The Career of the IT Security Officer in Higher Education


Marilu Goodyear, ECAR and University of Kansas
Gail Salaway, ECAR
Mark R. Nelson, ECAR and National Association of College Stores
Rodney Petersen, EDUCAUSE
Shannon Portillo, George Mason University

ECAR Occasional Paper, June 2009
Occasional Paper from the EDUCAUSE Center for Applied Research

This occasional paper is available online at the ECAR website ( Walnut Street, Suite 206 Boulder, Colorado


EDUCAUSE is a nonprofit association whose mission is to advance higher education by promoting the intelligent use of information technology. The mission of the EDUCAUSE Center for Applied Research is to foster better decision making by conducting and disseminating research and analysis about the role and implications of information technology in higher education. ECAR will systematically address many of the challenges brought more sharply into focus by information technologies.

Copyright 2009 EDUCAUSE. All rights reserved. This ECAR occasional paper is proprietary and intended for use only by subscribers and those who have purchased this study. Reproduction, or distribution of ECAR occasional papers to those not formally affiliated with the subscribing organization, is strictly prohibited unless prior written permission is granted by EDUCAUSE. Requests for permission to reprint or distribute should be sent to ecar@educause.edu.

Contents

Chapter 1: Introduction
    Research Methodology
    Overview of Respondent Characteristics
Chapter 2: The Position and the Person
    Reporting Line
    Previous Position
    ISO Demographics
    Conclusion
Chapter 3: Responsibilities, Skill Sets, and Professional Development
    Position Responsibilities
    Analysis of Job Announcements
    Reaching Out for Advice and Counsel
    Conclusion
Chapter 4: Authority, Challenges, and Program Strategies
    Authority and Challenges
    Security Program Strategies
    Conclusion
Chapter 5: Conclusion
Appendix A: Institutional Respondents to the Online Survey
Appendix B: Position Titles of ISO Respondents to the Online Survey
Appendix C: Bibliography


1 Introduction

In 2003 the EDUCAUSE Center for Applied Research (ECAR) culminated a year of research with the publication of Information Technology Security: Governance, Strategy, and Practice in Higher Education by Robert B. Kvavik and John Voloudakis. That study chronicled the end of an era in which interpersonal and institutional trust and the academic penchant for openness guided information technology (IT) security strategy at many college and university campuses. Three months prior to the publication of the study, many institutions of higher learning were laid low by the Slammer worm, one of the most malicious and destructive intrusions of its day. The 2003 study indicated that Slammer represents a turning point in IT security in higher education. Slammer opened the door to a new view of IT security, a view that protecting academic networked resources in many cases trumped openness when it came to network design and architecture. Colleges and universities in large numbers began in earnest to invest in IT security and to develop a cadre of professionals who would be trained in and responsible for achieving security in IT policy and operations.

During , ECAR again looked deeply at this topic and, in 2006, published Safeguarding the Tower: IT Security in Higher Education by Robert B. Kvavik, with John Voloudakis. This study reported extraordinary progress in securing higher education's IT assets and information.

Since 2006, IT security has continued to rise in importance in higher education, a rise that is reflected in the development of widespread campus IT security programs and national programs sponsored by federal and state governments as well as the development of programs by professional associations. Initially, IT security programs focused on the use and abuse of technology, both hardware and software, and on ensuring reliability and availability of information systems. More recently, these programs have focused on data and information management.
Concerns about confidentiality, integrity, and availability of data and the need to manage the risks of institutional embarrassment that come with breaches have been cited as reasons for organizational leaders choosing to invest in IT security programs. Confidentiality refers to the protection of information, including personally identifiable information or intellectual property, from unauthorized use or disclosure. Integrity means protecting information from unauthorized, unanticipated, or unintentional modification. Availability refers to the expectation that computers, systems, and networks will be available on a timely basis to meet organizational mission requirements or to avoid substantial losses (e.g., loss of use of the campus information system). The concern for availability is closely aligned with business continuity issues, which have become paramount in recent years due to the dramatic examples of institutional vulnerability to environmental disasters.[1]

At this writing, it is abundantly clear that IT security is an institutional imperative, has critical policy and operational aspects, involves the engagement of important elements of the institution's leadership (CIO, general counsel, internal auditor) and demands an increasingly knowledgeable and specialized professional workforce. As a result, the 2006 ECAR study reveals that higher education institutions have invested funds, developed policy, implemented technology, and hired IT security staff to meet the rising challenge.

Central to this complex environment is the individual who is given the responsibility to lead and manage the IT security program for the entire organization. On many campuses, keeping the campus network functional was paramount.[2] Given the immediate challenges to the network, initially it was often the network staff who began working in the area of IT security. Their focus and knowledge, of course, concerned network security. In recent years, the IT security role has grown increasingly complex and now extends well beyond networking and the IT units. The responsible individual now often plays a broad role within the institution, working with administrators, faculty, and staff at all levels. These individuals are involved in compliance and technical operations, but they also play an important role in policy development, user education, and data/information management. This study seeks to document and understand this role as well as understand the strategies used to further the work of IT security within their institutions. As IT security programs develop, it has become common to create positions to lead and manage security programs for the entire organization.
These positions are being created not only in higher education but also in federal and state governments and in the private sector.[3] The title information security officer (ISO) is commonly applied to this position, frequently modified as chief information security officer to highlight the individual's responsibility across the whole organization. The terminology used, however, varies on the basis of the specific responsibilities assigned to the position and local protocols for titles. In addition, the results of the survey that informed this study suggest that management responsibility for IT security is still often assumed by an individual with other significant responsibilities (including CIOs) at institutions that lack a distinct ISO position.

The previous ECAR studies mentioned have documented the development of this role. Our 2003 study on IT security found that among those holding the position responsible for day-to-day management of IT security, 22.4% held the title chief IT security officer or equivalent.[4] Using slightly different terminology, our 2006 study (based on a 2005 survey) reported that 34.9% of those assigned day-to-day management responsibility for central IT security held the title IT security officer or equivalent.[5] Though the somewhat more inclusive title used in the later survey may account for some of the difference, we strongly suspect that most of the change was the result of growth in the position itself. Certainly our 2006 survey found other indicators of rising attention to IT security in both its technical and cultural aspects.[6] This growth was one reason ECAR chose to conduct this study on the ISO role.

Research Methodology

This study employed multiple research strategies, including quantitative and qualitative methods, to study the role of the ISO. The methodology included four major components: a literature review, an analysis of job announcements and descriptions, a web-based quantitative survey, and qualitative interviews with individuals who answered the survey and agreed to be contacted for additional information. The resulting data set comprises information from more than 300 institutions that are addressing IT security needs in higher education.

