1 of 15

Tammy L. Clark, CISSP, CISM, CISA, CRISC, PMP

Chief Information Officer

The University of Tampa

April 19. 2016

You’ve Got This!

Briefing the Board on Information Security

2 of 15

Speaker Bio

  • CISO for the past 16 years at two universities
  • Recently Promoted to CIO
  • Involved with EDUCAUSE HEISC since 2002
  • Veteran board presenter

3 of 15

The University of Tampa

  • Independent University in Tampa, Florida
  • 8000+ students enrolled, Liberal Arts tradition
  • Students from 50 states and 140 countries
  • 65% of full-time students live in campus housing
  • 1200 staff; hundreds of contractors and student part time workers; 900 faculty; 4 colleges
  • Ultimate responsibility for the University resides with the Board of Trustees, as governance of the University is legally invested in the Board.

4 of 15

Information Security at The Univ of Tampa

  • Information Security Program formalized 3.5 yrs ago
  • CIO/CISO - reports to UT President
  • Chief among infosec initiatives building a culture of risk management, security awareness, and data protection
  • ISO/IEC 27001:2013 Certified since July 2015

5 of 15

Session Agenda

  • Why talk to the board?
  • Key board briefing goals
  • Understand the audience
  • Tips and techniques
  • Discussion

6 of 15

Why Talk to the Board Anyway?

  • “C-Suite” Issue = Board Issue
  • Due Diligence
  • Correct misperceptions
  • Professional development

7 of 15

Goals for Briefing the Board

  • Relationship building
  • Risk assessment
  • Highlight next steps

8 of 15

Know Your Audience

  • Boards are typically business people
  • Be honest and direct
  • Be brief (because there will be questions)
  • Educate

9 of 15

Putting Things into Context

How much does your Board know about your current information security posture?

10 of 15

Define Your Approach

  • Align with strategic objectives and goals
  • Share concrete examples
  • Stress risk management culture
  • Discuss challenges

11 of 15

Discuss InfoSec Challenges

  • Security attacks invisible
  • Confidential data everywhere
  • Complicated regulatory landscape
  • Lack of legal enforcement (until there isn’t)
  • Data Losses can be staggering

12 of 15

Then What Happens?

  • Get invited back
  • Develop strong relationships
  • Continued education
  • Increased investment?

13 of 15

Tips and Techniques Discussion

  • Have you talked to your board?
  • What worked well?
  • What didn’t work so well?
  • What is your one piece of advice for your colleagues?

14 of 15

Summary

EDUCAUSE Review, Leading an Effective Briefing with Board Executives about Information Security, http://er.educause.edu/articles/2016/1/leading-an-effective-briefing-with-board-executives-about-information-security

15 of 15

Thank You!

Please remember to fill out session evaluations.

Feel free to contact me at tclark@ut.edu