The Career of the IT Security Officer in Higher Education
Marilu Goodyear, ECAR and University of Kansas
Gail Salaway, ECAR
Mark R. Nelson, ECAR and National Association of College Stores
Rodney Petersen, EDUCAUSE
Shannon Portillo, George Mason University

ECAR Occasional Paper, June 2009
Occasional Paper from the EDUCAUSE Center for Applied Research
This occasional paper is available online at the ECAR website. Walnut Street, Suite 206, Boulder, Colorado
EDUCAUSE is a nonprofit association whose mission is to advance higher education by promoting the intelligent use of information technology. The mission of the EDUCAUSE Center for Applied Research is to foster better decision making by conducting and disseminating research and analysis about the role and implications of information technology in higher education. ECAR will systematically address many of the challenges brought more sharply into focus by information technologies.

Copyright 2009 EDUCAUSE. All rights reserved. This ECAR occasional paper is proprietary and intended for use only by subscribers and those who have purchased this study. Reproduction, or distribution of ECAR occasional papers to those not formally affiliated with the subscribing organization, is strictly prohibited unless prior written permission is granted by EDUCAUSE. Requests for permission to reprint or distribute should be sent to [email protected].
Contents

Chapter 1. Introduction
  Research Methodology
  Overview of Respondent Characteristics
Chapter 2. The Position and the Person
  Reporting Line
  Previous Position
  ISO Demographics
  Conclusion
Chapter 3. Responsibilities, Skill Sets, and Professional Development
  Position Responsibilities
  Analysis of Job Announcements
  Reaching Out for Advice and Counsel
  Conclusion
Chapter 4. Authority, Challenges, and Program Strategies
  Authority and Challenges
  Security Program Strategies
  Conclusion
Chapter 5. Conclusion
Appendix A. Institutional Respondents to the Online Survey
Appendix B. Position Titles of ISO Respondents to the Online Survey
Appendix C. Bibliography
1 Introduction

In 2003 the EDUCAUSE Center for Applied Research (ECAR) culminated a year of research with the publication of Information Technology Security: Governance, Strategy, and Practice in Higher Education by Robert B. Kvavik and John Voloudakis. That study chronicled the end of an era in which interpersonal and institutional trust and the academic penchant for openness guided information technology (IT) security strategy at many college and university campuses. Three months prior to the publication of the study, many institutions of higher learning were laid low by the Slammer worm, one of the most malicious and destructive intrusions of its day. The 2003 study indicated that Slammer represented a turning point in IT security in higher education. Slammer opened the door to a new view of IT security, a view in which protecting academic networked resources in many cases trumped openness when it came to network design and architecture. Colleges and universities in large numbers began in earnest to invest in IT security and to develop a cadre of professionals who would be trained in and responsible for achieving security in IT policy and operations. ECAR again looked deeply at this topic and, in 2006, published Safeguarding the Tower: IT Security in Higher Education by Robert B. Kvavik, with John Voloudakis. This study reported extraordinary progress in securing higher education's IT assets and information. Since 2006, IT security has continued to rise in importance in higher education, a rise that is reflected in the development of widespread campus IT security programs and national programs sponsored by federal and state governments, as well as the development of programs by professional associations. Initially, IT security programs focused on the use and abuse of technology, both hardware and software, and on ensuring reliability and availability of information systems. More recently, these programs have focused on data and information management.
Concerns about confidentiality, integrity, and availability of data and the need to manage the risks of institutional embarrassment that come with breaches have been cited as reasons for organizational leaders choosing to invest in IT security programs. Confidentiality refers to the protection of information, including personally identifiable information or intellectual property, from unauthorized use or disclosure. Integrity means protecting information from unauthorized, unanticipated, or unintentional modification. Availability refers to the expectation that computers, systems, and networks will be available on a timely basis to meet organizational mission requirements or to avoid substantial losses (e.g., loss of use of the campus information system). The concern for availability is closely aligned with business continuity issues, which have become paramount in recent years due to the dramatic examples of institutional vulnerability to environmental disasters.[1]

At this writing, it is abundantly clear that IT security is an institutional imperative, has critical policy and operational aspects, involves the engagement of important elements of the institution's leadership (CIO, general counsel, internal auditor), and demands an increasingly knowledgeable and specialized professional workforce. As a result, the 2006 ECAR study reveals that higher education institutions have invested funds, developed policy, implemented technology, and hired IT security staff to meet the rising challenge. Central to this complex environment is the individual who is given the responsibility to lead and manage the IT security program for the entire organization.

On many campuses, keeping the campus network functional was paramount.[2] Given the immediate challenges to the network, initially it was often the network staff who began working in the area of IT security. Their focus and knowledge, of course, concerned network security. In recent years, the IT security role has grown increasingly complex and now extends well beyond networking and the IT units. The responsible individual now often plays a broad role within the institution, working with administrators, faculty, and staff at all levels. These individuals are involved in compliance and technical operations, but they also play an important role in policy development, user education, and data/information management. This study seeks to document and understand this role, as well as to understand the strategies officers use to further the work of IT security within their institutions.

As IT security programs develop, it has become common to create positions to lead and manage security programs for the entire organization.
These positions are being created not only in higher education but also in federal and state governments and in the private sector.[3] The title information security officer (ISO) is commonly applied to this position, frequently modified as chief information security officer to highlight the individual's responsibility across the whole organization. The terminology used, however, varies on the basis of the specific responsibilities assigned to the position and local protocols for titles. In addition, the results of the survey that informed this study suggest that management responsibility for IT security is still often assumed by an individual with other significant responsibilities (including CIOs) at institutions that lack a distinct ISO position.

The previous ECAR studies mentioned have documented the development of this role. Our 2003 study on IT security found that among those holding the position responsible for day-to-day management of IT security, 22.4% held the title chief IT security officer or equivalent.[4] Using slightly different terminology, our 2006 study (based on a 2005 survey) reported that 34.9% of those assigned day-to-day management responsibility for central IT security held the title IT security officer or equivalent.[5] Though the somewhat more inclusive title used in the later survey may account for some of the difference, we strongly suspect that most of the change was the result of growth in the position itself. Certainly our 2006 survey found other indicators of rising attention to IT security in both its technical and cultural aspects.[6] This growth was one reason ECAR chose to conduct this study on the ISO role.

Research Methodology

This study employed multiple research strategies, including quantitative and qualitative methods, to study the role of the ISO. The methodology included four major components: a literature review, an analysis of job announcements and descriptions, a web-based quantitative survey, and qualitative interviews with individuals who answered the survey and agreed to be contacted for additional information. The resulting data set comprises information from more than 300 institutions that are addressing IT security needs in higher education.

The literature search assisted us in understanding the national landscape for IT security professionals. Information from IT security professional associations[7] and governmental information was reviewed. Information from the National Cyber Security Division of the Department of Homeland Security was particularly helpful in understanding the responsibilities of the role.[8]

In an effort to understand this role, we reviewed and analyzed job announcements for IT security management positions from past years. The EDUCAUSE job listing service was used as the source for this analysis. All job announcements posted from January 1999 to April 2008 that included the word "security" were reviewed. Of the 3,317 job announcements posted during this time period, 391 were directly related to the security function and 167 were seeking applicants for IT security managers, as indicated by the title of the position. Titles selected for inclusion in this phase of the analysis included the words "security" and "information" or "information technology" (or simply "IT") and an additional word that would commonly indicate a management role. The words used for this managerial role were director, officer, administrator, manager, coordinator, or chief. A random sample of these positions by year was taken, and the responsibilities and qualifications for positions were analyzed. A total of 59 position announcements were analyzed.

A web-based survey of members from EDUCAUSE higher education institutions was conducted. ECAR sent invitations to participate in the survey to 1,685 institutions, through their EDUCAUSE or ECAR institutional representatives (typically the CIO).
The invitee was asked to refer the survey to "the person who is assigned the day-to-day management responsibility for central IT security in your institution." Individuals from 311 institutions responded to the survey (Appendix A). Figure 1-1 provides data for these institutions, by EDUCAUSE membership and Carnegie class. This figure points out that the survey group was weighted in the direction of doctoral and master's institutions. Note that much of the analysis in this study refers to a subset of 123 respondents who reported ISO-related titles; see Overview of Respondent Characteristics below.

[Figure 1-1. Survey Respondents, by EDUCAUSE Membership and Carnegie Class. Bar chart of the number of institutions in each Carnegie class (DR, MA, BA, AA, Other Carnegie, Canada) for survey respondents, EDUCAUSE members, and all Carnegie institutions.]

Four interviews were conducted at the beginning of the study. The results of these interviews were used to inform and develop the survey. Six individuals who have ISO responsibilities reviewed a draft of the survey and provided advice on the survey before it was released. Qualitative interviews were conducted with 16 individuals who indicated on the initial survey a willingness to discuss their role further. These interviews focused on campus strategy for IT security programs and individual officer approaches to gaining cooperation from both other IT staff and users. Because of the potentially sensitive nature of the material we discussed with these interviewees, we have not identified them in this study. All quotes in the study, however, have been verified with the original interviewees.

Overview of Respondent Characteristics

Though respondents said that they were the individual assigned day-to-day management responsibility for central IT security, they held a wide variety of positions. To identify a group clearly holding ISO positions, we segmented the data into four groups using the job title provided by the survey respondent. Each job title was analyzed to determine its primary role within the institution. Four title categories were created: senior-most IT leader, ISOs, security or network positions (non-ISO), and other positions that did not fit into the previous three categories. For this study we were most interested in identifying the individuals who appeared to be the institution's ISO. Appendix B provides a list of titles included in the ISO category. Figure 1-2 shows the distribution of respondents into these four groups and indicates that 39.9% (123 individuals) of the total respondent base were identified as the ISO group.
Titles of 93 respondents indicated that they held a position that included security or network responsibilities, but they could not be identified as playing a management role. Therefore, we chose not to include these individuals in the ISO title category. One in 10 (10.7%) of the respondents held the senior-most IT leader position in their institution. The breakdown by Carnegie class and student enrollment shows that the majority of the senior-most IT leaders who responded to the survey work at MA and BA institutions and at institutions with 4,000 or fewer students (Table 1-1).

