I agree that the corporate model is inappropriate. The security controls imposed on academic networks should foster sharing of information, not hamper this. On the other hand, a poor student in Romania can earn $1000/month by filling a technical role in an online fraud ring. Whether such an individual has such a right to hone his talents on the backbone of unchecked universtity network in the spirit of information exchange and progress, he and his university are also contributing to significant disruption in the private sector. Are we discussing two different things, or does the CIO who can't make it in the corporate world have a genuine management issue on his hands? Doing away with the role, and presumably some measure of security thought leadership, might actually shutdown the university network. Nevermind the corporations. Your friend's CIO might consider data lifecycle management, active rights management, .org trust policies, etc. And how would that sort of risk management impact the sharing of information - in academia? So my point here is that maybe the CIO in question is inappropriate for the university, but risk management on university networks should not be discounted.

[ reply ]

Link to this comment: http://www.securityfocus.com/comments/newsbriefs/159/777#777