The literature search assisted us in understanding the national landscape for IT security professionals. Information from IT security professional associations[7] and governmental information was reviewed. Information from the National Cyber Security Division of the Department of Homeland Security was particularly helpful in understanding the responsibilities of the role.[8]

In an effort to understand this role, we reviewed and analyzed job announcements for IT security management positions from past years. The EDUCAUSE job listing service was used as the source for this analysis. All job announcements posted from January 1999 to April 2008 that included the word security were reviewed. Of the 3,317 job announcements posted during this time period, 391 were directly related to the security function and 167 were seeking applicants for IT security managers as indicated by the title of the position. Titles selected for inclusion in this phase of the analysis included the words security and information or information technology (or simply IT) and an additional word that would commonly indicate a management role. The words used for this managerial role were director, officer, administrator, manager, coordinator, or chief. A random sample of these positions by year was taken, and the responsibilities and qualifications for positions were analyzed. A total of 59 position announcements were analyzed.

A web-based survey of members from EDUCAUSE higher education institutions was conducted in early ECAR sent invitations to participate in the survey to 1,685 institutions, through their EDUCAUSE or ECAR institutional representatives (typically the CIO).
The invitee was asked to refer the survey to "the person who is assigned the day-to-day management responsibility for central IT security in your institution." Individuals from 311 institutions responded to the survey (Appendix A). Figure 1-1 provides data for these institutions, by EDUCAUSE membership and Carnegie class. This figure points out that the survey group was weighted in the direction of doctoral and master's institutions. Note that much of the analysis in this study refers to a subset of 123 respondents who reported ISO-related titles; see Overview of Respondent Characteristics below.

[Figure 1-1. Survey Respondents, by EDUCAUSE Membership and Carnegie Class. Vertical axis: Number of Institutions. Horizontal axis: Carnegie Class (DR, MA, BA, AA, Other Carnegie, Canada). Series: Survey respondents, EDUCAUSE members, Carnegie institutions.]

Four interviews were conducted at the beginning of the study. The results of these interviews were used to inform and develop the survey. Six individuals who have ISO responsibilities reviewed a draft of the survey and provided advice on the survey before it was released. Qualitative interviews were conducted with 16 individuals who indicated on the initial survey a willingness to discuss their role further. These interviews focused on campus strategy for IT security programs and individual officer approaches to gaining cooperation from both other IT staff and users. Because of the potentially sensitive nature of the material we discussed with these interviewees, we have not identified them in this study. All quotes in the study, however, have been verified with the original interviewees.

Overview of Respondent Characteristics

Though respondents said that they were the individual assigned day-to-day management responsibility for central IT security, they held a wide variety of positions. To identify a group clearly holding ISO positions, we segmented the data into four groups using the job title provided by the survey respondent. Each job title was analyzed to determine its primary role within the institution. Four title categories were created: senior-most IT leader, ISOs, security or network positions (non-ISO), and other positions that did not fit into the previous three categories. For this study we were most interested in identifying the individuals who appeared to be the institution's ISO. Appendix B provides a list of titles included in the ISO category. Figure 1-2 shows the distribution of respondents into these four groups and indicates that 39.9% (123 individuals) of the total respondent base were identified as the ISO group.
Titles of 93 respondents indicated that they held a position that included security or network responsibilities, but they could not be identified as playing a management role. Therefore, we chose not to include these individuals in the ISO title category. One in 10 (10.7%) of the respondents held the senior-most IT leader position in their institution. The breakdown by Carnegie class and student enrollment shows that the majority of the senior-most IT leaders who responded to the survey work at MA and BA institutions and at institutions with 4,000 or fewer students (Table 1-1). Most respondents in the ISO category come from larger institutions, with more than 8,000 enrolled students, and from DR and MA institutions. About two-thirds of respondents come from public institutions, and the distribution between public and private institutions is fairly consistent across the four title categories.

[Figure 1-2. Title Category (N = 308). Information security officer (ISO), 39.9%; Security or network position (non-ISO), 30.2%; Other, 19.2%; Senior-most IT leader, 10.7%.]

Most of the data reported in this study is from the group of 123 individuals whose titles indicate that they are their institution's ISO. Given that the study is focused on this emerging profession and provides data on career patterns and institutional role, it is important that we limit our analysis to that group. We are aware that the use of title has its limitations and that our selection method probably excluded some ISOs within the overall respondent group, but we believe that this categorization will provide the best analysis of the data for the profession. We refer to this group as ISOs throughout the rest of the study.

The survey asked questions about the individuals, their reporting lines, and their career plans, as well as respondents' training needs and the skill sets necessary to perform this function. We asked about areas of responsibility assigned to the ISOs by their institutions as well as the actions they were authorized to take. Data about the information-seeking patterns of the officers were gathered by looking at their participation in organizations and the advice they sought from individuals within and outside their institutions. Lastly, we sought to learn about the strategies used by the officers to improve security on their campuses, establish their credibility, and respond to challenges to their authority from their constituents.

Who are these individuals who play the ISO role? What is their career history and how are their positions defined in the institutional context? These are the questions we explore in Chapter 2.

Table 1-1. Profile of Respondents' Institutions, by Title Category

| | Senior-Most IT Leader (N = 33) | Information Security Officer (ISO) (N = 123) | Security or Network Position (Non-ISO) (N = 93) | Other (N = 59) | Total (N = 308) |
| Carnegie Class | | | | | |
| DR | 3.1% | 51.2% | 30.1% | 16.9% | 33.2% |
| MA | 34.4% | 22.0% | 28.0% | 30.5% | 26.7% |
| BA | 37.5% | 4.9% | 21.5% | 18.6% | 16.0% |
| AA | 15.6% | 8.1% | 10.8% | 15.3% | 11.1% |
| Other Carnegie | 6.3% | 9.8% | 6.5% | 8.5% | 8.1% |
| Canada | 3.1% | 4.1% | 3.2% | 10.2% | 4.9% |
| Student FTE Enrollment | | | | | |
| 1–2,000 | | 5.9% | 17.4% | 23.2% | 15.8% |
| 2,001–4,000 | | 7.6% | 22.8% | 21.4% | 17.8% |
| 4,001–8,000 | | 20.2% | 23.9% | 26.8% | 22.5% |
| 8,001–15,000 | | 26.1% | 20.7% | 12.5% | 19.5% |
| More than 15,000 | | 40.3% | 15.2% | 16.1% | 24.5% |
| Control | | | | | |
| Private | 37.5% | 32.2% | 38.0% | 27.6% | 33.7% |
| Public | 62.5% | 67.8% | 62.0% | 72.4% | 66.3% |

Endnotes

1. Robert B. Kvavik, with John Voloudakis, Safeguarding the Tower: IT Security in Higher Education 2006 (Research Study, Vol. 6) (Boulder, CO: EDUCAUSE Center for Applied Research, 2006), 13–14, available from
2. Robert B. Kvavik and John Voloudakis, with Judith B. Caruso, Richard N. Katz, Paula King, and Judith A. Pirani, Information Technology Security: Governance, Strategy, and Practice in Higher Education (Research Study, Vol. 5) (Boulder, CO: EDUCAUSE Center for Applied Research, 2003), 59, available from and Kvavik, 2006,
3. The Federal Information Security Management Act (FISMA) mandates that federal agencies appoint a chief security officer.
4. Kvavik and Voloudakis, Information Technology Security,
5. Kvavik, Safeguarding the Tower,
6. Ibid.,
7. Associations and institutions included in the review are Computer Security Institute, the EDUCAUSE/Internet2 Security Task Force, the Information Systems Security Association, REN-ISAC, US-CERT, SANS, and multiple federal agencies and standards organizations.
8. Office of Cybersecurity and Communications, National Cyber Security Division, Information Technology (IT) Security Essential Body of Knowledge (EBK): A Competency of Functional Framework for IT Security Workforce Development (Washington, DC: Department of Homeland Security, September 2008),

