
How does a Chief Information Security Officer Sleep?

By Luis Brown, CISSP, C| MBA, Chief Information Security Officer, Central New Mexico Community College


One of the questions generally asked of a CISO is “How do you sleep at night?” The answer is “generally well with periods of sheer terror!” I can personally attest to this as a CISO in the higher education field.

Let me start with the idea that we generally spend considerable time making sure that we have put into place good policies and procedures, along with technical controls to repel most attacks. For example, we employ anti-malware, anti-phishing and anti-spam technology in our email environment that deflects more than 80% of the email targeted at our domain. We employ many “best practices” controls as well.

But beyond this, I always go back to a statement made by a commercial banking professor whom I admired very much. When discussing the financial crisis of 2008, Ward Hickey stated that “Banks failed to manage risk!” Of course, this applies just as directly to the field of cyber security. It is all about assessing, controlling, mitigating and transferring risk.

While my job consists of the normal duties involving policy development, staffing, training and deploying controls in our environment, I would say that nearly half of my job involves managing risk. When new systems, ideas or upgrades are proposed for review, I always like to find a way to support the business model that’s in alignment with my institution. This requires assessing and controlling the associated risks. Many firms and institutions have ended up in the news, for the wrong reasons, because their cyber security teams failed to adequately manage risks.

For information of a sensitive or restricted nature, well-planned controls and monitoring must be employed to minimize the risk. We use a combination of advanced controls and monitoring technologies to protect our information. This also requires a highly capable technical staff of analysts and administrators to maintain, monitor and respond to the alerts this technology produces. You also have to be careful not to “chase the dream” solution by purchasing more technology than your staff can handle.


This brings us to the training requirements that must be provided. Your staff is only as good as the knowledge they are given in the pursuit of cyber security. Failure to provide adequate training will invalidate your program as effectively as not having a program at all! I will also point out that a good CISO works closely with IT Operations to ensure that they are properly informed and trained to mitigate threats within the environment. You can, and should, use assessment tools such as vulnerability scanners and penetration testing. However, if your IT staff is not prepared to respond to the risks those assessments discover, then your effectiveness will be severely diminished.

Finally, about that sleep… All you can do is your best. Mistakes will be made, and breaches will occur. It is how you respond to these situations that determines your resolve and your willingness to constantly evolve and improve. To quote Jack Kennedy: “We choose to do these things not because they are easy, but because they are hard!”
