Princeton, Cal State and Ohio State CISOs Discuss Cybersecurity and Their Roles in the Higher Education Sector
The higher education sector is like no other vertical among the critical industries. Each institution resembles a municipality, comprising retail, healthcare, physical security, fire station and police force – and perhaps 10,000 new potential student hackers every year.
It requires a special quality of CISO, and in this installment of SecurityWeek’s CISO Conversations series, we talk to three of the best: David Sherry (Princeton University), Ed Hudson (California State University) and Helen Patton (Ohio State University).
So, what does it take to be a CISO in higher education? David Sherry has two suggestions. The first is the ability to understand the culture of your organization. This will vary across sectors and between companies.
“Our mission statement,” he explained, “is to make security programmatic and cultural. And you cannot do that without understanding the culture that you’re in. I could not do my job at Princeton with the mindset of working at a top ten bank. They’re not the same. If I tried to utilize the same methodology and vision of the banking industry in higher ed, well, I’d be tarred and feathered on the main green pretty quickly. So, understanding that culture is first.”
The second, he added, is coolness under pressure – you cannot be a leader if you panic. “People like to see someone who takes command in a pressured situation, whether it’s 48 hours to flip your model from on-campus to off-campus in response to COVID-19, or an attack coming from a nation-state or whatever.”
Helen Patton’s suggestion possibly encompasses these – and much more – in two simple words: a CISO needs ‘emotional intelligence’.
Recruitment and diversity
Staff recruitment and diversity are issues that are closely related and important to all CISOs. Recruitment is made difficult because of the huge skills gap in cybersecurity, while increased diversity – in this instance focused on increasing the number of women engineers – is seen as a method of closing that gap. But the advantages of diversity go beyond just adding numbers to the potential labor pool.
“Diversity is a passion of mine,” comments Hudson. “It’s very important in higher education, but it’s also important for society in general.” There is evidence, he suggests, to show that when you intentionally leverage diversity of thought, race, religion, and gender, you get better solutions to problems. “When you can bring together diversity of background, diversity of thinking, diversity of approach you just get a view that is more dynamic than the myopic view of continuing to do things in the same old way.”
With women in cybersecurity, there is one fascinating statistic: the ratio of women to men CISOs is far higher than the general ratio of women to men engineers. This raises an interesting question: is there something in the female psyche that makes women particularly suited to security leadership?
Ohio’s Helen Patton thinks not – or at least not in such simple terms. “I’ve met female CISOs that I hugely respect, and I’ve met female CISOs I don’t; and I think that’s true for men as well. So, I’m hesitant to stereotype a class of people, male or female, as being more of this or less of that. I still look at the individual and the circumstance in which they work as being more important.”
But there is a proviso. “I think one thing that is a common experience for women in this profession is to be the outsider. You can’t help it; every conference you go to, every meeting you go to, you are the one or the two percent in the room if you are lucky. This forces you firstly to see things from a slightly different perspective and recognize that you’re seeing from a different perspective; and secondly to try to find a way to bridge back to whatever the common conventional wisdom is and to question it.”
For Patton, what women bring that is new is not from being a woman, but from being a minority. “I think there are skills that are honed when you are a minority candidate of any minority, that you are forced to hone just because of your experience. But sometimes in some organizations that’s a positive and sometimes that’s a negative and so it’s hard to generalize.”
Nevertheless, it supports Hudson’s view that diversity is a wider issue than just male/female, while succeeding from a minority background will require and hone Patton’s ‘emotional intelligence’.
Hierarchy, soft skills, compliance, and the higher education culture
The CISO’s need for, and use of, soft skills is a theme that recurs through this series. Usually it is in terms of bridging the gap between the official reporting structure and the reporting structure required to be efficient. Most CISOs believe that the modern CISO needs to be both a businessperson and a techie.
Businessperson or techie?
“I am both,” says Patton. She has a strong technical team around her, but relies on her own technical skills to understand and guide them. “My day-to-day job,” she adds, “is primarily exercising my business skills – everything from emotional intelligence to business planning, and organizational planning, strategic planning, legal compliance, and risk – that’s where I spend my time. It’s not arguing about firewall configurations and endpoint management tools.”
Sherry believes the balance depends upon the organization, particularly in terms of size. Small concerns may need a rock solid technical CISO who is more tactical than strategic. In larger concerns, so long as the technology is working, the CISO may need to be more strategic and businesslike; “But I do agree,” he adds, “that having the right balance between the two is probably best.”
Most top CISOs are not too concerned about their position within the corporate – or in this case the educational – hierarchy, so long as they can influence if not control security policy. Influence comes down to relationships which comes down to soft skills.
The optimal position within the organization’s hierarchy is a continuous debate among CISOs. Surprisingly, most top CISOs are not too concerned, provided only that they can effect change where and when it is necessary. “I have two bosses,” comments Patton, “I report to the CIO who reports to the Provost who, in a non-higher ed environment, would be considered the Chief Operating Officer – and he reports to the President. So, through that lens, I am three layers down from the President. My other direct report is the Chief Compliance Officer who reports to the head of legal who reports to the Board. So, in that regard, I am two or three layers down from the Board.”
