John O'Brien, EDUCAUSE CEO and President, talks with Mike Corn, CISO for the University of California San Diego, and Cheryl Washington, CISO for the University of California Davis, about the increasing relevance of the Chief Information Security Officer role.
John O'Brien: Welcome to our community conversation about cybersecurity. I'm thrilled to welcome Cheryl Washington, a new member of the EDUCAUSE board and the CISO at University of California, Davis, as well as Mike Corn, CISO at University of California, San Diego. Welcome to both of you. So Cheryl, you are the first CISO on the EDUCAUSE board ever, which is a big deal for us. It seems, kind of, like a milestone and really firm evidence of the way that the stature and influence of CISOs in our community is growing. What does it feel like on your end of things?
Cheryl Washington: A lot of pressure, no. It actually feels like the right move, at the right time, for all the right reasons. First, I appreciate the board having the confidence in me and inviting me to join. I also think that, given the growth and importance of cybersecurity across our communities, it's a clear signal to me and to others that all of us are beginning to see the significance, importance and relevance of security, and of having conversations, not just within the IT communities but across the organization. I think the appointment of a CISO on this board, and I dare say any board, in my opinion, reflects the need for these conversations to be had at levels that, perhaps, traditionally they were not had, that is, at the leadership level. It is really important for leadership and members of that community to be actively engaged in cybersecurity.
And so, this appointment, I hope will not be the last but rather, a strong indicator that organizations, particularly those of us in higher education, should look to see where we best position the security officers across the board and make sure that we're having active, engaging conversations with these individuals. We're seeing, in the last few months, some real challenges on the cybersecurity front, not just within higher education. It's clear that these discussions must take place and you don't want to wait until you're in the midst of an incident to begin a conversation with your security officer. So, I think this appointment, again, was the right thing to do, at the right time, for all the right reasons. And I thank the board for having, at least, the foresight to look into the future and ask itself, where can we and should we place the security officers and where can we begin that discussion?
John O'Brien: Michael and Cheryl, when I think about the last year, everybody's job is hard, there's not an easy one in the mix. But I have to admit, when I think of the responsibilities of a security officer, it really makes my head hurt. I think about the fact that, your job before was, sort of, focused on protecting the perimeter, now the threats come from everywhere, including or especially, at the homes, where people are working. And then, meanwhile, on top of just the hard job of protecting us, you're always balancing this expectation that higher education is going to be this, sort of, reckless and free exchange of ideas. So, how in the world do you balance that, even on a daily basis? Michael, why don't you start.
Mike Corn: There are several dimensions to it that I think are worth talking about. And I do want to pick up, for a second, on Cheryl's response about her being on the EDUCAUSE board because I think it feeds into this. First of all, I couldn't be happier that Cheryl was put on the board. I mean, she's someone we all respect, nationally, within the UC system and as a colleague, I'm tickled pink. But one of the challenges I think we as a field face is, that C in our title, I think many of us took that to mean we were campus executives and yet, I don't think we often act like campus executives. I think, too often, we're too director of security-ish and not really engaged in that C-suite level discussion of risk. And this is why it's so important to see Cheryl in this position. But this also feeds into the question you asked: what we are doing these days is no longer just securing our perimeter or securing endpoints, we're part of the national discussion about cybersecurity and national security and business continuity for the country.
We just saw an oil pipeline shut down, people are hoarding gasoline. This is a conversation we need to be part of. And it's both exciting and challenging. Now, you layer on that the fact that everyone's remote; on my campus, the number of active IPs on the campus is half what it was before COVID. So, the scope of our jobs has changed. And you asked, sort of, how we deal with this problem, that's a really great question. I don't have any magic bullet there, other than, I think, CISOs have to be good at compartmentalizing stress and risks. If I let myself get wrapped around the axle on the risks to the institution, which frankly, with issues like ransomware, are existential risks (they're not really just about the loss of data, business continuity is at risk here), I would never sleep and I'd look a lot older than I am. I don't really have a magic bullet for you here, it's just something people in our jobs have to learn how to deal with, it's a very personal equation, I think.
John O'Brien: Mike, before Cheryl answers, I'm sort of hearing you talk, I just want to ask, are you teaching the university how to manage risk?
Mike Corn: I think that actually is a big part of our job. When you see a lot of CISOs sit down with their leadership, they'll talk about things like patching or compliance with policy. The leadership doesn't want to talk in those terms, they look at us as the manager for that problem, they expect us to take care of it. But you do have to, when you put together presentations for your board or your boss or your boss's boss, the cabinet, you have to find a way to talk about risk that bridges the world they operate in, which is an enormous register of risks that our leadership deals with, and our risks. And that's actually a very hard part of the job but I think that's required, if you're going to keep that C in your title.
