How do you keep up with emerging threats? It must be difficult to plan a yearly budget with such a fast-paced threat landscape.
Keeping up with emerging threats means always reading, listening, attending and participating. It's impossible to keep up with everything on your own, so I lean on others to help in identifying key areas to look at or address. This can be peers, working groups, websites, conferences, vendors and magazines. I also find that participating in affinity groups is of immense value. I have three higher education groups I can query on any given topic, all with active listservs for information and research sharing. There is also the national Educause consortium, which is a wealth of information.
In addition, I participate as a founding member of Wisegate, a private invitation-only community of senior information technology professionals. Getting prompt answers from experienced and trusted colleagues in the community is of immense value. As for budget, you are correct in identifying the difficulty of planning a yearly budget. While I do plan three years ahead, emerging areas in need of addressing can be brought forward to the university's IT Governance Committee for funding that may be needed and is not in the current budget.
When evaluating an addition to your IT security team, how much value do you place on certification compared to experience? What certificates would you recommend for someone aiming to be a CISO one day?
This is an excellent question, and one that I think is not so black and white. When adding to the security team, I tend to look at the person holistically, assessing experience, certifications, and perhaps most importantly, future potential. The fit to the organization is also a key ingredient for a hire in education, as the environment and challenges are unlike the corporate world.
As for certifications, it once again differs with the role that needs to be filled. Surely the CISSP is the gold standard, and can be of value for all roles. However, a more technical certification, such as GIAC, may be more appropriate for the bits-and-bytes roles of the security team, working on the architecture and monitoring of the network. Individual solution or technology certifications are considered when a need arises in a concise area, but that rarely occurs now. I also have roles in policy and awareness to which certifications don't apply. For these roles, creativity, web design, and highly tuned communication skills are paramount. Experience is always necessary, but it does not have to be in security.
As I stated, future potential comes into play when assessing a candidate who may not have had direct security expertise. I also look beyond the certificates, for excellent communication skills, as well as some soft skills like marketing and sales. Much of what we do is convincing the university community to do the right thing, and to think securely. That's a function of every member of my group, and is key both to being hired and to continued success.
I also look at education, and I'm keen on hiring MBAs into my security group. The successful completion of an MBA indicates to me that the candidate has a deep knowledge of the business aspects that security supports, as well as exposure to group work, meeting deadlines, prioritization, the economics of decisions, and the need for risk-based decision making.