Commentary

Let’s get together: How a CISO-CBO partnership can reduce information security risk

CISOs and CBOs should forge their appreciation for risk, compliance, and resource management into stronger efforts to secure institutional resources.

By Joanna Grama

September 19, 2018

(Getty Images)

The story is familiar. An accounts payable clerk gets an email from the institution’s chief business officer, or CBO, requesting that an invoice be paid immediately via wire transfer. The clerk feels that the email is a bit strange, but not entirely out of the ordinary. After some internal deliberation, the accounts payable clerk decides to complete the transaction as requested. It is later discovered that the email was faked and the transaction was fraudulent.

According to the FBI , scams like these, called business email compromise, are prevalent across all industry sectors and are growing.

But for higher education chief information security officers and campus IT leaders, information security threats that target institutional funds, the personally identifiable information of students, faculty, and staff, and institutional research data and intellectual property poses a special concern. So much so, in fact, that information security is the No. 1 issue on the 2018 EDUCAUSE Top 10 IT Issues list.

IT departments aren’t the only ones worried about information security risk. Jenny Whittington, Executive Director of the University Risk Management & Insurance Association said that information security risk is continuously changing and expanding.

“URMIA members widely recognize cyber risk as a top area of risk for colleges and universities,” Whittington said. And, these same risks are also increasingly on the minds of institutional chief business officers, even where the CBO does not have authority and responsibility for campus information technology operations.

Fortunately, by their very nature CISOs and CBOs speak a common language and share common perspectives that especially suit them to form an effective partnership to improve an institution’s information security posture.

For example, CISOs and CBOs both understand the language of risk and how to implement controls to mitigate risk. Each realizes that the institution has resources (tangible and intangible) that must be protected from different types of risk, whether that risk is of a compliance, financial, system, operational, reputational, or strategic nature. They also both understand that their roles involve reducing and mitigating risk in a way that matches the institution’s risk posture.

In addition, CISOs and CBOs are both used to and comfortable dealing with complicated compliance requirements. They are often called upon to make sense of the various laws and regulations that apply to the use of institutional resources. Finally, like all higher education executives, CISOs and CBOs must maximize the use of limited resources (like equipment, budget, and staff) in a way that creates efficiencies and value for the institution.

These common perspectives may help form the basis for a CISO-CBO partnership that can dramatically further an institution’s information security posture.

For example, to form an effective partnership with her CBO, a CISO can:

Learn more about the institution’s business and financial processes. Assess where those processes are susceptible to threats and vulnerabilities that may compromise information security, and work with the CBO to identify workable controls for avoiding those risks.
Educate business office units and staff about the types of scams and attempted compromises that they are most likely to see in the course of their work and provide concrete and actionable tips for avoiding scams.
Assist the CBO in identifying and implementing technological solutions that protect institutional data and allow for efficient business processes.

To form an effective partnership with her CISO, a CBO can:

Invite the CISO to discussions about business processes and technologies. Insist that security be considered early in any process change so that solutions can be elegantly designed to protect institutional data.
Encourage staff members to engage in information security awareness training and help the CISO understand where information security training needs to be improved to meet unit needs.
Assist the CISO in identifying opportunities to partner with other campus stakeholders to improve institutional information security practices.

The outcome of these types of activities is that the CISO and CBO will better understand how business processes use institutional data and IT resources each day, and they will also be better poised to mitigate information security risks to those processes, data, and IT resources.

CISOs and CBOs both know that their efforts are integral to supporting an institution’s many missions and that neither information security or business operations exist for their own purpose. This shared point of view could be especially useful in helping CISOs increase information security awareness and hygiene practices across campus business units — especially as social attacks, like business email compromise scams continue to pose a threat across all industries .

Joanna Lyn Grama, JD, CISSP, is a senior consultant at Vantage Technology Consulting Group where she advises clients on information security policy, compliance, governance and data privacy issues.