Role of the CISO in Higher Education
University of Edinburgh
1/11/2016
Role of the CISO in Higher Education
Experiences from University of Edinburgh
University structure (organisation chart):
Principal
• Information Services Group
• Corporate Services Group
• University Secretary’s Group
• College of Science and Engineering
• College of Arts, Humanities and Social Sciences
• College of Medicine and Veterinary Medicine
Background to Appointment of CISO
• The structure of the University allows a high degree of local prioritisation of the information security risk profile, with limited central direction.
• A senior academic review (e.g. the Kenway Report) recognised the benefits of a central, senior focus.
• The appointment of a new CIO brought renewed focus to the requirement for a CISO covering all aspects of information security risk, rather than the previous alignment to IT security.
• Buy-in and support from the Risk and Audit Committee and senior staff are crucial to success – a mandate from the top.
Recruitment
• Selection process supported by an external recruitment agency to broaden the candidate pool.
• Interview panel included senior academics and directors from within ISG – adds to broad engagement.
• Appointed in early 2016; took up post in February 2016.
CISO – Main Responsibilities
• Leads and owns the information security strategy for the University.
• Drives and owns the information security risk posture, taking a risk-based, holistic approach to managing information security risk.
• Leads pan-University information security activities, managing the information security risk to IT facilities from internal and external threats.
• Advises the University on strategic existing and emerging information security threats.
• Owns, manages and develops appropriate information security policies, procedures, controls and the overall information security governance framework.
Initial Priorities
• Recruitment of a team with the necessary skills – the challenge of competing against the private sector.
• Increased focus on the user.
• Overhaul of information security risk governance to focus on a risk-based approach.
• Support to strategic/key projects (Service Excellence Programme, Data Safe Haven, Network Refresh, Data Sciences, Alan Turing Institute, student analytics, distance learning and eExams).
Keys to Success
• Alignment to the University 2016 Strategy – supporting plans for Digital Transformation, Data, and Partnerships with Industry.
• Buy-in from individual Colleges and Support Groups – need to recognise the requirement for ‘individual’, outcome-based solutions.
• Ensure that business areas know their responsibilities – security will not be done ‘to’ or ‘for’ them; they own the risks.
• Provision of supporting services, not about saying ‘No’.
• External and internal collaboration and information sharing.