Securing the Ivory Tower in a changing world

July 28, 2014
Convergence of technologies and responsibilities creates new and expanded roles for university CISOs

The world of information security is an interesting one, and oftentimes we who have chosen it as a vocation suffer from an identity complex.  At least the discipline is now well enough established that we don’t have to explain our roles to people when they ask us what we do.  Still, there is an element of mystery, and a difficulty in providing a concise answer when queried.  I find it funny when I attend a conference or seminar and I hear the usual question asking how long the attendees have been in the information security field.  This question is becoming more and more irrelevant, as the roles and responsibilities of today are not the same as those of ten, fifteen or more years ago.  A great deal of this is because of the ever-changing landscape that we know as information security.

Information security is no longer the troglodytes at the end of the corridor, working in dark offices or cubes, and living on Skittles and coffee.  Security is now a respected member of not only the IT division, but the overall enterprise.  With the integration of some aspects of physical security, privacy and compliance, the CISO may find themselves covering numerous areas of risk.  It was not long ago that information security was having a hard time getting a seat at the table, and now it may find itself wearing multiple hats at that very same table.

This is certainly the case in higher education.  While many institutions have created chief privacy officers and compliance offices, others have chosen to let the CISO cover these roles.  This makes sense: looking at the confidentiality, integrity and availability of these areas holistically supports economies of scale, and creates a strong focus on reducing risk.  Recent high-profile and well-publicized breaches in higher education have put an increased spotlight on the CISO function, and on how information protection is accomplished across the institution.

Higher education is a stimulating and challenging area for security.  With numerous constituents, including faculty, staff, students, researchers, scholars, visitors, applicants, parents, donors, sports fans and more, the mission can be daunting.  While BYOD is a relatively new term for many organizations, higher ed has been dealing with the issue for as long as there have been personal devices.  Many students (and faculty) have multiple devices that need access to the network.  Add to this decentralization, openness and academic freedom, and it is obvious that there needs to be a focus on information security.  Higher education also continues to be a target for the darker side of the internet.  We are a target because of the openness we embrace, the databases we keep (student, financial and health records among them), and the valuable research that we participate in.

So how do we deal with the ever-evolving mission, and the ever-increasing threats?  It takes a comprehensive view of security, which includes partnerships, governance, awareness, networks and business skills.

It all begins with a robust and agile strategy, structure and foundation of network security.  Many institutions still have flat networks, and because of the openness of a campus, this architecture can be an incubator of issues: a single compromised device can reach every other system on the network.  However, with the advent of advanced persistent threats (APTs) and other emerging and serious attacks, this view is changing.  Network security in higher education now uses segmentation as a key strategy, to limit the paths an attacker can take and to contain any compromise or disruption to the segment where it starts.  In addition, protecting the most valuable areas of the network, be it for the data they contain or the function they perform, is a continuous focus.  Many schools have dedicated security analysts and engineers in their network teams, and have even created security operations centers, as the need for proactive measures and quick response has taken center stage.  Strategic alliances for network security are also necessary, such as membership in the Research and Education Networking ISAC (REN-ISAC), which also aids in incident response.

Next generation firewalls are also providing value on college campuses.  Gone are the days of a single firewall at the core acting as little more than a network router; placing firewalls at both the border and in front of specific network segments is now the norm.  Next generation firewalls give greater visibility into the immense amount of traffic that flows through a college campus at all hours of the day (and night!), and provide the insight necessary to make informed and strategic decisions about that traffic.
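The segmentation point above is easy to state and easy to get wrong in practice: an allow rule added "temporarily" between two segments can quietly reopen a path into the most valuable part of the network.  The following Python script is an added example written for this edit; it is not code from the column, from Brown University, or from any firewall product.  It models a campus policy as a graph of segments with "may initiate to" edges, compares a flat design with a segmented one, and checks that every route into the restricted segments is forced through a single bastion segment.  The segment names, the policy itself and the choice of "bastion" as the chokepoint are constructed assumptions for illustration.

```python
from collections import deque

# Constructed segments for a hypothetical campus; not any real institution's design.
SEGMENTS = ["internet", "student_byod", "faculty", "bastion",
            "research_restricted", "admin_erp"]

# Crown-jewel segments that must only be entered via the chokepoint segment.
CROWN_JEWELS = {"research_restricted", "admin_erp"}
CHOKEPOINT = "bastion"


def flat_policy(segments):
    """The pre-segmentation campus: every segment may initiate to every other."""
    return {s: set(segments) - {s} for s in segments}


# Segmented policy (assumed): default deny between segments, explicit allows only.
# An edge means 'src may initiate connections to dst'; replies are stateful.
SEGMENTED_POLICY = {
    "internet": {"bastion"},
    "student_byod": {"internet"},
    "faculty": {"internet", "bastion"},
    "bastion": {"research_restricted", "admin_erp"},
    "research_restricted": set(),
    "admin_erp": set(),
}


def reachable(policy, start):
    """Segments reachable from `start` by chaining allowed edges (BFS).

    This is transitive reachability: if A->B and B->C are allowed, a compromised
    host in A can pivot through B into C even though no A->C rule exists.
    """
    seen = {start}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        for nxt in policy.get(cur, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    seen.discard(start)
    return seen


def without(policy, segment):
    """The policy graph with `segment` and all edges touching it removed."""
    return {s: {d for d in dsts if d != segment}
            for s, dsts in policy.items() if s != segment}


def direct_exposure(policy, target):
    """Segments holding a direct allow rule into `target` (its attack surface)."""
    return {s for s, dsts in policy.items() if s != target and target in dsts}


def check_policy(policy, crown_jewels=CROWN_JEWELS, chokepoint=CHOKEPOINT):
    """Return sorted (src, target) pairs where src can reach a crown-jewel
    segment along some path that bypasses the chokepoint.

    The check deletes the chokepoint from the graph and recomputes reachability:
    anything that still reaches a protected segment has a route the bastion
    does not mediate.  An empty list means the segmentation holds.
    """
    pruned = without(policy, chokepoint)
    findings = []
    for src in pruned:
        for target in crown_jewels:
            if src != target and target in reachable(pruned, src):
                findings.append((src, target))
    return sorted(findings)


def with_rule(policy, src, dst):
    """Copy of `policy` with one extra allow edge, e.g. a 'temporary' exception."""
    new = {s: set(d) for s, d in policy.items()}
    new.setdefault(src, set()).add(dst)
    return new


if __name__ == "__main__":
    flat = flat_policy(SEGMENTS)
    print("flat: direct exposure of research_restricted:",
          sorted(direct_exposure(flat, "research_restricted")))
    print("flat: bypass findings:", check_policy(flat))
    print("segmented: direct exposure:",
          sorted(direct_exposure(SEGMENTED_POLICY, "research_restricted")))
    print("segmented: bypass findings:", check_policy(SEGMENTED_POLICY))
    # A single well-meant exception reopens a path around the bastion.
    leaky = with_rule(SEGMENTED_POLICY, "faculty", "research_restricted")
    print("after faculty exception:", check_policy(leaky))
```

Run as a script, the flat design shows every segment holding a direct allow into the restricted segment and eight bypass findings, while the segmented design shows only the bastion as adjacent and no findings; adding the one faculty exception immediately produces a finding.  Note that `reachable(SEGMENTED_POLICY, "student_byod")` still includes the restricted segments, by way of the internet and bastion edges, which is exactly why the bastion host itself deserves the tightest controls and monitoring.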

As our discipline came of age, CISOs most often came up through the ranks of network security or systems administration, both of which were a solid training ground for the role.  However, the mission they fulfill now is much more comprehensive.  In addition to responsibility for firewall rule sets and network security architecture, the CISO mission can now include additional (and complementary) responsibilities such as awareness, privacy, compliance and risk management.  CISOs are looked to as part of the leadership team, and must have business acumen and critical thinking skills.  Many who fill the role have an MBA as part of their personal tool kit.  Information security in higher education embraces this, and the role of the CISO is key to success in the university mission.

As with private enterprise and government, it all starts with executive level support, and with that comes a Security Executive Committee, and the overall governance relative to security.  At my institution we look at the security of information holistically, and the executive committee that provides direction and support covers data security, privacy, compliance and records management.  Known as “DPCRM”, this committee of high level administrators and key data owners articulates and prioritizes campus business needs for policy, process, technology, and solutions that identify, protect, and manage university records and data.  The committee also reviews and acts as the approval authority for all exemption requests for use of restricted information outside of university policy.  This committee, chaired by the CISO, aids not only in setting the strategy and priorities for the information security function, but also acts as a driver for acceptance and buy-in for security initiatives.

The higher ed CISO also plays a key role in ensuring that the institution’s data is protected through contract reviews.  There are two key areas in this regard: normal purchasing legal agreements, and contracts and protocols for research funding.

Purchasing contracts oftentimes have elements of data security and privacy, especially with the movement of data, processing and infrastructure to the cloud.  Ensuring review by a qualified security practitioner is key in establishing the protections necessary for your data, and aids in identifying the necessary contract language for retrieval of information at the end of the engagement, breach notification and response, physical security and more.  Creating a strong partnership with purchasing, and establishing standard, acceptable contract language for data security, reduces risk to my institution.

Research funding is also established through contracts, and in recent years the contracts have been much more descriptive and prescriptive in their language concerning security.  It is absolutely necessary for the security officer to review the language to ensure that the university can comply, and that the agreed upon terms are adhered to.  Much of this data is covered under regulatory mandates as well, and a CISO who also has compliance responsibilities can ensure acceptable practices in both areas during research proposal reviews.

Higher education must also cooperate with national law enforcement.  While universities are not specifically designated as critical infrastructure, it is prudent to secure them as such.  Interaction with national agencies is critical given the research that is being conducted for national security, the foreign nationals who are educated on our campuses, and regulations such as ITAR and export controls that we need to comply with.  A strong connection to local authorities is also critical to achieving success in securing data that is part of national security.

So what does this all mean?  Certainly my focus is on higher education, but the skills and mindset needed to be a successful CISO are enterprise agnostic.  And while each vertical will have its own unique challenges, the mission is the same.  I’d like to close by portraying the CISO role in a new light, as a rock star.

We are all familiar with some of the greatest hits of 2014: the Heartbleed panic, XP’s end of life, and yet another IE issue.  If you are like me, information security garnered a great deal of attention when these security concerns made it into the mainstream media.  As a result, for a few days after each event, my phone rang numerous times from members of my community that I rarely get an opportunity to engage with, my daily email stream became a deluge, and requests for my guidance and opinions increased dramatically.

For about 72 hours after each of these events, the CISO became the rock star.  Everyone wanted my opinion on how such events impacted our organization.  Several of them wanted to know what they should do personally.  Another subset actually took the opportunity to dig deeper into other areas of security.

So what does this mean to us as security practitioners?  It means that those we serve look to us for guidance.  They want to know that we are there to help them, and they understand that we are the go-to people when their lives are impacted through technology.  We are the ones they rely upon to cut through the noise, hype and jargon.  More and more of our communities are realizing that technology is no longer just a tool for their use, but it has become something they must pay attention to relative to security and privacy. We are the ones with the answers for them.

So when the next unexpected security event hits us, and our schedule and routine gets completely pushed aside for us to address yet another issue, prepare for the calls and requests that you will receive from a curious or panicked community.  Encourage these calls.  Tell them that you are there to help, and are happy to provide the insight and sense of calm that they need.  For a few days, be thankful that you are the rock star that they are looking for, and that you can fulfill this role.

 About the Author:

David Sherry is the Chief Information Security Officer at Brown University. His institutional responsibilities are to provide proactive security expertise and guidance, engineer robust security architecture, champion strategic security vision and policy, and enhance the culture of security awareness. As the university spokesman for information security and privacy and as CISO, he also plays a key role in the record management program, copyright compliance and protection, risk assessment process, and serves as the University DMCA agent.