WASHINGTON -- When Mark Johnson first took over as the new CISO at Vanderbilt University in 2004, he looked at the university's information security organization and network security infrastructure and couldn't believe what he saw. Not only did the campus not have a firewall between the Internet and its 33,000 faculty, staff and students, those users weren't even required to authenticate themselves in order to get onto the network.
He knew he had to do something, but, despite the fact that he was the CISO of the university, Johnson didn't really have the authority to make the sweeping changes he thought were needed. His role, he had been told, was a strategic one. He had no control over security operations and virtually no one reporting to him. So Johnson, who spent years working in security incident response in the military, intelligence and financial-services worlds, decided to do what he'd normally do and ignore his job description.
That didn't work out so well.
"I was told that none of the security operations would report to me. I thought, 'How does that work?'" Johnson said during a session at the Gartner IT Security Summit here. "It looked like I was going to be that figurehead they take out on the lawn and summarily shoot in the head when something goes wrong. If they wanted me to make the dinner, I've got to be able to buy the groceries. So I started bossing the operations guys around, demanding meeting. I ignored my boss's mandates. I figured they're wrong, I'm right. What happened? Nothing got done and I had a very irate boss."
Johnson had just found out the hard way that the role of the CISO is changing rapidly, and in many ways it can be a difficult transition for security professionals who are used to directing response, managing projects and generally running the show. With compliance and other non-technical initiatives becoming more important, the CISO position increasingly is a strategic one that requires communication, management and interpersonal skills. For Johnson, that was a hard pill to swallow. He had to go back and figure out why Vanderbilt had cast the CISO role as a strategic one, and then decide how best to use his skills in this new capacity.
To start with, aside from the problem of not really having any direct authority over the security operations team, Johnson also was a complete neophyte when it came to understanding the culture of academia, as opposed to the highly structured environments he had worked in previously. Vanderbilt, like many colleges and universities, designed its network with maximum openness and freedom in mind. Security was somewhere toward the bottom of the list of priorities. Though Johnson has been able to make a few changes in recent years, keeping the network basically open was a must.
"We do not have a perimeter. I don't require authentication for you to get onto my infrastructure. I have [access points] pointed at Starbucks because professors like to get online while they have their coffee," Johnson said. "We are in fact part of the Internet. We are an open academic environment for a legitimate reason. Our job is to ask the next great question, and you don't do that in isolation, in lockdown. You do it in a free and open environment."
So after getting his head around the fact that he was not going to be able to turn Vanderbilt's network into a citadel, Johnson set about the task of repairing the relationships with other IT executives, systems administrators and other stakeholders that he had damaged during his attempted coup d'etat. In doing so, he learned that many of the folks lower down on the university's organizational chart were the ones who wielded the real power around campus. They had spent years developing the relationships necessary to get things done and knew who to work with on any given project. In short, the systems administrators, staff and faculty members knew where the bodies were buried.
"It's a feudal system with a weak king and very powerful dukes," Johnson said. "The culture is built on collaboration. Disagreement is good, but conflict is not. If you're smart, you surround yourself with smart people who disagree with you."
Now, Johnson spends his time working the leaders of organizations throughout the university and medical school, educating them about security and compliance issues and learning about their needs, as well. For example, when the PCI Data Security Standard became an issue, Johnson took the time to explain to the university leadership that compliance with the standard was not really a security problem.
"I spent my time trying to convince the business leaders that it was a business problem," he said. "Information security and IT are there to help with the problem, but in reality it's a business problem. My job is to focus attention on risks that we can deal with."