The Rise of the CISO

The 'chief information security officer' role is increasingly important
for higher ed, as new cyber security challenges loom on the horizon.

THE LATE 1980s was an exciting time to be a CIO
in higher education. Computing was being decentralized
as microcomputers replaced mainframes,
networking was emerging, and the National Science
Foundation Network (NSFNET) was introducing
the concept of an “internet” to hundreds of
thousands of new users. Security wasn’t much of
an issue; the big debate on campus was whether to
regulate access to the alt.sex newsgroups. An institution’s
systems group handled IT security as an
afterthought. None of us had a “chief information
security officer”—or anything like it.

Now, two decades later, cyber security is routinely
identified as the top concern of higher ed CIOs,
according to the Campus Computing Project’s 2006
National Survey of Information Technology in US
Higher Education. And
with good reason: The CDW-G Higher Education IT
Security Report Card 2006
(newsroom.cdwg.com/features/feature-10-10-06.html) indicates that 56
percent of all higher ed institutions have experienced
at least one security incident in the last year.

The CISO in Higher Ed

With the growing importance of security, it is not surprising
that the responsibility for IT security has moved to senior IT
management or dedicated IT security professionals. Forty
percent of institutions now have a formally designated chief
information security officer, up from 22 percent in 2003,
according to Safeguarding the Tower: IT Security in Higher
Education 2006, a study from the Educause Center for
Applied Research (ECAR).

The person responsible for IT and information security (as
well as related audits) may have a variety of titles: information
security officer (ISO), IT security manager, or director of
information security. Although common in the corporate
world, the use of the functional descriptor “chief security
officer” (CSO) or “chief information security officer” (CISO)
is less common in higher ed. Because the term “chief security
officer” is used by many companies for a position that is
also responsible for physical security and the safety of
employees, the term “chief information security officer” is
becoming more prevalent for individuals with an exclusive
cyber security focus.