The Rise of the CISO

The 'chief information security officer' role is increasingly important for higher ed, as new cyber security challenges loom on the horizon.

THE LATE 1980s was an exciting time to be a CIO in higher education. Computing was being decentralized as microcomputers replaced mainframes, networking was emerging, and the National Science Foundation Network (NSFNET) was introducing the concept of an “internet” to hundreds of thousands of new users. Security wasn’t much of an issue; the big debate on campus was whether to regulate access to the alt.sex newsgroups. An institution’s systems group handled IT security as an afterthought. None of us had a “chief information security officer”—or anything like it.

Now, two decades later, cyber security is routinely identified as the top concern of higher ed CIOs, according to the Campus Computing Project’s 2006 National Survey of Information Technology in US Higher Education. And with good reason: The CDW-G Higher Education IT Security Report Card 2006 (newsroom.cdwg.com/features/feature-10-10-06.html) indicates that 56 percent of all higher ed institutions have experienced at least one security incident in the last year.

The CISO in Higher Ed

With the growing importance of security, it is not surprising that the responsibility for IT security has moved to senior IT management or dedicated IT security professionals. Forty percent of institutions now have a formally designated chief information security officer, up from 22 percent in 2003, according to Safeguarding the Tower: IT Security in Higher Education 2006, a study from the Educause Center for Applied Research (ECAR).

The person responsible for IT and information security (as well as related audits) may have a variety of titles: information security officer (ISO), IT security manager, or director of information security. Although common in the corporate world, the use of the functional descriptor “chief security officer” (CSO) or “chief information security officer” (CISO) is less common in higher ed. Because the term “chief security officer” is used by many companies for a position that is also responsible for physical security and the safety of employees, the term “chief information security officer” is becoming more prevalent for individuals with an exclusive cyber security focus.

At the same time, the role of the CISO is evolving from a technologist responsible for computer systems administration, to someone with campuswide responsibility for information security policy, regulatory compliance, and financial tradeoffs, as well as technically oriented computer/network security and incident response, says Stan Gatewood, CISO at the University of Georgia. He has addressed this broader role by implementing a five-point information security strategy based on risk management; business continuity and disaster recovery planning; policy and management compliance; incident response; and security awareness, training, and education. This comprehensive, integrated approach allows the CISO office to go beyond a computer- and network-centric view of security, and take into account overall policy, regulatory, financial, political, and social issues. This broader view better serves the institution’s mission by assuring confidentiality, integrity, and availability of the school’s information and information systems.

Breaking Through Cyber Security Barriers

In the CDW-G report, respondents identified lack of funding, too few staff resources, and the higher education culture as the top three barriers to improving cyber security in higher ed. Fortunately, IT officers in the trenches are working to overcome such challenges, and as a result, dedicated security groups and institutional self-evaluation efforts have emerged in higher ed.

Shortly after assuming the position of information security manager at the University of South Carolina in 2006, Jason Richardson identified the lack of a dedicated security group as a critical problem. At the time, Richardson and several others within the networking group split their time between networking and security duties. To help convince his management of the need for a dedicated security team, Richardson conducted an informal survey of staff resources devoted to IT security at other campuses (his full results are available here). He received 40 responses in two weeks. The number of full-time staff dedicated to information security ranged from zero to 13, and though there was some correlation between institution size and the number of staff, there were numerous cases of small colleges with the same staffing as large research universities. Yet, the growing support for information security was clear. South Carolina now has a dedicated security group (consisting of Richardson and three others) that reports to the deputy CIO. They are developing a comprehensive security program based on best practices and standards such as ISO 17799 and ISO 27001.

Though higher ed’s culture of openness can be difficult to reconcile with better security, it’s not impossible, says Georgia’s Gatewood. For example, the University of Georgia has enhanced its security strategy with a program called ASSETS: Automated Security Self-Evaluation Tools, for identifying and evaluating risks to data and computers in UGA’s highly decentralized and research-oriented environment.

3 Tips: Hiring a CISO

1:: Look to other industries. A 2005 CSO magazine survey, weighted to corporate responses, found that 63 percent of CISOs have an information security background, 35 percent come from corporate security, and 32 percent are from the military.

2:: Consider peer advice. Louisiana State University’s Brian Voss, CIO, and Brian Nichols, chief IT security and policy officer, will discuss the role of the CISO in a session entitled “Introducing: The New CISO on Campus,” at Campus Technology 2007, July 30-Aug. 2, in Washington, DC.

Tammy Clark, information security officer at Georgia State University, also presented a number of useful tips in her 2004 Educause conference presentation, "How Do You Create a Successful Information Security Program? Hire a Great ISO!"

3:: KYCA: Know Your Certification Acronyms. There are a number of certifications available. For example, the Information Systems Security Certification Consortium offers the Certified Information Systems Security Professional (CISSP) and Systems Security Certified Practitioner (SSCP) certifications. However, the widely used CISSP certification is based on a broad understanding of security principles and does not measure in-depth technical knowledge.

