Talking With The Boss About Security Darlene Quackenbush, James Madison University Shirley Payne,...
Talking With The Boss About Security
Darlene Quackenbush, James Madison University
Shirley Payne, University of Virginia
EDUCAUSE Security Professionals Conference
April 4th, 2005
We must all become much more vigilant in the provision of secure systems, in intrusion detection, in rapid response, and especially in education. We must practice, teach, and infuse all aspects of security into campus lives.
Dr. Linwood H. Rose
President, James Madison University
“Information Security: A Difficult Balance”
EDUCAUSE Review, September/October 2004
Agenda
• The Executive Audience
• Benefits of Effective Communication
• Obstacles To Effective Communication
• Leveraging Institutional Culture
• Communication Strategies & Examples
The Executive Audience
• Boards of Trustees
• Presidents
• Vice Presidents & Provosts
• Deans & Department Heads
• Chiefs of Staff
Perceived Barriers To IT Security
[Figure: bar chart, scale 0% to 80%. Barriers shown: Resources; Awareness; Academic Freedom; Culture of Decentralization; Absence of Policies; Enforcement of Policies; Senior Management Support; Technology; Legal Lags Technology; Individual Privacy; Vendor Hardware/Software; Freedom of Speech.]
Source: Information Technology Security Study, EDUCAUSE Center for Applied Research, Sept. 2003
Benefit: Appropriate Strategies
[Figure: the “Perceived Barriers To IT Security” bar chart (scale 0% to 80%), shown again.]
Source: Information Technology Security Study, EDUCAUSE Center for Applied Research, Sept. 2003
Privacy and academic freedom are critical components of campus culture; it is vital that decisions on policies and procedures regarding security and related issues be carefully vetted, understood, and authorized by both the highest levels of the campus leadership and the representatives of the campus community. The executive role in all of these matters is crucial if internal dissension and unnecessary strife are to be avoided.
“Presidential Leadership for IT”
David Ward and Brian L. Hawkins
EDUCAUSE Review, May/June 2003
Benefit: Effective Policies
[Figure: the “Perceived Barriers To IT Security” bar chart (scale 0% to 80%), shown again.]
Source: Information Technology Security Study, EDUCAUSE Center for Applied Research, Sept. 2003
Benefit: Clear Assignment of Responsibilities
[Figure: the “Perceived Barriers To IT Security” bar chart (scale 0% to 80%), shown again.]
Source: Information Technology Security Study, EDUCAUSE Center for Applied Research, Sept. 2003
Benefit: Executive Role Model
[Figure: the “Perceived Barriers To IT Security” bar chart (scale 0% to 80%), shown again.]
Source: Information Technology Security Study, EDUCAUSE Center for Applied Research, Sept. 2003
If you can get the president to set the right tone, a majority on campus will likely follow her or his lead in supporting the changes and improvements you recommend.
“Gaining the President’s Support for IT Initiatives at Small Colleges”
Laurence W. Mazzeno, President, Alvernia College
EDUCAUSE Quarterly, Number 1, 2004
Benefit: Investment Aligned With Risk Profile
[Figure: the “Perceived Barriers To IT Security” bar chart (scale 0% to 80%), shown again.]
Source: Information Technology Security Study, EDUCAUSE Center for Applied Research, Sept. 2003
Additional Benefits
• Opportunity to establish appropriate expectations
• Constructive involvement should a security incident occur
In a time of crisis, it’s always good to have a boss smarter than you.
Joy Hughes, VP/CIO, George Mason University
Be Prepared For...
• Additional Work To:
  – tailor the information
  – provide status reports, possibly including development of new metrics
  – respond to inquiries
• Increased accountability
Obstacle To Effective Communication: Who are you?
Responsibility for security is placed low in the organization
Obstacle To Effective Communication: IT security?
Significant lack of awareness
Obstacle To Effective Communication: Why spend my time on this?
Security not an institutional priority
Obstacle To Effective Communication: Why can’t you handle it yourself?
Executive role not clear
Obstacle To Effective Communication: What the heck is an IPS?
Techno-speak
Obstacle To Effective Communication: Where’s the ROI?
Lack of security metrics
Obstacle To Effective Communication: You again?
Security viewed as one-time fix-it project
Obstacle To Effective Communication: That’s not how we do things here?
Cultural Factors
What Defines Culture?
• Strategic Planning and Decision-Making
  – Examples:
    • Top-down
    • Bottom-up
    • Consensus-based
• Institutional Values
  – Examples:
    • Collegial working relationships
    • Emphasis on accountability at all levels of institution
    • Strong faculty influence
    • Student honor code
What Defines Culture?
• Control of Operational Functions
  – Examples:
    • Centralized
    • Decentralized
• Long-term Institutional Priorities
  – Examples:
    • Increase research
    • Increase community outreach
    • Compliance
• Other influences on culture?
A Good Blueprint
• A plan
• A function of environment
• Express one’s culture/desires
• Based on examples/knowledge of others
• Guide for communicating with others
Communication Strategies
Silence is NOT golden
• Communicate early and often
• Build Awareness
• Build Trust
Communication Strategies
Prepare to communicate
• Know your security goals
• Be prepared to educate
• Craft the message
• Have outcomes in mind
Communication Strategies
Adjust to change
• Listen
• Draw linkages
• Monitor technical and regulatory changes
• Consider timing
• Promote agility
Communication Strategies
Prepare for the “long haul”
• Manage expectations
• Embed security
• Communication as an investment
• Accountability
Communication Strategies
Leverage culture
• Tools/Tailoring/Timing
• Compromise/Consensus
• Compliance
• Shared ownership
Ideas For Using Culture
Consensus-based Decision-Making
Gain Mid-level Support First
University of Virginia LSP Program http://www.itc.virginia.edu/dcs/lsp
George Mason University SALT Group http://itu.gmu.edu/security/sysadmin/salt-description.html
Ideas For Using Culture
Increasing Emphasis on Compliance
Spotlight Federal Regulations Related to Security & Privacy
IT Security for Higher Education: A Legal Perspective http://www.educause.edu/ir/library/pdf/csd2746.pdf
Family Educational Rights & Privacy Act http://www.ed.gov/policy/gen/guid/fpcp/ferpa/index.html
Gramm Leach Bliley Act http://www.ftc.gov/privacy/glbact/index.html
Health Insurance Portability & Accountability Act http://www.hhs.gov/ocr.hipaa
Communication Strategies
Seize “opportunities”
• Bad things will happen
• Anxiety is attention
• So is Contemplation
• Change culture
References
ACE Letter to Presidents Regarding Cybersecurity http://www.acenet.edu/washington/letters/2003/03march/cyber.cfm
Developing Security Education and Awareness Programs http://www.educause.edu/ir/library/pdf/EQM0347.pdf
Gaining the President’s Support for IT Initiatives at Small Colleges http://www.educause.edu/apps/eq/eqm04/eqm0417.asp
EDUCAUSE Information Security Governance Assessment Tool http://www.educause.edu/LibraryDetailPage/666?ID=SEC0421
Information Security: A Difficult Balance http://www.educause.edu/pub/er/erm04/erm0456.asp
Information Security Governance: A Call to Action http://www.cyberpartnership.org/InfoSecGov4_04.pdf
Information Technology Security: Governance, Strategy, and Practice in Higher Education http://www.educause.edu/LibraryDetailPage/666?ID=ERS0305
Presidential Leadership for Information Technology http://www.educause.edu/ir/library/pdf/erm0332.pdf