CENTRALIZED CYBERSECURITY IN
A DECENTRALIZED WORLD
BOB TURNER
CHIEF INFORMATION SECURITY OFFICER
UNIVERSITY OF WISCONSIN-MADISON
CISO CHICAGO SUMMIT - AUGUST 2015
CYBERSECURITY PERSPECTIVES
3/10/2016
2
CENTRALLY GOVERNED
• Single-threaded authority, responsibility, and decision-making power
• Common hierarchy for policies, standards, guidelines, procedures, and processes
• Enterprise-wide involvement in the development and implementation of risk management and cybersecurity strategies
• Strong, well-informed central leadership provides consistency throughout the organization
• Less autonomy for subordinate organizations

DISTRIBUTED GOVERNANCE
• Authority, responsibility, and decision-making power are vested in and delegated to individual groups and teams
• Teams establish their own policies, standards, guidelines, procedures, and processes
• Decentralized cybersecurity risk management is based on individual team and business strategies
• Sharing of risk-related information among subordinate organizations
• No subordinate organization is able to transfer risk to another without the latter's informed consent
WHY ARE WE TALKING ABOUT THIS?
• Advanced Persistent Threat
• Data Breach Attacks
• DDoS or Other Events
CHANGES IN HIGHER EDUCATION
What are the current attack vectors?
From 2014 Wisegate Survey: Assessing and Managing IT Security Risks
WHAT IS THE ROOT CAUSE?
• Academic and research responsibilities can be burdened when cybersecurity processes and procedures are not risk reducers
  - While research environments are run by talented technologists who provide adequate security controls, providing system information to the campus-wide cybersecurity team should follow industry best practices
  - Remote scans and continuous monitoring are options for gathering vulnerability information and can be run during off-peak hours
• Perceptions (and a little reality) that vulnerability and asset management scanning slows down high-performance networks
  - Computing power and high bandwidth can mask criminal activity
  - Scans can be tailored to be as non-intrusive as possible, or scheduled to occur outside peak computing windows
• Not all campus networks have adequate IT support or appropriately trained cybersecurity staff
  - Can centralized cybersecurity staff provide support on a transactional basis?
THINK TANK!
• What does a CISO do when IT support and cybersecurity services are not centrally driven?
• How can CISOs address common cybersecurity threats with a unified and cohesive approach?
• Where do CISOs turn to find the right partnerships to improve cybersecurity programs?
What questions do you have?
http://www.cio.wisc.edu/security/