2 The Position and the Person

The importance of the IT security function within the higher education environment has been well documented. As institutions seek to fulfill their obligations in this area, a critical component of the institutional strategy is to recruit and retain qualified individuals to perform the position responsibilities of the information security officer. Given that this is a new subfield within IT, there has not been a clearly defined path for CIOs to follow when recruiting for this position. In this chapter, we explore the personal characteristics of the individuals who hold the ISO position, their career paths, and their career plans.

Reporting Line

The data from this ECAR survey show that 64.2% of the ISOs reported to the CIO (or equivalent) and another 8.1% reported to a vice president or vice provost (Figure 2-1). Reporting lines to the chief technology officer (CTO) were reported by 8.1% of the ISOs, and an additional 5.7% reported to an associate/assistant/deputy CIO. Previous studies have documented the historical link between ISOs and networking. In this instance, we found that only 6.5% of the ISOs had a reporting line to the director of networking. ISOs who had experienced reporting to the networking director and now reported to the CIO level discussed the benefits of that direct line of communication in our qualitative interviews. One officer noted, "When I was in the networking group, I think that my request went as far as the director level and maybe didn't reach the CIO. Now that I have the ear of the VP and she lives in my world and I live in hers, she helps me understand the business processes. I think they get more done. I think I'm more effective."

Previous Position

In an attempt to understand where institutions are finding the individuals with the right skill sets to fill the ISO position, we asked about the officer's previous position (this might refer to a different position in the same institution).
We found that the vast majority (95.9%) held a previous position in IT. In addition, as Figure 2-2 shows, a majority of them (62.6%) came from a previous position within higher education, although almost one-fourth (22.8%) came from the private sector. CIOs might find these results interesting if they are seeking to fill an ISO position and are having a difficult time finding the appropriate skill set within higher education. Fewer ISOs came from the non-higher-education public sector (13.0%).

[Figure 2-1. Position ISO Reports To (N = 123). Axis: Percentage of Respondents. Chief information officer (or equivalent), 64.2; Chief technology officer (or equivalent), 8.1; Vice president/vice provost (non-CIO), 8.1; Director of networking, 6.5; Associate/assistant/deputy chief information officer; Other IT management; Director of academic computing, 1.6; Other non-IT management, 0.8; Director of administrative computing, 0.8; Associate/assistant/deputy chief technology officer, 0.8.]

[Figure 2-2. Sector of ISO Previous Position (N = 123). Axis: Percentage of Respondents. Categories: Higher education; Private sector, not higher education; Public sector, not higher education; Other.]

We were also interested in the level of the ISO's previous position. As Figure 2-3 shows, the top-two levels of previous positions are director and middle manager, accounting for a majority of ISO respondents (56.9%). This suggests that institutions are recruiting their ISOs from the IT managerial ranks. Nineteen percent of the ISOs held a frontline technology position before becoming an ISO. In the interviews, ISOs discussed their technical background and also the need to develop a broader skill set. One ISO noted, "When I started my career I was in a highly technical role; I started programming large mainframes. It is very different from what I do now, and it has forced me to not spend as much time on the technical details, the things I enjoyed previously. And now I focus on the things that can move the program forward on the broader administrative, communication, and coordination activities. I think we need some recognition and understanding of the technical fundamentals, but in order to move forward you need these other characteristics, skills, and experience. I think it is a natural evolution of the security professional that you start [with a] very strong technical background, and then to move forward, if you want to take on the broader information security role, you have to be able to move beyond that and develop those other skills, being able to understand the technical part but also being comfortable with moving away from that. If I had the day-to-day management of servers or a cluster, I would initially struggle, but that is the cost of taking on the broader role."

ISO Demographics

The path by which the officers come to their jobs, largely through the technical ranks of IT organizations and with an emphasis on managerial and networking positions, predicts the biographical profile of the ISO group.
Like other IT professional groups, an overwhelming number of them are male (79.5%). The mean age of the ISOs is 43.3 years. However, Figure 2-4 shows that the ISO ages spanned what we would normally call early career through midcareer; only 12.0% of ISOs were 55 or older and therefore near retirement age.

[Figure 2-3. Level of ISO Previous Position (N = 116). Axis: Percentage of Respondents. Director, 31.0; Middle manager, 25.9; Frontline technology professional, 19.0; Team leader; Vice president/provost/vice provost (non-CIO); Associate/assistant/deputy chief information officer, 5.2; Chief information officer (or equivalent), 3.4.]

[Figure 2-4. ISO Age (N = 117). Axes: Percentage of Respondents, Age.]

Education and Certification

Figure 2-5 illustrates the educational attainment of the ISOs who responded to the survey. They are well educated, with 41.0% holding an advanced degree and 50.0% holding a baccalaureate degree. We asked respondents to note the disciplines of their highest earned degree(s). Table 2-1 shows that among the most common degree fields were, as expected, management information systems, IT, and computer science.[1] As higher education has begun to recognize the new subfield of information security, institutions have begun to offer majors in this area as well. Two of the ISOs reported that they hold degrees in information assurance, and one specified information security, potentially a trend for the future of the profession. A highest earned degree in business was reported by 17.1% of the ISOs. The importance of business process analysis, noted later in this report, to the security function suggests that this background could be very useful to an ISO. A variety of other degree fields were also reported, reflecting the general state of the higher education IT community wherein individuals find careers in IT from a variety of paths and through no single entry point.

[Figure 2-5. ISO Highest Earned Degree (N = 122). Baccalaureate, 50.0%; Master's, 36.1%; Doctorate (PhD, JD, EdD, MD), 4.9%; High school diploma, 4.9%; Associate, 4.1%.]

The ISO respondents have acquired additional education to augment their degrees and work experience. The survey inquired about four of the most common certifications: Certified Information Systems Auditor (CISA), Certified Information Systems Security Professional (CISSP), Global Information Assurance Certification (GIAC), and Certified Information Security Manager (CISM). As Table 2-2 indicates, the CISSP is the most commonly held certification among the 123 ISOs who responded to the survey, with 50 of them reporting that they held this certificate. The other certificates included on the survey are not as common; fewer than 20% of the ISOs held these certificates. It appears that the individuals who pursue one certificate are more likely to obtain an additional one. Of those with a CISSP certificate, 58.0% had one or more of the other three certificates; of those without a CISSP certificate, only 27.4% had one or more of the other three certificates. Overall, more than half of ISO respondents (56.9%) reported holding one or more certificates.