In addition, individual vendors such as Cisco Systems and Internet Security Systems offer more technically based certifications for their products.

Some other common certifications include Certified Information Security Manager (CISM) and Certified Information Systems Auditor (CISA) from the Information Systems Audit and Control Association; Global Information Assurance Certification; and Certified Protection Professional (CPP) from ASIS International.

Caveat: Certifications are only a crude measure of qualification and do not substitute for good personnel and hiring

CISO Challenge: Emerging Optical Networks

What is the impact of optical networks such as the National LambdaRail and Internet2’s NewNet on information security and the role of the CISO? These networks not only provide traditional internet connectivity at much higher speed, but also add the ability to provision dedicated wavelengths (called lambdas) between two points. In technical terms, internet connectivity provides the user with layer-3 services, whereas a dedicated lambda provides the user with layer-1 services. By analogy, traditional internet connectivity gives the user control of a car running on a highway system that he or she does not control. A dedicated lambda gives the user control of the highway, which can now be used for a car, a semi, or as a walking path.

The flexibility and power of optical networks elicit the question: Are these new optical networks more or less secure than current networks? Joe St Sauver, director of user services and network applications at the University of Oregon, has the following Zen-like answer: “They add no new security issues and they add many new security issues.” Other security experts agree.

But South Carolina’s Richardson points out that “data is data”: The basic security issues don’t change. Although faster networks will require faster firewalls and network appliances, the underlying policy structures and access control mechanisms remain the same. Yet Terry Gray, associate VP of technology engineering, computing, and communications at the University of Washington, notes that a denial of service (DoS) attack by hundreds of bots connected at 10GB would qualitatively “up the ante.”

Supporting this view, St Sauver adds, “The new networks significantly increase higher education’s responsibilities for the physical facilities needed to support level-1 networking, and consequently increase our security obligations.” He notes that because provisioning and maintaining optical facilities is so expensive, there is increased consolidation and aggregation of equipment, which results in a reduction in path and equipment redundancy—meaning fewer but higher-value targets. In short, we have more eggs in a single basket.

Paul Schopis, director of network engineering at OARnet (the networking division of the Ohio Supercomputer Center), outlines another way that the emerging optical networks introduce new security problems. In the past, he notes, IP networks were run over synchronous optical networking (SONET), which did not use IP for the signaling channel. But IP won out, and many new data networks use Ethernet and IP for the control channel, which introduces the possibility of attacking a network at layer 1. “Why attack routers when you can wipe out the optical layer?” Schopis points out. OARnet has addressed this threat via more robust authentication and authorization, and by ensuring that the IP addresses of the control plane are not publicly routable.

Coming to Campus Technology 2007

University of Texas-Austin's Daniel Updegrove, special assistant, VP for IT, academic technology services, will moderate a panel on high-speed networking initiatives such as LONI and SURAnet, entitled "Research Institutions: Leading Regional Networking Initiatives," at Campus Technology 2007 in Washington, DC, July 30-Aug. 2.

UW’s Gray has observed that some of the impetus for optical networks may be a reaction to improved network security on our current networks, and is part of a more general and cyclical process. He argues that when we introduce network appliances such as firewalls, or we restrict access or impose more restrictive policies, we also add friction to the system. Campus firewalls, which often break videoconferencing and multicast, are a common example. Researchers respond by seeking their own dedicated lambdas that free them from real and perceived restrictions. But as they add other researchers as well as commodity internet links to their private networks, they are faced with access control issues and the threat of network attacks. The circle is completed as traffic-disrupting appliances and policies are added to improve security. The only way to break the cycle is for the IT staff to understand and address the concerns of the researcher and the tradeoffs between performance and security.

St Sauver sums it up best by recalling a line perhaps best known from the 2002 movie Spider-Man: “With great power comes great responsibility.”

Current and Future Trends

Three clear trends have emerged within the higher ed community:

  1. The designation of a single senior individual to be responsible for all aspects of information security. (Emerging optical networks will only accelerate this trend.)
  2. The centralization of the IT security function to a single operational unit.
  3. Increased staffing for security.

But UGA’s Gatewood has suggested a fourth long-term trend: He believes that security in higher education is becoming more like security in the private and military sectors. In particular, he foresees hiring more people with business and financial experience to augment traditional technology skills. Gatewood goes so far as to suggest that in the future, the IT security function may be split into two pieces: 1) an operational piece that would not fall under the CISO but, rather, revert back to the IT operations group; and 2) a strategic security piece that would fall under the CISO and might report to someone other than the CIO.

Regardless of how information security is organized, the function is only going to grow in importance and institutions must develop strategies for addressing these new security challenges. Information security as an afterthought is no longer a viable option.
