How does the role of CISO differ from business organizations to educational institutions? What advice would you give to CISOs working in other educational institutions?
The biggest difference is going to be the large number of unmanaged devices connecting to the network. It is pretty common in other industries to limit access to corporate-owned devices only. That is not the case in educational environments. Your obligation to secure information becomes much more difficult when you have little control over the endpoints that connect to the network. We are meeting the challenge through technologies such as ForeScout's NAC, Fortinet's UTM firewalls, virtual applications and MDM.
The best advice I would give to other CISOs in educational institutions would be to expand their scope of services to meet all areas of information risk. The internal technical controls are very important, but they should not be the sole focus of our efforts. The second piece of advice that I would give would be to make sure that you have the visibility needed in order to make strategic decisions. We utilize NAC and our SIEM to understand everything connected and the security threats that they pose. If you do not have the visibility into your environment, it makes it very difficult to know what you are up against.
What, if any, are the things that would make your job easier and your users safer?
We've seen a large increase in security-aware users over the last five years. As the world moves toward new technologies, such as Big Data and the Internet of Everything, it will require additional awareness. The privacy concerns and security threats will continue to expand. We need to ensure that information security as a community evolves to meet these challenges and that our users are aware of these new threats. Information security and privacy education is absolutely invaluable when protecting against new threats.