Figure 1-2. Title Category (N = 308)
  Information security officer (ISO)          39.9%
  Security or network position (non-ISO)      30.2%
  Other                                       19.2%
  Senior-most IT leader                       10.7%

Most respondents in the ISO category come from larger institutions, with more than 8,000 enrolled students, and from DR and MA institutions. About two-thirds of respondents come from public institutions, and the distribution between public and private institutions is fairly consistent across the four title categories. Most of the data reported in this study is from the group of 123 individuals whose titles indicate that they are their institution's ISO. Given that the study is focused on this emerging profession and provides data on career patterns and institutional role, it is important that we limit our analysis to that group. We are aware that the use of title has its limitations and that our selection method probably excluded some ISOs within the overall respondent group, but we believe that this categorization will provide the best analysis of the data for the profession. We refer to this group as ISOs throughout the rest of the study.

The survey asked questions about the individuals, their reporting lines, and their career plans, as well as respondents' training needs and the skill sets necessary to perform this function. We asked about areas of responsibility assigned to the ISOs by their institutions as well as the actions they were authorized to take. Data about the information-seeking patterns of the officers were gathered by looking at their participation in organizations and the advice they sought from individuals within and outside their institutions. Lastly, we sought to learn about the strategies used by the officers to improve security on their campuses, establish their credibility, and respond to challenges to their authority from their constituents. Who are these individuals who play the ISO role? What is their career history, and how are their positions defined in the institutional context? These are the questions we explore in Chapter 2.

Table 1-1. Profile of Respondents' Institutions, by Title Category
Columns: Senior-Most IT Leader (N = 33); Information Security Officer (ISO) (N = 123); Security or Network Position (Non-ISO) (N = 93); Other (N = 59); Total (N = 308)

Carnegie Class
  DR                   3.1%   51.2%   30.1%   16.9%   33.2%
  MA                  34.4%   22.0%   28.0%   30.5%   26.7%
  BA                  37.5%    4.9%   21.5%   18.6%   16.0%
  AA                  15.6%    8.1%   10.8%   15.3%   11.1%
  Other Carnegie       6.3%    9.8%    6.5%    8.5%    8.1%
  Canada               3.1%    4.1%    3.2%   10.2%    4.9%
Student FTE Enrollment
  1–2,000               ...    5.9%   17.4%   23.2%   15.8%
  2,001–4,000           ...    7.6%   22.8%   21.4%   17.8%
  4,001–8,000           ...   20.2%   23.9%   26.8%   22.5%
  8,001–15,000          ...   26.1%   20.7%   12.5%   19.5%
  More than 15,000      ...   40.3%   15.2%   16.1%   24.5%
Control
  Private             37.5%   32.2%   38.0%   27.6%   33.7%
  Public              62.5%   67.8%   62.0%   72.4%   66.3%
Endnotes

1. Robert B. Kvavik, with John Voloudakis, Safeguarding the Tower: IT Security in Higher Education 2006 (Research Study, Vol. 6) (Boulder, CO: EDUCAUSE Center for Applied Research, 2006), 13–14.
2. Robert B. Kvavik and John Voloudakis, with Judith B. Caruso, Richard N. Katz, Paula King, and Judith A. Pirani, Information Technology Security: Governance, Strategy, and Practice in Higher Education (Research Study, Vol. 5) (Boulder, CO: EDUCAUSE Center for Applied Research, 2003), 59; and Kvavik, 2006.
3. The Federal Information Security Management Act (FISMA) mandates that federal agencies appoint a chief security officer.
4. Kvavik and Voloudakis, Information Technology Security.
5. Kvavik, Safeguarding the Tower.
6. Ibid.
7. Associations and institutions included in the review are the Computer Security Institute, the EDUCAUSE/Internet2 Security Task Force, the Information Systems Security Association, REN-ISAC, US-CERT, SANS, and multiple federal agencies and standards organizations.
8. Office of Cybersecurity and Communications, National Cyber Security Division, Information Technology (IT) Security Essential Body of Knowledge (EBK): A Competency and Functional Framework for IT Security Workforce Development (Washington, DC: Department of Homeland Security, September 2008).
2 The Position and the Person

The importance of the IT security function within the higher education environment has been well documented. As institutions seek to fulfill their obligations in this area, a critical component of the institutional strategy is to recruit and retain qualified individuals to perform the position responsibilities of the information security officer. Given that this is a new subfield within IT, there has not been a clearly defined path for CIOs to follow when recruiting for this position. In this chapter, we explore the personal characteristics of the individuals who hold the ISO position, their career paths, and their career plans.

Reporting Line

The data from this ECAR survey show that 64.2% of the ISOs reported to the CIO (or equivalent) and another 8.1% reported to a vice president or vice provost (Figure 2-1). Reporting lines to the chief technology officer (CTO) were reported by 8.1% of the ISOs, and an additional 5.7% reported to an associate/assistant/deputy CIO. Previous studies have documented the historical link between ISOs and networking. In this instance, we found that only 6.5% of the ISOs had a reporting line to the director of networking. ISOs who had experienced reporting to the networking director and now reported to the CIO level discussed the benefits of that direct line of communication in our qualitative interviews. One officer noted, "When I was in the networking group, I think that my request went as far as the director level and maybe didn't reach the CIO. Now that I have the ear of the VP and she lives in my world and I live in hers, she helps me understand the business processes. I think they get more done. I think I'm more effective."

Figure 2-1. Position ISO Reports To (N = 123), percentage of respondents
  Chief information officer (or equivalent)               64.2
  Chief technology officer (or equivalent)                 8.1
  Vice president/vice provost (non-CIO)                    8.1
  Director of networking                                   6.5
  Associate/assistant/deputy chief information officer     5.7
  Other IT management                                      ...
  Director of academic computing                           1.6
  Other non-IT management                                  0.8
  Director of administrative computing                     0.8
  Associate/assistant/deputy chief technology officer      0.8

Previous Position

In an attempt to understand where institutions are finding the individuals with the right skill sets to fill the ISO position, we asked about the officer's previous position (this might refer to a different position in the same institution). We found that the vast majority (95.9%) held a previous position in IT. In addition, as Figure 2-2 shows, a majority of them (62.6%) came from a previous position within higher education, although almost one-fourth (22.8%) came from the private sector. CIOs might find these results interesting if they are seeking to fill an ISO position and are having a difficult time finding the appropriate skill set within higher education. Fewer ISOs came from the non-higher-education public sector (13.0%).

Figure 2-2. Sector of ISO Previous Position (N = 123), percentage of respondents
  Higher education                       62.6
  Private sector, not higher education   22.8
  Public sector, not higher education    13.0
  Other                                   1.6

We were also interested in the level of the ISO's previous position. As Figure 2-3 shows, the top two levels of previous positions are director and middle manager, accounting for a majority of ISO respondents (56.9%). This suggests that institutions are recruiting their ISOs from the IT managerial ranks. Nineteen percent of the ISOs held a frontline technology position before becoming an ISO. In the interviews, ISOs discussed their technical background and also the need to develop a broader skill set. One ISO noted, "When I started my career I was in a highly technical role; I started programming large mainframes. It is very different from what I do now, and it has forced me to not spend as much time on the technical details, the things I enjoyed previously. And now I focus on the things that can move the program forward on the broader administrative, communication, and coordination activities. I think we need some recognition and understanding of the technical fundamentals, but in order to move forward you need these other characteristics, skills, and experience. I think it is a natural evolution of the security professional that you start [with a] very strong technical background, and then to move forward, if you want to take on the broader information security role, you have to be able to move beyond that and develop those other skills: being able to understand the technical part but also being comfortable with moving away from that. If I had the day-to-day management of servers or a cluster, I would initially struggle, but that is the cost of taking on the broader role."

ISO Demographics

The path by which the officers come to their jobs, largely through the technical ranks of IT organizations and with an emphasis on managerial and networking positions, predicts the biographical profile of the ISO group.
Figure 2-3. Level of ISO Previous Position (N = 116), percentage of respondents
  Director                                                31.0
  Middle manager                                          25.9
  Frontline technology professional                       19.0
  Team leader                                              ...
  Vice president/provost/vice provost (non-CIO)            ...
  Associate/assistant/deputy chief information officer     5.2
  Chief information officer (or equivalent)                3.4

Like other IT professional groups, an overwhelming majority of them are male (79.5%). The mean age of the ISOs is 43.3 years. However, Figure 2-4 shows that the ISO ages spanned what we would normally call early career through midcareer; only 12.0% of ISOs were 55 or older and therefore near retirement age.

[Figure 2-4. ISO Age (N = 117). Histogram of the percentage of respondents by age.]

Education and Certification

Figure 2-5 illustrates the educational attainment of the ISOs who responded to the survey. They are well educated, with 41.0% holding an advanced degree and 50.0% holding a baccalaureate degree. We asked respondents to note the disciplines of their highest earned degree(s). Table 2-1 shows that among the most common degree fields were, as expected, management information systems, IT, and computer science.[1] As higher education has begun to recognize the new subfield of information security, institutions have begun to offer majors in this area as well. Two of the ISOs reported that they hold degrees in information assurance, and one specified information security, potentially a trend for the future of the profession. A highest earned degree in business was reported by 17.1% of the ISOs. The importance of business process analysis, noted later in this report, to the security function suggests that this background could be very useful to an ISO. A variety of other degree fields were also reported, reflecting the general state of the higher education IT community, wherein individuals find careers in IT from a variety of paths and through no single entry point.