Cheryl Washington: I'm going to pick up and say, I strongly concur. That last segment feels, for me, to be a huge part of my job today, operating in that space we call risk management. Walking a little bit backwards, as of late, I've started to think more and more about work life balance. The job is, without question, far more stressful and it's not stress that is manifesting itself just because of what's happening on my campus. As Mike pointed out, I have to think a lot more globally today than I had in the past. I think about my university, I think about our health system, I think about our system, that is the collective University of California system, I think about what's happening in the state, I think about what's happening in the country and I also think about what's happening geopolitically, and all of these pieces have to come into play as I think about the maturing of our programs and the threats that we face today or that we may face tomorrow. So, Mike is spot on there as well.
So, how do I address this? Collaboration. I am absolutely convinced that there's not a single CISO in the world who can do it all by him or herself, it's just too big of a job. And I think one of the advantages that we have, particularly in higher education, is this ability to be open, candid and want to talk to one another. I tell my colleagues and Mike has heard this a lot from me, particularly as of late, because he has some fantastic programs, I'm going to steal what you have and I'll adapt it to my institution's needs. So, I'm not trying to invent or reinvent the wheel every time I'm faced with a new challenge. So, that's one tactic that I take to continue marching towards my objectives and goals and that is to protect this institution. We have some advantages and, I think, through our organizations, EDUCAUSE brand and others, we have forums where we can have these conversations very openly with our colleagues and try to find that path forward for us but there's no question, this is a tough job.
John O'Brien: I've been saying for years that, in higher education, one of the facts of life is that we can do more together than we ever can do by ourselves. I can't think of an area where that's truer than cybersecurity, where we're always running to catch up, never caught up, because the threats change so dynamically. Could you talk about some of the partnerships and the collaborations that have meant the most to you as you try to do your job in this challenging environment? And why don't we start, Cheryl, with you.
Cheryl Washington: I'll get a little into the weeds with this question, because I think it's an important one and it may even lend itself to newer CISOs trying to find their way. The EDUCAUSE working groups, in particular, for me, perhaps the one that stands out the most is what we call the GRC working group or the governance risk and compliance working group. As we stated at the very beginning, a lot of what we do, at least what I do, is manage cyber risk or manage risk. And through that forum, I was able to talk with others who are in the same boat and because our institutions have maybe some subtle differences, as well as a lot of commonality, I can put an issue or a challenge on the table and someone can raise their hand and say, I've gone through this or I've worked on something similar, or I know someone who's worked on a very similar challenge. And so, through that forum, I was able to build relationships with others.
In fact, one of my dearest friends, Kathy Hubs, as you know, was a co-chair of that group once upon a time. And she and I have been partners for almost a decade or longer, because we met in that forum and we were able to share thoughts and ideas with one another. From that kind of engagement, you then start to develop these intimate, more personal relationships with colleagues. As Mike pointed out, at the onset, he and I work together very, very closely, perhaps more closely because we know each other, we trust each other. And so, through these engagements, through these forums, through these working groups, you begin to build these relationships with individuals. I can pick up the phone any day of the week, call Kathy or Mike and say, I am really, really having a hard time with this issue, what do you think? And they will frankly tell me, Cheryl, you're way off base here, or here's what you might want to do, or here's someone you want to talk to.
So, that's one group that I think really helped propel my career. And I believe that because of the work that it does, that focus on governance risk and compliance, it's made me an officer who is, again, more focused on looking at the broader picture than continuing to align cybersecurity with solely IT, which is something that we do see in some areas and some arenas.
Mike Corn: I couldn't agree more with Cheryl. This is a theme you're going to hear a lot today, I think. She mentioned the EDUCAUSE working groups, I've been involved with many of those over the years, Internet2 has groups that we've worked with. But there are a couple of other things that, sort of, build off what Cheryl said, it's the ability to form partnerships with people. So, I've engaged with colleagues on peer mentoring. Hey, why don't we get together once a month and do a mentoring exercise where we're talking to each other? I've had mentees through the EDUCAUSE program and just other people that have contacted me. And then, when you get to know people, as Cheryl said, you often start tackling a problem together.
