Chief Information Security Officers: Moving Away from IT

The CISO role in higher education is evolving, putting more emphasis on enterprise risk management and policy development.

As data breaches and cybercrime gain a higher profile in higher education, the role of the chief information security officer is changing — and broadening beyond IT. The increasing sense of urgency is bringing people from different backgrounds to the CISO post, and is raising questions about budgets and reporting structures as well.

"Higher education is starting to recognize that cyber risk is the same as other types of business risk," said Brian Kelly, CISO at Quinnipiac University (CT). "It is the same type of consideration as someone falling down a staircase. We are closer to those cabinet-level conversations around risk. It has gone beyond being an IT problem."

Kelly's own experience at Quinnipiac provides an interesting example. Before coming to higher education, he had worked in security both in the U.S. Air Force and at Aetna, a large insurance company. Almost 10 years ago he was named information security officer at Quinnipiac, and in his first year on the job he was placed in charge of the networking group. "At the time I thought it was this wonderful promotion, right?" But in reality, he said, it created a split personality. The security person wants everything to be secure, while the networking person just wants it to work. "The network guys are focused on uptime and operations. The security person is often seen as slowing it down or making it more difficult to access," he said. "It was unusual for someone to be in charge of both."

He eventually shed the networking group responsibility and is now focused on creating a roadmap for projects under an identity and access management umbrella and looking at tools to help determine when a credential has been compromised. He is also spending time getting familiar with cyber liability insurance and how it is making its way into higher education.

A Business Role

Joanne Martin, CISO advisory practice lead for Baltimore-based Hartman Executive Advisors, said the changes taking place in higher education follow trends that happened first in Fortune 500 companies and then started happening in other sectors.

"After the first high-profile data breaches happened in 2010 or 2011, the role of CISO changed pretty drastically from being someone who came out of networking and implemented firewalls and network perimeter devices to somebody who looks at things from a business perspective and analyzes the risks to the organization," she said. "It became a business role."

Universities, Martin added, have very specific security challenges that require a leader who is able to articulate those issues and get people to come on board.

Wayne Brown, whose Center for Higher Education Chief Information Officer Studies (CHECS) does annual surveys of both CIOs and CISOs, said he believes the next generation of CIOs could include executives moving from the CISO position. "They are not in a stovepipe," he said. "They have a broader view of the institution than others in IT stovepipes. They could be part of a fantastic pipeline to fill CIO positions in the future."

Attracting people with CISO experience in the private sector to university campuses has proven to be challenging. First, the salaries may not match up. Second, universities tend to have more distributed levels of governance that make implementing policy changes more difficult. Martin said CISO searches are more likely to be successful when they find someone with a predisposition to be part of university life. "In other words, you might want a university person who likes to do security rather than a security person considering a university position."

The Gender Divide

One issue the CHECS research has called attention to is the lack of gender diversity in the CISO position. In the latest CHECS CISO survey, only 11 percent of respondents in higher education were women, compared to 21 percent in the commercial sector. Brown said a lot of CISOs have traditionally come up through the network department on campus, which is usually male-dominated. He said he has worked at five different campuses and only seen a few women working in a network group.

One woman who has molded the CISO position at her university over the last decade is Theresa Semmens at North Dakota State University in Fargo. She learned to get used to being one of the few women in higher education cybersecurity. "I remember in 2005, I took a week-long SANS Institute course at Virginia Tech. There were 165 attendees and only seven were female," she said. Over the years, she added, her position has morphed from dealing primarily with compromised machines or copyright infringement to focusing more on cyber threats, policies, procedures, training and legal software license review. The university also has added records management and retention to her responsibilities.

Semmens said one of her biggest challenges is that cybersecurity has no specific budget on campus. "We should have a department at least four times larger to do things appropriately," she said. "My budget consists of our salaries and the money to pay for vulnerability scans. That's it. I would like to do so much more, but funding is tight and there are other priorities on campus."

Enterprise-wide Security

William Perry, CISO for the California State University system for the past four years, has sought to bring an enterprise view of security to a system of 23 campuses. "Many times because of specific risks, a campus will act in a manner that is particular to their campus and not particularly effective for the system," he said. "I explain that we are all in this together. We need to look at risk to the enterprise and not just to the campus, although we try to do both."

Each Cal State campus has its own information security officer. They meet monthly by phone and two to four times a year in person. "We talk about systemwide policies, standards and opportunities to leverage buying power on contracts," Perry said.

Perry said that not only has the nature of the threat evolved, so has the nature of the users. "We have students from everywhere around the world. They go home and need to access systems that are here. We need to work to make sure our constituents have the access they need, our staff and faculty can still do their job wherever they are in the world, but still protect the data. So we are looking at defense systems that essentially implement that."

New Reporting Structures

Most CISOs report to their CIO, but many of them believe they will eventually report directly to higher-level executives or boards. "I think that over time you will see the CISO move out of IT," said Perry, who currently reports to his systemwide CIO. "[Our CIO] is very engaged in security, but more and more the role of the CISO is moving away from just IT security relative to tools and more into processes and policies regarding risk to the organization," he added. "I am not sure exactly who the CISO will report to, but I just know we are in a transition across both public and private sectors. I have many colleagues in the private sector telling me the same thing, because we have to look at the risk to an organization and not just IT, where most of us come from."

Quinnipiac's Kelly said there may not be a clear answer about reporting lines, but there are times when there is a conflict between the CISO and CIO strategy and budget requirements. "We have run into issues where my top three budget requests and priorities might not be the CIO's top three," he said. "From a budgetary standpoint it matters, but I don't think one size fits all."

North Dakota State's Semmens said that IT is not necessarily the best place to put someone with the CISO role. "A CISO should be at the same level as the CIO. They should be partners and report to the same person."

Many smaller campuses can't afford to hire a CISO, and one person is charged with being both the IT director and head of IT security. Kelly said people in that dual-hatted position can get help by getting engaged in consortia and other communities of professionals. CISOs in Connecticut, for example, created a group called the Connecticut Higher Education Roundtable on Information Security (CHERIS) so that people from the 24 higher education institutions in the state can get together to talk about what is working well for them. "Higher education fosters that type of collaboration," Kelly said. "They shouldn't be out there struggling alone. There is group therapy available."