View
214
Download
0
Tags:
Embed Size (px)
Citation preview
Are We Ready for a Are We Ready for a Chief Information Chief Information Security Officer?Security Officer?
Jack McCoy, Ed.D., MBA, CISMJack McCoy, Ed.D., MBA, CISM
Information Security OfficerInformation Security Officer
East Carolina UniversityEast Carolina University
The Challenges and Evolution The Challenges and Evolution of of
the Campus IT Security the Campus IT Security OfficerOfficer
November 9, 2005 Jack McCoy, East Carolina University 2
The Security Officer The Security Officer AlphabetAlphabet
ISO – Information Security OfficerISO – Information Security Officer Often an “IT” Security OfficerOften an “IT” Security Officer Designated official, dedicated to information Designated official, dedicated to information
securitysecurity CISO – Chief Information Security OfficerCISO – Chief Information Security Officer
““C” level executive, a strategic business C” level executive, a strategic business partnerpartner
CSO – Chief Security OfficerCSO – Chief Security Officer Corporate security, a convergence of Corporate security, a convergence of
information, asset, and physical securityinformation, asset, and physical security
November 9, 2005 Jack McCoy, East Carolina University 4
The Environment:The Environment:The Institution of Higher The Institution of Higher
Education Education A shaky track record for protecting A shaky track record for protecting
informationinformation A culture of shared governanceA culture of shared governance A penchant for distributed computingA penchant for distributed computing A desire for free and unfettered exchange of A desire for free and unfettered exchange of
information across organizational boundariesinformation across organizational boundaries
. . . in essence a formidable . . . in essence a formidable environment for those environment for those
with campus responsibility for with campus responsibility for information securityinformation security
November 9, 2005 Jack McCoy, East Carolina University 5
The Organization:The Organization:University AccountabilityUniversity Accountability
Resistance to corporate type controls may Resistance to corporate type controls may arise because a university is “not a arise because a university is “not a business”business”
Regardless of the culture or inherent Regardless of the culture or inherent challenges a university will be held challenges a university will be held accountable, just as any other organization accountable, just as any other organization (e.g., bank or and retailer)(e.g., bank or and retailer)
Accountability must trickle down to internal Accountability must trickle down to internal departments, groups, and individualsdepartments, groups, and individuals
November 9, 2005 Jack McCoy, East Carolina University 6
The Organization:The Organization:University Accountability University Accountability
(cont’)(cont’)Challenges arise when the university Challenges arise when the university
community:community: Is not aware of risks to information and Is not aware of risks to information and
potential impacts to the university and its potential impacts to the university and its stakeholdersstakeholders
Does not believe that the threats are realistic Does not believe that the threats are realistic Thinks that someone in another building is Thinks that someone in another building is
taking care of the “security problem” for themtaking care of the “security problem” for them Believes that other job duties and Believes that other job duties and
responsibilities always take priority over responsibilities always take priority over securitysecurity
November 9, 2005 Jack McCoy, East Carolina University 7
The Strategic Challenges: The Strategic Challenges: Issues Likely to be Issues Likely to be
EncounteredEncountered ““IT” versus “Information” SecurityIT” versus “Information” Security Security: “technical” vs. “business” Security: “technical” vs. “business”
issueissue Executive awareness and involvementExecutive awareness and involvement Governance structures and processesGovernance structures and processes Evolving roles and skill sets of the ISOEvolving roles and skill sets of the ISO
November 9, 2005 Jack McCoy, East Carolina University 9
The Relationship of The Relationship of InfoSecurity Maturity, InfoSecurity Maturity, Structure, and RolesStructure, and RolesInfoSecurit
y Organizatio
nal Maturity
InfoSecurity
Organizational
Maturity InfoSecurity
Functions and Org
Structure
InfoSecurity
Functions and Org
Structure ISO Roles, Responsibili
ties, and Authority
ISO Roles, Responsibili
ties, and Authority
November 9, 2005 Jack McCoy, East Carolina University 10
Gartner’s Gartner’s InfoSecurity Maturity InfoSecurity Maturity
ModelModel
Blissful IgnoranceBlissful Ignorance Awareness Awareness Correction Correction Operational ExcellenceOperational Excellence
(Scholtz & Byrnes, 2005)(Scholtz & Byrnes, 2005)