Figure 2-5. ISO Highest Earned Degree (N = 122)
  Baccalaureate                     50.0%
  Master's                          36.1%
  Doctorate (PhD, JD, EdD, MD)       4.9%
  High school diploma                4.9%
  Associate                          4.1%

Table 2-1. Field of ISO Highest Earned Degree (N = 111)
  Field                                                                  N    Percentage
  Management information systems and information technology            ...       ...
  Computer science                                                     ...       ...
  Business                                                             ...     17.1%
  Physical sciences, including math                                    ...       ...
  Humanities                                                           ...       ...
  Social sciences                                                      ...       ...
  Engineering                                                            7      6.3%
  Other                                                                  6      5.4%
  Education, including physical education                                3      2.7%
  Life/biological sciences, including agriculture and health sciences    2      1.8%
  Fine arts                                                              2      1.8%

The ISO respondents have acquired additional education to augment their degrees and work experience. The survey inquired about four of the most common certifications: Certified Information Systems Auditor (CISA), Certified Information Systems Security Professional (CISSP), Global Information Assurance Certification (GIAC), and Certified Information Security Manager (CISM). As Table 2-2 indicates, the CISSP is the most commonly held certification among the 123 ISOs who responded to the survey, with 50 of them reporting that they held this certificate. The other certificates included on the survey are not as common; fewer than 20% of the ISOs held these certificates. It appears that the individuals who pursue one certificate are more likely to obtain an additional one. Of those with a CISSP certificate, 58.0% had one or more of the other three certificates; of those without a CISSP certificate, only 27.4% had one or more of the other three certificates. Overall, more than half of ISO respondents (56.9%) reported holding one or more certificates.

Table 2-2. ISO Certification (N = 123)
  Type of Certification                                           N    Percentage
  Certified Information Systems Security Professional (CISSP)    50       ...
  Global Information Assurance Certification (GIAC)              ...      ...
  Certified Information Security Manager (CISM)                  ...      ...
  Certified Information Systems Auditor (CISA)                   ...      ...
  Number of Certifications
  None                                                            ...      ...
  One                                                             ...      ...
  Two                                                             ...      ...
  Three                                                             9     7.3%

Time in Position and Career Plans

More than one-quarter (28.4%) of the respondents indicated that they have held their present position one year or less (Table 2-3). Another 35.8% reported holding their position two to three years, indicating that the ISO position is new or that individuals are moving from position to position. The study gathered data on the stability of the individuals in their current position and whether they planned to remain in an IT security position. Table 2-4 indicates that 56.6% of the ISOs planned to stay six years or more in an IT security position. This is good news for CIOs who are concerned about retention for the ISO position. However, ISO plans in relation to their present position show less stability, with 36.0% reporting that they planned to remain six years or more. The ISOs were also asked if they planned to stay in higher education for the remainder of their career, and 48.7% said yes. However, the survey data also find that a number of current ISOs are unsure of their career path. Fully one-fourth of the respondents indicated that they didn't know how long they would stay in their current position, and one-fourth didn't know how long they would stay in an IT security position. In addition, 44.5% didn't know whether they planned to stay in higher education for the remainder of their career. Given that so many ISOs are unsure of their direction but many others seem to find long-term prospects in the field, this indicates an opportunity for the IT profession and higher education institutions to win over the don't-knows in their career decisions.

Table 2-3. Years ISO Has Worked in Current Position (N = 123)
  Time                  N    Percentage
  1 year or less       ...     28.4%
  2–3 years            ...     35.8%
  4–5 years            ...       ...
  6–10 years           ...       ...
  11–15 years            3      2.4%
  More than 15 years     3      2.4%

Table 2-4. Years ISO Plans to Stay in Positions
  Time                  Remain in Current Position (N = 117)   Remain in IT Security Position (N = 118)
  1 year or less                    8.5%                                   1.6%
  2–3 years                        18.8%                                   7.2%
  4–5 years                        11.1%                                   9.3%
  6–10 years                       24.0%                                  27.1%
  11–15 years                       7.7%                                  11.0%
  16–20 years                       2.6%                                   8.5%
  More than 20 years                2.7%                                  10.0%
  Don't know                       24.7%                                  25.4%
Although many did not know whether they would stay in higher education, in an IT security position, or in their present position, the ISOs were more certain about their career ambitions. Asked to describe their ultimate career goal, most officers indicated that they were looking to advance in their careers, with more than half (54.5%) looking to a higher-level position within the IT profession. Table 2-5 indicates that 31.4% were looking to advance within IT security. Given that these individuals were currently the ISOs, this might indicate an ambition to move to a different institution in order to gain a higher-level position. Another 23.1% had a career goal of a higher-level position within IT but not in IT security. The qualitative interviewees spoke to this issue. ISOs reported that as they were given more responsibility for campus-wide coordination and communication within the IT security program, they gained confidence in their planning and communication skill sets. They also were able to build relationships and reputations for successful collaboration that assisted them in developing a campus-wide profile. This part of the ISO position prepares the individuals for the collaboration that is necessary for higher-level IT leadership positions. Only 10.0% of ISOs reported that they had no ultimate career goal (or don't know), and 15 individuals answered "other," potentially indicating that they were undecided or had career goals that didn't include another position, like retirement.

Salary

Figure 2-6 shows salary levels for the identified ISO respondents answering this survey. The data indicate a wide range of salary levels, with one-third of the ISOs in the $90,000 to $109,999 range. Salary levels were also analyzed by institution size. Table 2-6 indicates that ISO pay appears to be higher in respondent institutions with more than 8,000 FTE enrollment.
Conclusion The profile of the ISOs who responded to our survey appears to be quite typical of what ECAR has found in previous studies for IT security officers and IT managers. Generally, these individuals have come from higher education and have technical backgrounds, and they are mostly male. They are midcareer, with an average age of 43.3 years. They are highly educated and are continuing that education by obtaining IT security certificates. Before becoming ISOs, these individuals tended to be in IT managerial positions, although a number also came directly from the technical ranks. Table 2-5. ISO Ultimate Career Goal (N = 121) Position N Percentage IT Security Lateral position 2 1.7% Higher-level position % Another IT Area Lateral position 1 0.8% Higher-level position % Outside IT Lateral position 1 0.8% Higher-level position 6 5.0% Current Position % Other % No Plan/Don t Know % EDUCAUSE Center for Applied Research 17
[Figure 2-6. ISO Salary (N = 113). Bar chart of the percentage of respondents (0% to 35%) in each salary band, in $20,000 steps from $30,000–49,999 up to a top band beginning at $170,000. The bar values are not recoverable from this copy.]

Table 2-6. ISO Salary, by Student FTE Enrollment (N = 109)

Student FTE Enrollment    N    Median Range
1–4,000                        $70,000–79,999
4,001–8,000                    $70,000–79,999
8,001–15,000                   $80,000–89,999
More than 15,000               $90,000–99,999

[The N column is not recoverable from this copy.]

The ISOs indicated that they were looking to advance in their careers, with many continuing to focus on the IT security area or on general IT management. The ISO position most often reported to the CIO, verifying that responsibility for IT security mostly rests at the highest level, but within the IT organization.

The data our study collected from ISOs confirm that the role is moving from emergent status to one that is increasingly firmly established as a profession. The creation of specific educational credentials such as the CISSP is an indicator of the profession's maturation. Our interviews confirm that ISOs now have a distinct professional identity and relate to each other as colleagues.

Although the ISOs are educating themselves for this role and, as noted in Chapter 3, relating to each other as peers, more than half of the ISOs responding to the survey aspired to a higher position in IT. It is possible that the broad nature of their responsibilities, combined with a direct reporting line to the CIO, is giving the ISOs confidence in their ability to make that next step. In the next chapter we explore those responsibilities and how officers gain the information they need to be successful in their role.

Endnote

1. This data comes from respondents' written answers to the survey question, "In what field is your highest earned degree?" Several of the respondents held more than one degree; therefore the total of all the fields is larger than the number of respondents.
3 Responsibilities, Skill Sets, and Professional Development

One of the more interesting aspects of a fairly new profession such as information security officer is how the responsibilities are defined. CIOs who are identifying the qualifications for the role seek assistance in defining the skill sets needed to be successful. Because the role is fairly new, CIOs have less information about its responsibilities, since the literature supporting the role is less developed. In this circumstance, individuals can depend more on their supervisors to define their roles and also on the informal network of individuals who are engaged in this role on their campus. For these reasons, our survey explored the responsibilities, skill sets, professional development needs, and qualifications respondents thought were needed in the ISO role. We also examined announcements for ISO positions to learn how the position is being advertised and whether announcements are in accord with ISOs' views of the profession. Although previous ECAR IT security studies have touched on the ISO role, this study is the first within the higher education sector to explore how officers obtain the training and information they believe they need to be successful.

Position Responsibilities

In 2007, the U.S. Department of Homeland Security issued a report on the competencies needed in the ISO role.[1] This study defined the ISO role as follows:

The ISO is charged with the development and subsequent enforcement of the company's security policies and procedures, security awareness program, business continuity and disaster recovery plans, and all industry and governmental compliance issues.[2]

ECAR's survey explored the position responsibilities of officers within the higher education environment, using the first draft of these federally defined competencies as a guide.
One of the points made by ISOs in our initial interviews was that the ISO position is changing from a primarily technical position to one that combines both technical and managerial functions. Therefore, we included both technical and managerial responsibilities in our questions. The survey explored whether the respondents held primary responsibility for an area, provided support for that area, or held no responsibility for it. As Table 3-1 shows, the ISOs had primary responsibility for many functions central to the IT security enterprise. The primary responsibilities of the ISO appear to emphasize the policy, analysis, and educational aspects of the position. Less commonly, they had primary responsibility for the technical and managerial items asked about on the survey; in these areas, ISOs appear to have support responsibilities.

2009 EDUCAUSE. Reproduction by permission only.
Table 3-1. ISO Areas of Responsibility

[The table's N and Primary columns are not recoverable from this copy; the Support and No Responsibility percentages are given for each area.]

