Home page logo

educause logo Educause Security Discussion mailing list archives

Re: reporting structure
From: Valerie Vogel <vvogel () EDUCAUSE EDU>
Date: Wed, 23 Oct 2013 22:54:37 +0000

Good afternoon,

Here is a link to the 2009 ECAR Research Bulletin, The Career of the IT
Security Officer in Higher Education, which covers reporting lines:

Download the PDF here: https://net.educause.edu/ir/library/pdf/ECP0901.pdf

And here is some more recent information from the Core Data Service (CDS):

20% of institutions told us the CIO is the ³highest-ranking person with
primary responsibility for IT security².

Of those who have someone other than the CIO in this role, only 35% are
100% dedicated to the CISO role. (see attached image)

Of those 175 who are full-time CISOs (of one title or another), 69% report
to the CIO and 19% report to a first-line director in Central IT. Only 6%
report to someone at the C-level, who is not the CIO, and 1% report to the

Board of Trustees/Regents: 0%
President/Chancellor: 1%
Provost/Chief Academic officer: 1%
Chief Administrative Officer: 3%
Chief Financial Officer: 2%
Director of Internal Audit: 0%
CIO: 69%
First-line director in central IT: 19%
Second-line manager in central IT: 3%
None of these: 14%

If you have any additional questions, please let me know.

Thank you,

Valerie Vogel Program Manager

Uncommon Thinking for the Common Good
direct: 202.331.5374 | main: 202.872.4200 | educause.edu

On 10/23/13 2:34 PM, "George Farah" <george.farah () QUEENSU CA> wrote:

There is an EDUCAUSE publication that show various reports, CIOs,
Chancellors, Legal counsel, VP ops and Finance and Provost directly are
among the options.

It all depends on your culture centralised vs. de-centralised
environments and maturity of your IT and business organization.

Hope that helps.

George Farah, GIAC/GSEC Gold, CRISC, CISA
University Information Systems Security Manager
Queen's University,
Kingston, Ontario, Canada k7l 3n6
This communication and any attachments is for the use of the individual
or entity to which it is addressed and may contain information that is
privileged, proprietary, confidential and exempt from disclosure. If you
are not the intended recipient you are notified that any dissemination,
distribution, or copying of the communication is strictly prohibited. If
you received this communication in error, please notify the sender and
destroy this email immediately.

Cet envoi (et toute pièce jointe) ne s'adresse qu'à la personne ou à
l'entité à laquelle il est destiné. Il peut contenir des renseignements
privilégiés, confidentiels et ne devant pas être divulgués. Si vous
n'êtes pas le destinataire prévu,  nous vous avisons que toute
dissémination, distribution ou copie de cet envoi est strictement
interdite. Si vous receviez cet envoi par erreur, veuillez en aviser
l'expéditeur et détruire ce courriel immédiatement.

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Russ Leathe
Sent: October-23-13 4:21 PM
Subject: [SECURITY] reporting structure

Who does Information Security report to? Does the CSO or ISO report  to
the CIO or somebody else?

Thanks and Happy Cyber Security Month!

Gordon College
russ () gordon edu

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]