Earth’s Mightiest Heroes: Combating the Evils Lurking in Cyberspace September 29, 2016 2016 CACR Summit Kim Milford Joanna Grama REN-ISAC
Agenda: A little bit about us; Higher Ed InfoSec Workforce Demographics; InfoSec Workforce Trends and Changing Needs
Speaker Bio: Kim Milford, Executive Director, REN-ISAC. Work in IT security, policy, privacy, risk, business continuity planning and compliance since 1996. A wearer of many hats (literally and figuratively). Always looking for the next big innovation and how it impacts risks.
REN-ISAC: Aid and promote cyber security operational protection and response within the higher education and research (R&E) communities. Within the context of a private community of trusted representatives at member institutions, and in service to the R&E community at-large. Serve as the R&E trusted partner for served networks, the formal ISAC community, and in other commercial, governmental, and private security information sharing relationships.
Speaker Bio: Joanna Grama, Director of Cybersecurity and IT GRC Programs at EDUCAUSE. Work in IT security, policy, privacy, risk, compliance and legal issues since 2000. Admitted work-a-holic willing to invent fun. Social media addict (@runforserenity).
EDUCAUSE helps people who lead, manage, and use technology to make better decisions about: Enterprise systems; Strategic leadership; Teaching and learning; Cybersecurity. Visit us at www.educause.edu.
EDUCAUSE Cybersecurity Initiative: Led by the Higher Education Information Security Council (HEISC), an EDUCAUSE and Internet2 partnership. Working Groups; Yearly Security Professionals Conference; The Information Security Guide (practitioner resource); Mentoring Program; Security Discussion List; @HEISCouncil. The Higher Education Information Security Council (HEISC) supports higher education institutions as they improve information security governance, compliance, data protection, and privacy programs. Learn about HEISC and its programs at www.educause.edu/security
Heroes in the Workforce
Higher Ed IT Positions in Short Supply. Today’s Higher Education IT Workforce. https://library.educause.edu/resources/2016/3/the-it-workforce-in-higher-education-2016
CISO Role. Source: Grama, Joanna L., and Leah Lang. CDS Spotlight: Information Security. ECAR, July 3, 2015.
2016 CISO Research (Coming Soon to a Webpage Near You) https://library.educause.edu/resources/2016/3/the-it-workforce-in-higher-education-2016
Today’s CISO (SNEAK PEEK). CISO Survey Research Report, Forthcoming 2016 Q4
Top CISO Responsibilities (SNEAK PEEK): Information security policies (including development & compliance); Incident management; Awareness and training; Information security compliance; Risk assessment and management; Organization of information security. At least 90% of CISOs said they are currently responsible for these duties at their institution. CISO Survey Research Report, Forthcoming 2016 Q4
CISO Reporting Lines (SNEAK PEEK). CISO Survey Research Report, Forthcoming 2016 Q4
The Board and the CISO (SNEAK PEEK). CISO Survey Research Report, Forthcoming 2016 Q4
CISO Influence (SNEAK PEEK): How influential do you feel you are at your institution? (Scale: Not at all influential to Highly influential.) CISO Survey Research Report, Forthcoming 2016 Q4
The Making of a CISO (SNEAK PEEK). CISO Survey Research Report, Forthcoming 2016 Q4
On Guard for Threats!
Data Breaches in Higher Education. Source: Milford, Kim, and Joanna Grama. This Magic Moment: Reflections on Cybersecurity. EDUCAUSE Review, September, 2015 (updated with complete 2015 data).
Threat Trends: 80% of the time, the threat actor is external to the organization. Time to discover (more than 1 day over 75% of the time) is still way behind time to compromise. 99.9% of exploited vulnerabilities were compromised more than a year after the vulnerability was published. Ransomware is a growing attack vector. Phishing is now the established initial attack vector for online crime; nearly 50% of users open phishing email and click on the link within the first hour. Mobile is not a big vector in data breaches.
Malicious Actors Target US Colleges and Universities
Protecting Cyberspace
Security Practices. Source: Grama, Joanna L., and Leah Lang. CDS Spotlight: Information Security. ECAR, August 10, 2016.
Security Practices: 71 percent of U.S. institutions have mandatory information security training for faculty or staff. 78 percent of U.S. institutions have conducted some sort of IT security risk assessment. The most commonly deployed information security systems and technologies are malware protection (92 percent), secure remote access (90 percent), and secure wireless access (85 percent). 50 percent of U.S. institutions track information security metrics. Source: Grama, Joanna L., and Leah Lang. CDS Spotlight: Information Security. ECAR, August 10, 2016.
Security Practices: 2 Factor AuthN; Data Loss Protection; Central & Fed Identity Mgmt; Whole Disk Encryption; Log Accum & Analysis; Vulnerability Scans
Origin Stories: The Evolution of Heroes