In a little over a month, EDUCAUSE 2011 will be in full force at the Philadelphia Convention Center. There will be networking, knowledge sharing, cocktail parties, and plenty of great interactive sessions — all led by today’s thought leaders and pioneers in higher education IT.
As a lead-up to this year’s conference, we’ve interviewed some of the speakers who will be sharing their knowledge and experiences at EDUCAUSE 2011. It’s our hope that these interviews will spark conversation and give conference attendees a better sense of this year’s speakers.
For the first installment of our interview series, we spoke to Tammy Clark, the Chief Information Security Officer at Georgia State University. She’s leading a session at EDUCAUSE called “Developing a Standards-Based Information Security Program Using ISO 27002.” Tammy was nice enough to answer a few of our questions via email about information security programs, recommendations for first-time EDUCAUSE attendees, and more.
1. What is the most rewarding aspect of what you do? The most challenging?
The most rewarding aspect is working with a diverse and large group of people (staff, faculty, and students) in a very creative, innovative and collaborative environment that constantly challenges me to think outside the box and embrace non-traditional ways of thinking about information security due to being within a higher education environment.
The most challenging aspect is building a culture of security awareness and helping the university community to determine the best means of protecting critical and sensitive information that is processed, stored, or transmitted electronically, in ways that support their desire for transparency, convenience, collaboration with colleagues worldwide, academic freedom, and innovation.
2. According to your bio, you “joined Georgia State in 2000 with the initial charge to start from ‘ground zero’ in creating an information security program.” What were some of the greatest lessons you learned in the process of creating that program?
Some of the greatest lessons I learned early on were:
1) Embrace small successes and don’t focus too much on the length of time it takes to make a big impact
2) Effective communication with students, staff, and faculty is important and requires a flexible and often creative approach, rather than attempting to enforce, mandate, or dictate
3) Find information security ‘champions’ among the students, staff and faculty populations and work with them to build a strong base of support for information security initiatives
4) Strategic planning is essential in order to build support and gain funding for information security solutions—using established best practices and standards, as well as information and toolkits provided by organizations like EDUCAUSE to build a well-defined ‘roadmap’ for University leaders, so that they can better understand that effective information security programs are critical success factors in accomplishing academic, business, and information technology goals and objectives
5) Never give up—the road ahead is not always a ‘freeway;’ sometimes, it’s more like a craggy hill, but as long as you keep finding the path that moves you forward, you will get to your destination!
3. Your session this year is about creating a standards-based information security program using the ISO 27002 standards. What do you see as some of the biggest challenges facing information security officers as they strive to create and maintain comprehensive security programs?
Some of the biggest challenges we face as information security practitioners are:
1) Dealing with a threat landscape that has evolved far beyond viruses and worms that can be easily remediated, to advanced persistent threats and bot networks that are often difficult to detect, bypassing our traditional controls and protection mechanisms, and making it more challenging and time consuming to protect our critical IT systems and devices from compromises
2) Trying to do more with less, as our user populations are large and we have a lot of ground to cover
3) Compliance requirements continue to proliferate
4) Mobile device exploits and attacks are looming large on the horizon and, as of now, there are not many security solutions out there to assist
5) Our data is starting to move out to the cloud and that presents a whole new set of risks
6) Security awareness is an omnipresent issue and, as so many of today’s malware attacks target our end users, helping them understand how to protect themselves from identity theft, and their personal accountability to protect internet-connected devices and data, is always a critical challenge we face.
4. As a veteran EDUCAUSE presenter, do you have any recommendations or suggestions for first-time attendees? What is your favorite part of the conference?
My recommendations for first-time attendees would be to immerse yourself in the ‘EDUCAUSE’ experience and all that it offers in the form of peer networking opportunities; finding out how other universities may be handling challenges that you find yourself confronted with (i.e., not having to reinvent the wheel); the exhibit arena is huge, and there will be unfettered access to many vendors who understand the higher ed sector and its unique needs; the Higher Education Information Security Council has a general meeting that is always well attended (I’m a member), and I strongly encourage everyone to get involved and contribute ideas and best practices they’ve discovered!