Organizations and their security Organizations and their security programs evolve through four phases programs evolve through four phases of maturity:of maturity:
November 9, 2005 Jack McCoy, East Carolina University 11
InfoSec Maturity - Blissful InfoSec Maturity - Blissful Ignorance Ignorance
Extensive, but outdated policiesExtensive, but outdated policies Inadequate user awarenessInadequate user awareness Breaches not reportedBreaches not reported Prevailing belief that the enterprise is Prevailing belief that the enterprise is
securesecure No effective communication between No effective communication between
the IT security function and business the IT security function and business functions functions
(Scholtz & Byrnes, 2005)(Scholtz & Byrnes, 2005)
November 9, 2005 Jack McCoy, East Carolina University 12
InfoSec Maturity - InfoSec Maturity - AwarenessAwareness
An event leads to a sudden awareness that An event leads to a sudden awareness that “something must be done” about security“something must be done” about security
(Re)establishment of dedicated security (Re)establishment of dedicated security teamteam
Efforts focus on policy review and updateEfforts focus on policy review and update Some organizations assume policy is Some organizations assume policy is
sufficient and regress to blissful ignorance sufficient and regress to blissful ignorance phasephase
Others develop security vision and strategy Others develop security vision and strategy (Scholtz & Byrnes, 2005, p. 4)(Scholtz & Byrnes, 2005, p. 4)
November 9, 2005 Jack McCoy, East Carolina University 13
InfoSec Maturity - InfoSec Maturity - CorrectiveCorrective
Strategic program launched, based on Strategic program launched, based on information security vision and strategyinformation security vision and strategy
Security, risk, governance processes Security, risk, governance processes revampedrevamped
New policies derived from business needsNew policies derived from business needs Corrective actions prioritized and fundedCorrective actions prioritized and funded Progress toward goals measured and Progress toward goals measured and
reported through business and governance reported through business and governance channels channels
(Scholtz & Byrnes, 2005)(Scholtz & Byrnes, 2005)
November 9, 2005 Jack McCoy, East Carolina University 14
InfoSec Maturity – InfoSec Maturity – Operational ExcellenceOperational Excellence
Information security “embedded into Information security “embedded into the culture of the organization”the culture of the organization”
Security is driven by business Security is driven by business processesprocesses
Program metrics emphasize Program metrics emphasize continuous improvementcontinuous improvement
The organization understands and The organization understands and accepts residual risks accepts residual risks
(Scholtz & Byrnes, 2005, p. 4)(Scholtz & Byrnes, 2005, p. 4)
November 9, 2005 Jack McCoy, East Carolina University 15
A Gartner A Gartner RecommendationRecommendation
Organizations must be aware of Organizations must be aware of and understand the evolving and understand the evolving
maturity of their security maturity of their security programs.programs.
(Scholtz & Byrnes, 2005)(Scholtz & Byrnes, 2005)
November 9, 2005 Jack McCoy, East Carolina University 16
Information SecurityInformation SecurityFunctional StructuresFunctional Structures
An organization’s security function An organization’s security function depends on its size, business, culture, depends on its size, business, culture, regulatory requirementsregulatory requirements
Functional structure types: Functional structure types: TechnicalTechnical Technical / ManagementTechnical / Management ManagementManagement
(Kobus, 2005)(Kobus, 2005)
November 9, 2005 Jack McCoy, East Carolina University 17
““Technical” Technical” Information Security Information Security
Structure Structure No formal security functionNo formal security function Security responsibilities assigned to Security responsibilities assigned to
technicians in IT operational areastechnicians in IT operational areas Networking Networking OperationsOperations DevelopmentDevelopment
Reports to IT infrastructure or Reports to IT infrastructure or operational areaoperational area
(Kobus, 2005)(Kobus, 2005)
November 9, 2005 Jack McCoy, East Carolina University 18
Aspects of a Aspects of a Technical ISO RoleTechnical ISO Role
Relegated to a purely technical role, Relegated to a purely technical role, e.g., “firewall jockey”e.g., “firewall jockey”
Often has few resources and little Often has few resources and little authorityauthority
The reason for hiring a ISO may be toThe reason for hiring a ISO may be to address a regulation, audit, or other address a regulation, audit, or other
requirement requirement or to “sit on the bomb”or to “sit on the bomb”
(Berinato, 2004)(Berinato, 2004)
November 9, 2005 Jack McCoy, East Carolina University 19
The “Technician”The “Technician”ISOISO
* Security functions in blue. The designated ISO may reside in any of these areas.
