We had the privilege of being puppy raisers for Guiding Eyes for the Blind, an organization that provides assistance dogs for the visually impaired. Our role was to help the puppy become a mature adult who was able to fulfill his role as an enabler. Yes, it’s a stretch, but it’s also what an Information Security Officer does when “raising” an information security program. A mature information security program becomes an enabler for the business and users it supports. A mature guide dog enables the user it supports to go about his or her daily business. (And no, I’m not going to try to keep drawing parallels between the two experiences!)
In a university setting, maturing a security program and successfully accomplishing initiatives depend on cooperation and collaboration. In my experience, there is very little that can be mandated, unless required for legal compliance; even then, there may be significant resistance. Understanding the business needs of an institution will enable the Information Security Office to set the best balance between security strategies and other priorities at the campus level, thus opening doors to acceptance of security initiatives.
Meeting these challenges is best accomplished by building relationships and goodwill with key influencers in business divisions and colleges, especially with those individuals who are your detractors. One way to build relationships is to meet regularly with key individuals to ensure that the Information Security Office understands the needs of the business. (Recognizing that a “one-size-fits-all” model isn’t the best approach and building reasonable, business-sensitive solutions will help people view Information Security as an enabler, not an impediment.) These meetings will also provide opportunities for key individuals to understand the need for specific security initiatives. It’s helpful to articulate “what’s in it for them.”
One model that has worked previously in some higher education environments is the establishment of three teams: security advisors, security coordinators, and an extended team that reviews proposed standards. Working with security advisors (a subteam of leadership of divisions and colleges) helps ensure the reasonability of proposed requirements for the university and provides a direct communication link to the Information Security Office. Working with security coordinators helps with implementing security requirements and assisting their end users. Having an extended review team review draft standards/requirements before they are submitted for final approval helps ensure their suitability to executive leadership.
Increasing and maintaining security awareness is another key enabler for maturing an information security program. Effective messaging will raise awareness and help the university community work towards a common goal in information security as they understand their role in practicing Digital Self Defense: protecting themselves and everyone else.