What’s the real threat to cybersecurity in higher education? Spoiler: It’s not just technology. In this candid Q&A, two higher education leaders unpack why culture and trust matter more than firewalls, and how optimism and collaboration can transform security.
Michael Corn
Executive Strategic Consultant
Vantage Technology Consulting Group
Jack Suess
Vice President of IT & CIO
University of Maryland, Baltimore County
Mike Corn: Hello everybody. My name is Michael Corn and I'm an executive strategic consultant at Vantage Technology Consulting, and I'm also a career CISO and the host of the Hotline, the advice column that shows up monthly in EDUCAUSE Review. And given that this is EDUCAUSE's National, I thought we would try a podcast and just sort of see how it went compared to the usual printed form. But I've invited a guest, a longtime friend, Jack Suess, and Jack, would you introduce yourself?
Jack Suess: Hi, I'm Jack Suess. I'm the vice president of IT and CIO at University of Maryland Baltimore County, or UMBC as we like to be called.
Mike Corn: And what I thought we would do is, as you know, the column is an advice column. We'd encourage you to submit your own questions and topics there. If you look at the column in EDUCAUSE Review, there's a link to a submission form. It's anonymous, so you can ask embarrassing questions about your boss or your own organization. But I thought we'd just kick it off with a question someone had submitted a month or two ago that I hadn't gotten around to answering. So, Jack, this comes from Patch Me If You Can. People really enjoy the signatures on these questions, I've discovered. "In your view, is the biggest threat to higher education cybersecurity technical, organizational, or cultural? I think it's cultural on my campus, but I'm not sure if that is the general consensus or just my campus being a special snowflake."
Jack Suess: So I think that's a great question, and as I was thinking about the question as you were saying it, what struck me is it's all three. So this is CIO speak where we make the question more complex, but it really is around where the institution is at the present time. If you're at an institution that has one person doing cybersecurity right now, you're clearly resource constrained. And that may be that at this particular point it's more technical, or it's an organizational issue of not putting additional resources in at some places. I would generally say that where we are today, most of the time the technology can be solved pretty easily. There are vendor solutions, there are ways, and often audit and other things are sort of mandating certain technical solutions. The organizational and cultural are usually where you're going to find most of the challenges that come into play. And in that I would say that the hardest of those two is cultural, but cultural really also is integrated into organizational. You have cultural challenges when you haven't had an organization that's been able to build trust with what it's doing with the rest of the university. And so that's what makes the cultural challenges so difficult in through this.
Mike Corn: No, I agree completely. Technical challenges are, I mean, in my religion I trust engineers, and engineers build technology, and the only challenge we have with technology is affording it. So that's really not an issue. But you're absolutely right. The relationship between the culture of an organization and organizational issues, I have trouble detangling, because they are one and the same frequently. The one factor I would put in there, though, that Patch Me didn't ask about: I think it's important for CISOs and the people, whoever's leading security in an organization, and this goes to the CIOs who they usually report to, that they ask what their own role is in that culture. It's not one thing to go into an organization and say, oh, it has a negative view of security, so I'm going to change that. It's more what is your role, what is your sense of responsibility organization-wide. I've run into CISOs who feel their only responsibility is central IT because of the span of their control, when in fact I believe it's important for CISOs to recognize that they're not fundamentally technologists, they're organizational operators. They're coaching the organization in understanding risk, they're coaching their CIOs into understanding risk, they're helping move the organization along in its own sort of maturity and organizational growth. So it goes to that point you were making about culture.
Jack Suess: Well, to what you were just describing, I look at most organizational functions in sort of this capability maturity model sort of approach. And I think that what you describe as to where this CISO should be is when you're elevating the cybersecurity role up at the very highest level and your organization is moving towards that high level of maturity that you would hope to be seeing at institutions. But that takes time and that's a process that it's very difficult to go from low levels of capability to high levels with evolving through the transitions that you have to be making because trust, which is a key element of this cultural organizational dynamic, is not something that's going to be built in an incredibly short time. And so I think that one of the real aspects that CISOs and CIOs in a partnership have to be doing is especially how are they making connections with the academic units, with the colleges. We all sort of joke that often our problem where we have a one-off is going to be our computer science department. That's
Mike Corn: True.
Jack Suess: I've gone out of my way to try to be working with our computer science department, the group that focuses on cybersecurity. We hire a lot of students, we help them with workshops that they run for the students. We're sort of partners in working with them around how to be thinking about what they want to do, because they're going to be an important stakeholder on the campus. Often when you think about faculty, if a faculty member in computer science is talking about you in a positive way, that really sort of, that's the expert that's now giving you a little bit of trust that is coming from them, that yes, you're doing the right things. And I think that the process to get to where you want to get is really about building these relationships, building connections. And that really comes from not going in. If your first time visiting with people is going to be telling them what they can't do, then it's really hard to build a good relationship.
