Being a CISO at a higher education institution
by Zeljka Zorz - Managing Editor - 17 June 2014.
In this interview, Matt Santill, CISO of Broward College, talks about the requirements and peculiarities of his job, the technologies the college uses to make its network safe, and offers advice for CISOs working in other educational institutions.

Describe what it means to be the CISO at Broward College. What are the requirements and peculiarities - network-wise and in regards to the users - you needed to meet, and what were the problems you needed to solve to meet them.

My work experience has been primarily in corporate America before coming to Broward College. I worked for a Fortune 100 company and a few other publicly traded organizations. Our goals were always focused on bringing shareholder value by reducing risk. In higher education, it is all about ensuring the success of our students. This requires a more open environment. I knew that in order for us to move the information security initiatives forward, they would have to be less impacting on the end user but still allow for adequate protection and control. We focused on technologies that were less invasive and more behind the scenes.

One of the challenges was to secure BYOD when it had already been the norm for students for years. We had to meet that security challenge without interrupting the current environment. We did this through a combination of ForeScoutís NAC solution, CounterACT, and Fortinet's UTM Firewalls. We block a lot of viruses, botnets, phishing attempts and malware without anyone knowing.

You've occupied this position since September 2011. How did your job change through the years? What dangers has the college faced? What are you most worried about currently, and what new technologies you believe users will turn to and will present new challenges for you and for your team?

When we initiated the information security program in September 2011, it was focused mainly within the IT department. We've expanded our scope from just IT security to include information compliance and risk functions, which are really college-wide goals that include every department. It is important that information security does not stay focused entirely on technical controls. I think a lot of departments forget about the physical component and administrative processes of securing information.

A lot of us come from technical backgrounds, which makes it difficult to look at the bigger picture. It is absolutely critical to look outside of IT when developing your strategy. We look at everything now, from locked file cabinets to how mail is carried between buildings. You can never secure every avenue of data loss, but you focus your efforts on the areas that pose the highest risk.

The college, like most organizations, has a variety of threats on any given day. There are a number of phishing attacks and unauthorized access attempts that we block regularly. Our single most important tool in preventing a data breach is our ability to monitor and analyze malicious traffic in real-time. If you don't know what you are up against, it makes it very difficult to provide adequate protection. Monitoring and taking action is a 24x7 job, unless you have the funding for a fully-staffed SOC, you should consider outside assistance from a MSSP.


Harnessing artificial intelligence to build an army of virtual analysts

PatternEx, a startup that gathered a team of AI researcher from MIT CSAIL as well as security and distributed systems experts, is poised to shake up things in the user and entity behavior analytics market.

Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.

Daily digest

Receive a daily digest of the latest security news.

Mon, Feb 8th