
Are We Ready for a Chief Information Security Officer?

Jack McCoy, Ed.D., MBA, CISM
Information Security Officer
East Carolina University

The Challenges and Evolution of the Campus IT Security Officer

November 9, 2005 Jack McCoy, East Carolina University 2

The Security Officer Alphabet

- ISO – Information Security Officer
  - Often an “IT” Security Officer
  - Designated official, dedicated to information security
- CISO – Chief Information Security Officer
  - “C” level executive, a strategic business partner
- CSO – Chief Security Officer
  - Corporate security, a convergence of information, asset, and physical security

The Challenges of the Campus ISO

The Environment: The Institution of Higher Education

- A shaky track record for protecting information
- A culture of shared governance
- A penchant for distributed computing
- A desire for free and unfettered exchange of information across organizational boundaries

. . . in essence a formidable environment for those with campus responsibility for information security

The Organization: University Accountability

- Resistance to corporate type controls may arise because a university is “not a business”
- Regardless of the culture or inherent challenges, a university will be held accountable, just as any other organization (e.g., bank or retailer)
- Accountability must trickle down to internal departments, groups, and individuals

The Organization: University Accountability (cont’)

Challenges arise when the university community:

- Is not aware of risks to information and potential impacts to the university and its stakeholders
- Does not believe that the threats are realistic
- Thinks that someone in another building is taking care of the “security problem” for them
- Believes that other job duties and responsibilities always take priority over security

The Strategic Challenges: Issues Likely to be Encountered

- “IT” versus “Information” Security
- Security: “technical” vs. “business” issue
- Executive awareness and involvement
- Governance structures and processes
- Evolving roles and skill sets of the ISO

The Evolving Role of the Campus ISO

The Relationship of InfoSecurity Maturity, Structure, and Roles

Diagram: InfoSecurity Organizational Maturity -> InfoSecurity Functions and Org Structure -> ISO Roles, Responsibilities, and Authority

Gartner’s InfoSecurity Maturity Model

Organizations and their security programs evolve through four phases of maturity:

- Blissful Ignorance
- Awareness
- Correction
- Operational Excellence

(Scholtz & Byrnes, 2005)

InfoSec Maturity - Blissful Ignorance

- Extensive, but outdated policies
- Inadequate user awareness
- Breaches not reported
- Prevailing belief that the enterprise is secure
- No effective communication between the IT security function and business functions

(Scholtz & Byrnes, 2005)

InfoSec Maturity - Awareness

- An event leads to a sudden awareness that “something must be done” about security
- (Re)establishment of dedicated security team
- Efforts focus on policy review and update
- Some organizations assume policy is sufficient and regress to blissful ignorance phase
- Others develop security vision and strategy

(Scholtz & Byrnes, 2005, p. 4)

InfoSec Maturity - Corrective

- Strategic program launched, based on information security vision and strategy
- Security, risk, governance processes revamped
- New policies derived from business needs
- Corrective actions prioritized and funded
- Progress toward goals measured and reported through business and governance channels

(Scholtz & Byrnes, 2005)

InfoSec Maturity – Operational Excellence

- Information security “embedded into the culture of the organization”
- Security is driven by business processes
- Program metrics emphasize continuous improvement
- The organization understands and accepts residual risks

(Scholtz & Byrnes, 2005, p. 4)

A Gartner Recommendation

Organizations must be aware of and understand the evolving maturity of their security programs.

(Scholtz & Byrnes, 2005)

Information Security Functional Structures

- An organization’s security function depends on its size, business, culture, regulatory requirements
- Functional structure types:
  - Technical
  - Technical / Management
  - Management

(Kobus, 2005)

“Technical” Information Security Structure

- No formal security function
- Security responsibilities assigned to technicians in IT operational areas
  - Networking
  - Operations
  - Development
- Reports to IT infrastructure or operational area

(Kobus, 2005)

Aspects of a Technical ISO Role

- Relegated to a purely technical role, e.g., “firewall jockey”
- Often has few resources and little authority
- The reason for hiring an ISO may be to address a regulation, audit, or other requirement, or to “sit on the bomb”

(Berinato, 2004)

The “Technician” ISO

Org chart:

CIO
  - Network: Firewall, Router, IPS Admin
  - Systems: System Adm, Sys Prog, Acct Mgmt
  - App. Dev.: Application Programmer, Developer

* Security functions in blue. The designated ISO may reside in any of these areas.

