Role of the CISO in Higher Education
University of Edinburgh
1/11/2016
Experiences from University of Edinburgh
Principal
Information Services Group
Corporate Services Group
University Secretary’s Group
College of Science and Engineering
College of Art, Humanities and Social Sciences
College of Medicine and Veterinary Medicine
Background to Appointment of CISO
• Structure of University allows for high degree of local prioritisation of information security risk profile, with limited central direction.
• Senior Academic review (e.g. Kenway Report) recognised benefits of central senior focus.
• Appointment of new CIO brought renewed focus to requirement for CISO to cover all aspects of information security risk rather than previous alignment to IT security.
• Risk and Audit Committee, and senior staff, buy-in and support crucial to success – mandate from the top.
Recruitment
• Selection process supported by external recruitment agency to broaden candidate pool.
• Interview panel included senior academics and directors from within ISG – adds to broad engagement.
• Appointment in early 2016, took up post in February 2016.
CISO – Main Responsibilities
• Leads and owns the information security strategy for the university.
• Drives and owns the information security risk posture, taking a risk-based, holistic approach to managing information security risk.
• Leads pan-University information security activities, managing the information security risk to IT facilities from internal and external threats.
• Advises the University on strategic existing and emerging information security threats.
• Owns, manages and develops appropriate information security policies, procedures, controls and the overall information security governance framework.
Initial Priorities
• Recruitment of team with necessary skills – challenge of competing against private sector.
• Increased focus on user.
• Overhaul of information security risk governance to focus on risk based approach.
• Support to strategic/key projects (Service Excellence Programme, Data Safe Haven, Network Refresh, Data Sciences, Alan Turing Institute, Student analytics, distance learning and eExams).
Keys to Success
• Alignment to University 2016 Strategy – supporting plans for Digital Transformation and Data and Partnerships with Industry.
• Buy-in from individual Colleges and Support Groups – need to recognise requirement for ‘individual’ solutions – outcome based.
• Ensure that business areas know their responsibilities – won’t do security ‘to’ or ‘for’ them – they own the risks.
• Provision of supporting services and not about saying ‘No’.
• External and internal collaboration and information sharing.