Talking With The Boss About Security
Darlene Quackenbush, James Madison University; Shirley Payne, University of Virginia
EDUCAUSE Security Professionals Conference, April 4th, 2005


Page 1: Talking With The Boss About Security

Talking With The Boss About Security

Darlene Quackenbush, James Madison University
Shirley Payne, University of Virginia

EDUCAUSE Security Professionals Conference
April 4th, 2005

Page 2

We must all become much more vigilant in the provision of secure systems, in intrusion detection, in rapid response, and especially in education. We must practice, teach, and infuse all aspects of security into campus lives.

Dr. Linwood H. Rose, President, James Madison University
“Information Security: A Difficult Balance”, EDUCAUSE Review, September/October 2004

Page 3

Agenda

• The Executive Audience

• Benefits of Effective Communication

• Obstacles To Effective Communication

• Leveraging Institutional Culture

• Communication Strategies & Examples

Page 4

The Executive Audience

• Boards of Trustees

• Presidents

• Vice Presidents & Provosts

• Deans & Department Heads

• Chiefs of Staff

Page 5

Perceived Barriers To IT Security

[Bar chart, not reproduced: percentage of respondents (axis 0% to 80%) naming each barrier. Categories, from top: Resources, Awareness, Academic Freedom, Culture of Decentralization, Absence of Policies, Enforcement of Policies, Senior Management Support, Technology, Legal Lags Technology, Individual Privacy, Vendor Hardware/Software, Freedom of Speech.]

Source: Information Technology Security Study, EDUCAUSE Center for Applied Research, Sept. 2003

Page 6

Benefit: Appropriate Strategies

[Bar chart, not reproduced: the same perceived-barriers chart as on page 5 (axis 0% to 80%). Categories, from top: Resources, Awareness, Academic Freedom, Culture of Decentralization, Absence of Policies, Enforcement of Policies, Senior Management Support, Technology, Legal Lags Technology, Individual Privacy, Vendor Hardware/Software, Freedom of Speech.]

Source: Information Technology Security Study, EDUCAUSE Center for Applied Research, Sept. 2003

Page 7

Privacy and academic freedom are critical components of campus culture; it is vital that decisions on policies and procedures regarding security and related issues be carefully vetted, understood, and authorized by both the highest levels of the campus leadership and the representatives of the campus community. The executive role in all of these matters is crucial if internal dissension and unnecessary strife are to be avoided.

“Presidential Leadership for IT”, David Ward and Brian L. Hawkins, EDUCAUSE Review, May/June 2003

Page 8

Benefit: Effective Policies

[Bar chart, not reproduced: the same perceived-barriers chart as on page 5 (axis 0% to 80%). Categories, from top: Resources, Awareness, Academic Freedom, Culture of Decentralization, Absence of Policies, Enforcement of Policies, Senior Management Support, Technology, Legal Lags Technology, Individual Privacy, Vendor Hardware/Software, Freedom of Speech.]

Source: Information Technology Security Study, EDUCAUSE Center for Applied Research, Sept. 2003

Page 9

Benefit: Clear Assignment of Responsibilities

[Bar chart, not reproduced: the same perceived-barriers chart as on page 5 (axis 0% to 80%). Categories, from top: Resources, Awareness, Academic Freedom, Culture of Decentralization, Absence of Policies, Enforcement of Policies, Senior Management Support, Technology, Legal Lags Technology, Individual Privacy, Vendor Hardware/Software, Freedom of Speech.]

Source: Information Technology Security Study, EDUCAUSE Center for Applied Research, Sept. 2003

Page 10

Benefit: Executive Role Model

[Bar chart, not reproduced: the same perceived-barriers chart as on page 5 (axis 0% to 80%). Categories, from top: Resources, Awareness, Academic Freedom, Culture of Decentralization, Absence of Policies, Enforcement of Policies, Senior Management Support, Technology, Legal Lags Technology, Individual Privacy, Vendor Hardware/Software, Freedom of Speech.]

Source: Information Technology Security Study, EDUCAUSE Center for Applied Research, Sept. 2003

Page 11

If you can get the president to set the right tone, a majority on campus will likely follow her or his lead in supporting the changes and improvements you recommend.

“Gaining the President’s Support for IT Initiatives at Small Colleges.” Laurence W. Mazzeno, President, Alvernia College, EDUCAUSE Quarterly, Number 1, 2004

Page 12

Benefit: Investment Aligned With Risk Profile

[Bar chart, not reproduced: the same perceived-barriers chart as on page 5 (axis 0% to 80%). Categories, from top: Resources, Awareness, Academic Freedom, Culture of Decentralization, Absence of Policies, Enforcement of Policies, Senior Management Support, Technology, Legal Lags Technology, Individual Privacy, Vendor Hardware/Software, Freedom of Speech.]

