Tips to Leverage the Investment in the Shared CISO

In April this year, Georgia Institute of Technology announced that they suffered a security breach leading to unlawful access to personally identifiable information of about 1.3 million students and staff. An internal investigation found that the unauthorized access to their network occurred in December 2018.          

When breaches at this scale and this level of sophistication occur, organizations suffer grave financial and reputational losses.

Information loss or breaches can never be treated as the cost of doing business. Even if security budgets are modest, there are several steps smaller organizations and businesses can implement to ensure they can safeguard their ability to continue operations. In the case of universities,installing Data Loss Prevention (DLP) tools, creating detailed cyber-threat strategies and fixes, and hiring an emergency security team are essential investments that will bolster information security significantly.

Experts have always warned that because universities are custodians of large quantities of personally identifiable data and research, among others, such institutions are particularly susceptible to security breaches.

A shared Chief Information Security Officer (CISO) can be invaluable to the university cyber defense team. This dedicated skilled manager can be particularly valuable forover seeing the arduous process of strategy implementation and institutional compliance. CISO agreements are expected to be commonplace in years to come as more institutions become drawn into cyber warfare.

Leveraging the Benefits of CISOs

Usually, CISOs either take on the role as an advisor or as an executive with a specified level of authority and decision-making power. The shared CISO is not meant to be a permanent full-time employee of the organization. Instead, these professionals are appointed to provide thought leadership, focus, and attention required for this specialist undertaking.

Naturally, this is no small feat. Here are some tips on minimizing the probability for potential conflict within teams and leveraging the availability of such a resource.

1. Collaborate during the analysis stage: Institutions should be transparent about their needs and expectations. Similarly, their shared CISO should be empowered to point out flaws in the security strategy. Successful projects depend on securing agreement on the overarching goal of meeting security expectations.

2. Agree on the shared definitions: CISOs usually have a high level of affinity with the language and nomenclature of applications and tools to be used. This can often result in language barriers. At the outset, therefore, project partners should use the definitions provided by the National Institute of Standards and Technology (NIST) or the International Organization for Standardization (ISO).

3. Set uniform metrics and uniform understanding of metrics: Following agreement on terms and definitions, the ISO will assist in designing metrics for determining infrastructure and network cyber risk and preparedness levels. By setting performance indicators to be evaluated by the end of the year, the entire staff can properly review their progress on a weekly or monthly basis. This also keeps staff more alert and more likely to report any possible cyber-threats.

4. Encourage IT participation in determining risk management vs. risk avoidance decisions: It is not unusual for a degree of tension to exist between the CISO and the IT department. The focus of the CISO is risk avoidance, while IT is focused on ease of access to information and data to facilitate smooth running operations.

Organizations benefit greatly from these two interests agreeing on the eventual risk management strategy.

5. Have everyone involved: Developing the right cyber security strategy for any educational institution will require agreement on administrative policies and software solutions. Every staff in the university should be involved and responsive when using or testing new software and drafting emergency response policies.

Because the CISO works closely with all parties involved, the whole organization develops a better understanding of cyber security issues and risks. For educational institutions, CISOs recommend what software to install and what programs fit best with their system. Having a shared understanding of common goals creates effective collaboration. Now that more and more organizations are becoming risk-aware, there is a growing demand for an expert they can rely on. For universities, this is beneficial for students and faculty members to learn in a safe environment. A shared CISO can bridge that gap between your key performance indicators and your cyber security needs.