Q&A with CSU CISO William Perry on Higher Ed's Future
William Perry, chief information security officer at California State University, joined the system four years ago after working several years within the banking and finance industries. His private sector experience in IT security has informed a progressive approach to data security at Cal State — one that has also gained the attention of other institutions nationwide.
Perry recently spoke with EdTech Managing Editor Tara E. Buck about what’s behind the rising number of cyberattacks on college systems as well as the technologies and practices higher ed should turn to next for greater protection.
EDTECH: Do you find that it’s easier or more difficult for higher education to protect against attacks than organizations in the private sector?
PERRY: It’s the same challenge — the difference is how they view cost.
When I worked in banking, we saw risk as a cost. Higher education takes a measured approach in how we mitigate risk and how we evaluate it. I am trying to change the mindset that risk is tied to cost because, when an incident occurs, it costs us to mitigate.
With the amount of information we have and the general openness of our networks, it is imperative that we protect them.
EDTECH: Why does higher education seem to be at greater risk for attacks?
PERRY: We collect a lot of student data, which is important because a lot of students are younger, and have not damaged their credit. We have Social Security numbers, medical records and other information that is worth money on the dark market.
We also have limited resources, especially at institutions like Cal State that are state funded. We don’t have a large budget, so you feed those things you believe are highest on your list. For us, it was ensuring we provide students access to more IT and data that grew our security footprint.
EDTECH: Higher education today utilizes more Web 2.0 technology that also relies heavily on network security. What are the top ways that campuses can protect themselves as networks grow?
PERRY: When you look at companies like Target and Sony, these are large firms with lots of resources, and they still were hacked. It sounds simple, but the best thing institutions can do is train their staff, students and constituents on safe ways to work on the Internet.
When I was a student, we shared things over bulletin boards or on sites like Napster. Today there are a lot more ways students can expose data, from sharing sites such as Facebook to their phones and other devices equipped with microprocessors.
Even people who are careful can be hacked. I’m not saying the future is bleak, but we’ve entered a new paradigm. Everyone needs to, at times, take a step back and think about how they live in this world and what they can do better.
EDTECH: Beyond user education, what are some other unique or progressive steps your team has taken to address cybersecurity?
PERRY: We use a lot of tools, but one in particular is defense in depth. It incorporates a number of factors, including next-generation firewalls, a behavioral network monitoring system, anti-virus, signature-based protection and other proactive tools.
Cybercriminals are smart and can adapt to changes, so we focus on behavioral-based tools that watch the packages flow across the network. When something odd happens — like a package filtering data at 3 a.m. — then it proactively stops that and sends information to every connected machine.
EDTECH: What other security tools are on the horizon?
PERRY: Data encryption can only get better. It will be a new type, homomorphic encryption, which is becoming a more popular way to protect databases and information.
We may also see an increase in password defenses. In the old days, we used brute force hacks. Now, computers are so fast that, unless your password is 15 characters long and incredibly complex, it can be figured out in a matter of minutes. People will need to incorporate longer passwords that, combined with better encryption, can help ensure defense.
EDTECH: How receptive have other higher education leaders been when you discuss the future of cyber risks?
PERRY: It’s a mixed bag. I almost compare it to the real estate market — there will be people trying to sell property at the high end of the market even after the bubble bursts. It just takes time for some to catch up to the new reality.
You will find that spectrum here at CSU and within any organization. Some people get it early and tell others what they need to do to prepare. There are others who think it will never happen until it actually does.
That is not just common to higher education, but everywhere. Higher education looks like it could be slow because it traditionally has less funding than other private sector organizations. If you are a for-profit organization and you are doing well, and you know that this may pose a risk to your bottom line, you can be more agile in fixing that. With higher ed, we have to be a little more careful.
EDTECH: You’ve spoken frequently on a national level and work in a partnership with the Department of Homeland Security. How did that come about?
PERRY: As the chief information security officer at CSU, they keep in touch with me, letting me know what is happening and asking me to help spread the word. I meet with CIOs and CISOs at other campuses to pass along information and inform them as to things that are happening and what we can do to be prepared.
For example, we get notices that are not always true, but there are some false positives. We’ll get a notice that says CSU servers are under attack from a certain country. We’ll tell these campuses what we’re seeing and tell them to run some type of compromise assessment on their servers to let them mitigate that risk. We don’t have the resources to always fix it, but we can put a finger in the dam where we can.
EDTECH: This summer you spoke at Campus Tech on the risks to that community. What else have you been working on?
PERRY: I am going to constantly be passionate about educating folks about information security. I am a member of the California Cyber Security Taskforce. The Governor [recently] put out an executive order asking our members to be part of an incident response team for the state, along with taking part in an information sharing group.
When it comes to cybersecurity, the more you talk about it the better. The more I tell you to look both ways before you cross the street, the more you will think about that before you cross the street.
And so that’s what I am passionate about; that’s what I try to do when I am out speaking. At Campus Tech, that’s one of the things I tried to say: you have all these new tools in place, but the biggest bang for your buck is to train new people. You need to find new and exciting ways to talk about information security to people so that they get it.
The ease and use of technology is so great that people will often forget to be safe when they are out there.