
Role of the CISO in Higher Education

Presentation from the Jisc security conference 2016

www.jisc.ac.uk


  1. Role of the CISO in Higher Education. University of Edinburgh, 1/11/2016
  2. Role of the CISO in Higher Education: experiences from the University of Edinburgh
  3. Organisation chart: Principal, with the Information Services Group, Corporate Services Group, University Secretary’s Group, College of Science and Engineering, College of Art, Humanities and Social Sciences, and College of Medicine and Veterinary Medicine reporting in.
  4. Background to Appointment of CISO
     • Structure of the University allows for a high degree of local prioritisation of the information security risk profile, with limited central direction.
     • Senior academic review (e.g. the Kenway Report) recognised the benefits of a central senior focus.
     • Appointment of a new CIO brought renewed focus to the requirement for a CISO to cover all aspects of information security risk rather than the previous alignment to IT security.
     • Risk and Audit Committee, and senior staff, buy-in and support crucial to success – mandate from the top.
  5. Recruitment
     • Selection process supported by an external recruitment agency to broaden the candidate pool.
     • Interview panel included senior academics and directors from within ISG – adds to broad engagement.
     • Appointment in early 2016; took up post in February 2016.
  6. CISO – Main Responsibilities
     • Leads and owns the information security strategy for the University.
     • Drives and owns the information security risk posture, taking a risk-based, holistic approach to managing information security risk.
     • Leads pan-University information security activities, managing the information security risk to IT facilities from internal and external threats.
     • Advises the University on strategic existing and emerging information security threats.
     • Owns, manages and develops appropriate information security policies, procedures, controls and the overall information security governance framework.
  7. Initial Priorities
     • Recruitment of a team with the necessary skills – challenge of competing against the private sector.
     • Increased focus on the user.
     • Overhaul of information security risk governance to focus on a risk-based approach.
     • Support to strategic/key projects (Service Excellence Programme, Data Safe Haven, Network Refresh, Data Sciences, Alan Turing Institute, student analytics, distance learning and eExams).
  8. Keys to Success
     • Alignment to the University 2016 Strategy – supporting plans for Digital Transformation, and Data and Partnerships with Industry.
     • Buy-in from individual Colleges and Support Groups – need to recognise the requirement for ‘individual’ solutions – outcome based.
     • Ensure that business areas know their responsibilities – won’t do security ‘to’ or ‘for’ them – they own the risks.
     • Provision of supporting services, not about saying ‘No’.
     • External and internal collaboration and information sharing.