CISO — Chief Information “Service” Officer

Leo Howell, published in CISO Tuesdays, Nov 17, 2020 (10 min read)

Most days I feel more like I am in sales, marketing, communication, or consulting, going from one gig to the next, than like a CISO. There is a reason for this: I believe that my role as a Chief Information Security Officer is a lot more than security. I am in the business of sales, marketing, communication and consulting; in fact, I firmly believe that CISOs are really Chief Information “Service” Officers.

Why sales? Some years ago I had a conversation with a faculty member; I was trying to convince him to adopt a few basic security controls (two-factor authentication, antivirus, the basics). He labored through the conversation, then said, “I just need an easy button, tell me what service I need to use and I will do it.” This was a real light bulb moment for me. As excited as I was about the security controls, I realized that the faculty member was only interested in the service he needed to use and not the security features I was promoting. From then on I decided to shift my focus from selling security features to working with IT to embed security into their services, and I got into the business of selling secure IT services to my customers.

Why marketing and communication? This is not my specialty, but it is my job, so I surround myself with expert messaging, marketing and communication folks to get the right results. I feel lucky; my colleagues understand timing and messaging for all stakeholder groups — students, faculty, staff, and the IT community — and provide me with great partnerships to make sure we highlight the right benefits of securing our services and the assets of our constituents, while striking the right tone.

Why consulting? This is the most exciting part of being a CISO; I get to connect customers with solutions that often exceed their expectations. Now, this is not hard to do, but your mindset must be “yes-if” instead of “no-because” and you have to be a bit entrepreneurial. When a psychologist points out that they cannot meet face-to-face with patients due to COVID-19, my answer is telehealth; when a researcher worries about performing sensitive research away from the confines of their lab, my thoughts go to the establishment of a secure virtual lab service. Chief Information Service Officers are often the first ones to encounter a customer looking for a solution to a difficult problem. It’s my job to understand the problem and collaborate with the right folks to find answers. What’s even more exciting is that I get to provide oversight to ensure that the solution has the right level of security built-in from the get go.

Before I go further, there is one myth I need to clear up about the role of a CISO. Information security offices, and hence CISOs, are often seen as the place of “no”: roadblocks, speed bumps, and so on. This is absolutely correct as it relates to the “bad guys,” and absolutely wrong as it relates to everyone else. My general philosophy, and I believe this is shared by most CISOs, is that our job is to stop the “bad guys” while enabling the “good guys.”

Following is a typical day in my life as a CISO; hopefully this will inspire and encourage others to follow this path.


Morning

I am normally up between 5:30 am and 6:30 am, depending on how many times I decide to hit the snooze button. This morning my day began with a warm shower that got me thinking mainly about big “strategic” items I want to accomplish; you know, things like when I am going to find time to rake the leaves in the front yard, and lamenting the fact that it’s grocery day and I am going to have to wash the groceries again today (to remove COVID-19). By 7:00 am I shifted gears and began to plan my work day by making my TTDT (things to do today) list, which had the same things that were on the list the previous day, plus or minus a few items.

Between 7:00 am and 7:30 am, I checked a few cable news channels and my favorite cybersecurity news feeds to see what’s going on in the world. This is a good way to be prepared for the random encounter later in the day where someone may ask about some cybersecurity event somewhere in the world and want to know if we are at risk or to otherwise comment on that event. In cyber-speak, this gave me a level of situational awareness of the global threat landscape and potential implications for my institution.

Finally, before work began at 8:00 am, I spent some time orienting myself with the specific cybersecurity issues related to my institution. I reviewed my favorite “CISO dashboard” — my email, text messages, voicemail — for this information. This day, several things bubbled up to my dashboard, some of which I could handle in the morning, others were better dealt with later.

Quick turnaround. I answered specific policy questions immediately and provided references to written standards, guidelines or other knowledge-base materials. Specific requests relating to security operations or compliance were delegated to my Director for Information Security Services and my Director for Information Security Compliance, who rallied the troops to fulfill the requests.

Longer turnaround. Some requests required additional conversations in the form of meetings; this is where I deferred to my assistant to work another miracle and figure out how to rearrange my calendar to fit another meeting in. More complicated items, such as requests to negotiate overly stringent data use agreements from third-party collaborators or grant funders, RFP review requests, or other proposal reviews, resulted in a task added to my TTDT to be addressed later.

Incidents. Another major piece of my CISO dashboard review is to identify new, specific threats or incidents and to start formulating a game plan for addressing them. Key signals I look for include: 1) an unusually high number of phishing complaints from the campus community; 2) instances of “whaling,” that is, very targeted spear phishing aimed at high-level individuals; 3) other issues (e.g., system outage or sluggishness) that could have resulted from a security incident (e.g., DDoS); 4) direct hotline reports with potentially high-risk implications. Thankfully there was nothing too alarming today.
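The first two signals above, a spike in phishing complaints and a lure aimed at several executives at once, can be checked mechanically before the stand-up. The following Python is an added example and not the author's or the university's tooling; the report records, the roles, the seven-day baseline and the spike threshold are all constructed assumptions.

```python
"""Morning phishing-report triage: flag volume spikes and targeted ("whaling") lures.

Added example; the data below is constructed, not a real report queue.
"""
from collections import Counter, defaultdict
from statistics import median


def _rep(date, role, recipient, sender, subject):
    """One user-submitted phishing report (assumed schema)."""
    return {"date": date, "role": role, "recipient": recipient,
            "sender": sender, "subject": subject}


# Constructed sample: a week of background noise, then one day with a
# volume spike that also carries the same lure to three executives.
_BACKGROUND = {"2020-11-09": 3, "2020-11-10": 4, "2020-11-11": 2, "2020-11-12": 5,
               "2020-11-13": 3, "2020-11-14": 4, "2020-11-15": 3}
SAMPLE_REPORTS = [
    _rep(day, "student", f"user{i}@uni.example", f"promo{i}@example.net", "Free gift card")
    for day, n in _BACKGROUND.items() for i in range(n)
]
SAMPLE_REPORTS += [
    _rep("2020-11-16", "staff", f"staff{i}@uni.example", f"payroll{i}@example.net",
         "Update your direct deposit")
    for i in range(12)
]
SAMPLE_REPORTS += [
    _rep("2020-11-16", "executive", who, "ceo-office@example.net", "Urgent wire transfer")
    for who in ("provost@uni.example", "cfo@uni.example", "president@uni.example")
]


def daily_counts(reports):
    """Number of reports per calendar day (days with no reports are absent)."""
    return Counter(r["date"] for r in reports)


def spike_days(counts, window=7, k=3.0):
    """Flag days whose count exceeds median + k*MAD of the preceding `window` days.

    Median/MAD is used instead of mean/stddev so one earlier bad day does not
    raise the baseline. Returns {day: (count, threshold)}. Days with zero
    reports are not in `counts`; fill them in before calling this on real data.
    """
    days = sorted(counts)
    flagged = {}
    for i in range(window, len(days)):
        baseline = [counts[d] for d in days[i - window:i]]
        med = median(baseline)
        mad = max(median(abs(c - med) for c in baseline), 1.0)  # floor avoids a zero-width band
        threshold = med + k * mad
        if counts[days[i]] > threshold:
            flagged[days[i]] = (counts[days[i]], threshold)
    return flagged


def whaling_candidates(reports, exec_roles=("executive",), min_targets=2):
    """Same sender+subject reported by at least `min_targets` distinct executives.

    Returns {(sender, subject): number_of_distinct_executive_recipients}.
    """
    targets = defaultdict(set)
    for r in reports:
        if r["role"] in exec_roles:
            targets[(r["sender"], r["subject"])].add(r["recipient"])
    return {lure: len(who) for lure, who in targets.items() if len(who) >= min_targets}


def triage(reports):
    """Everything a CISO would want on the dashboard before the 8:45 stand-up."""
    return {"spikes": spike_days(daily_counts(reports)),
            "whaling": whaling_candidates(reports)}


if __name__ == "__main__":
    for kind, hits in triage(SAMPLE_REPORTS).items():
        print(kind, hits or "nothing alarming")
```

The baseline window and the multiplier `k` are the knobs to tune against your own report history; a campus with noisy student reporting may need a wider window or a higher `k` so that exam-week gift-card scams do not page anyone.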

By 8:00 am the real work began, or as my family calls it, “meetings.” This morning we addressed some staffing issues: our Chief Technology Officer is moving on to a CIO role at a different institution, and our executive council started working out a transition plan, updating the duties for the next CTO and planning for his replacement. We later shifted gears and began finalizing the University IT strategic plan and roadmap.

At 8:45 am it was time for our daily Information Security Office stand-up meeting to touch base and see what each staff member was working on and whether they needed feedback from the rest of the team on issues, ideas or directions. We spent a few minutes talking about hiking, fishing and a few other outdoors activities and how to keep that going safely with the looming new COVID-19 shutdown. Next we proceeded to the usual round robin discussion on security topics — current incidents, consulting questions, quick project updates and the day’s threat landscape.

The Rest of the Day Blurred Together

This portion of my day was a mixture of operational, tactical and strategic activities carried out in meetings (a.k.a. collaboration vehicles in higher education). Following is a sampling of these activities.

Operational. This morning, there was no known significant incident. If there were, I would be huddling with my team to discuss response to current incidents (vulnerabilities, threats, or potential compromises), engaging communication personnel to provide notification to the IT community and/or formulating briefs for me to update other university executives.

There was also a request to review a cloud vendor application to determine whether it meets our requirements for the classification of data proposed to be stored and processed by the app. Another request came in from the Research Administration Office asking whether we could meet a requirement in an incoming contract to be FedRAMP compliant. A quick chat session with members of my Information Security Compliance team concluded that the third-party app was approved to move forward. The FedRAMP requirement for the incoming contract, however, was deemed overkill for the data involved in the project. The next step for this request will be to collaborate with my Research Administration Office colleagues to negotiate changes to the funder’s requirements on behalf of our researcher.

Tactical. Our cybersecurity strategic plan was developed and funded (phase one) over 12 months ago. This resulted in several projects currently in various stages of implementation, including two-factor authentication expansion, advanced vulnerability scanning, a user awareness training and phishing simulation platform, and next-generation firewalling. As the executive sponsor for these projects, I am often asked by the project teams for feedback and/or approval. Today, the team proposed an approach for enabling 20,000+ students on Duo 2FA. The proposal was well thought out, with a clear approach that will be psychologically acceptable to students, an exciting marketing campaign that gamified the rollout, and of course an acceptable D-day (deadline date). This made my job of giving the go-ahead fairly simple and straightforward.

Strategic. In addition to operational and tactical activities, I try to carve out time on my calendar each week to chip away at the more strategic goals I want to realize, in order to keep elevating the maturity of the overall cybersecurity program. Key initiatives that compete for my daily “executive time” include:

  • CSOC. The development of our student-run cybersecurity operation center (CSOC) which will provide valuable experiential learning opportunities for our students, while helping us to leverage their talents to defend against the adversary. Today we finalized plans to make hiring offers to several students for the 2021 cohort.
  • DaaS. A few weeks ago, I had an epiphany to combine like-minded individuals across campus working on various aspects of data-driven decision making, into a single initiative called data-as-a-service (DaaS). The group is now working on developing a governance framework, common tools, and processes to provide data on-demand to analysts seeking to gain insights into matters relating to student success, the COVID-19 impact on learning, and cybersecurity. Today we began fleshing out details of the data architecture that will be needed to create a prototype of the DaaS service by early next year.
  • Cybersecurity Metrics. I am a firm believer that you cannot effectively manage what you cannot measure. So, I am compelled to spend time developing our cybersecurity metrics program with the ultimate goal of creating report cards for units to gain insights into the measure of their cybersecurity success relative to other units within the institution. Today I met with senior members of my team to identify specific metrics we believe we can implement within the next 12 to 18 months.
  • Compliance Program. Less than a year ago I created a new unit within the Information Security Office to address compliance and more proactive aspects of our security program. I spent a fair amount of time developing this team and moving us toward a more comprehensive compliance program to meet requirements under HIPAA, GLBA, NIST 800-x, FERPA and others. This afternoon my team and I decided to move forward with a proof of concept of a basic GRC tool to manage our compliance controls and activities.
  • Budget. With many security tools and services now shifted to subscription-based services, this gives me more leeway to constantly review my budget and move investments around to better address the current risks; i.e., if a tool is not working, I can drop it and move on to something else. Today, I asked my leadership team to begin thinking about how we can maximize our investment in security tools and subscriptions.
  • Committees and Governance. As the chair of the Information Security and Privacy Governance Committee (ISP GC) and the Data Security Incident Response Team (DSIRT), my attention is also focused on building agenda items for these groups to address. The ISP GC meets quarterly to weigh in on security strategic direction and policy proposals. The DSIRT also meets quarterly for threat briefings, procedure improvements, and to rehearse and prepare to be activated in case of real incidents.

This Tuesday was a normal day; I like normal days. Others are more eventful, packed with adrenaline and often excitement for the geeks among us. I do not like those days as much; our customers are usually in pain, because those are incident days. If today had been an incident day, I would have activated the DSIRT and been busy trying to identify the scope of the incident, huddling with my team to contain it, determining whether or not to file cyber insurance claims, coordinating internal and external communications and updating executive briefs.

Conclusion

A day in the life of a CISO can often look boring and monotonous to the untrained eye that sees what you do but not what you are doing. The onlooker sees you talking on Zoom all day and hears you ranting about the evildoers who constantly look for ways to disrupt business or steal something. They hear about wealthy companies that get hacked on a daily basis and wonder whether you are wasting time trying to keep the bad guys out of your environment on the meager budget that most higher education CISOs operate with. Truth be told, what we do is foundational to the survival of our institutions: we are the last line of defense in maintaining the confidentiality, integrity and availability of our institutions’ data and systems, upon which the rest of the business is built. To take it a step further, I consider my role to be defender of my institution’s assets, and, more importantly, I consider the function of a mature cybersecurity program to be a competitive advantage for the institution.

I feel like I am in sales, marketing, communication, or consulting because that is what I do: I am a Chief Information Security Officer (a.k.a. a Chief Information Service Officer). I enjoy stopping the “bad guys” while empowering the “good guys.”

About the author: Leo Howell, CISO Tuesdays. An experienced and enthusiastic cybersecurity visionary committed to reducing risks and improving business productivity.