Most ISOs Have Primary Responsibility
Incident management: support 8.9%, no responsibility 0.8%
Training and awareness of users about security issues: support 16.3%, no responsibility 0.0%
Policy development and administration: support 22.8%, no responsibility 0.8%
Risk assessment and management: support 23.6%, no responsibility 1.6%
Regulation and standards compliance: support 29.3%, no responsibility 2.4%
Digital forensics: support 26.0%, no responsibility 5.7%
Security architecture: support 33.3%, no responsibility 0.8%
Coordination with law enforcement: support 34.1%, no responsibility 4.1%

Some ISOs Have Primary Responsibility
Data and information management (classification, retention, destruction): support 48.8%, no responsibility 2.4%
Supervision of employees: support 21.3%, no responsibility 33.6%
Systems security: support 56.9%, no responsibility 6.5%
Network security and firewall management: support 52.0%, no responsibility 13.8%
Access controls: support 53.7%, no responsibility 13.8%
Authentication and authorization controls: support 58.0%, no responsibility 12.6%
Disaster recovery: support 57.7%, no responsibility 14.6%
Budget and fiscal management: support 41.8%, no responsibility 31.1%
Application security: support 64.8%, no responsibility 9.0%
Identity management: support 63.4%, no responsibility 10.6%

Few ISOs Have Primary Responsibility
Database security: support 69.1%, no responsibility 10.6%
Procurement of systems, software, and services: support 58.5%, no responsibility 24.4%
Change management: support 61.0%, no responsibility 28.5%
Personnel clearances or background checks: support 24.4%, no responsibility 72.4%

Items for which fewer than half of respondents reported primary responsibility largely consisted of IT security functions for which the ISO would logically play a support role. They are responsibilities that are often performed in other parts of the IT unit, such as networking or operations. Responsibilities such as application and systems security, network security, access controls, authentication and authorization controls, and identity management are all functions in which the ISOs played a supporting role, as shown in the support column of Table 3-1. This result was consistent with many of the interviews conducted for the study, wherein ISOs described joint responsibility with other IT managers more often in these areas than in those of the first category.
Almost a third of ISO survey respondents reported no responsibility for budget or fiscal management, and 41.8% reported only a support responsibility. In our interviews, ISOs who did have control of a security budget indicated that their ability to allocate funds enhanced their efforts to improve the technical security profile of the institution by funding projects that they felt were important even though those projects had been declared low priority by an IT unit manager. However, these results show that this type of leverage is not available to many ISOs. The one area in which fewer than half of ISOs held either primary or support responsibility is personnel background checks.

Analysis of Job Announcements

As noted in the methodology section of this report, we also looked at position announcements for the ISO position from 1999 to [end year not recovered in this copy]. This let us compare the survey responses to data generated by those seeking to fill an ISO position. The reader should remember that the survey was a snapshot in time and the position announcements were posted over a period of almost 10 years.

Responsibilities most often sought in the announcements included risk assessment (54.2%), planning (61.0%), and policy development (69.5%). Focus on these areas reflects what was found in the survey, in that both risk assessment and policy development appeared in the survey results as areas where most ISOs have primary responsibility. Also included in more than 35% of the announcements were business continuity and disaster recovery, campus consultation, incident response, liaison to law enforcement, security architecture, and security awareness. The survey did not include responsibility choices for planning, overall business continuity, or liaison and campus consultation, but the results of the position announcements analysis indicate that employers view these areas as important.

Importance of Skills

To fulfill these responsibilities, ISOs need a variety of skills. Our research explored needed skill sets in two ways: by analyzing position announcement qualifications, and by asking a skills-rating question on our survey.
The textual analysis of position announcements found that a combination of technical and managerial skills was listed; these included technical knowledge and experience (69.5%), baccalaureate or master's degrees (66.1%), communication skills (54.2%), security certifications (39.0%), leadership skills (32.2%), and higher education experience (27.1%). These areas of qualification match well with what we found on our survey.

The survey asked officers to rate the importance of various skills and areas of expertise that they needed to succeed in their position (Table 3-2). For this analysis we used responses only from ISOs who indicated that they had responsibility in each area (but note that a few skills items did not appear in our responsibilities list). Communication and presentation skills averaged 4.52 (between high and very high importance), which appears to be consistent with the mix of reported responsibilities in Table 3-1. Eight other areas with mean ratings of high to very high importance represent a mix of skills that directly relate to management of the security operation, such as incident management and security architecture, and skills that relate more to leadership of the security program, such as planning skills and risk assessment. The more technical skills all average below 4.0 (high importance) but above 3.0 (moderate importance), indicating that they may be secondary but are nonetheless important. Clearly, communication and analysis skills are primary to being an ISO.
Table 3-2. Importance of Skills to ISO Success

Skill or area of expertise    N    Mean*    Std. Deviation

High to Very High Importance
Communication and presentation skills
Knowledge of regulations and standards
Incident management
Knowledge of the higher education environment
Policy development and administration
Planning skills
Risk assessment and management
Security architecture
Supervisory skills

Moderate to High Importance
Systems security
Data and information management
Business process analysis
Security technologies (firewall, IDS)
Identity management and access controls
Application security
Disaster recovery
Budget and fiscal management
Digital forensics
Procurement of systems, software, and services

Note: Calculations include only ISOs who have responsibility for an area.
* Scale: 1 = very low importance, 2 = low importance, 3 = moderate importance, 4 = high importance, 5 = very high importance
[The N, mean, and standard deviation values are not recoverable from this copy; the text reports a mean of 4.52 for communication and presentation skills.]

The survey also asked what other skill sets were important to success in the position. Forty-one of the 71 ISOs who provided written responses to this question mentioned what management theorists often refer to as soft skills. These skills include items such as collaboration skills, political skills, and negotiation. Also mentioned were interpersonal attributes such as patience, trust, and fairness. A similar range of soft skills, such as the ability to work collaboratively across campus and to negotiate with users, was noted in our interviews as important to ISO success. The interviews included a number of stories relating how the ISO used these types of soft skills to successfully collaborate with a variety of campus players. The ISOs appear to find value in these soft skills as well as in those we asked about in the survey.

Education and Training

The survey explored the education and training needs of the officers. As Figure 3-1 indicates, no area was selected by more than half of the ISOs as one of their top-five needs for education and training (from a list of 19 areas).
However, five areas were identified by at least 25% of the respondents. Risk assessment and management, which, as we report in Chapter 4, ISOs identified as an important strategy for gaining campus support for IT security programs, was the most frequently mentioned area of training need. Digital forensics, another of the top areas, is potentially an increasing need, given the new attention being paid to digital legal issues such as e-discovery. Application security was mentioned often in the ISO interviews as a core need to protect enterprise systems and data within institutions, but also as an area that was difficult for the ISOs to keep up with, given all of their other responsibilities. The interviewees also mentioned that they depended on their knowledge in this area to establish their credibility with their central IT colleagues. Given the active environment in relation to federal and state legislation and regulation, it is understandable that ISOs see a need for training in the knowledge of regulations and standards.

Both risk assessment and knowledge of regulations were rated relatively high as skills needed for success. However, two of the other items ranking high among training needs, digital forensics and application security, were rated relatively low in skills importance. It might be that ISOs believe they need to develop this expertise for the future, or perhaps they just want to be more knowledgeable in these areas because they have neglected them in favor of other, higher-priority skills.

[Figure 3-1. ISO Need for Training and Education (N = 123) (5 Responses Allowed). Bar chart of the percentage of respondents (0% to 45%) selecting each area, listed in descending order: risk assessment and management; digital forensics; application security; knowledge of regulations and standards; identity management and access controls; security architecture; policy development and administration (22.0%); business process analysis; security technologies (firewall, IDS); incident management; budget and fiscal management; planning skills; systems security; knowledge of the higher education environment; communication and presentation skills; disaster recovery; data and information management; supervisory skills (8.1%); procurement of systems, software, and services (3.3%). The remaining bar values are not recoverable from this copy.]

There are, of course, many ways for individuals to make up for the information deficits they may feel they have. Given that the ISO role is a new IT profession, it is particularly interesting how the individuals in these positions are obtaining the information they need to do their jobs.

Where do ISOs go for information?

We asked a number of questions geared toward learning where ISOs obtain the information they need to be successful in their positions. Conferences clearly represent an important professional opportunity for ISOs. As Figure 3-2 shows, only 6.5% of the ISOs did not attend at least one conference in the past three years. In fact, 13.1% of the ISOs attended conferences from four different organizations in this time period, and another 28.7% attended conferences sponsored by three different organizations. The reader will note that a third (32.8%) of ISO respondents listed "other" for the organization sponsoring a conference they attended. From the responses we received to another question inquiring about IT security groups that the ISOs regularly participate in, we can speculate that many of the conferences referred to in this category were sponsored by state/regional security groups.

In qualitative interviews, ISOs reported that attending conferences not only provides value from the content of the sessions but also helps them gain perspective. This person's view is typical:

"EDUCAUSE has helped me understand a lot. A lot of that has been understanding that we are not unique, or my situation is not unique. But I know there are other institutions out there that are doing it far better than we are, so I learned that we are in the middle; before, I thought that it was just me."

Gaining an understanding of where a campus fits in comparison with others can help the ISOs adjust their expectations of what can be accomplished on their own campus. They also can find common ground with other officers, resulting in a feeling of not being alone with their struggles.

[Figure 3-2. IT Security Conferences ISO Attended in Past Three Years (N = 123). Bar chart of the percentage of respondents (0% to 70%) attending conferences sponsored by each organization: EDUCAUSE (63.9%); SANS Institute (45.9%); commercial vendor; state/regional higher education conference; other (32.8%, as reported in the text); ISSA; ISACA (13.1%); RSA; did not attend a conference (6.5%, as reported in the text). The remaining bar values are not recoverable from this copy.]

The role of ISO is a combination of policy, analytical, and technical work. The technology supporting security operations changes rapidly, and remaining up to date is important to officers. Respondent ISOs participated heavily in training activities, with 74.8% indicating that they had attended a training session related to IT security in the past two years, either in person or online. Figure 3-3 shows that training provided by the SANS Institute was listed by the most respondents, with 43.1% taking advantage of the institute's training offerings; also, a third of ISOs (33.3%) attended IT vendor training.

In addition to formal conferences and training activities, the survey explored where the ISOs found the information they needed to perform their position responsibilities. Figure 3-4 shows that for information about IT security, ISO respondents turned to a wide variety of groups. The frequency of accessing the SANS Institute and EDUCAUSE for information was particularly high.

