Another Research Idea Stolen

By Adam Dodge

Well, it has happened once again. Those folks over at the EDUCAUSE Center for Applied Research (ECAR) have stolen yet another of my research ideas straight from my head before I had a chance to move forward. As always is the case, the result of their mindreading theft is far beyond what I could have accomplished. This most recent case of cranial theft resulted in the ECAR occasional paper titled “The Career of the IT Security Officer in Higher Education”. I want to take a moment to issue a big thanks to Marilu Goodyear, Gail Salaway, Mark Nelson, Rodney Peterson and Shannon Portillo for taking the time and effort to author this amazing paper.

The paper itself is a collection of statistical information gathered from survey responses and follow-up interviews with individuals tasked with IT and Information Security within institutions of higher education. The paper looks at three main sets of issues around the IT Security Officer function at colleges and universities. These sets are: “The Position and the Person”, dealing with reporting lines, previous positions held and demographics; “Responsibilities, Skill Sets and Professional Development”, dealing with responsibilities, job announcement analysis and reaching out for advice; and “Authority, Challenges and Program Strategies”, dealing with authority within the institution, common challenges to authority, and security program strategies. While only 53 pages in length, there is too much information in the paper to fully cover here. Instead, I wanted to focus briefly on a few of the more interesting takeaways from each area.

The Position and the Person

One of the most interesting things I found in this section is that only 64.7% of IT Security/Information Security Officers (the two terms are used interchangeably in the paper) still report to CIOs within their organization. On its face this may not be interesting, but the next most common reporting line is the CTO, although granted, only 8.1% responded thusly. Given the inherent conflict that exists between operational IT (“We need this working and working now”) and IT security (“We need to take time to fully vet the system before production”), I find it odd that just under 1 in 10 (1 in 12.5 if you must) ISO/ITSOs still report to the individual responsible for technical operations. While this arrangement can work, it often does not as operational issues tend to take precedence over security concerns.

Another quick takeaway is that the typical ages of ITSOs/ISOs tend to be younger than I would have expected, with almost 19% of respondents ranging between 30 and 34 years old. Additionally, over half of the respondents reported being in the ISO/ITSO role for three years or less.

Responsibilities, Skill Sets and Professional Development

Personally, I think that the largest potential shock for non-security professionals in the ECAR paper comes when looking at the average areas of responsibilities. Instead of being filled with a long list of highly technical areas, common responsibilities instead focus on management-level activities such as incident management, training/awareness, policy development/administration, risk assessment, regulatory compliance efforts, etc. In fact, when looking at technical security areas such as IAM, access controls, network security/firewall management, etc. the majority of respondents only listed that they had a “support” role. This is indeed an excellent development within the higher education field as it signals a much needed shift in thinking about IT/Information Security away from the “network security” box it has been in for far too long.

Other interesting takeaways include that, despite what was said above, technical knowledge/expertise was listed as a critically needed skill in 69.5% of the ITSO/ISO job positions within higher education. Also, while only a minority of ISOs/ITSOs (41.8%) report having control over a dedicated security budget, these individuals cited this budget control as a key component in improving security at their institution.

Authority, Challenges and Program Strategies

Another positive trend shown in the ECAR paper is the fact that a vast majority of the respondents indicated that they have been vested with the authority necessary to perform their jobs. In fact, over 78% of the individuals surveyed responded they had the authority necessary to enforce policies and ensure policy compliance, monitor networks and systems, and authorize the removal of equipment and access rights if necessary. Hopefully, this marks the end of the dreaded cheerleader ITSO/ISO who has been given all the responsibilities for IT/Information Security but none of the requisite authority, and thus is doomed to wander the ivy halls of academia impotently shaking fingers at problems, and hoping against hope that this time the problem will be addressed.

A few more takeaways of note from this section include the fact that while faculty are the most common group on campus to challenge ISO/ITSO authority, such challenges only occur occasionally. Even better is that the single most common method deployed by ITSOs/ISOs when challenged is not pulling rank or blustering about, but is instead rational and reasonable discourse to explain the reasons behind the request.

Fortunately for everyone without an ECAR membership (myself included), this occasional paper has been released to the public. I urge everyone to take a short Internet trip to the ECAR site and give the full paper a read-through.