Incorporating Security into IT Offerings Requires Risk Management
To incorporate security into a university’s overall IT service offerings, risk management is top of mind for many CIOs.
“It’s having a risk-based approach, where you’re monitoring your risk, you understand your risk, and then you prioritize your capabilities to respond to that risk based on the highest level of risk and the highest potential impact to your organization,” said Stan Waddell, CIO for Carnegie Mellon University.
At Princeton University, CISO David Sherry said this risk management is baked into the mission of the institution’s IT department. Information security there is programmatic and cultural, he said, which underpins the department’s broader mission of supporting Princeton’s teaching, research and learning.
“Programmatic” means IT security is part of everything that happens at the university, from hiring a new employee to purchasing a new copier or assessing a new cloud service. The cultural aspect requires campuswide awareness of the importance of cybersecurity.
“It means that everyone is aware of security, the security mission and security team, and that they recognize they play a role,” Sherry said. “We also make it cultural by teaching them that security is important in their personal life as well, because we feel if they’re thinking about security from 5 p.m. to 8 a.m., they’re going to be thinking about security from 8 a.m. to 5 p.m. It’s working slowly but surely, and we’re changing the culture of a 275-year-old university.”
University of Michigan CISO Sol Bermann said he’s seeing the greatest improvement in process: building security assessments into existing workflows and breaking down the silos between the security experts and the rest of IT.
Balancing Innovation and Operational Excellence
Support for innovation can start at the staffing level. When Sherry was building his security team, the first hires he made were people with institutional knowledge whom he knew he could trust. But from then on, he has made it a point to hire experts from other schools and industries.
“That brings a different way of thinking that blends innovation and operational excellence,” he said.
He also treats missteps as learning experiences that will make his team better in the long run.
“My staff and I, we use an old quote by the football coach Don Shula,” he said. “He says, ‘Strive for perfection and settle for excellence.’ Sometimes, our role is like Chutes and Ladders. We get a ladder, we climb up a little bit higher, but sometimes we get a chute. We do some post-mortems, and we say, as long as you learn from it and we start heading towards the next ladder and some level of excellence, that’s OK for us.”
Waddell, previously CISO at the University of New Hampshire, sees things a little differently. In his current role, he understands the IT security team’s responsibility to remain good fiscal stewards of their resources while contributing to the university’s overall mission. This means managing risk as much as possible while understanding that they can never eliminate it.
“Some days, it’s just our turn,” he said. “The bad guys can be lucky, so we want to make sure that we have the right balance and tools in play so that people can get their jobs done.” If people can’t get their work done within the secure environment, he said, they’ll find another way to do it, and that way will be less secure than what the IT pros can offer.