There’s No "I" in Team (Come to Think of It, There’s No "I" in SPC Either)

The 15th annual EDUCAUSE Security Professionals Conference (SPC), held in Denver May 1–3, 2017, has come to a close. Not only was this the most attended conference (with over 650 attendees), but all who were there enthusiastically offered their feedback on both the quality and value of the conference, with the vast majority calling it the best ever. Many of the attendees were multiyear veterans of previous conferences but almost half were first-time attendees. Three of the five members of the Princeton information security office (ISO) were first-timers. We were excited to attend as a full team, and we were not disappointed.

Why bring your entire team to the same conference? After our experience, we think the more pertinent question is, why wouldn’t you? We all know that the SPC is the go-to conference if you work (or have interest) in higher ed information security. Having the entire team there simply makes sense and provides the most value for your time. We experienced both tangible and intangible benefits from this conference. Let’s cover the intangible ones first.

Our team’s security engineer went to SPC 2016 in Seattle on his own last year (actually, the CISO was there as well, but they were both so busy that it felt like they were attending alone). There was a big difference between the two experiences. Because we attended this year as a group, we were able to each cover much more ground than any one person could. The Princeton infosec team is made up of a diverse group of people, and each person has a specific area of expertise and focus. The specialized SPC tracks allowed our training and awareness person to follow the track that applied to her area of responsibility, the security analyst assigned to risk assessments followed the track that applied to her job, and so on. However, each of us was also challenged to attend a session that was "out of our comfort zone," which gave us a glimpse of what others do on a day-to-day basis. Over lunches and dinners we shared our day and talked about what we had learned. None of this occurred in previous years and is a big value-add for attending as a complete team.

Some members of the Princeton staff are new to the information security field and found the conversations during sessions and in the hallways to be priceless. Having the opportunity to discuss current issues and ideas with like-minded colleagues from peer institutions was an added benefit of the SPC experience. A common theme that was discussed over dinner each night was people’s willingness to openly share and discuss ideas. There is comfort in knowing that we are not alone in the challenges our institution faces, and that colleagues from across the country (and the world!) are just a phone call or e-mail away for advice and support.

The newest member of the Princeton security team is also one of the newest members of the HEISC Awareness & Training Working Group. Attending the conference afforded her the opportunity to meet many of her fellow working group members. Similarly, close to 50 colleagues from the Ivy Plus consortium made their way to Denver, allowing deeper connections to be made at all levels and disciplines of our individual security teams. While we all have the same focus, the staffing models differ, and establishing the right contacts and making face-to-face introductions are critical to success in our field.

Upon returning and reflecting on the overall experience, an unexpected surprise of attending as a full staff was the team-building experience it afforded. Having never traveled to a conference as a complete functional group before, this trip gave us more time to bond as a team and to develop as a unit in a way that can’t really be replicated in the office environment. Between traveling together, dining together, and just generally socializing as a group, our team had the opportunity to develop our interpersonal relationships both personally and professionally. Going forward, the cohesiveness that developed will allow the Princeton ISO to function as a much stronger collaborative team. Having been a fully staffed team since October of last year, there already had been some of that cohesiveness going on, but this trip brought it to the next level.

We also returned with tangible and actionable results from the conference proceedings. We came back to New Jersey with physical examples of awareness, procedure, and policy documents. We were reenergized on the top 20 controls and have new thoughts about NIST. We are inspired by the CISO visionaries who shared their wisdom at the close of the conference. We learned about new solutions from the vendor tables. We met some of the "real heroes" of our profession who secure their institutions with little to no staff or resources. We came back with many real-world success stories and foresee new phases, new directions, and a new mindset. We hope that we can take what we’ve learned, put it into practice, and subsequently share it with others at a future SPC.

Oh, and we also noticed more golden shovels.

EDUCAUSE SPC 2017 has come and gone. The Princeton ISO team offers our sincere thanks and congratulations to the conference committee, whose yearlong effort resulted in an amazing conference. SPC continues to grow and get better year after year, and we have confidence in the 2018 committee. We have it marked on our calendars and anticipate that it will (once again) exceed our expectations, providing great value for us individually, as a team, and for Princeton.

Mark your calendars for April 10–12, 2018 in Baltimore, Maryland. We’ll see you there!


David Sherry is the CISO at Princeton University, and helping his team learn to speak about security with a Boston accent. You can follow his security thoughts @CISOatPrinceton.

Tara Schaufler is the senior information security training and outreach specialist at Princeton University and strives to teach the campus community about the importance of information security (eventually with a Boston accent).

Dean Plante is the senior security engineer at Princeton University and strives to keep the campus safe, even if it costs him losing sleep and stern looks from his wife for checking his e-mail too much. Being a Yankees fan, he has no desire to talk with a Boston accent.

Steven Niedzwiecki is the senior security architect at Princeton University. While the majority of his career has been spent at Princeton, he does love Boston but more for the marathon than for the accent.

Daphne Ireland is the senior information security analyst at Princeton University. As a student of languages, she speaks fluent Boston whenever it helps communicate that progress in teaching and research relies on taking the right risks.

© 2017 David Sherry, Tara Schaufler, Dean Plante, Steven Niedzwiecki, and Daphne Ireland. This EDUCAUSE Review blog is licensed under Creative Commons BY-NC-SA 4.0.