In this interview, David talks about the lessons he learned as CISO of Brown University and discusses unique BYOD challenges, the value of education for the modern IT security professional, and much more.
How many incidents do you deal with on a yearly basis? What type of threats present the biggest headache?
As a CISO of a university that has a great deal of decentralization, incidents are a part of daily life. Whether it is a compromised host, an account that is sending spam messages or attacks on the border, we are almost always researching, watching or addressing an incident.
Hard numbers are difficult to determine (and I would not share them anyway), but it is safe to say it would be in the hundreds, although the incidents would be of varying degrees. Only a small percentage would escalate up our Incident Response process for a widespread impact. Our biggest threat is compromised hosts, which often occur in a decentralized area, but not always.
Higher education is an open environment, where information sharing and academic freedom are important to the culture and the individuals. As a result, servers are sometimes built in a way that makes them vulnerable to attack or compromise. We work with the owners and admins of a compromise to correct the vulnerability quickly and efficiently, in order to not hinder the work that the server is doing. Identification and mitigation time are both critical metrics to look at and analyze.
We also take each event as a learning opportunity to get the security message across and reduce the possibilities of further issues. Of course, we also have instances of phishing and spam attacks, but a compromised server is our biggest concern.
How do you deal with BYOD in an environment where probably every student has at least one mobile device?
Higher education has been dealing with BYOD for a very long time, especially with both faculty and student populations. And we are constantly in need of upkeep as the latest and greatest technologies arrive on our campus after each summer and holiday break. And you are correct in your assumption of “at least one”. We actually deal with BYODs, as each student arrives with multiple smart devices, laptops, wireless printers and gaming devices, as well as emerging TV and video devices.
It is important to our university to ensure that all of our distinct populations have the access that they need, on the device that they need. We utilize a combination of network registration, authentication and authorization, as well as secure wireless. We constantly monitor the balance between access and risk, and dealing with mobile access and mobile devices is simply part of an overall risk management strategy for protecting data.
What are some of the lessons you learned as CISO of Brown University?
I have, of course, learned many, many lessons here at Brown, both personally and professionally. There are a few that stand out for me though. First and foremost is the value of information sharing. CISOs in higher education are focused on sharing best practices, policies, project plans and more, all to create a more secure academic community. This is especially important given the amount of federation and sharing with other institutions across the country and around the world.