CIOCIO
NetworkNetwork SystemsSystems App. Dev.App. Dev.
System Adm, Sys
Prog, Acct Mgmt
System Adm, Sys
Prog, Acct Mgmt
Firewall, Router,
IPS Admin
Firewall, Router,
IPS Admin
Application
Programmer,
Developer
Application
Programmer,
Developer
November 9, 2005 Jack McCoy, East Carolina University 20
““Technical / Management” Technical / Management” Information Security Information Security
Structure Structure Designated security teamDesignated security team Responsibilities cover range of Responsibilities cover range of
issues:issues: TechnicalTechnical ManagementManagement Strategic enterprise Strategic enterprise
Reports to an operational managerReports to an operational manager
(Kobus, 2005)(Kobus, 2005)
November 9, 2005 Jack McCoy, East Carolina University 21
The “Security The “Security Coordinator”Coordinator”
ISOISOCIOCIO
NetworkNetwork SystemsSystems App DevApp Dev
Firewall, Router,
IPS Admin
Firewall, Router,
IPS Admin
System Admin, Sys Prog
System Admin, Sys Prog
Application
Programmer,
Developer
Application
Programmer,
Developer
ISOISO
Acct Mgmt, IT
Policy, Awarene
ss
Acct Mgmt, IT
Policy, Awarene
ss
November 9, 2005 Jack McCoy, East Carolina University 22
““Management” Management” Information Security Information Security
StructureStructure Designated security teamDesignated security team Responsibilities include:Responsibilities include:
Enterprise oversight of security programsEnterprise oversight of security programs Security governance processesSecurity governance processes
Technical security responsibilities shift Technical security responsibilities shift back to IT operationsback to IT operations
Information security may report outside Information security may report outside of ITof IT
(Kobus, 2005)(Kobus, 2005)
November 9, 2005 Jack McCoy, East Carolina University 23
The “Management The “Management Advisor”Advisor”
ISOISO
CIOCIO
NetworkNetwork SystemsSystems App DevApp Dev
Governance, Risk Mgmt, Corp
Policy
Governance, Risk Mgmt, Corp
Policy
Security Council
Security Council
ISOISO
App Programm
er, Developer
App Programm
er, Developer
Firewall, Router,
IPS Admin
Firewall, Router,
IPS Admin
System Admin, Sys Prog
System Admin, Sys Prog
November 9, 2005 Jack McCoy, East Carolina University 24
The “Strategic Business The “Strategic Business Partner”Partner”
ISOISO
CIOCIO
Operational
Directors
Operational
Directors
Acct Mgt, IT Policy,
Projects
Acct Mgt, IT Policy,
Projects
Security Council
Security Council
ISO (Bus. Unit)
ISO (Bus. Unit)
Technical security
Technical security
CFO, COO, RMO
CFO, COO, RMO
CISOCISO
Governance, Risk Mgmt, Corp
Policy
Governance, Risk Mgmt, Corp
Policy
November 9, 2005 Jack McCoy, East Carolina University 25
More than One ISO?More than One ISO? Organizations are creating two security Organizations are creating two security
positions:positions: CISO – bridges the gap between business process CISO – bridges the gap between business process
and policy directives, and technical security and policy directives, and technical security BISO – business unit (e.g., IT) representative, BISO – business unit (e.g., IT) representative,
implements process & policy directives implements process & policy directives CISO consults with business units on CISO consults with business units on
implementation of policy and process directivesimplementation of policy and process directives CISO advises senior executives on the CISO advises senior executives on the
management of risks brought about by the use management of risks brought about by the use of technology of technology
(Witty, 2001)(Witty, 2001)
November 9, 2005 Jack McCoy, East Carolina University 26
Information Security Information Security Maturity, Structure, ISO Maturity, Structure, ISO
RoleRoleGartner’s Gartner’s Maturity Maturity
ModelModel
Kobus’ Kobus’ Funct. Funct.
