The Rise of the CISO
The 'chief information security officer' role is increasingly important
for higher ed, as new cyber security challenges loom on the horizon.
The late 1980s was an exciting time to be a CIO
in higher education. Computing was being decentralized
as microcomputers replaced mainframes,
networking was emerging, and the National Science
Foundation Network (NSFNET) was introducing
the concept of an “internet” to hundreds of
thousands of new users. Security wasn’t much of
an issue; the big debate on campus was whether to
regulate access to the alt.sex newsgroups. An institution’s
systems group handled IT security as an
afterthought. None of us had a “chief information
security officer”—or anything like it.
Now, two decades later, cyber security is routinely
identified as the top concern of higher ed CIOs,
according to the Campus Computing Project’s 2006
National Survey of Information Technology in US
Higher Education. And
with good reason: The CDW-G Higher Education IT
Security Report Card 2006 (newsroom.cdwg.com/features/feature-10-10-06.html)
indicates that 56 percent of all higher ed institutions have experienced
at least one security incident in the last year.
The CISO in Higher Ed
With the growing importance of security, it is not surprising
that the responsibility for IT security has moved to senior IT
management or dedicated IT security professionals. Forty
percent of institutions now have a formally designated chief
information security officer, up from 22 percent in 2003,
according to Safeguarding the Tower: IT Security in Higher
Education 2006, a study from the Educause Center for
Applied Research (ECAR).
The person responsible for IT and information security (as
well as related audits) may have a variety of titles: information
security officer (ISO), IT security manager, or director of
information security. Although common in the corporate
world, the use of the functional descriptor “chief security
officer” (CSO) or “chief information security officer” (CISO)
is less common in higher ed. Because the term “chief security
officer” is used by many companies for a position that is
also responsible for physical security and the safety of
employees, the term “chief information security officer” is
becoming more prevalent for individuals with an exclusive
cyber security focus.
At the same time, the role of the CISO is evolving from a
technologist responsible for computer systems administration,
to someone with campuswide responsibility for information
security policy, regulatory compliance, and financial
tradeoffs, as well as technically oriented computer/network
security and incident response, says Stan Gatewood, CISO
at the University of Georgia. He has addressed this broader
role by implementing a five-point information security strategy based on risk management; business continuity and disaster
recovery planning; policy and management compliance;
incident response; and security awareness, training,
and education. This comprehensive, integrated approach
allows the CISO office to go beyond a computer- and network-
centric view of security, and take into account overall
policy, regulatory, financial, political, and social issues. This
broader view better serves the institution’s mission by assuring
confidentiality, integrity, and availability of the school’s
information and information systems.
Breaking Through Cyber Security Barriers
In the CDW-G report, respondents identified lack of funding,
too few staff resources, and the higher education culture
as the top three barriers to improving cyber security in
higher ed. Fortunately, IT officers in the trenches are working
to overcome such challenges, and as a result, dedicated
security groups and institutional self-evaluation efforts
have emerged in higher ed.
Shortly after assuming the position of information security
manager at the University of South Carolina in 2006,
Jason Richardson identified the lack of a dedicated security
group as a critical problem. At the time, Richardson
and several others within the networking group split their
time between networking and security duties. To help convince
his management of the need for a dedicated security
team, Richardson conducted an informal survey of staff
resources devoted to IT security at other campuses (his
full results are available here). He received 40 responses in two
weeks. The number of full-time staff dedicated to information
security ranged from zero to 13, and though there was
some correlation between institution size and the number of
staff, there were numerous cases of small colleges with the
same staffing as large research universities. Yet, the growing
support for information security was clear. South Carolina
now has a dedicated security group (consisting of
Richardson and three others) that reports to the deputy
CIO. They are developing a comprehensive security program
based on best practices and standards such as ISO 17799 and ISO 27001.
Though higher ed’s culture of openness can be difficult to
reconcile with better security, it’s not impossible, says Georgia’s
Gatewood. For example, the University of Georgia has
enhanced its security strategy with a program called
ASSETS: Automated Security Self-Evaluation Tools, for identifying and evaluating
risks to data and computers in UGA’s highly decentralized
and research-oriented environment.
3 Tips: Hiring a CISO
1:: Look to other industries. A 2005 CSO magazine survey,
weighted to corporate responses, found that 63 percent of CISOs have
an information security background, 35 percent come from corporate
security, and 32 percent are from the military.
2:: Consider peer advice. Louisiana State University’s Brian
Voss, CIO, and Brian Nichols, chief IT security and policy officer,
will discuss the role of the CISO in a session entitled “Introducing:
The New CISO on Campus,” at Campus Technology 2007, July 30-
Aug. 2, in Washington, DC.
Tammy Clark, information security officer at Georgia State University,
also presented a number of useful tips in her 2004 Educause
conference presentation, "How Do You Create a Successful Information
Security Program? Hire a Great ISO!"
3:: KYCA: Know Your Certification Acronyms. There are a number
of certifications available. For example, the Information Systems
Security Certification Consortium offers the Certified
Information Systems Security Professional (CISSP) and Systems Security
Certified Practitioner (SSCP) certifications. However, the widely
used CISSP certification is based on a broad understanding of security
principles and does not measure in-depth technical knowledge.
In addition, individual vendors such as Cisco Systems and Internet Security Systems offer more technically
based certifications for their products.
Some other common certifications include Certified Information
Security Manager (CISM) and Certified Information Systems Auditor
(CISA) from the Information Systems Audit and Control Association; Global Information Assurance Certification; and Certified Protection Professional (CPP) from
ASIS International.
Caveat: Certifications are only a crude measure of qualification
and do not substitute for good personnel and hiring
CISO Challenge: Emerging Optical Networks
What is the impact of optical networks such as the National LambdaRail and Internet2’s NewNet on information security and the role of the
CISO? These networks not only provide traditional internet
connectivity at much higher speed, but also add the ability to
provision dedicated wavelengths (called lambdas) between
two points. In technical terms, internet connectivity provides
the user with layer-3 services, whereas a dedicated lambda
provides the user with layer-1 services. By analogy, traditional
internet connectivity gives the user control of a car running
on a highway system that he or she does not control. A
dedicated lambda gives the user control of the highway,
which can now be used for a car, a semi, or as a walking path.
The flexibility and power of optical networks elicit the
question: Are these new optical networks more or less
secure than current networks? Joe St Sauver, director of
user services and network applications at the University of Oregon, has the following Zen-like answer: “They
add no new security issues and they add many new
security issues.” Other security experts agree.
But South Carolina’s Richardson points out that
“data is data”: The basic security issues don’t change.
Although faster networks will require faster firewalls
and network appliances, the underlying policy structures
and access control mechanisms remain the
same. Yet Terry Gray, associate VP of technology engineering,
computing, and communications at the University
of Washington, notes that a denial of service (DoS)
attack by hundreds of bots connected at 10GB would
qualitatively “up the ante.”
Supporting this view, St Sauver adds, “The new networks
significantly increase higher education’s responsibilities
for the physical facilities needed to support level-1
networking, and consequently increase our security obligations.”
He notes that because provisioning and maintaining
optical facilities is so expensive, there is increased
consolidation and aggregation of equipment, which results
in a reduction in path and equipment redundancy—meaning
fewer but higher-value targets. In short, we have more
eggs in a single basket.
Paul Schopis, director of network engineering at OARnet
(the networking division of the Ohio Supercomputer Center), outlines another way that the emerging
optical networks introduce new security problems. In the
past, he notes, IP networks were run over synchronous optical
networking (SONET), which did not use IP for the signaling
channel. But IP won out, and many new data networks
use Ethernet and IP for the control channel, which introduces
the possibility of attacking a network at layer 1. “Why attack
routers when you can wipe out the optical layer?” Schopis
points out. OARnet has addressed this threat via more robust
authentication and authorization, and by ensuring that the IP
addresses of the control plane are not publicly routable.
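One way to verify the second of those controls, that every optical control-plane address sits in designated non-routable space, is to audit the device inventory. The script below is an added example, not OARnet's own tooling; the inventory lines and the allowed prefixes are constructed for illustration.

```python
import ipaddress

# Prefixes in which control-plane / management interfaces are allowed to live.
# Constructed policy for this example: RFC 1918 space plus IPv6 ULA only.
ALLOWED_PREFIXES = [
    ipaddress.ip_network(p)
    for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")
]

# Constructed sample inventory (not real equipment): one line per
# control-plane interface in the form "device,interface,address/prefix".
INVENTORY = """\
dwdm-core-1,mgmt0,10.250.1.11/24
dwdm-core-1,mgmt1,fd00:2500::11/64
dwdm-core-2,mgmt0,10.250.1.12/24
roadm-site-a,osc0,192.168.77.5/30
roadm-site-b,osc0,198.51.100.9/30
amp-hut-3,mgmt0,10.250.2.40/24
"""


def is_non_routable(address):
    """True if the address (string) falls inside one of the allowed prefixes.

    An explicit allow-list is used rather than ipaddress.is_global so that
    documentation ranges such as 198.51.100.0/24 are also rejected.
    """
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in ALLOWED_PREFIXES)


def parse_inventory(text):
    """Yield (device, interface, ip_interface) for each non-blank, non-comment line."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        device, iface, cidr = (field.strip() for field in line.split(","))
        yield device, iface, ipaddress.ip_interface(cidr)


def audit_control_plane(text):
    """Return (device, interface, address/prefix) for every interface outside policy."""
    findings = []
    for device, iface, addr in parse_inventory(text):
        if not is_non_routable(str(addr.ip)):
            findings.append((device, iface, str(addr)))
    return findings


if __name__ == "__main__":
    for device, iface, addr in audit_control_plane(INVENTORY):
        print(f"ROUTABLE control-plane address: {device} {iface} {addr}")
```

Run against a real inventory export, any line reported means that device's control plane could be reached from outside the designated management space.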
Coming to Campus Technology 2007
University of Texas-Austin's Daniel Updegrove, special assistant,
VP for IT, academic technology services, will moderate a panel on
high-speed networking initiatives such as LONI and SURAnet, entitled
"Research Institutions: Leading Regional Networking Initiatives," at
Campus Technology 2007 in Washington, DC, July 30-Aug. 2.
UW’s Gray has observed that some of the impetus for
optical networks may be a reaction to improved network
security on our current networks, and is part of a more general
and cyclical process. He argues that when we introduce
network appliances such as firewalls, or we restrict access
or impose more restrictive policies, we also add friction to the
system. Campus firewalls, which often break videoconferencing
and multicast, are a common example. Researchers
respond by seeking their own dedicated lambdas that free
them from real and perceived restrictions. But as they add
other researchers as well as commodity internet links to their
private networks, they are faced with access control issues
and the threat of network attacks. The circle is completed as
traffic-disrupting appliances and policies are added to
improve security. The only way to break the cycle is for the
IT staff to understand and address the concerns of the
researcher and the tradeoffs between performance and
security.
St Sauver sums it up best by recalling a line perhaps
best known from the 2002 movie Spider-Man: “With great
power comes great responsibility.”
Current and Future Trends
Three clear trends have emerged within the higher ed
community:
- The designation of a single senior individual to be
responsible for all aspects of information security.
(Emerging optical networks will only accelerate this
trend.)
- The centralization of the IT security function to a single
operational unit.
- Increased staffing for security.
But UGA’s Gatewood has suggested a fourth long-term
trend: He believes that security in higher education is
becoming more like security in the private and military sectors.
In particular, he foresees hiring more people with business
and financial experience to augment traditional
technology skills. Gatewood goes so far as to suggest that
in the future, the IT security function may be split into two
pieces: 1) an operational piece that would not fall under
the CISO but, rather, revert back to the IT operations group;
and 2) a strategic security piece that would fall under the
CISO and might report to someone other than the CIO.
Regardless of how information security is organized, the
function is only going to grow in importance and institutions
must develop strategies for addressing these new
security challenges. Information security as an afterthought
is no longer a viable option.