Reaching Out for Advice and Counsel

Given that the ISO role is fairly new within the IT profession, the advice and counsel of others could be particularly important. Research in the area of mentoring has shown that interpersonal relationships are an important information source on the job.[3] This is particularly true when employees are doing something new and have less confidence in their ability to accomplish the task. As part of our interest in where ISOs get the information they need to perform their responsibilities, we were interested in their habits of seeking advice and counsel from other individuals. ECAR's survey asked respondents which person in the organization senior to themselves they turned to for advice and counsel on how to do their jobs.
Eighty-one percent of the respondents identified their supervisor as that person: 57% identifying the campus CIO and 24% identifying a supervisor who was not the CIO. Of equal interest is the development of the peer network among the officers. We asked if there was at least one peer to whom the respondents turned for advice and counsel on how to do their job, and 79.7% of the ISOs answered yes. It is also possible, of course, that ISOs turn to more than one peer for advice and counsel.

[Figure 3-3. IT Security Technical Training ISO Attended in Past Two Years (N = 123). Bar chart of the percentage of respondents (0% to 50%) attending training from each provider: SANS (43.1%); IT vendor (33.3%); other; did not attend training; EDUCAUSE; Computer Security Institute; REN-ISAC (9.8%); Internet2. The remaining bar values are not recoverable from this copy.]

[Figure 3-4. Frequency of ISO Use of Information Sources. Mean rating (scale: 1 = very rarely or never, 2 = rarely, 3 = occasionally, 4 = frequently, 5 = very frequently or always): SANS Institute (N = 119) 4.08; EDUCAUSE (N = 120) 3.85; US-CERT (N = 117) 3.56; REN-ISAC (N = 111); (ISC)2 (N = 110); InfraGard (N = 114) 2.39; Internet2 (N = 109). The means for REN-ISAC, (ISC)2, and Internet2 are not recoverable from this copy.]

Mentoring literature classifies this type of advice and counsel into two categories: career support and psychosocial support. On the basis of standardized questions from the mentoring literature, the survey asked the ISOs about the type of assistance they received.[4] Figure 3-5 shows the results for the career dimensions of mentoring. The ISOs appear to receive career mentoring from the senior person they identified, agreeing most with the statement that this person helps them learn about other parts of the organization. Research done on peer mentoring has found that traditional mentors (those who are in a senior position) provide more career assistance than peers.[5] In fact, respondents agreed more with some statements in regard to career support from the senior person. We found the two dimensions on which ISOs reported the least agreement that they receive peer mentoring to be particularly relevant to senior/junior career mentoring: running interference and helping the person to be more visible.

Research on peer mentoring indicates that peers provide more psychosocial support than career support.[6] However, we did not find strong differences between the way ISOs rated supervisors and peers on these dimensions, although confiding in peers received a rating above "agree" from the ISOs. Figure 3-6 indicates that the ISOs agreed that both the senior mentor and the peer mentor provided support and encouragement.
They agreed somewhat less that these advisers served as role models. ISOs turned to their supervisors for advice and counsel on the career dimensions, although more so for organizational issues than for career and professional concerns. The need to understand the organization is consistent with the rest of the study findings relating to their responsibilities in the policy area. Understanding the organization and how to influence it was also a theme in our interviews. This type of information can only come from an internal source, so it makes sense that ISOs turn to their supervisors, as opposed to peers who might be external to the organization, for help in this area.
[Figure 3-5. Counsel ISO Receives: Career Dimensions. Mean agreement (scale: 1 = strongly disagree, 2 = disagree, 3 = neutral, 4 = agree, 5 = strongly agree) with four statements, for counsel from a peer (N = 95) and counsel from a senior person (N = 118): helps me learn about other parts of the organization; runs interference for me; helps me be more visible in the profession; guides my professional development. The bar values are not recoverable from this copy.]

[Figure 3-6. Counsel ISO Receives: Psychosocial Dimensions. Mean agreement (same scale) with four statements, for counsel from a peer (N = 97) and counsel from a senior person (N = 117): provides support and encouragement; is someone I can confide in; serves as a role model for me; guides my personal development. The bar values are not recoverable from this copy.]

Conclusion

The position of the ISO has a broad array of responsibilities that encompass technical as well as administrative and managerial responsibilities. ISOs coordinate and manage security programs and perform technical functions. The results of the survey in the area of responsibilities show an emphasis on analytical and policy dimensions. Technical aspects, while important, receive less emphasis. When they rated the importance of particular skills to their success in the ISO position, respondents assigned (on average) at least moderate importance to a wide range of skills but gave their highest marks to communication and presentation skills, and to policy- and planning-related skills. Announcements for ISO positions emphasize technical knowledge and experience, but also communication skills, leadership skills, and higher education experience. In the position announcements analyzed, requirements for degrees and security certifications were common.

ISOs are very active professionally, participating in a number of national, regional, and state groups as well as attending conferences and technical training. ISOs have identified a number of training needs in technical, managerial, and policy areas. ISOs seek advice and counsel from both their supervisors and their peers. Respondents reported they utilize supervisors both for career advice and for psychosocial support, particularly when attempting to understand their organization. Supervisors are probably in the best position to provide this type of information, as opposed to a peer who might be working in another institution. ISOs also use the peer network for support and encouragement. In the next chapter, we explore ISO interactions with peer IT staff and IT users, specifically, the authority that ISOs have and how it is challenged.

Endnotes

1. Office of Cybersecurity and Communications, National Cyber Security Division, Information Technology (IT) Security Essential Body of Knowledge (EBK): A Competency and Functional Framework for IT Security Workforce Development (Washington, DC: Department of Homeland Security, September 2008).
2. Ibid.
3. Kathy E. Kram, Mentoring at Work: Developmental Relationships in Organizational Life (Glenview, IL: Scott Foresman, 1985).
4. Stephanie L. Castro and Terri A. Scandura, "An Empirical Evaluation of the Construct Validity of Two Multidimensional Mentoring Measures" (paper presented at the Southern Management Association meeting, San Antonio, TX, 2004).
5. Kathy E. Kram and L. A. Isabella, "Mentoring Alternatives: The Role of Peer Relationships in Career Development," Academy of Management Journal 28 (1985); and E. A. Ensher, C. Thomas, and S. E. Murphy, "Comparison of Traditional, Step-Ahead, and Peer Mentoring on Protégés' Support, Satisfaction, and Perceptions of Career Success: A Social Exchange Perspective," Journal of Business and Psychology 15 (2001).
6. Ibid.
4 Authority, Challenges, and Program Strategies

The role the information security officer plays within the institution's strategy for IT security is critical as campuses struggle to secure their data and systems. As the data in Chapter 3 indicate, ISO responsibilities include not just technical work but also a broad range of management and collaboration activities aimed at securing campus data and systems. As the ISOs perform their responsibilities, they interact daily with the faculty, students, and staff of their institutions. This chapter explores the authority of the ISOs, along with how they deal with challenges to that authority. In addition, we review the strategies used to move IT security programs forward, as reported by the survey respondents.

Authority and Challenges

The authority held and used by ISOs is an important tool in accomplishing campus-wide IT security goals. It is particularly important in the context of incident management, where the actions of the ISO become the front line of the approach to security. The survey asked a number of questions relating to the ISO authority used to ensure the security of campus systems and information: actions that the ISOs (or those under their direction) are authorized to take, how they establish credibility, how often and in what ways their authority is challenged, and their strategies for dealing with challenges to authority.

The data show that the ISOs generally have broad authority to protect campus networks. Three of the top items included in Figure 4-1 relate to keeping campus networks viable: removing a device from the network, scanning a device for conformance with policy, and monitoring network traffic. More than 80% of the officers report holding authority to perform these actions. Protecting the campus environment from bad actors is also a common authority, with 78.0% of the ISOs able to remove a user's access privileges.
Utilization of authority often rests upon institutional policy, which many of the ISOs (82.1%) had the ability to enforce. Although authority was robust when it related to protecting the network and when it was incident related, the authority of the ISO was less clear during the follow-up to such incidents. A slight majority of ISOs (53.7%) were authorized to inspect users' files or e-mail, but fewer than half (45.5%) had the authority to confiscate a device that violated policy. Interviews with ISOs indicated that although they were involved in inspecting users' files and in confiscating devices, when appropriate, they were not typically vested with the decision-making authority to authorize these types of actions. Such authority often rests with a senior administrator, legal counsel, or law enforcement. Likewise, most ISOs did not have the authority to recommend disciplinary action. Interviewees reported that the ISO role is most often focused on investigation of incidents, and then information is passed on to human resource professionals and higher-level administrators for further action. Finally, among survey authority items, only 36.6% of respondents said they had the authority to mandate security awareness training, although ISOs interviewed often expressed their belief in its benefit for convincing users to pay attention to security issues.

[Figure 4-1. Authorized ISO Actions (N = 123). Bar chart of the percentage of respondents (0% to 90%) authorized to take each action: remove a device from the network (84.6%); scan a device for conformance with policy (82.1%); enforce policy (82.1%); monitor network traffic; remove a user's access privileges (78.0%, as reported in the text); inspect private user files or e-mail (53.7%, as reported in the text); recommend disciplinary action for users (48.0%); confiscate a device that violates policy (45.5%); mandate security awareness training (36.6%, as reported in the text). The value for monitoring network traffic is not recoverable from this copy; the text places it above 80%.]

ISOs appear to establish their credibility by referring frequently to a variety of authority sources. As Figure 4-2 shows, respondent ISOs frequently used internal sources, such as institutional policy, and external sources, such as laws and mandates. However, officers also depended on their personal expertise. These general sources of authority are used more than specific authority given in a particular situation, such as direction from a university officer and internal audit findings. We also found that ISOs who more often utilized federal laws and regulations as sources of authority were more likely to rate the knowledge of such laws and regulations (Table 3-2) as important for their success than ISOs who used this source of authority less often.