But, she continued, “It works. My philosophy on this is organizationally there is no pedantically correct answer to that question. It depends on the institution and whether or not you can be effective in the role you are in. Here, even though I am two or three levels down from the top of the tree, I get to have regular interaction with the top of the tree. I have bosses who allow me to speak freely. We are not overly hierarchical in terms of messaging in our organization.”
However – and this is important – she is philosophically opposed to the CISO reporting to the CIO. It works in her case, but only because of the people involved: “My personal thoughts on this is if you take personalities out of the equation, it is not appropriate for the CISO to report to the CIO. But you can’t take personalities out of the equation so I think it can work, although I think, philosophically, it is not the preferred option.”
Sherry has a similar view. “The easiest answer to where the CISO should sit is where he or she can have the most influence – and that depends on the vertical and the organization. But I believe the CISO should sit in the IT structure. I report to the CIO, as do many other CISOs – but I believe the best situation is to be equal with the CIO reporting up to whoever the CIO reports to.” That time hasn’t yet come, but Sherry believes it must. Ideally, the CISO should control his own budget; or at least, like Sherry, have “a CIO who is extremely security-minded and security-conscious so I never have to worry about my budget being cut.”
Both Patton and Hudson have a proviso to these viewpoints. Hudson suggests that, “If you’re in a situation that is not a good fit for you, then you’re not in the right organization. You probably need to go to an organization that’s more the fit for the type of CISO you want to be.” Patton adds that the CISO must first try to change the situation so that it works. If that’s not possible, she says, “You don’t really have much of a choice but to look for something different.”
Hudson believes that soft skills are also necessary for the smooth running of the higher education culture. Here they are necessary to bridge the divide between strict compliance requirements and more relaxed student attitudes.
Compliance is an issue on its own. Some CISOs see it as a boon to security, some see it as a burden, and others see it as both. “It can be a boon in terms of possibly getting extra staff or technology or consulting dollars,” says Sherry; “or at least, shining a light on the need for it. But it can certainly be a burden when it’s just a litany of checkboxes on a checklist.”
Compliance is complex in higher education because each institution involves huge numbers of potentially vulnerable young people – including healthcare, finance, intellectual property, physical security and more. While staff welfare can be largely handled by HR within traditional corporations, student welfare is subject to its own range of regulations. For this reason, Patton believes that the CISO must not be the compliance officer. “In the context of higher education, the CISO should absolutely not be the Compliance Officer,” she says. “I am the Compliance Officer as it relates to technology and risk. I play that role, but in a higher ed environment there are so many kinds of compliance – everything from sexual harassment to occupational health and safety, and to all those things. There is more to compliance in my world than just technology – there are many kinds of compliance that need to be considered. And for that purpose, I report to the Compliance Officer.”
Hudson’s view is complex – he fears the rigors of compliance can interfere with the culture of higher education. “It is probably one of the more challenging areas, for CISOs in general, but certainly for CISOs in higher ed,” he says. “There are two flavors of CISO. There’s the compliance-driven – I call that the Abominable No-man – who simply says ‘you must’, ‘you shall’, or ‘we have to do this’ – and I think you are going to be very frustrated if you are that kind of a CISO in higher ed. And then there’s the one that casts the wider net, the more strategic net; so, the balance is how do we meet our compliance requirements and not be seen as, or construed as, or be a barrier to what the institution is trying to accomplish. And that’s one of our more challenging issues.”
This is the second use of soft skills – being able to be legally compliant but not operationally obstructive.
It’s a challenge, but one of those fascinating challenges that has kept Hudson within the higher education sector. “I get to address issues around banking regulation, healthcare information, privacy regulations – regulations having to do with the student records and how we safeguard those. We’re a state agency so we have numerous state regulations. It makes for an interesting job, for sure. But the balance is, how do we fulfil those requirements and do it in a way that we don’t become a barrier, or be perceived as a barrier, to academic attainment and student success.”
The secret, he suggests, is for security to be frictionless. “My ideal is that information security should be happening behind the scenes. My users are aware of security, but are not slowed down by it. We place a high degree of importance on communication and awareness; so, when we roll out a technology that maybe causes a little bit of friction, people understand why it is necessary. They become part of the process. Then you can look at something like multi-factor authentication which requires an extra step in the process. But if we’ve done a good job, it doesn’t become friction, because they understand why we’re doing it and what’s happening behind it, what the benefit is to them.”
Recognizing and learning from good advice is an essential process in the development of strong leaders. For Helen Patton, the advice was an epiphany moment when she was told, ‘You’re right, but you’re not being effective.’ “Like a lot of security people and a lot of CISOs,” she said, “we pride ourselves on being smart and we pride ourselves on having a lot of data, and we leverage that data to pound our point forward. It was following a meeting when I was told this. Yes, I was accurate, and I was saying the correct thing; but my message was not getting across. It really made me step back and go ‘it’s not enough to be right – it does not mean people are going to act on your recommendations. You must win their heart and mind. Heart and mind – not just their mind.’ It’s all about influence and persuasion and, dare I say it, coercion and knowing when to apply those skills.”