Table 2-1. Field of ISO Highest Earned Degree (N = 111)

| Field | N | Percentage |
| Management information systems and information technology | | |
| Computer science | | |
| Business | | |
| Physical sciences, including math | | |
| Humanities | | |
| Social sciences | | |
| Engineering | 7 | 6.3% |
| Other | 6 | 5.4% |
| Education, including physical education | 3 | 2.7% |
| Life/biological sciences, including agriculture and health sciences | 2 | 1.8% |
| Fine arts | 2 | 1.8% |

Table 2-2. ISO Certification (N = 123)

| | N | Percentage |
| Type of Certification | | |
| Certified Information Systems Security Professional (CISSP) | | |
| Global Information Assurance Certification (GIAC) | | |
| Certified Information Security Manager (CISM) | | |
| Certified Information Systems Auditor (CISA) | | |
| Number of Certifications | | |
| None | | |
| One | | |
| Two | | |
| Three | 9 | 7.3% |

Time in Position and Career Plans

More than one-quarter (28.4%) of the respondents indicated that they have held their present position one year or less (Table 2-3). Another 35.8% reported holding their position two to three years, indicating that the ISO position is new or that individuals are moving from position to position.

The study gathered data on the stability of the individuals in their current position and whether they planned to remain in an IT security position. Table 2-4 indicates that 56.6% of the ISOs planned to stay six years or more in an IT security position. This is good news for CIOs who are concerned about retention for the ISO position. However, ISO plans in relation to their present position show less stability, with 36.0% reporting that they planned to remain six years or more. The ISOs were also asked if they planned to stay in higher education for the remainder of their career, and 48.7% said yes.

However, the survey data also finds that a number of current ISOs are unsure of their career path. Fully one-fourth of the respondents indicated that they didn't know how long they would stay in their current position, and one-fourth didn't know how long they would stay in an IT security position. In addition, 44.5% didn't know whether they planned to stay in higher education for the remainder of their career. Given that so many ISOs are unsure of their direction but many others seem to find long-term prospects in the field, this indicates an opportunity for the IT profession and higher education institutions to win over the "don't knows" in their career decisions.

Table 2-3. Years ISO Has Worked in Current Position (N = 123)

| Time | N | Percentage |
| 1 year or less | | |
| 2–3 years | | |
| 4–5 years | | |
| 6–10 years | | |
| 11–15 years | 3 | 2.4% |
| More than 15 years | 3 | 2.4% |

Table 2-4. Years ISO Plans to Stay in Positions

| Time | Remain in Current Position (N = 117) | Remain in IT Security Position (N = 118) |
| 1 year or less | 8.5% | 1.6% |
| 2–3 years | 18.8% | 7.2% |
| 4–5 years | 11.1% | 9.3% |
| 6–10 years | 24.0% | 27.1% |
| 11–15 years | 7.7% | 11.0% |
| 16–20 years | 2.6% | 8.5% |
| More than 20 years | 2.7% | 10.0% |
| Don't know | 24.7% | 25.4% |

Although many did not know whether they would stay in higher education, in an IT security position, or in their present position, the ISOs were more certain about their career ambitions. Asked to describe their ultimate career goal, most officers indicated that they were looking to advance in their careers, with more than half (54.5%) looking to a higher-level position within the IT profession. Table 2-5 indicates that 31.4% were looking to advance within IT security. Given that these individuals were the ISOs currently, this might indicate an ambition to move to a different institution in order to gain a higher-level position. Another 23.1% had a career goal of a higher-level position within IT but not in IT security.

The qualitative interviewees spoke to this issue. ISOs reported that as they were given more responsibility for campus-wide coordination and communication within the IT security program, they gained confidence in their planning and communication skill sets. They also were able to build relationships and reputations for successful collaboration that assisted them in developing a campus-wide profile. This part of the ISO position prepares the individuals for the collaboration that is necessary for higher-level IT leadership positions. Only 10.0% of ISOs reported that they had no ultimate career goal (or "don't know"), and 15 individuals answered "other," potentially indicating that they were undecided or had career goals that didn't include another position, like retirement.

Salary

Figure 2-6 shows salary levels for the identified ISO respondents answering this survey. The data indicate a wide range of salary levels, with one-third of the ISOs in the $90,000 to $109,999 range. Salary levels were also analyzed by institution size. Table 2-6 indicates that ISO pay appears to be higher in respondent institutions with more than 8,000 FTE enrollment.
Table 2-5. ISO Ultimate Career Goal (N = 121)

| Position | N | Percentage |
| IT Security: Lateral position | 2 | 1.7% |
| IT Security: Higher-level position | | |
| Another IT Area: Lateral position | 1 | 0.8% |
| Another IT Area: Higher-level position | | |
| Outside IT: Lateral position | 1 | 0.8% |
| Outside IT: Higher-level position | 6 | 5.0% |
| Current Position | | |
| Other | | |
| No Plan/Don't Know | | |

[Figure 2-6. ISO Salary (N = 113). Axis: Percentage of Respondents, by salary range.]

Table 2-6. ISO Salary, by Student FTE Enrollment (N = 109)

| Student FTE Enrollment | N | Median Range |
| 1–4,000 | | $70,000–79,999 |
| 4,001–8,000 | | $70,000–79,999 |
| 8,001–15,000 | | $80,000–89,999 |
| More than 15,000 | | $90,000–99,999 |

Conclusion

The profile of the ISOs who responded to our survey appears to be quite typical of what ECAR has found in previous studies for IT security officers and IT managers. Generally, these individuals have come from higher education and have technical backgrounds, and they are mostly male. They are midcareer, with an average age of 43.3 years. They are highly educated and are continuing that education by obtaining IT security certificates. Before becoming ISOs, these individuals tended to be in IT managerial positions, although a number also came directly from the technical ranks.

The ISOs indicated that they were looking to advance in their careers, with many continuing to focus on the IT security area or general IT management. The ISO position most often reported to the CIO, verifying that responsibility for IT security mostly rests at the highest level, but within the IT organization.

The data our study collected from ISOs confirms that the role is moving from emergent status to one that is increasingly firmly established as a profession. The creation of specific educational credentials such as the CISSP is an indicator of the profession's maturation. Our interviews confirm that ISOs now have a distinct professional identity and relate to each other as colleagues. Although the ISOs are educating themselves for this role and, as noted in Chapter 3, relating to each other as peers, more than half of the ISOs responding to the survey aspired to a higher position in IT. It is possible that the broad nature of their responsibilities combined with a direct reporting line to the CIO is giving the ISOs confidence in their ability to make that next step. In the next chapter we explore those responsibilities and how officers gain the information they need to be successful in their role.

Endnote

1. This data comes from respondents' written answers to the survey question, "In what field is your highest earned degree?" Several of the respondents held more than one degree; therefore the total of all the fields is larger than the number of respondents.