Another way of establishing their credibility on campus is for ISOs to participate in the academic life of the campus. One of the ISOs reports, "I've always been in the classroom. When I was a student, I was a student worker and a student assistant, and so I've always taught along with other things. Usually it was one class a semester. It helps you stay in touch with the students, and in the end that's what university is all about, and it forces you to constantly review your material."

Teaching brings the ISO into contact with students but also allows officers to develop a more in-depth understanding of the faculty role. Another important benefit is building credibility with faculty. In interviews, ISOs reported that if they can relate to faculty as a fellow teacher, it assists them in building positive faculty relationships.
[Figure 4-2. Frequency of ISO Use of Sources of Authority (N = 120). Mean rating (scale: 1 = very rarely or never, 2 = rarely, 3 = occasionally, 4 = frequently, 5 = very frequently or always): institutional policy 4.18; laws or mandates from state government 4.16; federal laws and regulations; contractual obligations (e.g., PCI DSS); personal expertise; industry standards; relationships I have developed; direction issued by university official 3.50; findings from internal audit. The means for the items shown without a value are not recoverable from this copy.]

Successful interactions with users can be a key to building the reputation, and therefore the ultimate success, of a security program and the ISO. Our survey explored how often ISOs experience challenges to their authority from different types of individuals (Table 4-1). Thankfully, ISOs reported that their authority was not often challenged, given that the mean frequency-of-challenge ratings for most types of individuals fall in the rarely to occasionally range. ISOs reported that the highest frequency of challenges to their authority is from faculty members. This is not surprising, given the culture of faculty independence that characterizes higher education and the need for control to achieve IT security (more discussion on this later in the chapter). Note the relatively higher standard deviation for the faculty members group, as well as for the central IT staff members group, indicating higher variance among ISO respondents (and likely campuses) for these two groups.

The survey also asked what types of challenges ISOs experience in their positions (Table 4-2). The most common type of challenge was passive evasion of a directive or decision, averaging in the range between occasionally and frequently. Ratings for four other types of challenges experienced by the ISOs averaged between rarely and occasionally. This is indeed good news for ISOs, particularly given that the most direct and defiant forms of challenge appear to be experienced the least.
The reported means and standard deviations are very low for formal grievance and legal action, indicating that these are very rare occurrences. ISOs who reported higher frequencies of non-IT people (faculty, non-IT staff, and non-IT administrators) challenging their authority also reported a higher frequency of using the strategy of citing a rule (discussed in the next section). Therefore, it appears that these ISOs depend on rules for authority when dealing with challenges from individuals outside the IT operation.
Table 4-1. Frequency of Types of Individuals Challenging ISO Authority
Columns: N, Mean*, Std. Deviation. Rows, in the order listed: Faculty members; Departmental IT staff members; Administrators who work in IT; Central IT staff members; Non-IT administrators; Students; Non-IT staff members; Parents of a student.
* Scale: 1 = very rarely or never, 2 = rarely, 3 = occasionally, 4 = frequently, 5 = very frequently or always

Table 4-2. Frequency of Types of Challenges to ISO Authority
Columns: N, Mean*, Std. Deviation. Rows, in the order listed: Passive evasion of a directive or decision (undisclosed noncompliance); Questioning whether a person in my job should have the authority to make a directive or decision; Questioning whether I have enough information or the right expertise to make a directive or decision; Active evasion of a directive or decision (e.g., going to my supervisor or other manager); Direct defiance of a directive; Formal grievance; Legal action.
* Scale: 1 = very rarely or never, 2 = rarely, 3 = occasionally, 4 = frequently, 5 = very frequently or always

The strategies used by ISOs to gain compliance with and acceptance of their directives and programs are a critical component of IT security programs. Acknowledging this, the survey asked ISOs what strategies they use when their authority is challenged (Table 4-3). Explaining the reason behind the request and citing a rule, policy, or mandate are frequently used strategies. These results highlight the importance of institutional policy and legal compliance in helping officers accomplish the directives they believe necessary, specifically when their authority is challenged. In Chapter 3, we reported that communication and knowledge of regulations were rated high as necessary skill sets, and this appears to be borne out in the strategies reported here. The ISO role also requires an interpersonal approach to handling these types of situations. ISOs indicated that they used both ends of the interpersonal spectrum, both acting assertively and using humor to defuse a situation.
Less often, ISOs resorted to citing their expertise, invoking their official position, or escalating the situation to others. The ISOs appear to be reporting that they seek colleague status within their institutions and rely less frequently on their official position.
Table 4-3. Frequency of Strategies Used When ISO Authority Is Challenged
Columns: N, Mean*, Std. Deviation. Rows, in the order listed: Explaining the reason behind the request; Citing a rule, policy, or mandate from the institution, law, or audit; Acting assertively; Using humor to defuse the situation; Citing your expertise; Escalating the situation to your supervisor; Invoking your official position; Escalating the situation to another administrator who is not your supervisor; Referring the situation to another university group or office.
* Scale: 1 = very rarely or never, 2 = rarely, 3 = occasionally, 4 = frequently, 5 = very frequently or always

Security Program Strategies

A systematic approach to information security involves attention to people, process, and technology. A common theme in the higher education security literature has been the poor match between the decentralized higher education culture and the culture of control needed for effective IT security. Although technology solutions have moved IT security forward in recent years, the individuals interviewed for this study acknowledged that improving process and gaining the cooperation of faculty, students, and staff remain a challenge. It appears that people and process are increasingly a focus for IT security programs.

A goal of the study was to learn what strategies ISOs use on their campuses to advance security programs. Survey respondents were asked a simple free-text question about strategies they use to gain institutional leadership support for the security programs on their campuses. In response, officers not only shared strategies but also discussed elements of the higher education environment that, in their view, pose challenges to the implementation of security programs. In this section, we report on these answers and also include illustrations from the interviews conducted during the study.

A common critique of the higher education environment is its emphasis on decentralization and autonomy for academic units and faculty.
The ISOs saw these elements of the environment as challenges to their attempts to gain support and cooperation for a campus-wide security program. In addition, they contrasted the desire of campuses to maintain an open technology profile with strategies in the private sector, where technology environments are highly controlled and closed. ISOs also noted that funding for security programs is tight in higher education, leaving them unable to implement the latest technology in service of the programs. However, of all the characteristics of higher education that work against security programs, faculty behavior was discussed by the interviewees most often. As noted earlier in this chapter, the group with the highest average rating for frequency of challenging ISOs was faculty. ISOs reported that the faculty members they interact with demonstrate a desire for independence from central authority, a tendency to reject centrally mandated
policy, and an attachment to intellectual freedom as a justification for using technology in an unfettered way. ISOs felt that understanding faculty behavior and developing counter-strategies is a key to success with security programs. One interviewee discussed a strategy that attempted to mirror academic processes familiar to faculty members:

We need to work with the faculty, at least in my experience. You ask them what they're doing; you ask them for their feedback. Most of the time faculty care that they get a chance to provide feedback. They don't really care if you use it or not. You have to explain your objectives. It is okay with them if you don't use it as long as they have a chance to contribute. But you have to give them a reason why you're doing certain things and why you are not doing certain things; you just need to take the time to reason with them. It's like peer review.

Like this ISO, many others noted that it is important to solicit feedback from faculty before decisions are made. Seeking input early involves faculty in the process of developing security policy or procedures and helps build consensus around those proposals. In the study interviews, many ISOs reported success with faculty after making appropriate adjustments in approaches and communication styles. One of the interviewees shared a story about becoming aware that communication with faculty needed to be different from communication with other IT staff. A shift from electronic communication to face-to-face was needed. The interviewee reported,

I find that if I go to their office and sit face-to-face, I have very little resistance. Most of the time I find that the faculty just want you to listen to them. I've never been to a faculty member's office for a meeting that went really bad. There was one instance about a year and a half ago where a faculty member and I just didn't agree. He had his views and I had mine, and at the end we just had to agree to disagree.
When I got back to my office, he wrote me a note saying, "I appreciate you spending the time to talk to me. Thanks." But we still disagreed. The faculty just really want someone to come to their office to sit down and listen to them. Talk to them about their work. If you don't do that, then you will very likely run into problems. When I send out e-mail, people sometimes find a way to read the wrong things into it.

ISOs reported that good communication is a key to success not just with faculty but with the entire campus community. ISOs reported that they are constantly seeking new and creative ways to get their message across. Using humor is one strategy. An ISO noted,

After instituting a policy on password requirements, I got some questions as to why we need to change our passwords. So we did a top-10 list like David Letterman does. Our top 10 was a combination of half jokes and half serious. We covered technical reasons why passwords needed to be changed with a mix of humor that referred to historical things that happened in the state. There were only a couple of people that still argued, saying they had so many passwords to remember. I said, "You have a PhD, you can obviously remember things." That was stated with humor, but I also put techniques for remembering
passwords on a website and offered a well-respected open-source tool that is a password repository.

Another interviewee took advantage of a walk across campus to communicate with IT users:

When I walk to one of the other buildings on campus, I won't come directly back. I'll stop and informally meet with some of the departments on the way; I learn a lot of interesting things that way. I guess it's one of the old management concepts, you know, management by walking around. This is security by walking around; you get to know who's out there, what kind of things are working, current issues that are coming up.

Speaking in the language of the user was an important theme, as was the need to focus on the things that are important to users. Comments focused on understanding and communicating about business process. One ISO noted, "I encourage open dialogue, and I treat the business as a business and allow the technical implementation requirements to be as minimally invasive (almost transparent) to the business." Another ISO recommended taking a business-centric approach versus an IT-centric approach when discussing security issues.

Communication is also extended into more long-term relationship building. The key to building these relationships is the development of consensus about the direction of the security program. A typical comment in this area was, "Like most higher-ed institutions, we rely on consensus to gain support. I try to build grassroots support for security through a user-level 'what's in it for me?' style so that users see parallels between workplace and home."

