Cybersecurity Strategy
… a first look
Brief to Information Technology Committee
Bob Turner
UW-Madison CISO
April 17, 2015
What the Cybersecurity Strategic Plan provides…
• A road map to improved cybersecurity within RMF
• Enables complete understanding of the UW-Madison and UW System IT infrastructure that:
  • enables clear view of all routers, switches and hosts;
  • promotes cyber hygiene in connected or virtual environments;
  • facilitates helpful behaviors and drives staff to engineer appropriate defense measures, informed incident response; and
  • consolidates Incident Response capability for campus networks and systems and for UW Common Systems
2
Aligns to University Strategic Priorities and Initiatives
• Educational Experience: Improve access and affordability; Scale Wisconsin Experience; Improve learning outcomes; Ensure graduate student mentoring; Build innovative professional degrees and other lifelong learning experiences.
• Research and Scholarship: Nurture excellence in research, scholarship, and creative activity; Optimize the research and scholarship infrastructure; Strengthen our influence in national decision-making around research policy and funding; Engage our interdisciplinary strength; Support the continued high level integration of research and education.
• The Wisconsin Idea: Partner to bring value to Wisconsin citizens; Promote economic development through technology-transfer ecosystem; Extend our educational mission to Wisconsin and the world; Leverage our distinctive interdisciplinary strength to address complex problems
http://chancellor.wisc.edu/strategicplan2/images/Strategic%20Framework_15-19.pdf
3
Aligns to University Strategic Priorities and Initiatives
(Cont’d)
• People: Ensure a highly talented, engaged, and diverse workforce; Enhance the strength of our campus through diversity and inclusion; Ensure our ability to attract and retain talent; Nurture growth of our people through professional development; Create the best possible environment for our people
• Resource Stewardship: Promote resource stewardship, improve service delivery and efficiency; Create a stable and sustainable financial structure; Identify and pursue new revenue sources aligned with mission and goals; Promote environmental sustainability; Transform library structures and technologies to best support research and learning; Sponsor a comprehensive campaign to invest in the future of the university and shape the future of Wisconsin and the world
http://chancellor.wisc.edu/strategicplan2/images/Strategic%20Framework_15-19.pdf
4
Links to Campus/UW System IT Strategy
A. Educational Experience
1. Provide career-oriented experiences for our students
2. Design, create, and support learning-centered ecosystem
3. Unify the student experience with access to data and information
4. Provide tech services and resources to enhance student success and digital literacy
B. Research and Scholarship
1. Provide and support robust and secure IT research and scholarship infrastructure
2. Collaboratively partner with researchers to explore, access and use technology
3. Encourage, recognize and support staff scholarship
C. Wisconsin Experience
1. Foster state-wide public and private IT relationships
2. Proactively share our IT expertise to solve complex problems
3. Extend the educational mission with next generation IT infrastructure
D. Our People
1. Provide career-pathing and prepare staff and managers for the future
2. Diversify the IT workforce
3. Recruit and retain talented and engaged staff
E. Stewards of Our Resources
1. Practice and promote IT effectiveness and efficiency
2. Ensure sustainable funding
3. Practice transparent financial management and reporting
4. Provide leadership for IT risk compliance and management
5. Support and enhance innovative business and administrative systems
6. Facilitate effective and secure sharing and use of data
“Look beyond the send button and shift your focus to the receiving end.”
- Anonymous
5
CISO’s Vision (Functional Capabilities)
Governance / Risk Management
• Policy Development, Security working group leadership
• Data Governance and Security
• Security education, training, and awareness
• Risk Management Framework implementation
• Cybersecurity Defense
• Cyber Threat Intelligence and Reporting
• Security Assessments
• Forensics
• Security Operations (ERP+)
Compliance / Communications and Networking
• Security Engineering
• Assessment and Approval (RMF)
• PCI-DSS, PHI, HIPAA, FERPA, and other auditing activities
• Security Metrics
• Faculty, Staff and Student Education
• Executive Security Awareness
• Shared Governance, Boards and Committees
6
Leadership and Business Considerations
• Challenging budget priorities
• Competition for resources
• Staff maintaining work-life balance
• Adapt to changing technology or revisions to best practices
• Shared Governance
• Visibility within DoIT
• External influences
“Security Teams must demonstrate the ability to view business problems from different or multiple perspectives.”
– Gus Agnos (VP Strategy & Operations at Synack) 7
Elements of the Cybersecurity Strategy
• Strategic Element 1: Complete Data Governance and Information Classification Plan
• Strategic Element 2: Establish the UW System Risk Management Framework to materially reduce cybersecurity risk
• Strategic Element 3: Build a community of experts and improve institutional user competence through Security Education, Training, and Awareness
• Strategic Element 4: Consolidate Security Operations and institute best practices for UW-Madison Campus Networks and UW System Common Services
8
“Strategy without tactics is the slowest route to victory, tactics without strategy is the noise before defeat.”
- Sun Tzu (Ancient Chinese Military Strategist)
Elements of the Cybersecurity Strategy
(Cont’d)
• Strategic Element 5: Improve Cyber Threat Intelligence Analysis, Dissemination and Remediation
• Strategic Element 6: Optimize Services, Establish Security Metrics, Promote Compliance, Achieve Continuous Diagnostics and Mitigation
• Strategic Element 7: Establish Collaborative Partnerships to assure teaching and research computing resources and results are available to fulfill the Wisconsin Idea and return value to the state and its citizens
9
Enabling Objectives
• Objective 1: Consider retention of previous strategy’s actionable items (“find it”, “delete it”, and “protect it”).
• Objective 2: Create the “Culture of Compliance” for oversight of all campus data, networks and systems.
• Objective 3: Establish Restricted Data Environments based on the needs of Faculty, Researchers or IT project requirement documents.
• Objective 4: Centralize data collection and aggregation for analysis of security related events to promote unified measurement of cybersecurity attributes.
• Objective 5: Identify and stabilize sources of repeatable funding to enable accomplishment of technical or staffing related strategic goals.
“Real commitment means doing everything in your power to get things done.”
- Jeroen De Flander
10
Enabling Objectives
(Cont’d)
• Objective 6: Understand and map requirements imposed upon us (e.g., FERPA, HIPAA, PCI-DSS, NIST, etc.) by other agencies (i.e., Department of Education, Office for Civil Rights, credit card companies, research grant authorities).
• Objective 7: Develop and refine procedures to ensure security operations and risk assessments are conducted in a sustainable and repeatable manner that ensures standards for timeliness and measurable response are achieved and maintained.
• Objective 8: Develop and implement marketing and communications plans.
11
The road ahead…
• Complete Draft for CIO Staff Review: Done
• CIO Staff Review: April 15 – 21
• DoIT Director Review: April 15 – 21 (Walk Around Tour)
• Campus Colleges and Departments CIO Review: Week of April 20
• Forward Draft for UW-MIST Review: April 22
• UW-MIST Review: April 23 – 29. Comments adjudicated by May 5 with discussion and concurrence during May MIST meeting (May 7)
• Final Draft for ITC: Brief at May 15th ITC
• Final Version for CIO: No later than 29 May
• Socialize with MTAG: Targeting June 16th meeting
• Socialize with TISC: Announce during Lockdown (July 15) and TISC Summer Meeting (July 16) with review based on responses
12
13
Questions?