New CISO at ETH Zurich
Dr. Domenico Salvati is the new CISO at ETH Zurich.
Domenico Salvati has been working as CISO (Chief Information Security Officer) at ETH Zurich since the beginning of April 2019. The role of the CISO has existed at ETH for some time now, and was hitherto carried out by the Head of IT Services, Dr. Rui Brandao. With the entry into force of the directive «Information Security at ETH Zurich» (around April 2018) it became clear that the tasks, rights and duties of the CISO as specified would exceed the time budget of the Head of IT Services.
Domenico Salvati: Career Path
For Domenico Salvati, Information Security has played a central role in his professional career. His interest in information security began towards the end of his studies in information systems at the University of Zurich, where he wrote his degree dissertation on «Organisational Aspects of Information Security». The final year paper opened the way to his first employment with a large audit firm, where he gained initial experience in the Computer Risk Management Group. He gained further experience on the staff of the CIO at a medium-sized Swiss bank, and this led to him being hired by a major Swiss bank, where he held various roles in the field of information security. The bank later offered him the opportunity to work part-time with its support in order to write a dissertation entitled «Management of Information System Risks». Domenico Salvati then went from the banking world to a job with a major Swiss health insurer, where he served as Corporate Risk Manager.
What is information security and what does a CISO do?
Information security «wants» to ensure that confidential information remains confidential, that information is not unintentionally or erroneously altered (integrity), and that information is available when needed. In many cases, the above-mentioned requirements for the protection of information also stipulate verification and/or traceability, which are particularly important when someone wants to make a payment via e-banking and prove retrospectively that the payment was actually triggered. The «information» part of the term «information security» should also indicate that this protection is not limited to the IT resources of ETH Zurich, but also applies, for example, to information written on paper, and even to the spoken word.
The ETH Zurich CISO now essentially implements the above-mentioned directive, «Information Security at ETH Zurich» and is the central point of contact for all units (central bodies, departments, and their institutes, as well as teaching and research institutions outside the departments) for all information security issues. It is also important in this context to adhere to the rules of conduct specified in the «ETH Zurich Acceptable Use Policy for Information and Communications Technology (BOT)». In view of the size and complexity of ETH Zurich and the great variety of tasks involved in the role of CISO (see article 5 of the «Information Security Directive»), for each department and for the central bodies and staff, so-called Information Security Officers (ISO) are being appointed, who are on the front line, as the first points of contact.
Organizational affiliation
As its area of responsibility extends across the entire ETH, the CISO is part of the General Secretariat under the ETH President. The organizational placement in the General Secretariat is intended to underpin the ETH-wide acceptance of the CISO by contacts outside IT Services.
IT Services are an important contact, in particular for the implementation of technical measures for information security. The central role played by IT Services in information security issues is also reflected in the fact that the CISO, while not belonging to IT Services organizationally, still works within IT Services.
What are the next projects?
For the next few months, Domenico Salvati will be busy getting acquainted with ETH Zurich and planning the next steps. So far, many efforts have been made in the area of information security to identify sensitive information (including databases) and determine its protection requirements. These efforts are now being intensified in order to achieve ETH-wide coverage.
As a next step, the collection and reassessment of the current state of information security should prove interesting. Domenico Salvati has also been requested to provide the ISOs «at the front line» with the necessary tools and support to carry out their duties in the field of information security.