โ† Back to Schedule
Abstract visualization of cybersecurity program growth and maturity
Session 11

From vCISO to Institutional CISO: Building a Sustainable Cybersecurity Program

Wednesday, June 10, 2026, 3:00 PM – 4:00 PM, Pomona · Estella 1051

About This Session

CLAC schools face the same cybersecurity pressures as large companies (regulatory compliance, vendor risk, and an evolving threat landscape) without comparable staffing or resources. This session presents a real-world case study of how Pomona College built a sustainable cybersecurity program through a five-year partnership with a cybersecurity consulting firm.

Beginning as a virtual CISO (vCISO) relationship, the partnership supported foundational governance, risk assessment, and compliance needs while enabling the institution to progressively internalize cybersecurity leadership and decision-making. Co-presented by Pomona College's Chief Information Security Officer and Aldrich Solutions' VP of Cyber Risk Services, this session shows what intentional capability-building looks like over time.

The Partnership Journey

  • Year 1–2: vCISO Engagement. Foundational governance, risk assessment, and compliance support. The institution accesses expertise without bearing full CISO overhead.
  • Year 2–3: Risk-Based Planning. Annual internal and external penetration testing to inform POAM-driven planning; recurring GLBA and PCI assessments.
  • Year 3–4: Vendor Risk Management. Integrating HECVAT reviews into a scalable vendor risk management program; translating findings into actionable improvements.
  • Year 4–5: Internal Capability. Leadership development as cybersecurity maturity increases; demonstrable maturity that satisfies the annual trustee report-out.

Key Topics

  • How to structure a vCISO-to-CISO transition including governance, assessment cadence, and leadership enablement
  • Using POAM-driven planning to improve cybersecurity maturity at a sustainable pace, rather than reacting to individual findings
  • Integrating HECVAT reviews into an operational vendor risk management program aligned with institutional capacity
  • What demonstrable cybersecurity maturity looks like for trustee reporting and external stakeholders

Learning Outcomes

  • Identify key components of an effective vCISO-to-CISO transition, including governance structure, assessment cadence, and leadership enablement.
  • Apply POAM-driven planning to systematically improve cybersecurity maturity at a sustainable pace rather than reacting to individual findings.
  • Integrate vendor risk management practices, including HECVAT reviews, into an operational cybersecurity program aligned with institutional capacity and resources.

Session Description

This session emphasizes what worked, what changed over time, and how institutions can intentionally design partnerships that evolve as internal capabilities grow. Rather than a consultant-client dependency model, the Pomona/Aldrich partnership was structured from the beginning to build toward institutional independence, a model other CLAC institutions can adapt regardless of their current cybersecurity maturity level.