3 Responsibilities, Skill Sets, and Professional Development

One of the more interesting aspects of a fairly new profession such as information security officer is how the responsibilities are defined. CIOs who are identifying the qualifications for the role seek assistance in defining the skill sets needed to be successful. Given that this role is fairly new, CIOs have less information about the responsibilities because literature to support the role is less developed. In this circumstance, individuals can depend more on their supervisors to define their roles and also depend on the informal network of individuals who are also engaged in this role on their campus.

For these reasons, our survey explored the responsibilities, skill sets, professional development needs, and qualifications respondents thought were needed in the ISO role. We also examined announcements for ISO positions to learn how the position is being advertised and whether announcements are in accord with ISOs' views of the profession. Although previous ECAR IT security studies have touched on the ISO role, for the first time within the higher education sector, this study explored how officers obtain the training and information they believe they need to be successful.

Position Responsibilities

In 2007, the U.S. Department of Homeland Security issued a report on the competencies needed in the ISO role.¹ This study defined the ISO role as follows: "The ISO is charged with the development and subsequent enforcement of the company's security policies and procedures, security awareness program, business continuity and disaster recovery plans, and all industry and governmental compliance issues."² ECAR's survey explored the position responsibilities of officers within the higher education environment, using the first draft of these federally defined competencies as a guide.
One of the points made by ISOs in our initial interviews was that the ISO position is changing from a primarily technical position to one that combines both technical and managerial functions. Therefore, we included both technical and managerial responsibilities in our questions. The survey explored whether the respondents held primary responsibility for an area, provided support for that area, or held no responsibility for it. As Table 3-1 shows, the ISOs had primary responsibility for many functions central to the IT security enterprise. The primary responsibilities for the ISO appear to emphasize the policy, analysis, and educational aspects of the position. Less commonly they had primary responsibility for the technical and managerial items asked about on the survey; in these areas, ISOs appear to have support responsibilities.

Table 3-1. ISO Areas of Responsibility

| Area | N | Primary | Support | No Responsibility |
|---|---|---|---|---|
| Most ISOs Have Primary Responsibility | | | | |
| Incident management | | | 8.9% | 0.8% |
| Training and awareness of users about security issues | | | 16.3% | 0.0% |
| Policy development and administration | | | 22.8% | 0.8% |
| Risk assessment and management | | | 23.6% | 1.6% |
| Regulation and standards compliance | | | 29.3% | 2.4% |
| Digital forensics | | | 26.0% | 5.7% |
| Security architecture | | | 33.3% | 0.8% |
| Coordination with law enforcement | | | 34.1% | 4.1% |
| Some ISOs Have Primary Responsibility | | | | |
| Data and information management (classification, retention, destruction) | | | 48.8% | 2.4% |
| Supervision of employees | | | 21.3% | 33.6% |
| Systems security | | | 56.9% | 6.5% |
| Network security and firewall management | | | 52.0% | 13.8% |
| Access controls | | | 53.7% | 13.8% |
| Authentication and authorization controls | | | 58.0% | 12.6% |
| Disaster recovery | | | 57.7% | 14.6% |
| Budget and fiscal management | | | 41.8% | 31.1% |
| Application security | | | 64.8% | 9.0% |
| Identity management | | | 63.4% | 10.6% |
| Few ISOs Have Primary Responsibility | | | | |
| Database security | | | 69.1% | 10.6% |
| Procurement of systems, software, and services | | | 58.5% | 24.4% |
| Change management | | | 61.0% | 28.5% |
| Personnel clearances or background checks | | | 24.4% | 72.4% |

Items for which fewer than half of respondents reported primary responsibility largely consisted of IT security functions for which the ISO would logically play a support role. They are responsibilities that are often performed in other parts of the IT unit, such as networking or operations. Responsibilities such as application and systems security, network security, access controls, authentication and authorization controls, and identity management are all functions in which the ISOs played a supporting role, as shown in the support column of Table 3-1. This result was consistent with many of the interviews conducted for the study, wherein ISOs described joint responsibility with other IT managers more often in these areas than those areas in the first category.
Almost a third of ISO survey respondents reported no responsibility for budget or fiscal management, and 41.8% reported only a support responsibility. In our interviews, ISOs who did have control of a security budget indicated that their ability to allocate funds enhanced their efforts to improve the technical security profile of the institution by funding projects that they felt were important even though those projects had been declared low priority by an IT unit manager. However, these results show that this type of leverage is not available to many ISOs. The one area in which fewer than half of ISOs held either primary or support responsibility is personnel background checks.

Analysis of Job Announcements

As noted in the methodology section of this report, we also looked at position announcements for the ISO position from 1999 to This let us compare the survey responses to data generated by those seeking to fill an ISO position. The reader should remember that the survey was a snapshot in time and the position announcements were posted over a period of almost 10 years.

Responsibilities most often sought in the announcements included risk assessment (54.2%), planning (61.0%), and policy development (69.5%). Focus on these areas reflects what was found in the survey in that both risk assessment and policy development were included in the survey results as areas where most ISOs have primary responsibility. Also included in more than 35% of the announcements were business continuity and disaster recovery, campus consultation, incident response, liaison to law enforcement, security architecture, and security awareness. The survey did not include responsibility choices for planning, overall business continuity, or liaison and campus consultation, but the results of the position announcements analysis indicate that employers view these areas as important.

Importance of Skills

To fulfill these responsibilities, ISOs need a variety of skills. Our research explored needed skill sets in two ways: by analyzing position announcement qualifications, and by asking a skills-rating question on our survey.
The textual analysis of position announcements found that a combination of technical and managerial skills were listed; these included technical knowledge and experience (69.5%), baccalaureate or master's degrees (66.1%), communication skills (54.2%), security certifications (39.0%), leadership skills (32.2%), and higher education experience (27.1%). These areas of qualifications match well with what we found on our survey.

The survey asked officers to rate the importance of various skills and areas of expertise that they needed to succeed in their position (Table 3-2). For this analysis we used responses only from ISOs who indicated that they had responsibility in each area (but note that a few skills items did not appear in our responsibilities list). Communication and presentation skills averaged 4.52 (between high and very high importance), which appears to be consistent with the mix of reported responsibilities in Table 3-1. Eight other areas with mean ratings of high to very high importance represent a mix of skills that directly relate to management of the security operation, such as incident management and security architecture, and skills that relate more to leadership of the security program, such as planning skills and risk assessment. The more technical skills all average below 4.0 (high importance) but above 3.0 (moderate importance), indicating that they may be secondary but are nonetheless important. Clearly, communication and analysis skills are primary to being an ISO.

