Open Menu Close Menu

A New CISO's To-Do List

‘Make or break’ actions for a chief information security officer’s first year

Brian NicholsBrian Nichols is the chief IT security and policy officer at Louisiana State University. He advises the CIO and university administration on technology deployment, usage, and security issues, and he directs LSU’s IT Security and Policy office. His daily concerns range from security standards and policy administration, to incident response and disaster recovery/business continuity planning. Nichols uses vehicles such as technical risk assessment programs, forensics, security reviews, and consulting to achieve his goals. He is a member of the Educause/ Internet2 Computer and Network Security Task Force, and is active in community efforts to improve overall security in higher education. As LSU’s first-ever CISO, he’s navigated uncharted waters during his first year on the job. Here, he shares his top “to-do” list for new CISOs.

Want to be considered for Campus Technology’s Top 10? Send your countdown and a brief background/bio summary to [email protected]


Find out what others are doing.

  • Network: Attend conferences and visit other institutions.
  • Pay particular attention to the mistakes others are willing to disclose.
  • Develop a “safety net” of peers.

Exchange information on security-related events with the community.

  • Join an Information Sharing and Analysis Center (ISAC) such as Indiana University’s REN-ISAC.
  • Information you report about attacks, viruses, and worms can have a positive impact at the national level.

Request an independent, outside security audit.

  • An audit should provide a benchmark of best practices in the field.
  • As a new CISO, you’ll get a roadmap of what you’ll need to be successful.

Establish an IT security and policy advisory team.

  • You’re not the Lone Ranger! Forget the macho efforts.
  • Security is a shared responsibility, so draw in that “mind share” around campus.
  • Create a communications pipeline so policies won’t be viewed as bureaucracy.

Develop an IT security and policy website.

  • Alert people to incidents, and provide the full story.
  • Share broad IT policy efforts and communicate best security practices.

Develop a plan to secure sensitive data and respond to security breaches.

  • Distribute procedures for those who suspect an incident.
  • Ensure legal obligations are being met by the university.
  • Make sure you are empowered to act on behalf of the institution.

Advance a risk management strategy.

  • Security must be proactively managed due to the changing nature of threats.
  • Create an ongoing process for identifying risks and implementing plans to address them.
  • Remember, yours is a race with no finish line.

Continuously monitor, measure, and report security posture to senior administration.

  • Buy-in and support from senior administration is critical.
  • Raise the “visibility” of security as a campuswide concern.

Develop methods and procedures for classifying, handling, and disseminating information resources.

  • It is better to store sensitive data on a centrally managed server.
  • Perform reviews for data stored within colleges and departments.
  • Provide education about why data should be classified.

Develop an IT disaster recovery plan.

  • IT is a strategic asset, and loss of the IT environment can cripple an institution.
  • Get input from the campus community and support from senior administration.
  • Make sure your institution is prepared to recover critical resources on short notice and can ensure continuity of operations.
comments powered by Disqus