Posted on 09-Jan-2017

Role of the CISO in Higher Education

University of Edinburgh

1/11/2016

Role of the CISO in Higher Education

Experiences from University of Edinburgh

University structure (org chart):

• Principal

• Information Services Group

• Corporate Services Group

• University Secretary’s Group

• College of Science and Engineering

• College of Art, Humanities and Social Sciences

• College of Medicine and Veterinary Medicine

Background to Appointment of CISO

• Structure of University allows for high degree of local prioritisation of information security risk profile, with limited central direction.

• Senior Academic review (e.g. Kenway Report) recognised benefits of central senior focus.

• Appointment of new CIO brought renewed focus to requirement for CISO to cover all aspects of information security risk rather than previous alignment to IT security.

• Risk and Audit Committee, and senior staff, buy-in and support crucial to success – mandate from the top.

Recruitment

• Selection process supported by external recruitment agency to broaden candidate pool.

• Interview panel included senior academics and directors from within ISG – adds to broad engagement.

• Appointment in early 2016, took up post in February 2016.

CISO – Main Responsibilities

• Leads and owns the information security strategy for the university.

• Drives and owns the information security risk posture, taking a risk-based, holistic approach to managing information security risk.

• Leads pan-University information security activities, managing the information security risk to IT facilities from internal and external threats.

• Advises the University on existing and emerging strategic information security threats.

• Owns, manages and develops appropriate information security policies, procedures, controls and the overall information security governance framework.

Initial Priorities

• Recruitment of team with necessary skills – challenge of competing against the private sector.

• Increased focus on the user.

• Overhaul of information security risk governance to focus on a risk-based approach.

• Support to strategic/key projects (Service Excellence Programme, Data Safe Haven, Network Refresh, Data Sciences, Alan Turing Institute, Student analytics, distance learning and eExams).

Keys to Success

• Alignment to University 2016 Strategy – supporting plans for Digital Transformation and Data and Partnerships with Industry.

• Buy-in from individual Colleges and Support Groups – need to recognise requirement for ‘individual’ solutions – outcome based.

• Ensure that business areas know their responsibilities – won’t do security ‘to’ or ‘for’ them – they own the risks.

• Provision of supporting services and not about saying ‘No’.

• External and internal collaboration and information sharing.