Table 3-2. Importance of Skills to ISO Success (columns: N, Mean*, Std. Deviation)

High to Very High Importance: Communication and presentation skills; Knowledge of regulations and standards; Incident management; Knowledge of the higher education environment; Policy development and administration; Planning skills; Risk assessment and management; Security architecture; Supervisory skills

Moderate to High Importance: Systems security; Data and information management; Business process analysis; Security technologies (firewall, IDS); Identity management and access controls; Application security; Disaster recovery; Budget and fiscal management; Digital forensics; Procurement of systems, software, and services

Note: Calculations include only ISOs who have responsibility for an area.
* Scale: 1 = very low importance, 2 = low importance, 3 = moderate importance, 4 = high importance, 5 = very high importance

The survey also asked what other skill sets were important to success in the position. Forty-one of the 71 ISOs who provided written responses to this question mentioned what management theorists often refer to as soft skills. These skills include items such as collaboration skills, political skills, and negotiation. Also mentioned were interpersonal attributes such as patience, trust, and fairness. A similar range of soft skills, such as the ability to work collaboratively across campus and to negotiate with users, was noted in our interviews as important to ISO success. The interviews included a number of stories relating how the ISO used these types of soft skills to successfully collaborate with a variety of campus players. The ISOs appear to find value in these soft skills as well as in those we asked about in the survey.

Education and Training

The survey explored the education and training needs of the officers. As Figure 3-1 indicates, no area was selected by more than half of the ISOs as one of their top-five needs for education and training (from a list of 19 areas).
However, five areas were identified by at least 25% of the respondents. Risk assessment management, which, as we report in Chapter 4, ISOs identified as an important strategy for gaining campus support for IT security programs, was the most frequently mentioned area of training need. Digital forensics, another of the top areas, is potentially an increasing need, given the new attention being paid to digital legal issues such as e-discovery. Application security was mentioned often in the ISO interviews as a core need to protect enterprise systems and data within institutions, but also as an area that was difficult for the ISOs to keep up with, given all of their other responsibilities. The interviewees also mentioned that they depended on their knowledge in this area to establish their credibility with their central IT colleagues. Given the active environment in relation to federal and state legislation and regulation, it is understandable that ISOs see a need for training in the knowledge of regulations and standards.

Both risk assessment and knowledge of regulations were rated relatively high as skills needed for success. However, two of the other items ranking high among training needs, digital forensics and application security, were rated relatively low in skills importance. It might be that ISOs believe they need to develop this expertise for the future, or perhaps they just want to be more knowledgeable in these areas because they have neglected them in favor of other, higher-priority skills.

[Figure 3-1. ISO Need for Training and Education (N = 123) (5 Responses Allowed). Bar chart of percentage of respondents by area, in the order shown: Risk assessment and management; Digital forensics; Application security; Knowledge of regulations and standards; Identity management and access controls; Security architecture; Policy development and administration (22.0); Business process analysis; Security technologies (firewall, IDS); Incident management; Budget and fiscal management; Planning skills; Systems security; Knowledge of the higher education environment; Communication and presentation skills; Disaster recovery; Data and information management; Supervisory skills (8.1); Procurement of systems, software, and services (3.3).]

There are, of course, many ways for individuals to make up for the information deficits they may feel they have. Given that the ISO role is a new IT profession, it is particularly interesting how the individuals in these positions are obtaining the information they need to do their jobs.

Where do ISOs go for information? We asked a number of questions geared toward learning where ISOs obtain the information they need to be successful in their positions. Conferences clearly represent an important professional opportunity for ISOs. As Figure 3-2 shows, only 6.5% of the ISOs did not attend at least one conference in the past three years. In fact, 13.1% of the ISOs attended conferences from four different organizations in this time period, and another 28.7% attended conferences sponsored by three different organizations. The reader will note that a third (32.8%) of ISO respondents listed "other" for the organization sponsorship of a conference they attended. From the responses we received to another question inquiring about IT security groups that the ISOs regularly participate in, we can speculate that many of the conferences referred to in this category were sponsored by state/regional security groups.

In qualitative interviews, ISOs reported that attending conferences not only provides value from the content of the sessions but also helps them gain perspective. This person's view is typical: "EDUCAUSE has helped me understand a lot. A lot of that has been understanding that we are not unique, or my situation is not unique. But I know there are other institutions out there that are doing it far better than we are, so I learned that we are in the middle; before, I thought that it was just me." Gaining an understanding of where a campus fits in comparison with others can help the ISOs adjust their expectations of what

[Figure 3-2. IT Security Conferences ISO Attended in Past Three Years (N = 123). Bar chart of percentage of respondents by conference sponsor: EDUCAUSE (63.9); SANS Institute (45.9); Commercial vendor; State/regional higher education conference; Other; ISSA; ISACA; RSA; Did not attend a conference.]


More information

IT Investment and Business Process Performance: Survey Questionnaire

IT Investment and Business Process Performance: Survey Questionnaire IT Investment and Business Process Performance: Survey Questionnaire Thank you for participating in the study being conducted by the EDUCAUSE Center for Applied Research (ECAR). This survey is a critical

More information

Cybersecurity in the States 2012: Priorities, Issues and Trends

Cybersecurity in the States 2012: Priorities, Issues and Trends Cybersecurity in the States 2012: Priorities, Issues and Trends Commission on Maryland Cyber Security and Innovation June 8, 2012 Pam Walker, Director of Government Affairs National Association of State

More information

Managing Diversity in Liberal Arts College Libraries

Managing Diversity in Liberal Arts College Libraries Managing Diversity in Liberal Arts College Libraries 205 Managing Diversity in Liberal Arts College Libraries Mark D. Winston and Haipeng Li Although fostering diversity has been identified as a priority

More information

Human Resources POSITION DESCRIPTION (HR 120)

Human Resources POSITION DESCRIPTION (HR 120) Human Resources POSITION DESCRIPTION (HR 120) CLASSIFICATION: Administrator III DEPARTMENT: CAED WORKING TITLE: Assistant Dean of Development and External Relations FLSA: INCUMBENT: Exempt POSITION DESCRIPTION:

More information

EVALUATION OF ECA S PROFESSIONAL JOURNALISM AND MEDIA EXCHANGE PROGRAMS:

EVALUATION OF ECA S PROFESSIONAL JOURNALISM AND MEDIA EXCHANGE PROGRAMS: EVALUATION OF ECA S PROFESSIONAL JOURNALISM AND MEDIA EXCHANGE PROGRAMS: INTERNATIONAL VISITOR LEADERSHIP PROGRAM EDWARD R. MURROW PROGRAM FOR JOURNALISTS CITIZEN EXCHANGE PROGRAM EXECUTIVE SUMMARY March

More information

NSERC SSHRC AUDIT OF IT SECURITY Corporate Internal Audit Division

NSERC SSHRC AUDIT OF IT SECURITY Corporate Internal Audit Division AUDIT OF IT SECURITY Corporate Internal Audit Division Natural Sciences and Engineering Research Council of Canada Social Sciences and Humanities Research Council of Canada September 20, 2012 Corporate

More information

R345, Information Technology Resource Security 1

R345, Information Technology Resource Security 1 R345, Information Technology Resource Security 1 R345-1. Purpose: To provide policy to secure the private sensitive information of faculty, staff, patients, students, and others affiliated with USHE institutions,