Much of the decision making in higher education takes place within governance groups. ISOs see that these groups play an important role in the development of security programs. One ISO noted that coordinating policy development through key internal governance bodies to keep significant opinions on the table, even if not fully addressed, is a good strategy.
Several ISOs noted the development of IT-specific governance groups and the value of utilizing these groups to further the security program.[1]

ISOs reported that the building of relationships on a daily basis with a few significant players on campus is important. ISOs discussed developing close relationships through incident investigations and policy development processes. Most often mentioned was the development of relationships with campus law enforcement professionals and legal counsel.

In addition to developing relationships with colleagues across campus, ISOs also noted that developing positive, supportive relationships with the institutional administration is important. They told us that they saw buy-in from key institutional administrators as a key component of success. The CIO played a critical role in gaining the attention of their peer administrators. Helping the higher education administrator understand security from his or her own reference point was a strategy reported by one ISO. An administrator's tour of the security office to view the technology used to perform security functions resulted in a fuller understanding of the impact of attacks on the campus network and fueled that administrator's desire for other administrators to also have this experience. Several ISOs noted that communication targeted at the highest levels of the institution was an important strategy for keeping IT security in mind. One respondent recommended, "Regularly (annually) present to the board of trustees (most often the audit committee) to share progress and the state of the union."
In interviews and comments, ISOs saw educational programs as very important and reported public relations campaigns aimed at student awareness and educational sessions with academic and administrative departments. Many ISOs mentioned in the interviews that education and awareness are keys to the prevention of breaches. ISOs reported that it is hard to get campus IT users to focus their attention on security. One ISO reported that he started an educational program focused on personal machines; once these workshops gained the attention of staff, he shifted that newly built awareness to university resources. That ISO noted,

Recently, we took the approach of giving them information that they could use at home. So our entire seminars are about home environments and have very little to do with work. Our approach was we just wanted to teach you to make your computer more secure at home. We thought [this way] we would get more people to come. Now, after coming, they acknowledge the importance to the environment. So in that scenario, everyone wins.

While seeing education as a very positive aspect of security programs, ISOs also noted a downside. One interviewee noted that once technology users are educated, they place more demands on the security program and its staff, stretching the resources allocated to the office:

The problem for me now is becoming a victim of my own success. We succeeded in raising awareness and people are asking the right questions, which is great, but my resources haven't increased at all. It's been a problem; the awareness across campus has gone up, but we're not increasing resources for security. So we are going to have to stop providing some of these outside services that we've been providing or we'll have to turn people away, which you know will be really detrimental to our goal of raising awareness.

Earlier in this study we noted that the role of the ISO is a combination of policy, analytical, and technical work.
Many ISOs discussed the benefit of detailed data and analysis concerning risk for advancing their programs. Risk assessments and audits were often mentioned as strategies used with academic and administrative departments. Many ISOs use metrics, particularly as a feedback mechanism to departmental managers, and see them as effective. Once the departmental managers saw their own security data on a consistent basis, the ISOs reported that security issues received more consistent attention.

All of these strategies appear to take advantage of the higher education environment's decentralized, noncontrol attributes. By providing information and data, communicating risks, seeking to educate administrators and users, and building relationships, ISOs seek to influence campus views of the importance of security. These reported strategies are also borne out in the data on responding to challenges noted above.

Some ISOs purposely utilize an influence strategy, avoiding an emphasis on risk and fear. One ISO noted success at developing "a relationship of sensible security" and specifically "not engaging in [fear, uncertainty, doubt] to communicate security initiatives." However, others pointed out the effectiveness of a security breach, whether on that campus or by illustration at other campuses, in gaining the attention of campus players. One ISO reported employing a strategy of using every security incident as a learning tool to
engage senior management in risk-based decision processes. Another noted that fear of incidents and media attention to breaches did it all: "Don't really need [a strategy]; the media and other schools do it for me." Respondents often mentioned that maintaining the reputation of the institution was a key to having a breach experience move a security program forward, as was the cost of dealing with a breach. Interviewees reported that cost avoidance analysis was having an impact on campus decision making, particularly in the context of the large costs associated with major security breaches. However, one ISO reported that even a breach did not bring attention to security needs. This person said, "We have had data breaches, although nothing seems to get the attention of senior management. We remain in a purely reactive security stance."

ISOs believe that the need for their institutions to comply with a number of laws and regulations is helpful. "Wield regulatory compliance as a hammer to get things done," was one comment. One effective tactic ISOs shared was identifying the potential costs of noncompliance with regulations, such as payment card industry regulations in relation to credit card processing, as an argument for increased attention to IT security.

Others reported they used an approach that seeks to help others accept responsibility for their data. ISOs reported a shift in the attitude of campus departmental managers, who began to understand that they are data managers or "stewards":

I ask people what information they have. For example, we have alumni records, so we need to assign owners to that location, an owner who is not an IT person. So, say you are the registrar. I say to you, "Is this your information, are you responsible for it?" And I'll say, after we've identified who owns the information, And here's what we think you'd need to do to mitigate these threats if you are interested in mitigating them.
If they say yes, then I'll tell them how to do that, what you put in place, but it's not my information, it is not my decision to make. I can identify the risks and tell them what we need to do about it. But they have to make that decision, they have to make efforts to do it... so a big part of the information security is identifying whose information it is in advance, who is willing to take responsibility.

If department managers can begin to accept responsibility for their data and its protection, the security program will be able to shift its role to one that offers assistance, not one that dictates compliance. Security as a service then becomes possible.

These reported strategies use both positive and negative messages to persuade others to support security programs, and they show a strong trend toward focusing on education, communication, and influence. The survey respondents reported that a focus on both people and process is affecting strategies for successful program implementation.

Conclusion

The ISO has broad authority to act to protect campus networks and environments from harm. ISOs utilize a number of internal and external sources of authority to establish their credibility. The ISO is only occasionally challenged, although faculty is the group that most often challenges the ISO. ISOs use a variety of strategies to deal with these challenges, frequently explaining the reason behind the request and citing a rule, policy, or mandate. ISOs interviewed agreed with the observation that higher education's decentralized environment and strong emphasis on
research autonomy and shared governance make implementing and overseeing a successful IT security program especially challenging. Survey respondents and interviewees reported a number of strategies to gain compliance with and understanding of the security programs. These strategies include risk assessment and metrics, education and awareness, continual communication, gaining support of institutional administrators, and building relationships across campus.

Endnote

1. For a detailed examination of institutional IT governance process, see Ronald Yanosky, with Jack McCredie, Process and Politics: IT Governance in Higher Education (Research Study, Vol. 5) (Boulder, CO: EDUCAUSE Center for Applied Research, 2008), available from
5 Conclusion

ECAR studies since 2003 have sought to track the development of the IT security profession. The data from these studies show the development of the information security officer role within campus environments, given that 311 individuals responded to this survey. However, the role on many campuses is combined with other responsibilities. Some campuses have recognized security as a top administrative concern and have either created an ISO position or delegated this responsibility to the CIO. Other campuses have recognized the function but have chosen to assign the responsibility to a lower-level technical staff member. We believe that in many cases this occurs in very small IT organizations where the number of staff positions limits the ability to assign exclusive roles to individuals. While higher education institutions continue to respond to this important area of the technology landscape, a new profession is taking shape. This study reveals common positions, responsibilities, qualifications, skill sets, and training. The study finds that these common elements mirror those defined at the federal level as well.

In addition to focusing on the development of the ISO profession, this study outlines strategies that are used to approach security issues on campus. These strategies document current ISO actions to secure their campuses and also point to the future of IT security programs. The study data clearly show that institutions have moved beyond a merely technical control approach to security work. While campuses still maintain robust network control technology and deploy a number of technical mechanisms to control the devices connected to their networks, the focus of security work has shifted to emphasize people rather than machines and data rather than technology. Again and again in the study interviews, ISOs discussed broad parameters for IT security.
Their focus was clearly on the importance of gaining the cooperation of people within the institution. Equally, institutional data had their attention. As the complexity of institutional data issues has been revealed, often through initial approaches to protection mechanisms prompted by HIPAA or other data protection mandates, it has become clear that identifying data that needs to be protected for privacy reasons and subjecting it to a different business process profile is a necessary component of security. Strategies identified in this study are aimed at people, data, and process. These three programmatic drivers are used side by side to convince higher education administrators that investing funds and providing policy guidance are worthwhile institutional
endeavors. The ISO's focus on people often serves to increase informed individual action by technology users. The ISOs reported that one of the most productive expenditures of their time is educating individual users about risk and appropriate behavior. Education and awareness programs, as well as building collaborations with governance groups, all help to increase user awareness. An important element in these programs is the shift from security's being an IT responsibility to being everyone's responsibility. ISOs perceive that a key element of success involves departmental managers coming to see their role as digital asset managers, indicating acceptance of their responsibility for their data. If this transfer of ownership takes place, the ISO becomes the person who helps them with their insecure data and process issues.

The data asset manager role is not new to higher education. Many institutions have had records management programs that developed policy (or, in the case of many public institutions, implemented state mandates) and assisted institutional departments with the maintenance of their paper records. It was the shift to electronic formats, along with the integration of data in enterprise information systems, that brought the information technologist into this process, sometimes shifting primary responsibility away from the local departmental manager and, at a minimum, extensively involving IT staff in the care of the data. Now, many ISOs are promoting the concept of joint responsibility for institutional data. Functional managers are taking the primary responsibility, with IT staff providing education and the means to protect data through secure systems and secure transfer mechanisms. The ISOs reported that departmental managers have begun to see their responsibility for the data they create and that they believe this responsibility fits well with their traditional role.
The ISOs reported that they can appeal to administrative staff dedication to faculty and students, as well as to their professional values, to cement this belief in their roles.

At the institutional level, the focus on data and processes, along with the need to organize approaches to legal mandates, has more administrators considering campus-wide coordination of data and information. A few campuses have moved to appoint chief privacy officers. At this writing, it is unclear whether such a development would dilute, augment, or merely confuse the interrelated data management roles of the institution and whether the CPO role would stand beside or become part of the ISO portfolio.

