Cybersecurity in Higher Ed: Thoughts, Fears, and Empowerment

"Hire for attitude and train for skills." This Tom Peters quote does not seem to apply to today's IT security world. Certifications and developmental programming skills are highly sought after in corporate cybersecurity positions and can seem intimidating to someone contemplating how to get a foot in the door. Universities, however, offer a different culture and mindset. They value people who embrace the enthusiasm to learn, invoke a strong support system for individual growth, and provide a welcoming sense of community. Before joining this amazing family recently as an IT security analyst at Duke, I was just a young college graduate who provided computer technical support to customers to help pay the bills. Removing viruses and helping people with their specific computer issues kept me busy, but I always felt a strong urge to learn more and be more. It wasn't until a higher ed CISO took me under his wing that I finally gained clarity on what direction I wanted to take with my career. In the past couple of years, my eyes have opened to a wide variety of thoughts, fears, and empowerment.

In a constant changing world of new technology, how can we keep up? Working in an environment with a vastly diverse amount of network data has its advantages and disadvantages. Some businesses have the option to block certain sites, peer-to-peer traffic, and the like, locking down their employees' Internet habits to achieve a narrower sense of traffic. But in higher education, we don't have that luxury. Students are always evolving and attuned to what's hot right now, and the encouragement of academic freedom definitely keeps Duke's network traffic fun and exciting. When I started obtaining certifications for hacking and incident handling, I learned quickly that an enthusiasm to learn and quickly adapt was necessary. Cybersecurity is a huge field, and no matter how much training you have, there will always be someone smarter than you. The necessity for sharing threat intelligence is vital to our survival. The rise of the Internet of Things, and the increasing surface of risk that hackers are finding and expanding every day, leaves an overwhelming sense of low visibility in our cloud environments. What are we not seeing? What are we not catching on our network while we perform our daily cyberhunting tasks?

I recently had the opportunity to attend the EDUCAUSE Security Professionals Conference (SPC) in Denver, Colorado, and immediately knew that I was not alone in experiencing these fears. Hearing various IT security analysts and CISOs speak about how they are protecting themselves and their universities, while offering comparisons and combining ideas for us all to gain better visibility, was incredible. The social networking that occurred in between and after the scheduled presentations was invaluable. Having this opportunity to converse with other people who work in similar higher education IT security roles not only expanded my goals for what we could further improve at Duke but also gave me contacts for sharing blacklist data and confirming false positives in the future. It was a feeling of community. I didn't feel like such a little fish in a big pond anymore — in Denver, we shared a common goal and genuinely respected everyone's input.

Being a female in IT security presents a few obstacles, however. Diversity, in general, is limited in the IT world, and women who work in a technical IT job role are especially scarce. Finding a voice in a career dominated by men and continuously striving to avoid condescension and exclusion presents challenges. For example, I attended a few hacker conferences last year that had a vastly different community feeling compared to SPC. At one conference, I was shooed away from the registration computer to let the next person in line register. When I explained that I was preregistered and was printing out my badge, he proclaimed, "Oh...I thought you were with him (pointing to my colleague). Most of the girls just tag along with the guys." At social functions at these hacking events, people initially assume I type up security standards or work in a nontechnical role, which is discouraging at first. My enthusiasm-to-learn quality does not seem to matter much. These folks care about what computer languages you know or what cool new scripts you've created or tested to hack the next big thing. Mitigation techniques are only a rare side conversation, and the focus of these presentations is "hack all the things." It is intimidating, to say the least, and it stokes fears of whether I will sink or swim in my position as an IT security analyst. Do I have a chance to make a difference and to protect the security and privacy of our faculty, staff, and students?

The last talk at SPC, "So You Wanna Be a Higher Ed CISO? Understanding What It Takes to Get There and Stay," helped diminish these concerns. Half the CISOs on the panel on stage were women who shared experiences similar to mine and the rigors they faced before becoming CISOs. It empowered me to believe in myself and know that I too can become a CISO one day. Everyone has to start somewhere, and I shouldn't allow myself to be discouraged. As I said before, no matter how good you are or how much training you have, there will always be someone smarter than you. This should inspire us to constantly challenge ourselves and always seek more knowledge.

I am thankful to be in a higher ed IT security position, as opposed to a corporate equivalent. I feel empowered to achieve my individual goals for knowledge acquisition, and I love the encouraging sense of community that allows my voice to be heard. I feel embraced for my enthusiasm to learn, and I could not be more grateful. I will continue studying and learning new technical skills. As my CISO inspired me years ago, I hope in turn to mentor young minds eager to learn.

Alyse Zavala is an IT security analyst at Duke University.

© 2017 Alyse Zavala. This EDUCAUSE Review blog is licensed under Creative Commons BY-NC-ND 4.0.