A Week In The Life Of A CISO: Bob Turner, University of Wisconsin
Balancing Time Management And Strategic Leadership In Higher Education
The role of the Chief Information Security Officer (CISO) has been significantly impacted by Enterprise Mobility, and has consequently been forced to evolve in terms of operational focuses and relationships across the entire business.
We asked the CISO of one of the largest universities in the United States, Bob Turner of the University of Wisconsin, Madison campus, to share with us how his typical week is shaped, to help better understand the importance of mobile security. The following was written by Bob Turner.
My favorite question is “What is keeping the CISO up at night?” My quick but internal response is there are too many good books to read and I have a weakness for television police dramas. My next favorite question is “Do you have time this week to discuss (insert topic here)…” to which I have to pause before answering to understand the meaning behind the meeting.
At the University of Wisconsin-Madison, our mission is to provide a learning environment in which faculty, staff and students can discover, examine critically, preserve and transmit the knowledge, wisdom and values that will help ensure the survival of this and future generations and improve the quality of life for all.
In rounded numbers, the University of Wisconsin-Madison is a $2.9B business that serves 43,000 students who earn 10,000 degrees per year; nearly 22,000 staff that includes researchers who generate revenue and who hold dozens and dozens of patents; administrators who manage budgets, buildings, equipment, entertainment, food service, human resources, parking, security, student schedules, technology and life itself.
Knowing there are only 168 hours in a week, as a higher education CISO, I need to watch my time carefully to ensure I can address a wide variety of issues and respond to a large constituency and still have a life. My working calendar is a bowl of fruit salad, meaning that my assistant manages my time in 15-minute increments by the type of event or appointment, with a color code assigned for every meeting or portion of my work day.
My average week starts with a meeting where my Associate CISO and I take a look at the week ahead, followed by a meeting with the Cybersecurity Domain Leaders for Risk Management and Compliance, Enterprise Systems Security, Incident Response and Monitoring, Security Testing and Cyber Defense, and my special assistants for Security Awareness and training and IT Policy. This meeting specifically focuses on understanding what their weekly success story will be when Friday rolls around. I follow that by ensuring I have checked in with department directors and other IT leaders and see where I need to be headed next and to learn of the events, meetings, conversations and technology issues that will be encountered during the week. I try to intersect with my busy Chief Information Officer, Bruce Maas, or his Chief of Staff sometime during the day.
My office works closely with the central Division of Information Technology and also maintains relationships with some of the larger distributed IT organizations on campus. This means that I am called into executive meetings and Director-level planning sessions throughout the week. Many of these meetings require additional study and review of plans, documents and strategies ahead of the meetings (rose-colored blocks on the graphic).
As a highly visible member of UW-Madison information technology leadership, the rest of my week includes participating in standing committees and governance bodies (green on the graphic), meetings with external UW and Wisconsin State agencies (purple), meetings with my team or other Directors (dark gray), and larger group discussions with colleagues, managers and other teams (orange).
An average week might look like the figure below:
Each day brings important briefings with my Cybersecurity Operations Center and our Enterprise System Security teams. These people provide me a look at the daily cyber threats and activities that shape our defense of some of the University’s most valuable data. These daily briefs may touch on any number of topics and normally include threat intelligence, potential security breaches, incident response and management strategies, security testing in progress and potential compliance issues. You can add four to six hours per week keeping up with the industry and in professional reading on leadership, management, technology, strategy and tactics, and articles and professional papers dealing with the influence and direction of technology in higher education.
Some days I even get lunch worked in the schedule.
The modern-day Higher Education CISO must be able to balance the normal day-to-day events with strategic planning, public relations and communications, staff planning and mentoring, and completing the routine administrative chores. For this I try to fence off the first hour of each day so I can tee up the work that will be performed in the margins between meetings. I am also conscious of how long it takes to travel in between the many venues on our campus and budget time on the calendar appropriately. Fortunately for me, at a brisk walking pace, I can get to most of the meeting places within 15 minutes.