StructureStructure
ISO Role ISO Role CharacterizatCharacterizat
ionionBlissful Blissful
IgnoranceIgnorance TechnicalTechnical ““Technician”Technician”
AwarenessAwareness Technical / Technical / ManagementManagement
““Security Security Coordinator”Coordinator”
CorrectiveCorrective ManagementManagement ““Management Management Advisor”Advisor”
Operational Operational ExcellenceExcellence
Management Management ++
““Strategic Strategic Business Business Partner”Partner”
The “Debate”The “Debate”
Who is Really in Charge? Who is Really in Charge? Who Should Be?Who Should Be?
November 9, 2005 Jack McCoy, East Carolina University 28
Who is Responsible Who is Responsible for Campus IT Security?for Campus IT Security?
In 2002 Gartner predicted 60% of higher ed In 2002 Gartner predicted 60% of higher ed ISOs would report outside of IT by 2005 ISOs would report outside of IT by 2005 (Hurley, Harris, Zastrocky, & Yanosky, 2002) (Hurley, Harris, Zastrocky, & Yanosky, 2002) In 2003 94.5% of IT security functions reported to In 2003 94.5% of IT security functions reported to
the top IT adm (Hawkins, Rudy, & Madsen, 2003) the top IT adm (Hawkins, Rudy, & Madsen, 2003) In 2004 95.2% of IT security functions reported to In 2004 95.2% of IT security functions reported to
the top IT adm (Hawkins, Rudy, & Nicolich, 2004) the top IT adm (Hawkins, Rudy, & Nicolich, 2004) We’re not on track to realize Gartner’s We’re not on track to realize Gartner’s
predictionprediction The top IT administrator is ultimately The top IT administrator is ultimately
responsibleresponsible
November 9, 2005 Jack McCoy, East Carolina University 29
Reporting to the CIO - Reporting to the CIO - AdvantagesAdvantages
Advantages of the “Security” CIO: Advantages of the “Security” CIO: Access to executive leadership Access to executive leadership ““C” level skills and organizational C” level skills and organizational
awarenessawareness Ability to initiate change in the IT Ability to initiate change in the IT
infrastructure to enhance information infrastructure to enhance information securitysecurity
Represents greater influence and value for Represents greater influence and value for the CIO position the CIO position
November 9, 2005 Jack McCoy, East Carolina University 30
Reporting to the CIO - Reporting to the CIO - DisadvantagesDisadvantages
Disadvantages of the “Security” CIODisadvantages of the “Security” CIO Information security oversight is a part-time Information security oversight is a part-time
rolerole Increased CIO workload may lead to the Increased CIO workload may lead to the
neglect other strategic objectivesneglect other strategic objectives Conflicts of interest arise when security Conflicts of interest arise when security
controls impede the timely delivery of controls impede the timely delivery of projects and servicesprojects and services
Difficult to conduct unbiased investigations Difficult to conduct unbiased investigations of IT operationsof IT operations
(Koch, 2004)(Koch, 2004)
November 9, 2005 Jack McCoy, East Carolina University 31
If Information Security If Information Security Moves Out of ITMoves Out of IT
Accountability must follow responsibilityAccountability must follow responsibility CIOs do not want accountability without CIOs do not want accountability without
authorityauthority Security must report to an executive with Security must report to an executive with
“broad managerial responsibilities” for the “broad managerial responsibilities” for the organization,organization, For example, the CEO, CFO, COOFor example, the CEO, CFO, COO
Information Security and IT must work Information Security and IT must work closely together as a teamclosely together as a team
(Koch, 2004)(Koch, 2004)
November 9, 2005 Jack McCoy, East Carolina University 33
The Future of the ISO The Future of the ISO A View from GartnerA View from Gartner
More companies are appointing a More companies are appointing a CISO withCISO with
““decreasing responsibility for day-to-decreasing responsibility for day-to-day security operations, and a day security operations, and a greater level of participation in greater level of participation in strategic business decisions”strategic business decisions”
(Gartner, 2005)(Gartner, 2005)
November 9, 2005 Jack McCoy, East Carolina University 34
State of the IndustryState of the Industry
A 2005 Global State of Information A 2005 Global State of Information SecuritySecurity11 study: study:
34% of respondents employ a CSO/CISO 34% of respondents employ a CSO/CISO More security executives report to the More security executives report to the
CEO or Board than the CIOCEO or Board than the CIO 46% report to the CEO/Board 46% report to the CEO/Board 36% report to the CIO36% report to the CIO
(CSO, 2005)(CSO, 2005)11A joint study of PricewaterhouseCoopers and CIO Magazine, representing a range of industries, e.g., computer-related manufacturing & software, consulting & professional services, financial services, education, health care, telecommunications, & transportation.
