictive analytics, and autonomous agents.

  • magnifying glass highlighting a human profile silhouette, set over a collage of framed icons including landscapes, charts, and education symbols

    AWS, DeepBrain AI Launch AI-Generated Multimedia Content Detector

    Amazon Web Services (AWS) and DeepBrain AI have introduced AI Detector, an enterprise-grade solution designed to identify and manage AI-generated content across multiple media types. The collaboration targets organizations in government, finance, media, law, and education sectors that need to validate content authenticity at scale.