Despite the difficulty in defining success for these programs, ISOs believe that they see gains in their environments. They cite improvements in the number of compromised machines, the lack of breaches, and clear improvement in the awareness of staff. In addition, they report widespread adoption of responsibility for security among administrative officers, particularly administrative unit managers who are charged with the responsibility for confidential data. The difficulty of demonstrating, specifically, the results of the investment in a security program remains, but the ISOs reported progress on defining metrics and increased understanding that data protection brings less defined but nonetheless important benefits for institutional reputation.

Despite the progress made in building strong security programs, the ISO and the CIO face new and even more challenging environments. Just as the CIO and the ISO make gains within their campus environments, higher education is shifting beyond the campus in a substantial way for technology services. Yochai Benkler points out in his article on the networked economy and society that permeability of the higher education environment continues to increase as faculty and students reach into the cloud for communication and
content services.[1] He points out that preserving the ability of faculty and students to innovate rests on the preservation of decentralized control. He contends that innovation comes from the edges, where faculty and students experiment and interact with the cloud of services available to them. If the boundary of the institution becomes less defined and if academic work requires participation in multiple environments and systems, then higher education is an increasingly challenging environment for security programs that seek to protect data and systems. This reality would seem to portend a future for IT security that will focus on informed individualized action and processes for data protection that will extend to partners outside the institution. Collaboration with campus administrative staff, faculty, and students will most likely become even more important as the CIO and the ISO seek to provide both security and the openness required of today's environment. This study has noted the shift of ISO focus toward policy, analytical approaches, and education, with less emphasis on technical control mechanisms. The higher education future in the cloud would require even more movement toward an ISO skill set focused on collaborative leadership and education.

Endnote

1. Yochai Benkler, The University in the Networked Economy and Society: Challenges and Opportunities, EDUCAUSE Review 43, no. 6 (November/December 2008):
Appendix A
Institutional Respondents to the Online Survey

Adelphi University
Adler School of Professional Psychology
Alliant International University San Diego
American Public University System
Angelo State University
Antioch University System Administration
Appalachian State University
Athabasca University
Auburn University
Augusta State University
Ball State University
Barnard College
Baylor University
Bellevue Community College
Black Hills State University
Board of Regents of the University System of Georgia
Boise State University
Boston University
Brandeis University
Brenau University
Brevard College
Bridgewater State College
Brigham Young University Idaho
Buffalo State College
California Maritime Academy
California State University, Channel Islands
California State University, Chico
California State University, East Bay
California State University, Office of the Chancellor
California State University, San Bernardino
California State University, Stanislaus
Calvin College
Canisius College
Cardinal Stritch University
Carnegie Mellon University
Case Western Reserve University
Centenary College
Central Piedmont Community College
Central Virginia Community College
Chapman University
Charles Drew University of Medicine & Science
Christian Brothers University
Christopher Newport University
City University of New York
Clark University
Clemson University
Cleveland State Community College
Colby-Sawyer College
Colgate University
College of DuPage
The College of New Jersey
The College of Saint Scholastica
College of William and Mary
Colorado College
Colorado State University
Columbia College Chicago
Columbus State University
Concordia University at Austin
Connecticut College
Corban College
Davis & Elkins College
DePauw University
Eastern Michigan University
Eastern Oregon University
Eastern Shore Community College
Eastern Washington University
Elgin Community College
Elmhurst College
Emory University
Fairfield University
Fayetteville State University
Ferrum College
Florida Community College at Jacksonville
Florida International University
Florida State University
Fordham University
Fort Lewis College
Francis Marion University
Franklin and Marshall College
Frederick Community College
Furman University
Genesee Community College
Georgetown University
Georgia College & State University
Georgia Southern University
Georgia State University
Georgian Court University
Germanna Community College
Harford Community College
Hawaii Pacific University
Houston Community College
Illinois State University
Indiana University
Indiana University East
Indiana University Northwest
Indiana University Southeast
Indiana University-Purdue University Indianapolis
Ithaca College
J. Sargeant Reynolds Community College
John Tyler Community College
The Johns Hopkins University
Kansas State University
Keyano College
Lamar University
Lansing Community College
Le Moyne College
Lehigh University
Lehman College/CUNY
Lewis & Clark College
Lincoln University in Pennsylvania
Linn-Benton Community College
Louisiana State University
Loyola College in Maryland
Loyola University Chicago
Luther Seminary
Manhattan College
Mansfield University of Pennsylvania
Maricopa Community College District
Marquette University
McDaniel College
McGill University
McKendree University
Medical College of Georgia
Memorial University of Newfoundland
Mercyhurst College
Merrimack College
Miami University
Michigan State University
Middle Tennessee State University
Middlebury College
Middlesex County College
Midwestern State University
Millersville University of Pennsylvania
Millikin University
Minot State University
Mississippi State University
Missouri State University
Missouri University of Science and Technology
Monmouth College
Montana State University Great Falls, College of Technology
Montgomery County Community College
Moravian College
Mount Royal College
Mount Saint Mary's College
Mount Vernon Nazarene University
Nebraska Wesleyan University
Nevada System of Higher Education
New Mexico State University
47 New River Community and Technical College Niagara College North Dakota State University Northampton Community College Northeastern University Northern Arizona University Northern Illinois University Northern State University Northwest University Northwestern University Northwood University Nova Scotia Community College Oakwood College Oberlin College The Ohio State University Ohio University Oklahoma State University Oregon Institute of Technology Oregon State University Pace University Pennsylvania College of Technology The Pennsylvania State University Pepperdine University Pima County Community College District Plymouth State University Pomona College Portland Community College Portland State University Prince George s Community College Princeton University Providence College Queens College/CUNY Queen s University Rio Salado College Rosalind Franklin University of Medicine and Science Rutgers, The State University of New Jersey Sacred Heart University Saint Louis University Salve Regina University Sam Houston State University San Jose State University School of the Art Institute of Chicago Seattle University Seneca College of Applied Arts and Technology Sewanee: The University of the South Shippensburg University of Pennsylvania Simmons College Sinclair Community College South Dakota School of Mines & Technology Southern Illinois University at Carbondale Southern Methodist University Southwest Baptist University Southwestern Oregon Community College St. Cloud State University St. Olaf College Stanford University Stephen F. 
Austin State University SUNY College at Oswego SUNY College at Potsdam SUNY College of Technology at Delhi Swarthmore College Sweet Briar College Texas A&M University Texas A&M University at Galveston Texas A&M University Commerce Texas A&M University Corpus Christi Texas State University San Marcos Tougaloo College Truckee Meadows Community College Tulane University UCLA Université de Montréal University at Albany, SUNY University of Alabama University of Alabama at Birmingham University of Arkansas University of Baltimore The University of British Columbia University of Calgary University of California Office of the President University of California, Berkeley University of California, Davis University of California, Irvine University of California, Merced University of California, San Diego University of California, Santa Cruz University of Central Florida University of Chicago EDUCAUSE Center for Applied Research 45
48 University of Cincinnati University of Colorado at Boulder University of Dayton University of Delaware University of Denver University of Florida University of Hawaii The University of Iowa The University of Kansas Medical Center University of Manitoba University of Mary Washington University of Maryland, Baltimore County University of Massachusetts at Worcester The University of Memphis University of Michigan Ann Arbor University of Michigan Dearborn University of Mississippi University of Missouri Columbia University of Missouri St. Louis The University of Montana University of Nebraska University of Nebraska at Kearney University of Nebraska Medical Center University of New Mexico University of North Carolina at Greensboro University of North Dakota University of Northern Iowa University of Notre Dame University of the Pacific University of Pennsylvania University of Phoenix University of Puerto Rico at Cayey University of Puerto Rico at Humacao University of Rochester The University of Scranton University of South Carolina University of Southern Maine University of Southern Mississippi University of St. Thomas The University of Tampa The University of Tennessee University of Tennessee at Chattanooga The University of Tennessee Health Science Center The University of Texas at Arlington University of Texas at Dallas University of Texas at Tyler University of Utah The University of Virginia s College at Wise University of Washington Bothell University of Waterloo University of West Florida University of Windsor University of Wisconsin Green Bay University of Wisconsin Milwaukee University of Wisconsin Platteville University of Wisconsin Superior University of Wisconsin Whitewater University System of Maryland Virginia Highlands Community College Virginia Tech Washington and Lee University Washington University in St. 
Louis Wayne State University Weber State University West Liberty State College West Virginia School of Osteopathic Medicine Western Carolina University Western Michigan University Wheaton College Whitehead Institute for Biomedical Research Wichita State University Widener University Wytheville Community College York College of Pennsylvania Zane State College 46
Appendix B: Position Titles of ISO Respondents to the Online Survey

Chief Information Security and Privacy Officer
Chief Information Security Officer (CISO)
Chief Information Security Officer and Assistant Director of Network Services
Chief Information Security Officer & Network Engineer
Chief Information Security Officer, Director of Information Security
Chief Information Security Officer, Director of IT Compliance
Chief Information Technology Security Officer
Chief IT Security & Policy Officer
Chief Security Officer Information Technology
Deputy CIO/CISO
Director & CISO, Networking and Information Security
Director, Campus IT Security
Director Information Security
Director, Information Security
Director Information Security Office
Director, Information Security and Identity Services
Director, Information Security and Operations
Director Information Services and Information Security Officer
Director, IT Security
Director IT, Security Administration
Director, IT Security CISO
Director of Information & Systems Security/Compliance
Director of Information Security
Director of Information Security and Compliance
Director of IT/Information Security Officer
Director of IT Security
Director of IT Security Services
Director of Network Services/Information Security Officer
Information Security Administrator
Information Security Coordinator
Information Security Manager
Information Security Office & Enterprise Systems Administrator
Information Security Officer
Information Systems Security Manager
Information Technology Security Officer
IT Policy and Security Officer
IT Security Administrator
IT Security Coordinator
IT Security Manager
IT Security Officer
Manager, IST Security
Manager, IT Security
Manager of IT Security
Network & Information Systems Security Coordinator
Senior Director Information Security Management
University Information Security Officer
University IT Security Officer