David Sherry recalls advice he was given – some of which reflects the advice given to Helen Patton. “Speak with data,” he said, “but don’t speak in techie language. You must put the right data into the right context for businesspeople. They’re not interested that your firewall stopped 1.2 million suspicious requests last week, they’re only interested in the one or two that weren’t stopped.”
The other advice he took to heart was that, “Until you have earned trust and created relationships, be slow to speak and quick to listen. You have to find out what people want before you can offer solutions. You cannot suddenly appear like a knight in shining armor who’s going to solve world peace overnight.”
The advice Ed Hudson received came early in his career, when he still had a linear analytical approach to security and threats. He understood the security and threats of his time very well – but the reality is you don’t get caught by what you know, but by what you don’t know. “You have to be flexible,” he was told. “You have to be ready for contingencies – be flexible.”
That is the advice that Hudson offers to emerging security leaders. Patton, however, says, ‘know yourself and your team.’ “To be a leader in security, as an individual you’ve got to know yourself – but as a leader of a team you’ve also got to understand the boundaries of what your team is willing to do and what it’s not; where you’re willing to lead your team and where you’re not. ‘Know thyself’ is still probably for me the best advice for a budding leader.”
Sherry’s advice is to thoroughly understand the culture of your organization – which is probably different in higher education than in any other vertical sector. “When I was in the banking industry,” he comments, “I had the authority to say ‘thou shalt do this, and thou shalt not do that’ because I was protecting $250 billion of other people’s money. It’s not like that in higher education, where being the CISO is like being the CISO of a small city. I have a fire station, I have a police squad, a rescue squad, I have museums, public parks, parents, donors, visitors, athletic teams, sports boosters, as well as all the faculty staff and the students. And in all this I have to provide an environment that remains conducive to learning and academic exploration.”
Unsurprisingly, given such a wide threat landscape, there is little agreement over the greatest coming threats to the sector. Sherry and Hudson are concerned with the more ‘traditional’ threats. Hudson sees them coming from the criminal use of artificial intelligence (AI). We’ve seen AI’s value in detecting threats, but we haven’t yet seen how it will inevitably be used in conducting cyber-attacks.
For Sherry, the threats come from the explosion of IoT devices. “Everything now seems to have some kind of chip in it, needs to have some firmware upgrade, needs to have some security mindset,” he said. “I’m not worried about the Microsofts and the Oracles and the PeopleSofts – I’m worried about the new light bulbs coming in, or the new security camera that’s going up. They may be fine for now, but 18 months down the line they could be attacking me because everything new now has its own IP address.”
Patton takes a completely different view. “I think our government regulations are probably the biggest threat to higher education,” she said. “The people giving advice to our governments and our regulators are big companies that are private industry profit driven. Most of higher ed is not private industry profit driven. There is a different purpose for higher education, particularly a research education institution, and the regulations that we are being asked to comply with often don’t align easily with higher ed. There is huge pressure on higher education to be cheaper. This is going to get worse as we have to reskill an awful lot of people whose jobs are going away because of the COVID-19 pandemic. We need to be cheaper and we need to be faster. That’s fine; but at the same time, we’ve got regulators who are coming in and imposing regulations on us that make us not cheap and not fast. We’re in conflict, and that’s really challenging.”
Effective sharing of information on threats and solutions is something frequently urged but rarely achieved. This is not so in higher education – many of the leading institutions belong to an organization known as Educause, where the former CISO of Quinnipiac University, Brian Kelly, is director of the cybersecurity program.
“I am an avid supporter of Educause,” comments Ed Hudson. “It gives me a whole cadre of people to go to, who, if they haven’t already solved an issue, they’re solving it at the same time as I am trying to solve it.”
Apart from peer advice, Educause members also work on sector-specific security tools. “The group has done some great things when you look at the tools that we have developed, collaboratively, together within Educause. Things like the higher education information security community security maturity assessment tool (HESCSMAT) – a self-assessment tool that higher-ed organizations can use to help assess the maturity of their security program. And there’s the higher education cloud-vendor assessment tool (HECVAT) which allows us to assess the security posture of cloud vendors.”
For the moment, Educause within the higher education sector is unique – but it is perhaps a model that other sectors could emulate. “I think a lot of industry silos could benefit from this kind of approach,” continued Hudson. “It’s one of the challenges in cybersecurity – we haven’t always been good at sharing with each other. That’s not the case in higher ed. We’re ready to reach out to our brothers and sisters and say, ‘help me solve this’. I didn’t see that when I was in the private sector. There it’s one of those things where you hold your cards closer to the chest for all the understandable reasons. But I do think that the Educause approach would be really beneficial to other industry verticals.”