Role of the CISO in Higher Education
1. Role of the CISO in Higher Education
University of Edinburgh
1/11/2016
2. Role of the CISO in Higher Education
Experiences from University of Edinburgh
3. University organisational structure (org chart): Principal; Information Services Group; Corporate Services Group; University Secretary’s Group; College of Science and Engineering; College of Art, Humanities and Social Sciences; College of Medicine and Veterinary Medicine.
4. Background to Appointment of CISO
• Structure of University allows for high degree of local prioritisation of information security risk profile, with limited central direction.
• Senior Academic review (e.g. Kenway Report) recognised benefits of central senior focus.
• Appointment of new CIO brought renewed focus to requirement for CISO to cover all aspects of information security risk rather than previous alignment to IT security.
• Risk and Audit Committee, and senior staff, buy-in and support crucial to success – mandate from the top.
5. Recruitment
• Selection process supported by external recruitment agency to broaden candidate pool.
• Interview panel included senior academics and directors from within ISG – adds to broad engagement.
• Appointment in early 2016, took up post in February 2016.
6. CISO – Main Responsibilities
• Leads and owns the information security strategy for the university.
• Drives and owns the information security risk posture, taking a risk-based, holistic approach to managing information security risk.
• Leads pan-University information security activities, managing the information security risk to IT facilities from internal and external threats.
• Advises the University on strategic existing and emerging information security threats.
• Owns, manages and develops appropriate information security policies, procedures, controls and the overall information security governance framework.
7. Initial Priorities
• Recruitment of team with necessary skills – challenge of competing against private sector.
• Increased focus on user.
• Overhaul of information security risk governance to focus on risk-based approach.
• Support to strategic/key projects (Service Excellence Programme, Data Safe Haven, Network Refresh, Data Sciences, Alan Turing Institute, Student analytics, distance learning and eExams).
8. Keys to Success
• Alignment to University 2016 Strategy – supporting plans for Digital Transformation and Data and Partnerships with Industry.
• Buy-in from individual Colleges and Support Groups – need to recognise requirement for ‘individual’ solutions – outcome based.
• Ensure that business areas know their responsibilities – won’t do security ‘to’ or ‘for’ them – they own the risks.
• Provision of supporting services and not about saying ‘No’.
• External and internal collaboration and information sharing.