More information

HIMSS Nursing Informatics

HIMSS Nursing Informatics February 19, 2011 2011 HIMSS Nursing Informatics supported by the HIMSS Nursing Informatics Community Workforce Survey www.himss.org/ni 1. Executive Summary 2011 Nursing Informatics Workforce Survey The

More information

Delaware State University. Reflecting on our past while preparing for our future

Delaware State University. Reflecting on our past while preparing for our future Delaware State University Reflecting on our past while preparing for our future EXECUTIVE SUMMARY Delaware State University s foundation dates to May 15, 1891, when the 58 th General Assembly of the State

More information

Reputation Impact of a Data Breach U.S. Study of Executives & Managers

Reputation Impact of a Data Breach U.S. Study of Executives & Managers Reputation Impact of a Data Breach U.S. Study of Executives & Managers Sponsored by Experian Data Breach Resolution Independently conducted by Ponemon Institute LLC Publication Date: November 2011 Ponemon

More information

5 IT Security Planning and Practice

5 IT Security Planning and Practice 5 IT Security Planning and Practice Planning is bringing the future into the present so that you can do something about it now. Alan Lakein Key Findings The higher its FTE enrollment, the more likely an

More information

Evolving Campus Support Models for E-Learning Courses

Evolving Campus Support Models for E-Learning Courses ECAR Respondent Summary March 2003 Respondent Summary Evolving Campus Support Models for E-Learning Courses Paul Arabasz and Mary Beth Baker Wireless networks, course management systems, multimedia, and

More information

DESERT COMMUNITY COLLEGE DISTRICT DIRECTOR OF TUTORING AND ACADEMIC SKILLS CENTER (TASC) AND SUPPLEMENTAL INSTRUCTION (SI) BASIC FUNCTION

DESERT COMMUNITY COLLEGE DISTRICT DIRECTOR OF TUTORING AND ACADEMIC SKILLS CENTER (TASC) AND SUPPLEMENTAL INSTRUCTION (SI) BASIC FUNCTION DESERT COMMUNITY COLLEGE DISTRICT DIRECTOR OF TUTORING AND ACADEMIC SKILLS CENTER (TASC) AND SUPPLEMENTAL INSTRUCTION (SI) BASIC FUNCTION Under the direction of the Executive Dean of Institutional Effectiveness,

More information

ASAE s Job Task Analysis Strategic Level Competencies

ASAE s Job Task Analysis Strategic Level Competencies ASAE s Job Task Analysis Strategic Level Competencies During 2013, ASAE funded an extensive, psychometrically valid study to document the competencies essential to the practice of association management

More information

ELECTRONIC INFORMATION SECURITY A.R.

ELECTRONIC INFORMATION SECURITY A.R. A.R. Number: 2.6 Effective Date: 2/1/2009 Page: 1 of 7 I. PURPOSE In recognition of the critical role that electronic information systems play in City of Richmond (COR) business activities, this policy

More information

2007 Higher Education CIO Effectiveness Study

2007 Higher Education CIO Effectiveness Study 2007 Higher Education CIO Effectiveness Study By Wayne A. Brown, PhD. Authors note: This research was first conducted in higher education in 2003-2004, studying four-year institution CIOs in the United

More information

Commission on Peer Review and Accreditation

Commission on Peer Review and Accreditation Commission on Peer Review and Accreditation Network of Schools of Public Policy, Affairs, and Administration ACCREDITATION STANDARDS For Master s degree programs Adopted October 16, 2009 at the NASPAA

More information

Edward E. Mills. Leadership Summary: Employment History: California State University, Sacramento

Edward E. Mills. Leadership Summary: Employment History: California State University, Sacramento Edward E. Mills Leadership Summary: With twenty-eight years of progressive experience, Mr. Mills is a collaborative and adaptable leader who fosters student success through innovative student service and

More information

University System of Maryland University of Maryland, College Park Division of Information Technology

University System of Maryland University of Maryland, College Park Division of Information Technology Audit Report University System of Maryland University of Maryland, College Park Division of Information Technology December 2014 OFFICE OF LEGISLATIVE AUDITS DEPARTMENT OF LEGISLATIVE SERVICES MARYLAND

More information

2009 HIMSS Analytics Report: Evaluating HITECH s Impact on Healthcare Privacy and Security

2009 HIMSS Analytics Report: Evaluating HITECH s Impact on Healthcare Privacy and Security 2009 HIMSS Analytics Report: Evaluating HITECH s Impact on Healthcare Privacy and Security Commissioned by ID Experts November 2009 INTRODUCTION Healthcare breaches are on the rise; according to the 2009

More information

Review of the M.A., M.S. in Psychology 42.0101

Review of the M.A., M.S. in Psychology 42.0101 Review of the M.A., M.S. in Psychology 42.0101 Overview of the program. The M.A., M.S. in Psychology program is housed in the Department of Psychology within the College of Arts and Sciences. Other programs

More information

CHAPTER 2016-138. Committee Substitute for Committee Substitute for Committee Substitute for House Bill No. 1033

CHAPTER 2016-138. Committee Substitute for Committee Substitute for Committee Substitute for House Bill No. 1033 CHAPTER 2016-138 Committee Substitute for Committee Substitute for Committee Substitute for House Bill No. 1033 An act relating to information technology security; amending s. 20.61, F.S.; revising the

More information

Is Your Company Ready for a Big Data Breach?

Is Your Company Ready for a Big Data Breach? Is Your Company Ready for a Big Data Breach? The Second Annual Study on Data Breach Preparedness Sponsored by Experian Data Breach Resolution Independently conducted by Ponemon Institute LLC Publication

More information

TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION The Impact of the Frontline Leader Readiness Program on Succession Planning Should Be Determined March 15, 2011 Reference Number: 2011-10-015 This report

More information

Understanding Security Complexity in 21 st Century IT Environments:

Understanding Security Complexity in 21 st Century IT Environments: Understanding Security Complexity in 21 st Century IT Environments: A study of IT practitioners in the US, UK, France, Japan & Germany Sponsored by Check Point Software Technologies Independently conducted

More information

California State University, Fresno

California State University, Fresno California State University, Fresno Human Resources Vacancy # 12717 Associate Vice President for Human Resources (Administrator IV) Overview: Under the general direction of the Vice President for Administration,

More information

The Advantages and Disadvantages of Academic Analytics

The Advantages and Disadvantages of Academic Analytics 5 Technology Landscape The real accomplishment of modern science and technology consists in taking ordinary men, informing them narrowly and deeply and then, through appropriate organization, arranging

More information

Council for Interior Design Accreditation

Council for Interior Design Accreditation Mission The Council for Interior Design Accreditation provides the foundation for future excellence in the interior design profession by setting standards for education and accrediting academic programs

More information

I, (MR. TECHIE) GOT THE CISO JOB! SHOULD I PREPARE 3 ENVELOPES?