“Technical / Management” Information Security Structure

- Designated security team
- Responsibilities cover range of issues:
  - Technical
  - Management
  - Strategic enterprise
- Reports to an operational manager

(Kobus, 2005)

The “Security Coordinator” ISO

Org chart:

CIO
  - Network: Firewall, Router, IPS Admin
  - Systems: System Admin, Sys Prog
  - App Dev: Application Programmer, Developer
  - ISO: Acct Mgmt, IT Policy, Awareness

“Management” Information Security Structure

- Designated security team
- Responsibilities include:
  - Enterprise oversight of security programs
  - Security governance processes
- Technical security responsibilities shift back to IT operations
- Information security may report outside of IT

(Kobus, 2005)

The “Management Advisor” ISO

Org chart:

CIO
  - ISO: Governance, Risk Mgmt, Corp Policy (with a Security Council)
  - Network: Firewall, Router, IPS Admin
  - Systems: System Admin, Sys Prog
  - App Dev: App Programmer, Developer

The “Strategic Business Partner” ISO

Org chart:

CFO, COO, RMO
  - CISO: Governance, Risk Mgmt, Corp Policy (with a Security Council)

CIO
  - ISO (Bus. Unit): Acct Mgt, IT Policy, Projects
  - Operational Directors: Technical security

More than One ISO?

- Organizations are creating two security positions:
  - CISO – bridges the gap between business process and policy directives, and technical security
  - BISO – business unit (e.g., IT) representative, implements process & policy directives
- CISO consults with business units on implementation of policy and process directives
- CISO advises senior executives on the management of risks brought about by the use of technology

(Witty, 2001)

Information Security Maturity, Structure, ISO Role

Gartner’s Maturity Model | Kobus’ Funct. Structure | ISO Role Characterization
Blissful Ignorance       | Technical               | “Technician”
Awareness                | Technical / Management  | “Security Coordinator”
Corrective               | Management              | “Management Advisor”
Operational Excellence   | Management +            | “Strategic Business Partner”

The “Debate”

Who is Really in Charge? Who Should Be?

Who is Responsible for Campus IT Security?

- In 2002 Gartner predicted 60% of higher ed ISOs would report outside of IT by 2005 (Hurley, Harris, Zastrocky, & Yanosky, 2002)
- In 2003 94.5% of IT security functions reported to the top IT administrator (Hawkins, Rudy, & Madsen, 2003)
- In 2004 95.2% of IT security functions reported to the top IT administrator (Hawkins, Rudy, & Nicolich, 2004)
- We’re not on track to realize Gartner’s prediction
- The top IT administrator is ultimately responsible

Reporting to the CIO - Advantages

Advantages of the “Security” CIO:

- Access to executive leadership
- “C” level skills and organizational awareness
- Ability to initiate change in the IT infrastructure to enhance information security
- Represents greater influence and value for the CIO position

Reporting to the CIO - Disadvantages

Disadvantages of the “Security” CIO:

- Information security oversight is a part-time role
- Increased CIO workload may lead to the neglect of other strategic objectives
- Conflicts of interest arise when security controls impede the timely delivery of projects and services
- Difficult to conduct unbiased investigations of IT operations

(Koch, 2004)

If Information Security Moves Out of IT

- Accountability must follow responsibility
- CIOs do not want accountability without authority
- Security must report to an executive with “broad managerial responsibilities” for the organization, for example, the CEO, CFO, COO
- Information Security and IT must work closely together as a team

(Koch, 2004)

The Future of the Campus ISO

The Future of the ISO: A View from Gartner

More companies are appointing a CISO with “decreasing responsibility for day-to-day security operations, and a greater level of participation in strategic business decisions”

(Gartner, 2005)

State of the Industry

A 2005 Global State of Information Security¹ study:

- 34% of respondents employ a CSO/CISO
- More security executives report to the CEO or Board than the CIO
  - 46% report to the CEO/Board
  - 36% report to the CIO

(CSO, 2005)

¹ A joint study of PricewaterhouseCoopers and CIO Magazine, representing a range of industries, e.g., computer-related manufacturing & software, consulting & professional services, financial services, education, health care, telecommunications, & transportation.

The Emerging CISO Role

- Technical security is becoming an operational issue
- Information security is emerging as a strategic business issue, addressed through risk management processes
- Resulting in “more authority and influence being invested in the security manager or CISO”
- More CISOs are participating in “crucial business decisions” and are reporting outside of IT
- Ceding turf to a “more powerful security function also raises political issues,” especially with the CIO position

(Vijayan, 2004)

The Emerging CISO Role (cont’)

- Experts are divided over whether the CIO, CSO, or CISO should be responsible for security
- However, it is clear that the IT industry is moving toward “shared responsibilities for security”
- So, “whether the roles of the CIO and the CSO are mutually exclusive or gradually merging into a mutually beneficial relationships still is not evident.”

(Germain, 2005)

Looking Further Into The Future

Gartner predicts:

“there will be a new breed of security expert who will be trusted to protect the organisation of the future, and in many companies, this person will be given the title of the Risk Management Officer”

(Gartner, 2005)

Is Your Campus Ready for a CISO?

