Moving Forward: Do Better Than Incident Response
As it becomes increasingly clear that the pandemic is not ending anytime soon, CISOs are readjusting their security strategies.
“As security professionals, we start off in these moments doing incident response,” says Erik Decker, CISO and CPO at University of Chicago Medicine. “But you can’t run an incident response program for a long-term, never-ending cycle.” As a result, higher education leaders at UCM have been carefully discussing policy changes.
Stanford is also focusing on securing remote communication platforms. “We have to be mindful of the migration from email to office messaging,” says Michael Duff, Stanford University’s CISO and chief privacy officer. “As information security leaders, we have to be ready to take the risks that come along with these migrations and adjust our strategies.”
To better secure remote communication, Stanford is embracing passwordless authentication. In March, the university rolled out Cardinal Key, a digital certificate held on the user's device that takes the place of the username-and-password login and the separate multifactor prompt that normally accompanies it. Trust therefore rests on the device that holds the certificate's private key, which is why the approach goes hand in hand with keeping those devices secure.
“We’re leaving passwords in the past and ushering in simpler computing,” Duff says. “The Cardinal Key gives us the mechanism to ensure that all our user devices are secure no matter where they are in the world.”
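What a certificate-based login of the kind described above looks like on both sides, as an added illustration that is not Stanford's Cardinal Key implementation or any code from this article: a hypothetical institutional CA issues each enrolled device a client-authentication certificate, and the relying party authenticates by verifying the chain, the validity period and the client-auth usage, never consulting a username or password. The CA name, the user alice@example.edu and the domain example.edu are made up; the Go standard library's crypto/x509 does all signing and verification.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue generates a fresh P-256 key pair for tmpl, assigns a random 128-bit
// serial and has signer (the parent's key) sign it; nil parent = self-signed.
func issue(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if tmpl.SerialNumber, err = rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128)); err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// NewCA creates the institution's device CA (hypothetical name).
func NewCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	return issue(&x509.Certificate{
		Subject:               pkix.Name{CommonName: "Example University Device CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().AddDate(10, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}, nil, nil)
}

// IssueDeviceCert enrolls one device for one user: the CA signs a client-auth
// certificate carrying the identity. The private key stays on the device.
func IssueDeviceCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, user string, validFor time.Duration) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	return issue(&x509.Certificate{
		Subject:        pkix.Name{CommonName: user},
		EmailAddresses: []string{user},
		NotBefore:      time.Now().Add(-time.Minute),
		NotAfter:       time.Now().Add(validFor),
		KeyUsage:       x509.KeyUsageDigitalSignature,
		ExtKeyUsage:    []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}, ca, caKey)
}

// Authenticate is the relying party's side of the passwordless login: no
// username or password is consulted. The certificate must chain to a trusted
// root, be valid at `now` (so expired certificates are rejected) and be allowed
// for client authentication. Revocation checking is not shown.
func Authenticate(presented *x509.Certificate, roots *x509.CertPool, now time.Time) (string, error) {
	_, err := presented.Verify(x509.VerifyOptions{
		Roots:       roots,
		CurrentTime: now,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	if err != nil {
		return "", err
	}
	if len(presented.EmailAddresses) != 1 {
		return "", fmt.Errorf("certificate does not carry exactly one identity")
	}
	return presented.EmailAddresses[0], nil
}

func main() {
	ca, caKey, err := NewCA()
	if err != nil {
		panic(err)
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	// Enroll a device for a made-up user and log in with it.
	dev, _, err := IssueDeviceCert(ca, caKey, "alice@example.edu", 24*time.Hour)
	if err != nil {
		panic(err)
	}
	id, err := Authenticate(dev, roots, time.Now())
	fmt.Println("enrolled device:", id, err)
	// The same identity on a certificate from a CA the institution never trusted.
	rogue, rogueKey, _ := NewCA()
	forged, _, _ := IssueDeviceCert(rogue, rogueKey, "alice@example.edu", 24*time.Hour)
	_, err = Authenticate(forged, roots, time.Now())
	fmt.Println("unknown issuer:", err)
}
```

The point to notice is where the trust moved: nothing the user types is checked, so the device's private key is the whole credential. A lost or compromised device therefore has to be handled by revoking its certificate (a CRL or OCSP lookup in Authenticate, omitted here) and by short validity periods, which is the practical reason device security becomes the central concern in this model.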
Securing the New World of TikTok — and More
The stereotype of Generation Z is that they are tech natives who should intuitively understand how to stay secure online. But Helen Patton, CISO for The Ohio State University, says this could not be further from the truth.
“I know there is a trope that says students are technical natives. But in our experience, we have not actually seen that,” Patton says. “They’re very sophisticated in a few areas, like social media. But in higher ed, there are certain technologies they haven’t been introduced to before and they are certainly not secure in the way they handle those.”
Because students use several communication channels for remote learning, phishing attacks have followed them onto those messaging tools as well. In response, Ohio State has been running anti-phishing programs that train students not to click on suspicious links.
But Duff does not have high hopes for security awareness training at Stanford. “I have to admit I have a somewhat unpopular view on awareness education,” he says. “I see it has limited efficacy.”
Instead, Stanford is prioritizing automated enforcement, such as identifying and blocking malicious emails before they reach users' inboxes.
“We still do bi-weekly phishing campaigns,” Duff adds. “Security awareness is important, but it’s not going to solve our problems.”
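What an automated gateway check of the sort Duff describes can look like, as an added example that is neither Stanford's tooling nor code from this article: it parses two constructed messages, requires a DMARC pass in the gateway's Authentication-Results header, and then applies the lookalike checks that DMARC alone does not cover (an institutional brand in the display name on an outside sender, a Reply-To domain that differs from the From domain, and link text showing one host while the href goes to another). The domain example.edu, the brand words, the point weights and the quarantine threshold are all assumptions made for the example.

```go
package main

import (
	"fmt"
	"io"
	"net/mail"
	"regexp"
	"strings"
)

// Constructed sample messages (not real mail). Both pass DMARC at the gateway.
const legit = `From: "IT Service Desk" <servicedesk@example.edu>
Authentication-Results: mx.example.edu; spf=pass smtp.mailfrom=example.edu; dkim=pass header.d=example.edu; dmarc=pass header.from=example.edu

<p>Details and status: <a href="https://it.example.edu/status">https://it.example.edu/status</a></p>
`

const phish = `From: "Example University Help Desk" <helpdesk.exampleu@gmail.com>
Reply-To: recover-account@mail-verify.top
Authentication-Results: mx.example.edu; spf=pass smtp.mailfrom=gmail.com; dkim=pass header.d=gmail.com; dmarc=pass header.from=gmail.com

<p>Verify within 24 hours: <a href="http://mail-verify.top/login">https://webmail.example.edu/login</a></p>
`

var (
	orgDomain  = "example.edu"                                       // hypothetical institution domain
	brandWords = []string{"university", "help desk", "service desk"} // display-name words an outside sender should not use
	linkRe     = regexp.MustCompile(`(?is)<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>`)
	hostRe     = regexp.MustCompile(`(?i)^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/:?#]|$)`)
)

type Verdict struct {
	Quarantine bool
	Reasons    []string
}

func domainOf(addr string) string {
	if i := strings.LastIndex(addr, "@"); i >= 0 {
		return strings.ToLower(addr[i+1:])
	}
	return ""
}

// hostOf returns the host of a URL-shaped string, or "" if s is not one.
func hostOf(s string) string {
	if m := hostRe.FindStringSubmatch(strings.TrimSpace(s)); m != nil {
		return strings.ToLower(m[1])
	}
	return ""
}

// Inspect scores one raw message. Any single strong signal (3 points) is
// enough to quarantine; the weights and threshold are assumptions.
func Inspect(raw string) (Verdict, error) {
	msg, err := mail.ReadMessage(strings.NewReader(raw))
	if err != nil {
		return Verdict{}, err
	}
	from, err := mail.ParseAddress(msg.Header.Get("From"))
	if err != nil {
		return Verdict{}, err
	}
	v, score := Verdict{}, 0
	flag := func(points int, why string) {
		score += points
		v.Reasons = append(v.Reasons, why)
	}
	fromDomain := domainOf(from.Address)
	// 1. The gateway's own DMARC evaluation (recorded in Authentication-Results) must have passed.
	if !strings.Contains(strings.ToLower(msg.Header.Get("Authentication-Results")), "dmarc=pass") {
		flag(3, "no DMARC pass in Authentication-Results")
	}
	// 2. Institutional brand in the display name, but the sender is outside the institution.
	for _, w := range brandWords {
		if strings.Contains(strings.ToLower(from.Name), w) && fromDomain != orgDomain && !strings.HasSuffix(fromDomain, "."+orgDomain) {
			flag(3, "display name impersonates the institution: "+from.Name)
			break
		}
	}
	// 3. Replies are steered to a domain other than the sender's.
	if rt, err := mail.ParseAddress(msg.Header.Get("Reply-To")); err == nil && domainOf(rt.Address) != fromDomain {
		flag(2, "Reply-To domain differs from From: "+domainOf(rt.Address))
	}
	// 4. Link text shows one host while the href goes to another.
	body, _ := io.ReadAll(msg.Body)
	for _, m := range linkRe.FindAllStringSubmatch(string(body), -1) {
		if shown, real := hostOf(m[2]), hostOf(m[1]); shown != "" && shown != real {
			flag(3, fmt.Sprintf("link text shows %s but points to %s", shown, real))
		}
	}
	v.Quarantine = score >= 3
	return v, nil
}

func main() {
	for _, raw := range []string{legit, phish} {
		fmt.Println(Inspect(raw))
	}
}
```

The second sample is the instructive one: SPF, DKIM and DMARC all pass, because the attacker sent from a mailbox they legitimately control, so a filter that stops at authentication results delivers it. The checks here are deliberately minimal; a production gateway would parse Authentication-Results as a structured header (RFC 8601) rather than by substring, decode quoted-printable or base64 bodies and HTML entities before matching links, and compare against the institution's real sending domains.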
How to Balance Zero Trust with Academic Freedom
Above all, CISOs remain concerned that the zero-trust security model is still perceived as antithetical to what higher education stands for. After all, sharing knowledge and collaborating on research is a core mission for many universities. But that free flow of information also creates serious security exposure.
“Higher education is all about opening the doors, trusting everybody and sharing our knowledge with the world,” Patton says. “To turn around and say, ‘Don’t trust anybody, and validate everything … it’s a marketing message that we need to play with.”
Patton suggests working with faculty early in the research lifecycle to determine what types of information need to be protected at each stage.
“If they’re at the beginning of a research cycle and they’re just trying to crowdsource ideas, they’re not interested in data confidentiality at that point,” she says. “When they’re ready to put a patent on it, now they want to put some controls around that because it can potentially be monetized.”
That’s why working with researchers to set up controls from the beginning is key. “When you hit this point and you start to care about confidentiality, we’re here for you. But we can’t just turn these things on and off,” Patton says.
Patton does see this time as a rare opportunity for CISOs and faculty to come to an agreement about zero trust. “I see COVID as an opportunity to use real-life examples, in real time, to show why a zero-trust architecture is important,” she says.