You've hired an information security professional, allocated hundreds of thousands or even millions of dollars to security technologies, training, awareness, policies and standards, human resources, tweaked old processes and developed some new. BUT, no one is really sure what's going on and there doesn't seem to be a clear path forward. The CISO/director/manager has come up with a 150-page tome called an information security strategy (there is alot of detail). It references ISO 27001-2, PCI, CoBiT, ITIL, FIPPA/HIPA/PEPIDA and the top 20 security controls. Only the CISO/director/manager has read it all the way through, but it isn't clearly connected to either the IT strategic plan or the institution's strategic plan. 

In the meantime:

  • Your institution is trying to become PCI compliant
  • Various departments/faculties/divisions have presented you with the de facto cloud solution to their business problems
  • The privacy office is demanding that you provide PIA information
  • Your last audit indicated that your institution's controls could use some basic remediation for passwords, access control, encryption...
  • Your Board would like to know what risks cybersecurity really poses to your institution
  • The most urgent need is to deal with the most recent incident, AND
  • While recovering from that everyone knows that the next major incident is only a click away!

This probably sounds all too familiar, but there are no magic bullets. Can your campus get to an information security strategic plan? Will it make any difference? 

In this interactive presentation, we will have the opportunity to see how one medium-sized school is doing and consider what's working and what isn't.


Hugh Burley

Manager of Information Security/Information Security Officer, Thompson Rivers University/BCNET