CISO In a Box?

When Nick McLarty resigned as TTI CISO in December, it was a significant blow to NIS because Nick was (and is) a valued and highly skilled team member. While I’m proud that Nick went on to become an Assistant Information Security Officer (ISO) for the TAMU System, I’m now tasked with providing a quality level of agency security in his absence.

I had heard about a number of TAMU system schools (5) that had engaged in the System contract to provide ISO services – the so-called “CISO In a Box.” After talking with my colleagues in some of these schools, I learned that the service was both economical and effective. One colleague told the story of how their contracted ISO recently led them through a TAMUS Security Audit with a highly favorable outcome (i.e., Level 2). Of course, I asked Nick’s opinion, and he enthusiastically recommended it. After these communications, I wasn’t totally sold on the service as a permanent solution but thought it would be worth a try as a provisional one.

To this end, we contracted under the TAMUS master contract for ISO services in December. I intend to revisit the service in May and make a decision whether or not to continue the contract, or hire a new CISO. The decision will be based upon a set of performance metrics that Nick and the System Security group are helping me to identify.

While we are still working out the workflows, the results have been promising. The contractors are reviewing and maintaining our security framework, providing consulting on security issues, and will soon take on some of the operational work Nick was doing for us. These are things like security investigations and responses.

To our customers, the change will be completely transparent. I will ostensibly be the “Interim CISO” for the Agency, but our contractor will take care of the heavy lifting. 90% of our security infrastructure is automated, so the contractor will act in persona Nick and soon be responding to any security incidents that may arise. As they begin to respond to customers, I’m very interested in your feedback about the job they are doing.

As always, I’m at your service.