6 Steps to Become a Security-Forward Institution
When I became Brandeis University’s Chief Information Officer, our security posture was, to be kind, lacking. It was not that the information technology security group fell short. As a matter of fact, they worked very hard to better protect the institution. They simply could not get any traction with senior leadership or the community. People generally felt that the IT department was trying to encroach on their privacy, which opens a whole other conversation about how much privacy an employee should expect. Also, the never-ending struggle to get faculty to understand that they are employees, just like the staff, is one that higher education institutions wrestle with all the time. Who owns the organization’s email? Ask several people, and you would be shocked to find that many of them think they do. (For the sake of answering the question, the organization does.)
We were running systems that had no patches and were in grave danger of being compromised. When I arrived, it was like going into a messy room and feeling overwhelmed by it. Where do you start? Does it even matter? It just felt like we needed to be cleaning something, anything. From that point on, we never looked back.
Six Steps to a Stable Environment
I thought about how to cover what we did over several years in a short format. I came up with six steps we took to become a more stable environment. I would like to clearly state that we are by no means perfect, but I do believe we have moved the needle in a positive direction. Let’s continue with the understanding that a completely secure organization does not exist. Then again, what in our technological world is perfect and permanent?
Step 1: A Strong Chief Information Security Officer (CISO)
A strong CISO is a requirement for improving your posture. It must be someone who not only grasps the landscape but understands the community they are working with. The individual needs to be able to talk to the board of trustees, senior leadership and the user community. As technology people (and I feel qualified saying this), we tend to talk above people’s understanding. So, having a CISO with the ability to communicate across different groups is a necessary skillset for success.
In addition, the CISO role continues to evolve. It is amazing how much a CISO must understand state and government laws and work with the university counsel office on a regular basis. Data privacy plays a large role in decision-making for organizations and can be a CISO’s friend. Introducing data security changes has more teeth when they are tied to compliance.
Step 2: Educate Leaders to Invest in Security
Educate the board of trustees and senior leadership on the importance of investing in security. While obviously easier said than done, it is a bit better than it was five or ten years ago. Security events are more widely reported in mainstream media, and data privacy has found its way into their lives. When working with groups like these, there are varying amounts of comprehension. It is extremely important to make sure everyone has the same baseline understanding. I have found that providing numbers tends to speak volumes with these groups. I once had a trustee approach me after a presentation to say that I “scared the crap out of him.” Mission accomplished!
Step 3: Make a Plan
Come up with a sequencing plan that makes sense for your organization. Over the past five years, Brandeis University has introduced new ERP and CRM systems. I was able to utilize the new ERP system to enact wide-ranging change for the institution. Of course, not everyone has a large change like this to hitch their trailer to. The ERP and CRM systems have forced the institution to have necessary conversations that were previously considered taboo. These system changes are responsible for the formation of a data governance program and clearer definitions of data. Five years ago, we needed to institute security policies including a written information security program (WISP), upgrade firewalls, introduce two-factor authentication, stronger spam filters, penetration testing and internal phishing programs—and the list goes on. These were all individual projects of varying size. However, most of them had a direct impact on the community and had to be managed delicately. It was a substantial amount of change, but we sequenced these changes and never forgot that each one was a piece of a larger puzzle. We assured the community that they would receive the appropriate support and, by delivering on this promise, we received wide acceptance.
Step 4: Execute the Plan
I break this out from step 3 because in higher education there tends to be a lot of talk and a lack of action. Everyone seems to have a reason why you can’t do something. Most of the time, it is directly related to change. Many people cannot believe that something bad could happen to them. Or the other argument is that we—the IT folks—are paranoid or, even worse, playing Big Brother. When it comes to security, we must be more forceful, which flies in the face of a higher educational environment. We must remember that our purpose is to protect the institution, which sometimes requires us to tell and not ask. We try not to do this, and even when we do, we work hard to find the correct tone and ensure understanding.
Step 5: Educate the Community
Educate the community and give them some ownership or responsibility. You must work with the community, as the execution will have a direct impact on them and how they operate. We began running security awareness training several years ago. Attendance has been sporadic, but it is a form of outreach that we continue to improve on. As the environment becomes more volatile, people are approaching us. We have found that the students tend to accept change better than staff and faculty. For example, introducing two-factor authentication to students was far easier than it was for faculty. Most students were aware of two-factor because it had become part of their daily lives.
We recently reduced the amount of time one needs to authenticate their account, and it was not the event one would think it was. The majority of the community understood what we were doing and why we were doing it. Had we done that a few years ago, it most certainly would have made waves. Another example of how the community has become accustomed to being more vigilant is through internal phishing programs. When we began running them, we received a large number of complaints. Some people viewed it as a gotcha technique, which is, of course, not the point. We have elevated the difficulty of these, as real hackers have done the same. We do not hear the complaints anymore and often receive positive feedback.
Step 6: Monitor and Look Ahead
Monitor and continue to look ahead. As technologists, we must continue to watch the landscape and be agile. We must keep our respective communities updated and protected. It’s a continuing conversation that takes place in trainings, town halls, awareness fairs, onboarding and community newsletters. As technology continues to change and hackers become more sophisticated, we must up our game and endeavor to keep one step ahead. At the same time, we must understand our community and its capacity and appetite for change. It is a balancing act to be sure, but we must pay attention to keep from falling.
Author Perspective: Administrator