My First Year as a Shared CISO

In April 2017, ORION launched a two-year pilot program with eight Ontario education institutions. The idea was brought to us by members of our higher education community with the objective of sharing a Chief Information Security Officer (CISO) to establish and further a security framework to address information privacy and cybersecurity challenges. 

As one of our group’s members, Nela Petkovic, Chief Information Officer at Wilfrid Laurier University, says, “One of the key priorities that the ICT department has identified is the security of our information systems. However, balancing this critical need and dedicating sufficient resources, both financial and human, which are required to ensure the university is protected from cyber threats is a challenge. The advice and support from the shared CISO takes us much further than we would be able to go alone.”

Year One Achievements

Shared CISO cohort meeting at the ORION office

In order to share effectively, we needed to start with understanding where we were all coming from; what our needs were. I quickly learned that each institution had a different level of cybersecurity maturity. In my role as CISO, I led the members through a security gap assessment to understand the common gaps and weaknesses at each institution. We then discussed their security needs and challenges. The results led to the creation of a shared roadmap with three project streams:

  1. Development of a shared security framework
  2. Training, awareness and skill development
  3. Shared Security Information Event Management (SIEM) proof of concept

Developing a Shared Security Framework

Some of the key priorities identified by the institutions included guidelines for incident management and cloud security, as well as a security governance approach and structure. We also developed a compliance strategy for the Payment Card Industry Data Security Standard (PCI-DSS), since all the participating institutions either store or process and transmit credit card information. We conducted a full-day workshop on PCI-DSS compliance for the participating institutions.

David Cullum, Chief Information Officer at Brock University says, “I see this project being a strong baseline for other institutions, to help guide them to be more cybersecurity-aware as well as addressing any compliance programs such as PCI.”

While they share a CISO, it is important for each institution to have ownership over cybersecurity at each level and for stakeholders to understand their role in ensuring strong cybersecurity controls in their organization. One of our key milestones was to develop a methodology for threat risk assessment. I created and conducted a workshop, presenting real-life scenarios to which participants applied the framework to develop a solution.

As we worked on a security governance framework, we ran a workshop on security governance which outlined the information security responsibilities of various stakeholders in each organization. It also ensured that their cybersecurity strategies aligned with their objectives. 

Training, Awareness and Skill Development

CND workshop at ORION’s office

ORION conducted pilot workshops on other key cybersecurity topics through a partnership with the EC-Council, one of the leading cybersecurity training and certification bodies. We held a three-day workshop on the Certified Network Defender course for the G8 working group. Upon the completion of the course, the attendees had the option of writing the CND exam and applying for certification. 

Participating institutions also took advantage of our CCISO (Certified Chief Information Security Officer) workshop, the first training and certification program of its kind, aimed at producing top-level information security executives. It was held as part of our THINK conference and included tickets to the main event, complete with an entire security track of expert panels, including a few speakers from our group.

Farooq Naiyer speaking at Brock University for cybersecurity awareness month


Training continued within the participating institutions as well. I was pleased to be part of Brock University’s cybersecurity awareness month, highlighting the importance of cybersecurity and how we’ll need to be a part of the solution. 

SIEM Proof of Concept

As our CTO, David Smith, reported at CANHEIT, the NREN’s goal is to deploy a SIEM in each province and territory. Improving our cybersecurity capability is a big project. We can only tackle this effectively by working together at the institutional, provincial and national level. This group has started the important work of determining how this could play out in Ontario by contributing requirements for a shared SIEM and undertaking a proof of concept. 

An Inspiration for Canada 

The creation of this project is an achievement in itself: it’s the first shared-CISO project in Canada’s research and education sector. It garnered much attention across the country and is inspiring others to implement similar programs. We worked with BCNET to provide guidance on launching the same initiative in BC. SRNet invited me to Saskatoon to present the model to the CIOs from Saskatchewan’s education institutions. We’re also working closely with MRNet as they pursue launching this initiative in Manitoba.

What’s to Come

Speaking with our community, I’ve seen a need to develop stronger communications around cybersecurity. That’s something I’ve identified for us to work on this year. I am also working to scale the pilot framework to additional institutions. Our current group sees a need to scale this model. “I envision a more focused service offering to a broader community of participants,” says group member Denise Ernst, Information Security Officer at Queen’s University. 

In the end, our goal is to protect our research and education institutions from cyber attacks, ensuring data and information remain secure.

The Collaboration

Founding Shared CISO cohort members at ORION’s 2018 THINK Conference

The best part of this project has been the cooperative experience with the members of this group. Denise said the project “provides a forum for Queen’s to contribute knowledge with other institutions and learn new methods for managing threats and vulnerabilities in the higher education sector.”

When I spoke to Alastair MacLeod, Chief Information Officer of OCAD, a participating institution, about the project, he called it “a landmark initiative for Ontario higher education shared services that help to address a critical issue for the community. It established a collaborative network leveraging shared information and resources that is hoped to expand and include other members of the Ontario higher education community.”

I’m proud that he agrees that our project is achieving its objective, and there’s still more to come. 

As David Cullum says, “the shared CISO project has opened our eyes to the many complexities and areas of security that must be taken into consideration. It’s not just about firewalls and policies.”

I look forward to seeing what we can achieve together this year!