When Tom Dugas set out to build an information security program at Duquesne University in Pittsburgh, he had little to work with: no staff, scant funding and a campus that didn’t quite grasp the importance of a dedicated security department.
His third day on the job brought another challenge: A staff member fell victim to a hacking hoax and inadvertently granted an intruder full access to his data files.
But Dugas turned that crisis into a valuable opportunity, using it to show the Duquesne community that security risks are real and that it takes a concerted effort to protect users’ data.
Dugas, the associate vice president and CISO at Duquesne, shared his experiences Tuesday at the UB Tech Conference in Orlando, Fla., in a session titled “Lessons Learned from Starting an Information Security Program from Scratch.”
Dugas joined Duquesne in 2006 as the director of information security, then a brand-new position with little precedent on campus.
Dugas, a former staff member at Carnegie Mellon University, had been through numerous program launches before, but creating a data security program from scratch would be a new challenge.
“Many organizations doing these things have up to a dozen people doing them,” he said, recalling those early days. “I have me.” Dugas now has two employees on his security team.
Equally difficult, he said, was that many staff questioned the need for an IT security professional in the first place. “Most people don’t even think you are needed,” he said. “They think, ‘I got this. Why are you here?’”
Potential Breach Mobilizes Support for Data Security Program
As Dugas set out to overcome these challenges, he identified a few key components of a successful information security program.
One was striking a balance between independence and collaboration. Security staff need to be able to go in and out of campus departments to understand what’s happening, he said, but they also must be mindful of building relationships with stakeholders.
“If you stray too far from that, you have a unique opportunity to alienate yourself from the IT organization,” he said. “You don’t want people to feel that security is telling them what to do but not helping to get it done.”
Building a program that reflected the university’s mission and values also was important, Dugas said.
“Values matter, particularly at a Catholic institution, so I told people about these values and how we were going to build a program together, from the beginning,” he said.
To compensate for the lack of staff, Dugas built a 20-person cross-functional team whose members agreed to dedicate a certain percentage of their working hours to the security program. That amounted to the equivalent of two full-time employees, and it served to engage a broad swath of the campus.
There were also, of course, the nuts and bolts of any new program: developing policies, procedures, definitions and guidelines.
“As with any new program, and I can’t emphasize this enough, in order to get started you have to start defining things like process and policy and practice,” Dugas said. “Write it down, communicate it and hold people accountable for it.”
When the security incident happened on Dugas’ third day on the job, it was a wake-up call. Dugas already had the support of his CIO, but this potential breach won the support of other stakeholders as well. Fortunately, even though the staff member involved had an excess of sensitive information on his computer, no actual loss of data occurred.
“That incident got to demonstrate quickly that there was a need, there was a demand and we had to do something better,” Dugas said. “I had to take advantage of the crisis. This was such a learning opportunity. We need to know what’s on people’s machines and why they have it.”
That was a turning point, he said. Although he didn’t get more staff positions at that point, campus leaders did increase his funding, which made it possible to acquire more security software and supported the shift from a reactive security posture to a proactive one.
Step-by-Step Model Leads to a Proactive Risk Management Strategy
To build his program, Dugas used a “crawl/walk/run” approach, setting out goals for the first two years, then the next three years, followed by an ongoing evolution.
In the “crawl” phase, he focused on baseline protection and the work required for security transparency and response. That included tasks such as creating incident response plans, developing policies and procedures, and making better use of an existing next-generation firewall from Palo Alto.
“We had some great tools,” Dugas said, but staff hadn’t felt empowered to use them to their full advantage.
In the “walk” phase, risk management became more proactive. Staff took more steps to meet regulatory requirements and to prevent security incidents from happening in the first place, including penetration tests and multifactor authentication. Successes included a drop in the number of emails compromised through phishing, from 2,500 to 250, Dugas said.
His team is now entering the “run” stage, working toward cloud application security and other strategies to optimize data protection, including partnerships with other institutions that help to maximize limited resources.
As with most successful initiatives, transparency and communication went a long way toward helping the security program succeed, Dugas said. That was especially true in the beginning, when staff worried that his goal was to ferret out existing weaknesses in security and, by extension, in their performance.
“You’d be surprised how many people felt we were going to point out all their flaws,” he said, a concern that Dugas countered by emphasizing that better security, not finger-pointing, was his ultimate objective.
While technology tools were key to improving Duquesne’s security posture, the accompanying processes were equally important, he said. “If you don’t have a process to manage it, the technology is useless,” he said. “I wanted to be sure each and every time we knew the business problem we were trying to solve.”
Follow EdTech’s coverage of the 2019 UB Tech Conference here.