November 9, 2005 Jack McCoy, East Carolina University 35
The Emerging CISO RoleThe Emerging CISO Role Technical security is becoming an operational Technical security is becoming an operational
issueissue Information security is emerging as a strategic Information security is emerging as a strategic
business issue, addressed through risk business issue, addressed through risk management processesmanagement processes
Resulting in “more authority and influence being Resulting in “more authority and influence being invested in the security manager or CISO” invested in the security manager or CISO” More CISOs are participating in “crucial business More CISOs are participating in “crucial business
decisions” and are reporting outside of ITdecisions” and are reporting outside of IT Ceding turf to a “more powerful security function Ceding turf to a “more powerful security function
also raises political issues,” especially with the also raises political issues,” especially with the CIO position CIO position
(Vijayan, 2004)(Vijayan, 2004)
November 9, 2005 Jack McCoy, East Carolina University 36
The Emerging CISO Role The Emerging CISO Role (cont’)(cont’)
Experts are divided over whether the CIO, Experts are divided over whether the CIO, CSO, or CISO should be responsible for CSO, or CISO should be responsible for securitysecurity
However, it is clear that the IT industry is However, it is clear that the IT industry is moving toward “shared responsibilities for moving toward “shared responsibilities for security”security”
So, “whether the roles of the CIO and the So, “whether the roles of the CIO and the CSO are mutually exclusive or gradually CSO are mutually exclusive or gradually merging into a mutually beneficial merging into a mutually beneficial relationships still is not evident.”relationships still is not evident.”
(Germain, 2005)(Germain, 2005)
November 9, 2005 Jack McCoy, East Carolina University 37
Looking Further Into The Looking Further Into The Future Future
Gartner predicts: Gartner predicts:
““there will be a new breed of security there will be a new breed of security expert who expert who
will be trusted to protect the will be trusted to protect the organisation of the future, and in organisation of the future, and in
many companies, this person will be many companies, this person will be given the title of the Risk given the title of the Risk
Management Officer”Management Officer”(Gartner, 2005)(Gartner, 2005)
November 9, 2005 Jack McCoy, East Carolina University 39
Factors to ConsiderFactors to Consider
The organizational maturity of your The organizational maturity of your institution’s information security institution’s information security programprogram Executive awareness, security culture, etc.Executive awareness, security culture, etc.
Your institution’s size, resources, and Your institution’s size, resources, and culture culture
The nature of your institutions The nature of your institutions governance framework and enterprise governance framework and enterprise risk management processesrisk management processes
November 9, 2005 Jack McCoy, East Carolina University 40
Factors to Consider Factors to Consider (cont’)(cont’)
The university CIO is the person typically The university CIO is the person typically responsible for security. So consider:responsible for security. So consider:
The CIO’s workload, operational priorities, The CIO’s workload, operational priorities, and strategic objectivesand strategic objectives
The working relationship of the CIO and ISOThe working relationship of the CIO and ISO ISO access to executive leadershipISO access to executive leadership ISO “C” level skills: e.g., business acumen, ISO “C” level skills: e.g., business acumen,
political savvy, and organizational awarenesspolitical savvy, and organizational awareness
November 9, 2005 Jack McCoy, East Carolina University 41
A Peek Into My Crystal A Peek Into My Crystal BallBall
For the immediate future many For the immediate future many CIOs will retain responsibility for CIOs will retain responsibility for security, leveraging their “C” security, leveraging their “C” level skills and organizational level skills and organizational contacts for good effectcontacts for good effect
Higher education institutions will Higher education institutions will eventually embrace the corporate eventually embrace the corporate CISO model -- but not overnight!CISO model -- but not overnight! Larger institutions with greater Larger institutions with greater
resources will lead the change resources will lead the change
November 9, 2005 Jack McCoy, East Carolina University 42
A Peek Into My Crystal A Peek Into My Crystal Ball Ball (cont’)(cont’)
““Security” CIOs will continue to Security” CIOs will continue to serve as unofficial campus CISOs, serve as unofficial campus CISOs, but . . .but . . .
