Being a CISO at a higher education institution
by Zeljka Zorz - Managing Editor - 17 June 2014.
We see a lot of storage in the cloud and SaaS solutions that present a unique challenge for information security. For years, people relied on IT for storage and software installations. This allowed us to thoroughly evaluate technical security controls before they were in production. Today, individuals have the ability to find a service and immediately acquire it in the cloud without proper risk reviews being completed. We focus a lot of time ensuring that we are aware of our customers’ needs so that we are a partner in that decision making process. We also rely heavily on application layer controls designed to block SaaS and other applications that have not been evaluated. In large organizations, some solutions may bypass the vendor management process, so having application layer visibility is crucial in preventing data loss.

How does the role of CISO differ from business organizations to educational institutions? What advice would you give to CISOs working in other educational institutions?

The biggest difference is going to be the large amount of unmanaged devices connecting to the network. It is pretty common in other industries to limit access to corporate-owned devices only. That is not the case in educational environments. Your obligation to secure information becomes much more difficult when you have little control over the endpoints that connect to the network. We are meeting the challenge through technologies such as ForeScout's NAC, Fortinet's UTM Firewalls, Virtual Applications and MDM.

The best advice I would give to other CISOs in educational institutions would be to expand their scope of services to meet all areas of information risk. The internal technical controls are very important, but they should not be the sole focus of our efforts. The second piece of advice that I would give would be to make sure that you have the visibility needed in order to make strategic decisions. We utilize NAC and our SIEM to understand everything connected and the security threats that they pose. If you do not have the visibility into your environment, it makes it very difficult to know what you are up against.

What, if any, are the things that would make your job easier and your users safer?

We've seen a large increase in security-aware users over the last five years. As the world moves toward new technologies, such as Big Data and the Internet of Everything, it will require additional awareness. The privacy concerns and security threats will continue to expand. We need to ensure that information security as a community evolves to meet these challenges and that our users are aware of these new threats. Information security and privacy education is absolutely invaluable when protecting against new threats.
