When I became the first CISO at Duquesne University about four years ago, we were building a department from scratch, with little budget. Previously, I had gradually built up security programs and reporting, but we still lacked a team and a mature structure dedicated to cybersecurity.
But then came an opportunity — albeit one that didn’t appear so at first. On my third day on the job, a hacker targeted a staff member via a fake computer support scheme. The attack didn’t compromise any sensitive files, but it easily could have.
I turned that incident into something of value: a compelling way to show the Duquesne community that IT security risks are real and that it takes a concerted effort to protect user data. In the wake of the near-breach, I explained to the administration how we would develop a plan that would keep students, faculty and administrators safe.
Duquesne’s new security department would deploy the technology and lead awareness training, but I made it clear that everyone had to get involved with information security. The Target hack in 2013, and all the hacks since, helped to set a tone of urgency and finally convinced our administration that we needed to increase our focus in this area.
By 2016, my work had shifted to security full-time and I started putting my plan into place. Here are five best practices I’ve learned from my experience developing a security department that can help IT staffs build a security program at their institutions.
1. Be Transparent with the Campus Community
Tell people what the security team requires, when it needs the data and why it needs it. Higher education environments have a tradition of academic freedom, so it’s important to balance the need for security with users’ concerns that they may be giving the IT department too much personal information.
With mobile device management software, for example, it’s important to explain that IT staffers have no intention of spying on users. They just want to be able to remotely wipe sensitive data on a smartphone or tablet device in the event it gets lost or stolen.
2. Develop a Three- to Five-Year IT Security Deployment Plan
Never run out and buy technology before the organization has a policy and process to support the technology. At Duquesne, we took the “crawl, walk, run” approach to solution deployment.
Starting in fiscal year 2016-2017, we developed a five-year plan in which we first took care of the basics. That year, we deployed next-generation firewalls, intrusion detection and prevention systems, data loss prevention software, vulnerability management capabilities, security monitoring, advanced endpoint protection, and a security information and event management solution. We also started security awareness training and defined security policies and procedures for all this new technology.
After that, we deployed penetration testing, compliance assessment, multifactor authentication, email security and insider threat protection. Moving forward throughout 2020 and beyond, our plan calls for third-party monitoring and validation testing, custom security training, cloud application security, and developing a capability to run “red team” exercises and internal breach analysis.
3. Start Small and Build a Cross-Functional Security Team
In many ways, starting small makes the most sense. I was hired in 2016 to create the security department, so there were no established policies and procedures, and no employees felt that I was trying to take over their work. Start by creating policies, processes and best practices. Write them down, communicate with staff and hold people accountable.
We were finally able to hire two security engineers in 2018. Because there was no pre-existing staff structure, we were able to establish one that worked best for us: a cross-functional team of security pros who cover for one another. Like many institutions, we must do that because we’re a small team, consisting of me, two engineers and a student intern.
4. Teach That Everyone on Campus Must Practice Security Awareness
Often, once an organization hires a security professional, there’s a sense that this individual will handle security and is responsible for checking off the boxes for security-related tasks. But it’s imperative that the new security professional develop good relationships with all the important departments at the university (including human resources, finance and academic departments).
It must be clear that security is everyone’s business, because everyone will play a role in keeping the institution safe. One way to achieve this goal is to make security part of the standard operating procedure for every department and for every user.
5. Gain Credibility as a Leader Through Continuous Learning
When I first took on the CISO role, I didn’t have any security credentials. I had worked in tech support services, planning and development, and service management. My work had touched on security, but over the past five to 10 years especially, security has become its own IT discipline. One of my first moves was to become a Certified Information Systems Security Professional to show the community that I was serious about keeping myself informed on the latest developments.
Independent validation also goes a long way. Most institutions must meet compliance regulations for financial aid, information privacy and medical insurance. This means the university undergoes up to eight audits a year, many of which have been helpful because they required me to detail precisely what resources we needed and how we could budget for them over several years. Our internal audit team worked closely with us to set realistic priorities and goals, and while we’ve come a long way in a short time, most of our development was planned over a reasonable five-year period.
Every institution has a mission to keep students both physically and digitally safe. At Duquesne, once we experienced an attack in those early days, the entire university pulled together to support security efforts. This type of partnership is essential at every institution to ensure the safety of our communities and their valuable digital assets.