Jodi Ito joined the staff of the University of Hawaii in 1982 and has served as its CISO since 2000, giving her unusually deep and continuous knowledge of the university’s IT landscape and the threats it faces. She talked with EdTech about the changes she has seen and how information security teams can ensure that a teammate’s departure doesn’t leave the university vulnerable.
EDTECH: How did you get your start in IT at the University of Hawaii?
ITO: I started in user support. I was a computer science major, and then I took a student help position with what was then called the Computing Center. We’re talking in the early ’80s: punch cards, IBM mainframes. As a student employee, I was doing a lot of programming, and I was also assisting staff, researchers and faculty with their programming assignments.
Click the banner to learn how university leaders are managing modern workspaces.
EDTECH: What prompted your shift into information security?
ITO: The internet started evolving, and then the security threats evolved. We started with things like the Morris worm, which raised awareness of the threats that can affect networks. Initially, it was more about distributed denial of service attacks that would make a network unreachable or take computer systems offline.
Since then, it’s evolved into so much more. It really has been such an interesting journey to see how the internet changed everything related to security, data, privacy and all of the applications that we depend on now just in our everyday lives.
EDTECH: What are the current threats?
ITO: We worry about things like Ransomware as a Service. Attackers can just buy into attack tools. We have so many more attackers now; it used to be just a few skilled people. Then combine that with hostile nation-states that are after the intellectual property of countries like ours. We’re seeing them pursuing a lot of research in academic institutions. Academic institutions are very open environments because we have to do so much collaboration; we cannot put up the hard boundaries that a bank or a hospital can.
RELATED: Universities turn to next-generation SIEM for improved cyber visibility.
EDTECH: You have such a breadth and depth of experience. How do you ensure that the knowledge you and your team hold remains available as people transition to new roles throughout their careers?
ITO: Succession planning isn’t something that we normally think about as security professionals, but it’s been coming up a lot more within higher education. Many of my colleagues at other institutions are planning to retire, and we’re noticing a knowledge gap between the existing staff and what we see needs to be done in the future. We’re not going to be here to do it, so how do we make sure that the concerns are addressed?
The primary thing is to ensure that there are very strong communication channels both among and beyond the team. You need the institutional knowledge about why things evolved to be where they are today and who to contact when you need to effect changes to specific areas. It’s very important to ensure that the university community understands that we don’t put security in place just because we want to. It’s because there is a definite need, either because of a regulatory requirement or the threats that we see coming in.
I started off as a team of one for almost 10 years. Then we started having breaches, and I started adding people. When the team is smaller, you can still have the talk over coffee or in the hallways. When the team grows, it gets harder to ensure that communication is there. So, it’s building into the group this notion of collaboration and knowing that I won’t be there forever. They need to think ahead about how they will work with a new CISO or other upper-level management.
Succession planning is different from professional development. Professional development tries to address the needs and capabilities of the individual person. When we talk about succession planning, it’s about how we ensure that the team can carry forward if any one member is not available anymore.
READ MORE: Stanford student Kyla Guru brings Gen Z into the cybersecurity conversation.
EDTECH: How do you keep your succession plan relevant as technology changes and threats evolve?
ITO: That’s hard because a lot of it relies on documentation, and that’s something historically that our profession is not very good at. But that needs to change, because as we document and record the different things that each of us does in our jobs, where our responsibilities lie, what our current projects are, then we provide a roadmap of where we exist today. We need to be agile, especially as we get new threats. The spear-phishing attacks are getting so much better. We, as security professionals, are struggling a little bit with it, so what does that mean for the end user?
As the attackers get better at what they do, we have to get better at what we do. This whole whack-a-mole game forces us to revisit the things that we do: Is it still relevant? If this is the trend, what should we be anticipating? There’s a constant reflection of what was and what we think will be, and then trying to adapt what we do to stay relevant.