Eventually, even “Security” CIOs will Eventually, even “Security” CIOs will hand information security over to hand information security over to another “C” level positionanother “C” level position
The role of the campus ISO will The role of the campus ISO will evolve rapidly, offering many evolve rapidly, offering many opportunities for advancementopportunities for advancement
November 9, 2005 Jack McCoy, East Carolina University 43
A Survival Kit of Skills A Survival Kit of Skills for the Campus ISOfor the Campus ISO
Grounded in multiple protection Grounded in multiple protection disciplinesdisciplines
Capable project/program managerCapable project/program manager Life long passion to learnLife long passion to learn Business acumenBusiness acumen Diplomatic and adaptableDiplomatic and adaptable Adept at framing issues as risk Adept at framing issues as risk
managementmanagement Professional training and certificationsProfessional training and certifications
(Boni, 2005)(Boni, 2005)
November 9, 2005 Jack McCoy, East Carolina University 44
ReferencesReferencesBoni, W. (2005, April 5). Boni, W. (2005, April 5). The role of the CSO: An industry The role of the CSO: An industry
perspective.perspective. Presented at the EDUCAUSE Security Presented at the EDUCAUSE Security Professionals Conference 2005. Washington, DC. Retrieved Professionals Conference 2005. Washington, DC. Retrieved November 2, 2005 from the EDUCAUSE Web site November 2, 2005 from the EDUCAUSE Web site http://www.educause.edu/LibraryDetailPage/666?ID=SPC0528http://www.educause.edu/LibraryDetailPage/666?ID=SPC0528
Berinato, S. (2004, July). Berinato, S. (2004, July). CISO role: Locked out. CISO role: Locked out. Retrieved Retrieved November 2, 2005 from the CSO Online Web site November 2, 2005 from the CSO Online Web site http://www.csoonline.com/read/070104/cisco.htmlhttp://www.csoonline.com/read/070104/cisco.html
CSO. (2005). CSO. (2005). The state of information security, 2005: A worldwide The state of information security, 2005: A worldwide study conducted by CIO Magazine and PricewaterhouseCooper.study conducted by CIO Magazine and PricewaterhouseCooper. Retrieved November 2, 2005 from the CSO Online Web site Retrieved November 2, 2005 from the CSO Online Web site http://www.csoonline.com/csoresearch/report93.htmlhttp://www.csoonline.com/csoresearch/report93.html
CSO. (2004). CSO. (2004). What is a chief security officer? What is a chief security officer? Retrieved Retrieved September 30, 2005 from the CSO Online Web site September 30, 2005 from the CSO Online Web site http://http://www.csoonline.com/research/leadership/cso_role.htmlwww.csoonline.com/research/leadership/cso_role.html
EDUCAUSE (2002). EDUCAUSE (2002). Higher education contribution to national Higher education contribution to national strategy to secure cyberspace.strategy to secure cyberspace. Retrieved August 17, 2005, Retrieved August 17, 2005, from from http://www.educause.edu/ir/library/pdf/NET0027.pdfhttp://www.educause.edu/ir/library/pdf/NET0027.pdf
November 9, 2005 Jack McCoy, East Carolina University 45
References References (continued)(continued)Gartner (2005, September 15). Gartner (2005, September 15). Gartner highlights the evolving role of Gartner highlights the evolving role of
CISO in the new security order.CISO in the new security order. Retrieved November 2, 2005 from Retrieved November 2, 2005 from the Gartner Web site the Gartner Web site http://www.gartner.com/press_releases/asset_135714_11.htmlhttp://www.gartner.com/press_releases/asset_135714_11.html
Germain, J. (2005, October 13). Germain, J. (2005, October 13). Your next job title: CISO?Your next job title: CISO? Retrieved Retrieved November 2, 2005 from the Newsfactor Magazine Web site November 2, 2005 from the Newsfactor Magazine Web site http://www.cio-today.com/story.xhtml?story_title=Your_Next_Job_Thttp://www.cio-today.com/story.xhtml?story_title=Your_Next_Job_Title__CISO_&story_id=38430itle__CISO_&story_id=38430