Source: Information Technology Security Study, EDUCAUSE Center for Applied Research, Sept. 2003

Page 13

Additional Benefits

• Opportunity to establish appropriate expectations

• Constructive involvement should a security incident occur

Page 14

In a time of crisis, it’s always good to have a boss smarter than you.

Joy Hughes, VP/CIO, George Mason University

Page 15

Be Prepared For...

• Additional work to:
  – tailor the information
  – provide status reports, possibly including development of new metrics
  – respond to inquiries

• Increased accountability

Page 16

Obstacle To Effective Communication: Who are you?

Responsibility for security is placed low in the organization

Page 17

Obstacle To Effective Communication: IT security?

Significant lack of awareness

Page 18

Obstacle To Effective Communication: Why spend my time on this?

Security not an institutional priority

Page 19

Obstacle To Effective Communication: Why can’t you handle it yourself?

Executive role not clear

Page 20

Obstacle To Effective Communication: What the heck is an IPS?

Techno-speak

Page 21

Obstacle To Effective Communication: Where’s the ROI?

Lack of security metrics

Page 22

Obstacle To Effective Communication: You again?

Security viewed as one-time fix-it project

Page 23

Obstacle To Effective Communication: That’s not how we do things here?

Cultural Factors

Page 24

What Defines Culture?

• Strategic Planning and Decision-Making
  – Examples:
    • Top-down
    • Bottom-up
    • Consensus-based

• Institutional Values
  – Examples:
    • Collegial working relationships
    • Emphasis on accountability at all levels of the institution
    • Strong faculty influence
    • Student honor code

Page 25

What Defines Culture?

• Control of Operational Functions
  – Examples:
    • Centralized
    • Decentralized

• Long-term Institutional Priorities
  – Examples:
    • Increase research
    • Increase community outreach
    • Compliance

• Other influences on culture?

Page 26

A Good Blueprint

• A plan

• A function of environment

• Express one’s culture/desires

• Based on examples/knowledge of others

• Guide for communicating with others

Page 27

Communication Strategies

Silence is NOT golden

• Communicate early and often

• Build awareness

• Build trust

Page 28

Communication Strategies

Prepare to communicate

• Know your security goals

• Be prepared to educate

• Craft the message

• Have outcomes in mind

Page 29

Communication Strategies

Adjust to change

• Listen

• Draw linkages

• Monitor technical and regulatory changes

• Consider timing

• Promote agility

Page 30

Communication Strategies

Prepare for the “long haul”

• Manage expectations

• Embed security

• Communication as an investment

• Accountability

Page 31

Communication Strategies

Leverage culture

• Tools/Tailoring/Timing

• Compromise/Consensus

• Compliance

• Shared ownership

Page 32

Ideas For Using Culture

Consensus-based Decision-Making

Gain Mid-level Support First

University of Virginia LSP Program http://www.itc.virginia.edu/dcs/lsp

George Mason University SALT Group http://itu.gmu.edu/security/sysadmin/salt-description.html

Page 33

Ideas For Using Culture

Increasing Emphasis on Compliance

Spotlight Federal Regulations Related to Security & Privacy

IT Security for Higher Education: A Legal Perspective http://www.educause.edu/ir/library/pdf/csd2746.pdf

Family Educational Rights & Privacy Act
http://www.ed.gov/policy/gen/guid/fpcp/ferpa/index.html

Gramm Leach Bliley Act
http://www.ftc.gov/privacy/glbact/index.html

Health Insurance Portability & Accountability Act
http://www.hhs.gov/ocr.hipaa

Page 34

Communication Strategies

Seize “opportunities”

• Bad things will happen

• Anxiety is attention

• So is contemplation

• Change culture

Page 35

References

ACE Letter to Presidents Regarding Cybersecurity
http://www.acenet.edu/washington/letters/2003/03march/cyber.cfm

Developing Security Education and Awareness Programs
http://www.educause.edu/ir/library/pdf/EQM0347.pdf

Gaining the President’s Support for IT Initiatives at Small Colleges
http://www.educause.edu/apps/eq/eqm04/eqm0417.asp

EDUCAUSE Information Security Governance Assessment Tool
http://www.educause.edu/LibraryDetailPage/666?ID=SEC0421

Information Security: A Difficult Balance
http://www.educause.edu/pub/er/erm04/erm0456.asp

Information Security Governance: A Call to Action
http://www.cyberpartnership.org/InfoSecGov4_04.pdf

Information Technology Security: Governance, Strategy, and Practice in Higher Education
http://www.educause.edu/LibraryDetailPage/666?ID=ERS0305

Presidential Leadership for Information Technology
http://www.educause.edu/ir/library/pdf/erm0332.pdf