Panelists Sol Bermann, CISO for the University of Michigan, Stan Waddell, CIO for Carnegie Mellon University, and David Sherry, CISO for Princeton University, discuss how to balance innovation with IT security operations.

Nov 01 2022

EDUCAUSE 2022: Security Experts Discuss Innovation and Partnerships

To effectively manage risk while constantly innovating, university cybersecurity teams must consider the mission of the institution.

The higher education IT security landscape continues to evolve, with cybercriminals becoming more sophisticated and doing more damage than before. According to the CrowdStrike 2022 Global Threat Report, interactive intrusion activity increased 45 percent in 2021 compared with the year before, and more than 170 adversaries were tracked.

“Even the run-of-the-mill attackers today have a pretty sophisticated toolset,” said Tina Thorstenson, vice president of CrowdStrike’s Industry Business Unit. “And they’re working in teams, so they really can do a lot of harm really quickly.” Thorstenson moderated a panel of higher education IT security professionals at the 2022 EDUCAUSE Annual Conference, asking how they tackle some of today’s biggest issues in cybersecurity.

“We’re all balancing the idea of, how do we do the new thing that the president is interested in while trying to figure out how to bring the digital transformation efforts into reality?” she said.

Incorporating Security into IT Offerings Requires Risk Management

To incorporate security into a university’s overall IT service offerings, risk management is top of mind for many CIOs.

“It’s having a risk-based approach, where you’re monitoring your risk, you understand your risk, and then you prioritize your capabilities to respond to that risk based on the highest level of risk and the highest potential impact to your organization,” said Stan Waddell, CIO for Carnegie Mellon University.

At Princeton University, CISO David Sherry said this risk management is baked into the mission of the institution’s IT department. Information security is programmatic and cultural, he said, which underpins the department’s broader efforts to support Princeton in its teaching, research and learning.

“Programmatic” means IT security is part of everything that happens at the university, from hiring a new employee to purchasing a new copier or assessing a new cloud service. The cultural aspect requires campuswide awareness of the importance of cybersecurity.

“It means that everyone is aware of security, the security mission and security team, and that they recognize they play a role,” Sherry said. “We also make it cultural by teaching them that security is important in their personal life as well, because we feel if they’re thinking about security from 5 p.m. to 8 a.m., they’re going to be thinking about security from 8 a.m. to 5 p.m. It’s working slowly but surely, and we’re changing the culture of a 275-year-old university.”

University of Michigan CISO Sol Bermann said he’s seeing the greatest improvement in process: building security assessments into existing workflows and breaking down the silos between the security experts and the rest of IT.

Balancing Innovation and Operational Excellence

Support for innovation can start at the staffing level. When Sherry was building his security team, the first hires he made were people with institutional knowledge whom he knew he could trust. But from then on, he has made it a point to hire experts from other schools and industries.

“That brings a different way of thinking that blends innovation and operational excellence,” he said.

He also treats missteps as learning experiences that will make his team better in the long run.

“My staff and I, we use an old quote by the football coach Don Shula,” he said. “He says, ‘Strive for perfection and settle for excellence.’ Sometimes, our role is like Chutes and Ladders. We get a ladder, we climb up a little bit higher, but sometimes we get a chute. We do some post-mortems, and we say, as long as you learn from it and we start heading towards the next ladder and some level of excellence, that’s OK for us.”

Waddell, previously CISO at the University of New Hampshire, sees things a little differently. In his current role, he understands the IT security team’s responsibility to remain good fiscal stewards of their resources while contributing to the university’s overall mission. This means managing risk as much as possible while understanding that they can never eliminate it.

“Some days, it’s just our turn,” he said. “The bad guys can be lucky, so we want to make sure that we have the right balance and tools in play so that people can get their jobs done.” If people can’t do that within the secure environment, they’ll find another way to do it, he said, which will be less secure than what the IT pros can offer.

“Every dollar that we spend on technology is a dollar not directly spent on one of the primary missions of the organization — research, education, outreach,” he said. “I want to be able to look myself in the mirror every morning. I’ve got to face myself, and I want to be able to say I’m contributing to the mission.”

Bermann said that working within the university community can contribute to this overall mission. For example, his IT security team was able to help an internationally regarded genomics researcher win a large grant after embedding a security team member within the research group and helping secure a Google Cloud environment.

“I talk to our team a lot about getting out there, being part of the university community,” he said. “That’s something we do every day. It’s not every day that we bring in $40 million, but it is every day that we help someone innovate, help somebody teach or help some student to learn. We relish those opportunities.”

What Are the Key Ingredients for Building Strategic Partnerships?

Forming these strategic partnerships is key to contributing to the overall university mission, Waddell said.

“Strategic partnerships exist at pretty much every level of the organization,” he said. “I think it’s important for us to have connections and contacts and regular discussions with various areas on campus, from senior leadership to operations, so you understand what they’re driving, how technology can help, or how technology or cybersecurity hinders them.”

At Carnegie Mellon, Waddell is in contact with a number of campus organizations to provide regular feedback and information. He also has a CIO advisory council made up of students, faculty and alumni that provides further insight.

Similarly, at Princeton, Sherry partners with departments across campus, particularly those that have their own IT staff, such as facilities management and public safety. He conducted a risk assessment with each of these groups and provided a report that outlined areas of excellence and those in which best practices were not being met. These reports helped the groups see the IT security team as a trusted partner.

Bermann relies on peers for partnership and support. As a Big Ten school, the University of Michigan participates in the Big Ten Academic Alliance, which disregards athletic rivalries and instead provides peer support for security pros from each of these schools.

“We get together and talk through challenges and strategies,” he said. “There’s some commiserating there. These are strategic partners that let us gauge our own progress against our peers, and it’s super important to me.”

Amy McIntosh/EdTech