Hawkins, B. L., Rudy, J. A., & Madsen J. W. (2003). Hawkins, B. L., Rudy, J. A., & Madsen J. W. (2003). EDUCAUSE core EDUCAUSE core data report: 2003 summary reportdata report: 2003 summary report. Retrieved September 30, 2005 . Retrieved September 30, 2005 from the EDUCAUSE Web site from the EDUCAUSE Web site http://www.educause.edu/ir/library/pdf/pub8001c.pdfhttp://www.educause.edu/ir/library/pdf/pub8001c.pdf
Hawkins, B. L., Rudy, J. A., & Nicolich, R. (2004). Hawkins, B. L., Rudy, J. A., & Nicolich, R. (2004). EDUCAUSE core EDUCAUSE core data report: 2004 summary reportdata report: 2004 summary report. Retrieved November 2, 2005 . Retrieved November 2, 2005 from the EDUCAUSE Web site from the EDUCAUSE Web site http://www.educause.edu/ir/library/pdf/pub8002.pdfhttp://www.educause.edu/ir/library/pdf/pub8002.pdf
Hurley, D., Harris, M., Zastrocky, M., & Yanosky, R. (2002, December Hurley, D., Harris, M., Zastrocky, M., & Yanosky, R. (2002, December 9). 9). Information security officers needed in higher educationInformation security officers needed in higher education. . Retrieved November 2, 2005 from the Gartner Web site Retrieved November 2, 2005 from the Gartner Web site http://http://www.gartner.comwww.gartner.com
November 9, 2005 Jack McCoy, East Carolina University 46
References References (continued)(continued)Kobus, W. S. (2005, November 1). Kobus, W. S. (2005, November 1). Security managementSecurity management. Presented . Presented
at the ISSA Triangle InfoSeCon conference on November 1, 2005 at the ISSA Triangle InfoSeCon conference on November 1, 2005 in Cary, NC.in Cary, NC.
Koch, C. (2004, April 15). Koch, C. (2004, April 15). Hand over security.Hand over security. Retrieved November 3, Retrieved November 3, 2005 from the CSO Online Web site 2005 from the CSO Online Web site http://www.cio.com/archive/041504/homeland.htmlhttp://www.cio.com/archive/041504/homeland.html
MacLean. R. (2004, May 18). MacLean. R. (2004, May 18). Defining the role of the security officer Defining the role of the security officer in higher education.in higher education. The Security Professional’s Workshop May 16- The Security Professional’s Workshop May 16-18, 2004. Washington, DC. Retrieved September 30, 2005 from the 18, 2004. Washington, DC. Retrieved September 30, 2005 from the EDUCAUSE Web site EDUCAUSE Web site http://www.educause.edu/LibraryDetailPage/666?ID=SPC0417http://www.educause.edu/LibraryDetailPage/666?ID=SPC0417
Scholtz, T. & Byrnes, F. C. (2005, June 27). Scholtz, T. & Byrnes, F. C. (2005, June 27). Use information security Use information security program maturity timeline as an analysis tool.program maturity timeline as an analysis tool. Retrieved November Retrieved November 2, 2005 from the Gartner Web site 2, 2005 from the Gartner Web site http://http://www.gartner.comwww.gartner.com
Vijayan, J. (2004, October 4). Vijayan, J. (2004, October 4). Rise of the CISO: Chief information Rise of the CISO: Chief information security officers have more influence -- and greater challenges -- security officers have more influence -- and greater challenges -- than ever before.than ever before. Retrieved November 4, 2005 from the Retrieved November 4, 2005 from the Computerworld Web site Computerworld Web site http://www.computerworld.com/securitytopics/security/story/0,108http://www.computerworld.com/securitytopics/security/story/0,10801,96291,00.html01,96291,00.html
November 9, 2005 Jack McCoy, East Carolina University 47
References References (continued)(continued)Witty, R. J. (2001). Witty, R. J. (2001). The Role of the Chief Information Security The Role of the Chief Information Security
Officer.Officer. Retrieved November 2, 2005 from the Gartner Retrieved November 2, 2005 from the Gartner Web site Web site http://http://www.gartner.comwww.gartner.com