Oct 31 2006

Q&A with Stan Gatewood of the University of Georgia

Maintaining a secure network is a daily struggle, but University of Georgia Chief Information Security Officer Stan Gatewood knows he has to stay one step ahead of the bad guys.

Stan Gatewood is the chief information security officer (CISO) at the University of Georgia in Athens (UGA) and a leading expert on information security, infrastructure protection and electronic privacy. He has lectured and written extensively on security issues and serves on numerous security advisory boards and associations.

EdTech: From your military background and now within academia, are you seeing more schools hire CISOs? Or are they still having the CIO do double duty?
Gatewood: I see a mixture. I am not seeing schools hire specific CISOs. Most of the time, they initially attempt to take someone from IT and make him or her a CISO, and that's a formula for near disaster. CISOs are different. They have a background in technology, but they also have a background in either military or law enforcement on the forensic or investigative side. They're a different breed altogether, and that's one of the reasons why I fight so strongly for the separation of IT and information security.

EdTech: Do you agree that there's a certain skill set that an individual should have in order to be a CISO?
Gatewood: Absolutely. From an IT perspective, every problem has an IT solution, and that's not always the answer. The sweet balance of policies, processes, technology standards, best practices and awareness is what you're trying to achieve. If you continually throw hardware and/or software at a security problem, you'll spend lots of money, waste lots of time and probably not garner much respect or have much success. Security has been – and always will be – a people issue.

EdTech: What are your most pressing security challenges now? What do you see most of your efforts going toward?
Gatewood: We concentrate on six areas. We look at business continuity/disaster recovery, policy management and compliance, user and desktop security, incident response, security information management, and, last but not least, security awareness training and education. Those are what I call the six tenets. No matter what the budget is, we will do those things.

EdTech: You mentioned security awareness training and education. Is that something you initiated?
Gatewood: Absolutely. We didn't have any formal security awareness training or education at any level. We quickly found out that that's the best bang for your buck. But we also found out that once the story's told, it can't help but get old. You have to mix it up through different distribution and media methods and at different levels.

EdTech: What's in your toolkit right now to fight both internal and external security threats?
Gatewood: We use a layer of security architecture. On our gateways, our touch points to the Internet, we have two of the very strongest IPSs [intrusion prevention systems] that we can find. We have IPSs, firewalls and IDSs [intrusion detection systems] internally. We do some level of vulnerability scanning almost 24 hours a day, seven days a week, and we run Web and database scanners, too. We also have homegrown applications that tell us if a person's computer is registered, if the machine is registered with us and if it has an antivirus program running.

EdTech: Have you had many breaches?
Gatewood: Yes, we have. Every university has them. But the beautiful part now is we can say, “Hey, look, that's a breach attempt.” In the past, we would say, “I don't know; I guess it's an anomaly; let it go.” We are doing things much smarter, and we're seeing much more with SOC, our security operations center.

It's a little frightening. I approach the systems administrators group and say things like, “We've seen one million attack attempts [from outside the university]. That's the good news.” And they look at me like I'm strange and ask, “What do you mean, that's the good news?” And I answer, “Well, the bad news is four million attack attempts emanated from UGA, and we now see those as well.”

EdTech: Four million attacks emanated from within the university?
Gatewood: Approximately … from misconfigured machines, a Trojan horse, very weak passwords, rootkits, unnecessary services and applications that are not running properly or are not patched properly. Things like that. But we're starting to stem that; we're starting to turn that around. You can't secure what you don't know about or can't see.

EdTech: You mentioned that you found more breaches during winter and spring breaks. Is that accurate?
Gatewood: Yes, we see increased attempt activity. You have students who stay behind, and the university has big pipes, throughput and resources, plus you have other students who have gone home and want to check their e-mail, surf the Web, do some class work and talk to their friends. You've got people from the outside trying to come in and people from the inside doing whatever they want to do. It's the “idle minds” situation.

EdTech: How many people are on your team?
Gatewood: I have seven. But one of the great things about the program is that we are deputizing someone from all 13 colleges and schools within the university. This means I have a security contact or liaison within every school/unit.

I not only have people I can call during a breach or hack, I also have people I can train and know that when asked a question, they're going to give a pretty standard answer because they have a common body of knowledge.

EdTech: What advice can you give to other administrators that you've found on your watch? Is there anything that's unique to UGA or to your background?
Gatewood: At the University of Georgia, we do one thing that probably separates us: security information management, or SIM. This means we gather data from our switches, routers, IPSs, IDSs, firewalls, system logs, event logs and vulnerability scanning engines. All of that goes to our security operations center, so we can look at our network and systems from a holistic view.

For example, we can find out that a college has a virus outbreak and determine whether it is the only one. We can tell if we've been scanned or probed, and who did it and where it came from. We also have the ability to do forensics – network, data and computer forensics – from within our SOC. I think that separates us from a lot of places. And we rely heavily on our security awareness, training and education.
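The security information management idea Gatewood describes, with IDS/firewall alerts and the homegrown registration/antivirus check pulled into one view, is sketched below as an added example; it is not UGA's code, and the addresses, college ranges, signature names and log lines are all constructed for illustration. It separates inbound from campus-originated attempts, names the offending internal hosts with their registration and antivirus state, and shows whether a worm signature is confined to one college.

```python
import re
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Hypothetical campus ranges mapped to colleges (constructed, not real allocations).
COLLEGE_NETS = {"10.10.0.0/16": "Arts & Sciences", "10.20.0.0/16": "Engineering"}

# Constructed feed as a SIM would collect it: IDS alerts, a firewall log and
# the host registration/antivirus check, each keyed by address.
EVENTS = [
    "ids src=203.0.113.7 dst=10.10.4.2 sig=SSH_BRUTE",
    "ids src=10.10.4.9 dst=10.10.4.40 sig=SMB_WORM_PROPAGATION",
    "ids src=10.10.4.9 dst=10.20.1.5 sig=SMB_WORM_PROPAGATION",
    "ids src=10.20.1.5 dst=10.20.1.6 sig=SMB_WORM_PROPAGATION",
    "fw src=10.10.4.9 dst=198.51.100.3 action=DENY port=445",
    "host ip=10.10.4.9 registered=no antivirus=stopped",
    "host ip=10.20.1.5 registered=yes antivirus=running",
]
KV = re.compile(r"(\w+)=(\S+)")

def college_of(addr):
    """Map an address to its college, or None when it is outside campus."""
    ip = ip_address(addr)
    for net, name in COLLEGE_NETS.items():
        if ip in ip_network(net):
            return name
    return None

def correlate(events):
    """Holistic view: inbound vs outbound attempts, offending hosts, spread."""
    inbound = outbound = 0
    by_source = defaultdict(Counter)   # internal source -> signature counts
    host_state = {}                    # address -> registration/antivirus facts
    for line in events:
        kind, rest = line.split(" ", 1)
        f = dict(KV.findall(rest))
        if kind == "host":
            host_state[f["ip"]] = f
        elif kind in ("ids", "fw"):
            src = f["src"]
            if college_of(src) is None:
                inbound += 1           # attempt from outside the university
            else:
                outbound += 1          # attempt emanating from a campus host
                by_source[src][f.get("sig") or "fw-" + f.get("action", "?")] += 1
    spread = defaultdict(set)          # signature -> colleges it was seen from
    for src, sigs in by_source.items():
        for sig in sigs:
            spread[sig].add(college_of(src))
    sources = {src: {"college": college_of(src), "events": sum(c.values()),
                     "registered": host_state.get(src, {}).get("registered", "unknown"),
                     "antivirus": host_state.get(src, {}).get("antivirus", "unknown")}
               for src, c in by_source.items()}
    return {"inbound": inbound, "outbound": outbound, "sources": sources,
            "colleges_per_signature": {s: sorted(c) for s, c in spread.items()}}
```

Run against the constructed feed, the report shows one inbound and four campus-originated attempts, and that the worm signature has already crossed from one college into a second.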

The University of Georgia

Location: Athens, Ga.
Founded: 1785 as the first state-chartered university in the country
Enrollment: 33,405 undergraduate and graduate
Annual budget: $1.2 billion
Superstition: If a student walks through the Arch while a freshman, legend has it that he or she will never graduate.

Tom Halligan is the editorial director of EdTech.