Chas Grundy knows what he’s up against as he tries to protect his institution from the latest cyberthreats. Success, he says, depends on community engagement and getting students, staff and faculty to change their behavior.
“That’s a tall order,” says Grundy, director of IT strategy and transformation at the University of Notre Dame. “Cybersecurity training can be kind of dry. You have to find a way to get your messages to stick while not making it seem like just a bunch of fear mongering.”
With that in mind, last October Grundy and his team tried something new. In celebration of Cybersecurity Awareness Month, they staged their first-ever Notre Dame Cybersecurity Carnival. Held in a ballroom at the university student center, the one-day event featured a slate of live performances and presentations on everything from password management to recognizing phishing scams.
Balloons and carnival music filled the air along with the smell of popcorn and cotton candy, and attendees competed for prizes in games like Cover the Hotspot and Slam the Spam.
“The idea was to do something fun,” Grundy says, adding that the event included nearly a dozen tents and was sponsored by vendors such as Google and Amazon Web Services.
Click the banner below to receive exclusive content about cybersecurity in higher ed.
One game, Cybersecurity Strongman, conveyed to participants that longer passwords and passphrases are always more effective than shorter ones. Grundy says most games involved some combination of “throwing stuff at stuff” or “making stuff ding.” His favorite installation was a Museum of Mishaps, full of famous paintings altered to tell important cybersecurity stories.
Vermeer’s Girl with a Pearl Earring became Girl with an Open Webcam, Grundy explains. The Mona Lisa became Moan of Lisa, “because her two-factor buzzed but her phone was in the other room and she’s like, ‘Do I really have to go do this again?’”
Grundy notes the carnival drew more than a thousand people from throughout the Notre Dame community, and surveys his team conducted after the event showed most attendees liked the change of pace.
“They said they learned a lot, and that they appreciated the fact we were doing something different,” he says. “I think people enjoyed the creativity, but they also recognized we’d made a genuine effort to build something special around a very serious topic.”
Notre Dame’s CISO Leilani Lauger echoes that sentiment.
“It is crucial to connect to people’s real-world experiences,” she says. “The Cybersecurity Carnival was able to do that by making the topic fun and accessible to all ages.”
WATCH: Chas Grundy talks about Notre Dame’s cybersecurity carnival at EDUCAUSE 2022.
CPP’s Cybersecurity and Awareness Fair Supports Attendees
The University of Notre Dame isn’t the only school trying to make cybersecurity more interesting. At institutions across higher ed, campus leaders are increasingly turning to festivals and fairs to drive home the importance of good cyber hygiene.
“Entertainment with education is effective,” says Joe Potchanant, director of the cybersecurity program at EDUCAUSE. “Events like these, they’re not just putting out a blanket statement like ‘You need to do this,’ or ‘Read this policy.’ They’re meeting their students and faculty where they are by educating them in a format that draws them in.”
That was the thinking at Cal Poly Pomona leading up to its 2022 Cybersecurity and Awareness Fair. In Cal Poly’s case, though, the gathering wasn’t new; it was the 18th iteration of the annual event.
“It has definitely evolved over the years,” notes Christopher Laasch, who organized the first fair in 2005 while he was a Cal Poly Pomona student. Back then, he imagined the event as a free “hacker’s conference” where tech-savvy students could network with leaders in the cybersecurity industry. Today, as a senior security analyst with the university who serves as the official coordinator of the fair, Laasch strives to keep it true to its original mission while also ensuring it has broad appeal.
“Now, we’ll show you how to hack a random device, but we also want to teach you how to protect yourself in this world where everybody is trying to get your data and information,” he says. In 2022, the fair’s attractions included everything from Lockpicking 101 to a demonstration on the limits of multifactor authentication. Around 650 people attended the event, which was sponsored by vendors such as IBM and CrowdStrike.
“We put this on for the community,” Laasch says, explaining that over the past several years, the university has “made a huge push” to market the event to people who might not otherwise attend. “If you’re studying architecture or agriculture, it’s not always clear why you should be interested in cybersecurity. We go out and talk to them and ask them how we can get them involved.”
One thing Laasch has learned with experience: Giving away pizza nearly always does the trick.
“If you feed them, they will come,” he says, adding that from there, the rest is relatively easy. “Once you have them, there’s absolutely no chance they’re going to walk away not having learned something.”
DIVE DEEPER: Learn the importance of cybersecurity in university research projects.
A Look at Stanford’s Cybersecurity and Privacy Festival
One higher-ed IT leader who would certainly agree with Laasch is Stanford University CISO Amy Steagall.
Last October, Steagall led Stanford’s fourth annual Cybersecurity and Privacy Festival, “Cloudy with a Chance of Awesome.” The two-day event featured speakers such as former Secretary of State Condoleezza Rice and included games like Capture the Flag, where attendees could participate in ethical hacking. One panel discussion covered perspectives on cloud security, while presentations and workshops hit on everything from privacy technologies to securing research on AWS.
Echoing Grundy at Notre Dame, Steagall says the festival is meant “to make cybersecurity fun while strengthening our first line of defense — our students, faculty, and staff.” The event is held on Stanford’s main campus to make it easy for the community to attend.
This year’s festival, slated for October, will focus on artificial intelligence, Steagall says. A campuswide contest will simultaneously promote the event and determine its tagline, and Steagall and her colleagues plan to seek community input to ensure it includes topics that span a range of interests. The tentative agenda includes outreach meant to impart the lesson that cybersecurity is serious business.
“The main thing we always hope to do, beyond making it educational and entertaining, is to make my team accessible and approachable,” Steagall explains. “We want people to know that we’re here to help them not only protect themselves but also protect the university.”