“Trick or treat! It’s your CISO. I’m here with some scary stories to convince you to give me some (information security) treats!”
It’s not easy being a CISO in higher education. Our systems, networks, and data face constant attacks of varying sophistication levels, initiated by everyone from our own students to hostile nation states. New threats emerge multiple times every day, generating log data, alarms, and calls to the help desk. At the same time, the ever-growing security industry keeps amplifying these threats and telling everyone from the president to the junior network analyst to buy their products…or live to regret it! Senior leadership and trustees often have unachievable expectations—like asking the CISO to guarantee that the campus is breach-proof—while being reluctant to find or provide the resources needed to protect the institution. It’s all quite spooky when you get right down to it.
In this environment, the CISO may feel like a trick-or-treater standing at the CIO’s door with a bag, dressed in armor, asking for the favor of just a few more dollars to buy the latest essential security tool, or funding for one more employee so the team can be less reactive and more proactive. Or perhaps the request is for that long-desired policy change that will make it a little easier for the institution to protect itself. The flip side is the implied trick: if the CIO doesn’t come up with the resources to buy this tool or make a necessary change, the institution may get haunted, invaded, or worse. Aah!
When this dynamic exists—and I’ve seen it in many institutions—it’s no wonder that the relationship between the CIO and CISO suffers. The CIO feels that the CISO is constantly begging and threatening, and the CISO feels the CIO just doesn’t understand or sympathize with the untenable situation she or he faces. Even the most well-meaning CIOs and CISOs can fall into this trap if they’re not careful.
This Halloween let’s talk about how to make this relationship much less frightening. Here are a few suggestions to help CIOs and CISOs align their work so that they present a unified front against the ghoulish security threats knocking at their door.
Advice for CIOs
- Listen sympathetically, understand your CISO’s position, and never punish honest concern. Yes, you’ve got a lot of goodie bags to fill and stakeholders to serve, but recognize the CISO’s unique role (and the unique value she or he provides). Keep your door open and reassure your CISO that you’re getting the message. Help the CISO understand resource and political realities while demonstrating that you are committed to solving difficult problems together.
- Help your CISO understand the institution’s mission and priorities as well as your own. You can’t expect a CISO to align to your vision if you don’t share it. Don’t isolate your CISO and then expect that the right priorities will be set. Treat your CISO as an institutional leader and demonstrate that you expect two-way communication and accountability.
Advice for CISOs
- Speak to the CIO in a language of risks, not absolutes. Not every information security risk is created equal, and very few situations are truly absolute. Instead of, “We have to do this because if we don’t, we’re in trouble,” try: “Here’s what may happen, and I don’t think we want to go forward without reducing this risk.” Adopting industry models for infosec program maturity, performing assessments guided by those models, and providing objective data on risks and gaps gives a far clearer view of the institution’s challenges.
- Strive to understand your institution’s vision, mission, and culture, and align yourself to them. CISOs with extensive experience outside higher education often find the rules for making and enforcing policy, and for allocating budgets, in higher ed byzantine and opaque. Let your CIO help you understand the realities (and opportunities) created by the environment of your institution, and learn to align your programs and priorities to higher education in general and to your institution in particular.
Advice for Both CIOs and CISOs
The more you listen to each other and understand the unique roles you each play, the more you can proceed together to make the best choices for your institution. Take off the mask, get a little vulnerable, and share your hopes and fears—including the difficult realities of protecting your campus from information security threats.
It’s possible to move beyond a trick-or-treat mentality and create a genuine collaboration between CIO and CISO. As we reach the end of Cybersecurity Awareness Month, let’s commit to a unified, strategic, and effective approach to continuously improving the way we tackle this challenging issue.
Every October, Cybersecurity Awareness Month reminds us how important it is to stay safe online. Launched by the U.S. Department of Homeland Security and the National Cybersecurity Alliance, the initiative has grown to educate everyone—from students to business leaders to other organizations—on protecting themselves from cyber threats. The theme this year, “Secure Our World,” focuses on simple steps to secure your digital life. Whether it’s creating strong passwords, being careful about what you share online, or learning how to spot scams, these small actions can make a big difference. Cybersecurity Awareness Month aims to help you, your family, and your organization stay safe in an increasingly digital world. At Vantage, we proudly support this initiative because we believe that cybersecurity awareness and training are for everyone and, especially in higher education, can make the world a better, safer place.
This post was authored by Executive Strategic Consultant Michael Berman, who advises clients on strategic planning, organizational assessments and development, CIO executive advisory services, culture and engagement, and much more.