Educause Security Discussion
mailing list archives
Re: Reporting Structure
From: "Watkins, Lewis" <LWATKINS () UTSYSTEM EDU>
Date: Thu, 24 Oct 2013 14:33:49 +0000
Within the University of Texas System, policy is that Institutional CISOs report to the President of the Institution or
to an Executive Officer who reports directly to the President. In most cases, this ends up being the EVP for Business
affairs or the Provost. Policy also states that the Institutional CISO is not to report directly to the CIO. This
went into effect a few years ago to address certain conflicts of interest that can arise when the CISO reports directly
to the CIO, somewhat analogous to the Audit Director reporting directly to the Chief Financial Officer.
UT System Institutional CISOs also have dotted line reporting relationships to the Institutional Compliance Officer,
the UT System CISO, and in some cases the Institutional CIO. In all cases, the CISO has permission to go to the
President if there is a need to report something.
That said, there is no one correct answer as to where the CISO, or the CIO for that matter, should report. It very
much depends on the culture of the organization, maturity of IT and Information Security functions, and any local
issues posing barriers to creating a security mindful culture within the institution.
**** CONFIDENTIALITY STATEMENT ****
The information in this message may be confidential. If you received the message in error,
please notify me and delete the message. Further dissemination is prohibited. Thank you.
Lewis Watkins, Chief Information Security Officer
The University of Texas System, 201 W. 7th Street, ASH 318, Austin, Texas 78701
Ph: (512) 499-4540
On Thu, Oct 24, 2013 at 12:00 AM, SECURITY automatic digest system <LISTSERV () listserv educause edu> wrote:
There are 6 messages totalling 997 lines in this issue.
Topics of the day:
1. reporting structure (6)
Date: Wed, 23 Oct 2013 20:20:40 +0000
From: Russ Leathe <Russ.Leathe () GORDON EDU>
Subject: reporting structure
Who does Information Security report to? Does the CSO or ISO report to the CIO or somebody else?
Thanks and Happy Cyber Security Month!
russ () gordon edu