I, (MR. TECHIE) GOT THE CISO JOB! SHOULD I PREPARE 3 ENVELOPES? I, (MR. TECHIE) GOT THE CISO JOB! SHOULD I PREPARE 3 ENVELOPES? Todd Fitzgerald Director Global Information Security Information Security Management Author ManpowerGroup, Inc. (NYSE:MAN, Fortune 500 #129)

More information

Ellucian Cloud Services. Joe Street Cloud Services, Sr. Solution Consultant

Ellucian Cloud Services. Joe Street Cloud Services, Sr. Solution Consultant Ellucian Cloud Services Joe Street Cloud Services, Sr. Solution Consultant Confidentiality Statement The information contained herein is considered proprietary and highly confidential by Ellucian Managed

More information

THE SANS 2005-2007 INFORMATION SECURITY SALARY & CAREER ADVANCEMENT SURVEY

THE SANS 2005-2007 INFORMATION SECURITY SALARY & CAREER ADVANCEMENT SURVEY THE SANS 2005-2007 INFORMATION SECURITY SALARY & CAREER ADVANCEMENT SURVEY What factors impact compensation? Which security certifications matter? What makes security people mad? What matters for career

More information

Cyber Side-Effects: How Secure is the Personal Information Entered into the Flawed Healthcare.gov? Statement for the Record

Cyber Side-Effects: How Secure is the Personal Information Entered into the Flawed Healthcare.gov? Statement for the Record Cyber Side-Effects: How Secure is the Personal Information Entered into the Flawed Healthcare.gov? Statement for the Record Roberta Stempfley Acting Assistant Secretary for Cybersecurity and Communications

More information

Public, Private and Hybrid Clouds

Public, Private and Hybrid Clouds Public, Private and Hybrid Clouds When, Why and How They are Really Used Sponsored by: Research Summary 2013 Neovise, LLC. All Rights Reserved. [i] Table of Contents Table of Contents... 1 i Executive

More information

OFFICE OF THE INSPECTOR GENERAL SOCIAL SECURITY ADMINISTRATION

OFFICE OF THE INSPECTOR GENERAL SOCIAL SECURITY ADMINISTRATION OFFICE OF THE INSPECTOR GENERAL SOCIAL SECURITY ADMINISTRATION CONTRACTOR SECURITY OF THE SOCIAL SECURITY ADMINISTRATION S HOMELAND SECURITY PRESIDENTIAL DIRECTIVE 12 CREDENTIALS June 2012 A-14-11-11106

More information

Competency Requirements for Executive Director Candidates

Competency Requirements for Executive Director Candidates Competency Requirements for Executive Director Candidates There are nine (9) domains of competency for association executives, based on research conducted by the American Society for Association Executives

More information

Graduate. scholars to. developing. meet the. scholarly learning. The inten establish. curriculum 1. programs. There are concisely

Graduate. scholars to. developing. meet the. scholarly learning. The inten establish. curriculum 1. programs. There are concisely Note: This document was developed as a collaboration between ADEA and the American Dental Hygienists Association. Introduction ADEA Core Competencies for Graduate Dental Hygiene Education (As approved

More information

Domain 1 The Process of Auditing Information Systems

Domain 1 The Process of Auditing Information Systems Certified Information Systems Auditor (CISA ) Certification Course Description Our 5-day ISACA Certified Information Systems Auditor (CISA) training course equips information professionals with the knowledge

More information

Delivered in an Online Format. Revised November 1, 2014. I. Perspectives

Delivered in an Online Format. Revised November 1, 2014. I. Perspectives 1 Prospectus of the Ed.D. in Curriculum and Instruction Delivered in an Online Format Revised November 1, 2014 I. Perspectives The online Doctor of Education (Ed.D.) in Curriculum is a graduate degree

More information

Navigating Change in the 401(k) Market. Key Insights for DC Plan Providers and Investment Managers

Navigating Change in the 401(k) Market. Key Insights for DC Plan Providers and Investment Managers Navigating Change in the 401(k) Market Key Insights for DC Plan Providers and Investment Managers Table of Contents Introduction...1 Key Findings...2 4 Primary Focus of Plan Sponsors Changes in Number

More information

Achieving Data Privacy in the Cloud

Achieving Data Privacy in the Cloud Achieving Data Privacy in the Cloud Study of Information Technology Privacy and Compliance of Small to Medium-Sized Organizations in germany Sponsored by microsoft Independently Conducted by Ponemon Institute

More information

AND MORE PAY, PERKS 2012 COMPENSATION HIGHLIGHTS OF THE AFP AND BENEFITS STUDY. Salary Survey BY CATHLENE WILLIAMS, PH.D., CAE

AND MORE PAY, PERKS 2012 COMPENSATION HIGHLIGHTS OF THE AFP AND BENEFITS STUDY. Salary Survey BY CATHLENE WILLIAMS, PH.D., CAE PAY, PERKS AND MORE BY CATHLENE WILLIAMS, PH.D., CAE HIGHLIGHTS OF THE AFP 2012 COMPENSATION AND BENEFITS STUDY Alex Williamson/Getty Images 36 Advancing Philanthropy July/August 2012 Some things don t

More information

CYBERSECURITY EXAMINATION SWEEP SUMMARY

CYBERSECURITY EXAMINATION SWEEP SUMMARY This Risk Alert provides summary observations from OCIE s examinations of registered broker-dealers and investment advisers, conducted under the Cybersecurity Examination Initiative, announced April 15,

More information

Graduate Education in the United States

Graduate Education in the United States Graduate Education in the United States Finnish Higher Education Experts USA Study Tour 2009 October 26, 2009 Robert Sowell Vice President for Programs and Operations Council of Graduate Schools Outline

More information

Computer and Network Security in Higher Education

Computer and Network Security in Higher Education Mark Luker and Rodney Petersen Computer and Network Security in Higher Education Mark Luker and Rodney Petersen, Editors A Publication of EDUCAUSE Copyright 2003 Jossey-Bass Inc. Published by Jossey-Bass,

More information

PRESIDENT (The Middle States Association of Colleges and Schools)

PRESIDENT (The Middle States Association of Colleges and Schools) EXECUTIVE SEARCH PROFILE PRESIDENT The Middle States Commission on Higher Education (The Middle States Association of Colleges and Schools) THE OPPORTUNITY An important challenge for the next president

More information

Utica College. Information Security Plan

Utica College. Information Security Plan Utica College Information Security Plan Author: James Farr (Information Security Officer) Version: 1.0 November 1 2012 Contents Introduction... 3 Scope... 3 Information Security Organization... 4 Roles

More information

ISMS Implementation Guide

ISMS Implementation Guide atsec information security corporation 9130 Jollyville Road, Suite 260 Austin, TX 78759 Tel: 512-615-7300 Fax: 512-615-7301 www.atsec.com ISMS Implementation Guide atsec information security ISMS Implementation

More information

University of Central Florida Class Specification Administrative and Professional. Information Security Officer

University of Central Florida Class Specification Administrative and Professional. Information Security Officer Information Security Officer Job Code: 2534 Serve as the information security officer for the University. Develop and computer security system standards, policies, and procedures. Serve as technical team

More information