Jack Suess: You have to be starting with having to build that relationship early on around, well what do you need to do? How are you trying to approach research? What are some big things that you're working on? Take an interest in what they're doing professionally. And then over time you may get to a point where you can be then having the kinds of conversations, oh, this is something that we can't really allow. Do you have any ideas for how we might be able to do it within the risk context? And if they can't, you're engaging them in a conversation around this. And I think that's kind of activity is one that CISOs, you have learned over time to really be people who build trust and make connections. But if you're coming into this without that sort of capital, you're going to find that yes, cultural is one of the biggest challenges.
Mike Corn: And you're absolutely right. I'm so glad you used the word trust, because I mean organizations are collections of people and they're collections of relationships, and those relationships with those people are far more important than where you sit on an org chart or how much actual authority you have. I remember once getting a phone call from some random faculty member, this is years ago, going, I was told I need your approval to buy something. And what they meant is it needed to be reviewed by security. But I just put the phone down and laughed, because I didn't think I had the actual authority to buy a pencil in a role as a CISO. But I will say this is a difficult thing for people that are moving into immature organizations to figure out how to balance. I don't know whether it was a mistake or the right thing or just where I was in my career. Every time I've taken over a new security shop, it's been very immature and needed a lot of building from the ground up. And I have always in those circumstances erred personally on the side of we must do basic operations first. We have to get network monitoring in place and vulnerability detection and incident response. And I prioritized that over the kind of relationship building you talked about. And that was probably not a good balance to have.
Jack Suess: Well, I think that there are some first things first that you just have to have in place to be able to make change. But I'll tell you an example that goes back to 2005. So we were one of the first research institutions that set up a default deny on our firewall. And the way we were able to do that is I made my team build a mechanism that a faculty member could come in and exempt themselves or their machine from the firewall rules, and they could pick up specific ports. And my team said, well, why are you allowing them to do that? And I said, well, I'd rather have 6,000 machines that are protected and 300 that aren't than the other way around, where I've got 6,300 in that.
Mike Corn: Well, you're demonstrating trust in them to do the right thing
Jack Suess: At the same time, and we could be watching it and others. But I think that those kinds of skills really are the key thing that people need to be thinking about how they build as they try to do this. But to your point, doing some first things first with technology is really important. Another example, though, that I think is really helpful is talking about, you could talk about data security, but data security is really "what am I going to not allow you to access?" What I think is a much better way, and I actually did a talk on this in 2005 at one of the Cornell workshops.
Mike Corn: This is why we have you here, Jack.
Jack Suess: Yeah, well, it was about the fact that instead of talking about security, we should also be talking about privacy.
Jack Suess: Because when you look at the data that we're protecting, it's our students' data, it's our employee's data, it's our research data. It's all about protecting what we as a community feel is most important about either us or it's about the work that we're doing. And I think by focusing first on privacy and how we can be protecting data from that standpoint, that's a better message, which then can be leading into, well how can we do that better? What are the things I need to do? How can you help me do this better? That's a better conversation.
Mike Corn: I agree completely. And the way I like to inflect that, though, is in a world where every time you open the newspaper you read about the latest data breach, the latest this, the latest that, it's hard, it's easy to get cynical. It's hard to be optimistic about the world when it comes to data privacy. But in an environment where so much of what we do takes place out in the cloud, out in an environment that could be subpoenaed, that law enforcement agencies get access to, it can be snooped on by people in your own institution in some cases. I think it's important to get across the message that data privacy is a huge underpinning. It's part of the foundation for academic freedom. You can't do the kind of research and enjoy the benefits of academic freedom if you're worried someone is supervising or monitoring. Now, the word monitoring triggers everybody, and it's very nuanced, and it's probably more than we can get into here, but I really like this coupling between privacy and academic freedom as a way to underscore that when a security office or the privacy office is in there doing what they're doing, it's in support of that very basic mission of the institution.
Jack Suess: So one of the things that you mentioned, I've got a smile on my face because recently, so as background to the audience, many years ago I taught systems administration at UMBC. And so I ended up doing the Unix Systems administration class for a number of years. I cut my teeth doing technical work early on. And so I ended up giving up the administration of my Macintosh to our desktop support group because we were now going to use a product that was going to be administering it automatically and patching it. And I had to be able to say to faculty, look, I've given this up myself as much as I like to be able to do the latest and greatest, this is what's important for security. And oh, by the way, I actually realize now I probably wasn't updating my browser as often as I should have because I see that every other day I'm having to restart my browsers and this and that. And so I think being able to be leaders also means taking the first steps and making sure you're doing what you're asking others in the organization to do and talking about your experience of how you've been able to sort of persevere and make that work for you.