Factors to Consider

- The organizational maturity of your institution’s information security program
  - Executive awareness, security culture, etc.
- Your institution’s size, resources, and culture
- The nature of your institution’s governance framework and enterprise risk management processes

Factors to Consider (cont’)

The university CIO is the person typically responsible for security. So consider:

- The CIO’s workload, operational priorities, and strategic objectives
- The working relationship of the CIO and ISO
- ISO access to executive leadership
- ISO “C” level skills: e.g., business acumen, political savvy, and organizational awareness

A Peek Into My Crystal Ball

- For the immediate future many CIOs will retain responsibility for security, leveraging their “C” level skills and organizational contacts for good effect
- Higher education institutions will eventually embrace the corporate CISO model -- but not overnight!
  - Larger institutions with greater resources will lead the change

A Peek Into My Crystal Ball (cont’)

- “Security” CIOs will continue to serve as unofficial campus CISOs, but . . .
- Eventually, even “Security” CIOs will hand information security over to another “C” level position
- The role of the campus ISO will evolve rapidly, offering many opportunities for advancement

A Survival Kit of Skills for the Campus ISO

- Grounded in multiple protection disciplines
- Capable project/program manager
- Lifelong passion to learn
- Business acumen
- Diplomatic and adaptable
- Adept at framing issues as risk management
- Professional training and certifications

(Boni, 2005)

References

Boni, W. (2005, April 5). The role of the CSO: An industry perspective. Presented at the EDUCAUSE Security Professionals Conference 2005, Washington, DC. Retrieved November 2, 2005 from the EDUCAUSE Web site http://www.educause.edu/LibraryDetailPage/666?ID=SPC0528

Berinato, S. (2004, July). CISO role: Locked out. Retrieved November 2, 2005 from the CSO Online Web site http://www.csoonline.com/read/070104/cisco.html

CSO. (2005). The state of information security, 2005: A worldwide study conducted by CIO Magazine and PricewaterhouseCoopers. Retrieved November 2, 2005 from the CSO Online Web site http://www.csoonline.com/csoresearch/report93.html

CSO. (2004). What is a chief security officer? Retrieved September 30, 2005 from the CSO Online Web site http://www.csoonline.com/research/leadership/cso_role.html

EDUCAUSE (2002). Higher education contribution to national strategy to secure cyberspace. Retrieved August 17, 2005, from http://www.educause.edu/ir/library/pdf/NET0027.pdf

Gartner (2005, September 15). Gartner highlights the evolving role of CISO in the new security order. Retrieved November 2, 2005 from the Gartner Web site http://www.gartner.com/press_releases/asset_135714_11.html

Germain, J. (2005, October 13). Your next job title: CISO? Retrieved November 2, 2005 from the Newsfactor Magazine Web site http://www.cio-today.com/story.xhtml?story_title=Your_Next_Job_Title__CISO_&story_id=38430

Hawkins, B. L., Rudy, J. A., & Madsen, J. W. (2003). EDUCAUSE core data report: 2003 summary report. Retrieved September 30, 2005 from the EDUCAUSE Web site http://www.educause.edu/ir/library/pdf/pub8001c.pdf

Hawkins, B. L., Rudy, J. A., & Nicolich, R. (2004). EDUCAUSE core data report: 2004 summary report. Retrieved November 2, 2005 from the EDUCAUSE Web site http://www.educause.edu/ir/library/pdf/pub8002.pdf

Hurley, D., Harris, M., Zastrocky, M., & Yanosky, R. (2002, December 9). Information security officers needed in higher education. Retrieved November 2, 2005 from the Gartner Web site http://www.gartner.com

Kobus, W. S. (2005, November 1). Security management. Presented at the ISSA Triangle InfoSeCon conference on November 1, 2005 in Cary, NC.

Koch, C. (2004, April 15). Hand over security. Retrieved November 3, 2005 from the CSO Online Web site http://www.cio.com/archive/041504/homeland.html

MacLean, R. (2004, May 18). Defining the role of the security officer in higher education. The Security Professional’s Workshop, May 16-18, 2004, Washington, DC. Retrieved September 30, 2005 from the EDUCAUSE Web site http://www.educause.edu/LibraryDetailPage/666?ID=SPC0417

Scholtz, T. & Byrnes, F. C. (2005, June 27). Use information security program maturity timeline as an analysis tool. Retrieved November 2, 2005 from the Gartner Web site http://www.gartner.com

Vijayan, J. (2004, October 4). Rise of the CISO: Chief information security officers have more influence -- and greater challenges -- than ever before. Retrieved November 4, 2005 from the Computerworld Web site http://www.computerworld.com/securitytopics/security/story/0,10801,96291,00.html

Witty, R. J. (2001). The role of the chief information security officer. Retrieved November 2, 2005 from the Gartner Web site http://www.gartner.com