This article was written by Senior Consultant Joanna Gramma and originally appeared in EdScoop in September 2018. This post excerpts highlights from the article.
For higher education chief information security officers (CISOs) and campus chief business officers (CBOs), information security threats that target institutional funds, the personally identifiable information of students, faculty, and staff, and institutional research data and intellectual property pose a special concern. So much so, in fact, that information security is the No. 1 issue on the 2018 EDUCAUSE Top 10 IT Issues list.
Fortunately, by their very nature CISOs and CBOs speak a common language and share common perspectives that especially suit them to form an effective partnership to improve an institution’s information security posture.
5 Things that CISOs and CBOs Have in Common
CISOs and CBOs have overlapping responsibilities and they both:
- Understand the language of risk and how to implement controls to mitigate risk
- Realize that the institution has resources (tangible and intangible) that must be protected from different types of risk, whether that risk is of a compliance, financial, system, operational, reputational, or strategic nature
- Accept that their roles involve reducing and mitigating risk in a way that matches the institution’s risk posture
- Are accustomed to, and comfortable with, dealing with complicated compliance requirements
- Know how to maximize the use of limited resources (such as equipment, budget and staff) to create efficiencies and value for their institutions
This common framework and perspective can help form the foundation for a CISO-CBO partnership that can dramatically reduce an organization’s information security risk profile.
More specifically, there are 3 things that each of them, CISO and CBO, can do to form a more effective partnership with the other:
3 Things a CISO Can Do to Be a Better Partner
- Learn more about the institution’s business and financial processes. Assess where those processes are susceptible to threats and vulnerabilities that may compromise information security, and work with the CBO to identify workable controls for avoiding those risks
- Educate business office units and staff about the types of scams and attempted compromises that they are most likely to see in the course of their work and provide concrete and actionable tips for avoiding scams
- Assist the CBO in identifying and implementing technological solutions that protect institutional data and allow for efficient business processes
3 Things a CBO Can Do to Be a Better Partner
- Invite the CISO to discussions about business processes and technologies. Insist that security be considered early in any process change so that solutions can be elegantly designed to protect institutional data
- Encourage staff members to engage in information security awareness training and help the CISO understand where information security training needs to be improved to meet unit needs
- Assist the CISO in identifying opportunities to partner with other campus stakeholders to improve institutional information security practices
At the end of the day, the outcome of a tighter partnership is that the CISO and CBO will better understand how business processes use institutional data and IT resources, and will be better positioned to mitigate information security risks to those processes, data, and IT resources.