Mike Corn: And it's about being transparent about what you're doing. It's about getting out there and partnering with people. It's about just the other day I described it as when you're in these kinds of roles, you kind of have to speed date the whole organization because one of the things I love, and yet it's also a burden for cybersecurity, is I believe that the scope of cybersecurity goes far beyond the scope of the IT organization. It goes to the notion of trust in business processes. I know I've been involved with everything from law enforcement to fraud detection outside of any service it provides to privacy, to medical records. It is infinitely broad. And the only way you can build trust is to start to get to know all these different people around the university. You have to go to the faculty Senate and just become part of their milieu or else you're never going to develop that kind of trust.
Jack Suess: Well, and I don't want to embarrass you, but I follow your articles on Substack. And one of the things that I found that I thought was a great article, and I would say it's a great article also for CIOs, but it's especially true for CISOs because of the position, and it was the one about optimism trumps pessimism, so to speak. And I think that often CISOs, because the nature of the world is such that the fact that you weren't breached today or that you didn't have a major phishing attack or that something bad didn't actually happen, no one is going to come up to you at the end of the day, oh, congratulations, we didn't have that today. That doesn't happen. And so it can make people feel like, oh, I'm always, I have to be negative and dour in through this. But I actually think that it's important, even more important for CISOs to be optimistic. And one of the things that I think is important is that if you're optimistic and if you're thinking about where you need to go to get the institution into a position to be able to have a secure world, if you can be talking about that with people, that these are the steps over the next few years that we need to be taking, and if we do that, we're all going to be in a much better place
Jack Suess: And we'll be able to have more flexibility to be able to deal with the fact that there's going to be new security requirements that are coming up constantly. If we can build a compliance program that is flexible, adaptable, that can move quickly, we can be able to be meeting whatever opportunities arise and we can also know that we're able to be adapting to new threats, new challenges. AI is one of them that you need to have in order to be able to maintain that level of security at your organization. And I think that's a powerful thing for CISOs to be talking about because people don't expect you to be optimistic. And if you can be positive and optimistic, I think it makes a difference. The other thing I'm just going to add to what you've said is I don't think we talk about stories enough and we relate some of what we're trying to do to people.
Jack Suess: And I was meeting with our, we have a student-run SOC, and they have been doing amazing work. We've been having these phishing attacks that have come in, and they've been just knocking them out really quickly. And what I talked to them about is I thanked them, and I talked to them about the fact that two years ago, before we had sort of built this up and had this playbook, we would've found out about the phishing attacks when people reported it, reporting it to the police. And I was there to see the damage that for some of these students, they were losing whatever money they had in their checking account.
Jack Suess: And so now they didn't know how they'd make rent or they didn't know they'd have this. And I talked to the students and I said, you're helping our other students. You don't realize it, but you're making a difference by helping to protect them and the fact that you're doing such a good job and that we're able to be sort of abating these things, that means a lot. And you should be happy and you should be positive about the fact that your work is making a difference.
Mike Corn: That's wonderful. And it is true. It can be very hard to remain optimistic when you deal with problems and failures of technology. Human failures, crime every day. It's exhausting at a certain point. For me though, the arc to optimism really starts when I started to understand how modern science works to be perfect for my journey on this is I grew up like many people believing, oh, there's the Einsteins, the Newtons of the world, right? The Jane Goodall. But the reality is that modern science is this collective effort and aggregation of work by thousands of people, millions of people, most of which you'll never know their name. Even if you try, you can barely track down these people. And it's that collective success that bends that arc of society in the right direction. And I think the same is true at our universities. When you're dealing with cybersecurity, it's not good enough just to have an excellent SOC or an excellent firewall.
Mike Corn: You really do need a prepared and aware workforce to get you to where you need to be. And that doesn't mean we just double down on more kind of ineffective security awareness training, but it's at every level. You need your staff that are seeing the big picture of what they're doing. You need the non-IT staff contributing and being aware. You need the end users at every level contributing to this sort of cohesive posture of resilience. And I think there's a lot to be said there. I mean, I look at even organizations like EDUCAUSE as manifestations of this. It's that common good, everyone working together, that allows us to succeed. It's hard for me to imagine professionally where I'd be if it wasn't for the fact that I had peers I could work with and talk to and learn from. And I find all of that a source of optimism personally.
Jack Suess: Well, as two people who have been trying to sort of build the cybersecurity community over the last 25 years, I couldn't agree more. And that's probably a good place to end. It
Mike Corn: Probably is. So I want to thank everybody for tuning in, and please check out the Hotline every month online, and thank you. Thank you, Jack.
Jack Suess: Thank you, Mike.