Many of these partnerships have led to presentations at places like EDUCAUSE. Those partnerships are terrific. Not only are they good for you professionally, in the sense that they build your resume, but as Cheryl said, those conversations, where you can sit around and go, I'm really stuck. Or even now, and I've been doing this a long time, I have a really strong opinion about something and how to do it, I'll just lay it out for someone like Cheryl or my other colleagues in the UC and they'll go, boy, are you wasting your time, or you're really stuck in the way you did it 10 years ago. It's that relationship building, I think, that is the heart of what makes these collaborations work.
John O'Brien: Are there any partnerships or collaborations that you think are especially urgent for under resourced institutions that are clearly struggling with resources generally, but in particular, around cybersecurity?
Cheryl Washington: We may have to think outside of the box when it comes to helping provide support for institutions who are smaller than R1s. Maybe a team of one, and I still see that, much to my dismay. I think that there are opportunities for individuals who represent those types of institutions to find that place, that meeting place, where they can walk up to someone like a Mike and introduce themselves and take it from there. That has happened to me more than once. And I think, absent being able to attend the grand meetings or big meetings, you have to find that path, find that person, find that forum. And they exist, believe it or not. There's a wealth of meetings, conferences, events, where security officers converge, it's just simply a question of introducing yourself or raising your hand and saying, I'd like to talk to you, have coffee with you, meet with you after hours, and make that happen.
Mike Corn: The other thing I would suggest is, especially at the smaller institutions, we do have a tendency, especially at the larger schools, to do it all ourselves and that really reflected, sort of, how the field grew. When I started in security, only the largest companies could even think about outsourcing a security function. And nowadays, there's a huge and rather mature market of third-party services that will do core security functions, from SOC to incident response, although that one's harder. Your network monitoring, especially for the small institution.
I worked for a few years at a small private, in addition to working at two very large R1s. And I got to tell you, the portfolio of the security office there was identical to what it is at my gigantic institution now. And there was no way they were going to hire a staff as large as I have here and I have a relatively small staff for a large institution. So, we have to stop this culture of, we're going to build it, engineer it, staff it, all internally. I think we really have to think hard about looking outside of ourselves and realizing, a lot of security operations are becoming commodity services.
Cheryl Washington: You can't build it by yourself, I'm going to be perfectly blunt. What we do, our space, our series of objectives, is too broad. And anyone who believes that they can, please give me a call, seriously, it just can't be done. But equally important, I do think that, if you're still a team of one, Mike mentioned something that I think we should also spend a moment or two talking about, mentorship. It's really important that, if you really are that small or that new in the security space, that you find a mentor who's willing to work with you. A few years ago, I was a member of the Hawkins Roundtable. A young man was assigned to me as a mentee, he and I have been in a mentor mentorship relationship for the longest. I've watched him grow, I will continue to mentor him as long as he needs me. There are places where you can find a mentor in this space we call cybersecurity and I would strongly encourage, if you need one, reach out and find one. We're out here.
John O'Brien: Cheryl, I would be remiss if I didn't say that we just launched an EDUCAUSE mentoring platform and that would be a great place for people to start. Go put together a profile, either to be a mentor to others or to find a mentor, or, as many people do, both, because we're all works in progress. We've got some things nailed, other things we're still working on and looking for help. So, check out the EDUCAUSE mentoring platform, I would say.
Mike Corn: Let me say something about the REN-ISAC. The REN-ISAC, it's the Research Education Network Information Sharing Organization. And I view it as one of the most foundational pieces of the professional community in higher ed. It's a terrific place to form the network of contacts that we've been talking about, they provide a lot of terrific services around threat intelligence, threat sharing. And operationally, everywhere I've worked, the staff have lived on the REN-ISAC, either mailing list or discussion forums. It's such a terrific example of how groups of people work together and share information. I'm not sure all of our attorneys would be thrilled at how much information we share across institutions but it's really hard to say enough positive things about it.
John O'Brien: Among the many threats and opportunities that we're looking at, more now than ever, is around cloud operations and services. As we become more reliant on cloud, we also have more vulnerabilities. The EDUCAUSE Horizon Report, the 2021 edition, focused on information security, talks a lot about cloud and dependency and raises this as an area needing attention. What do you think campuses can do to deal with this opportunity more effectively?
Cheryl Washington: The report that you referenced is spot on. We do have both opportunities as well as challenges as we continue our march toward all things cloud, and I say that precisely, with intent. I see more and more of our organizations transitioning their infrastructure, their services, their systems, you fill in the blanks, into the cloud arena. On the one hand, I understand it and I get it and it makes a high degree of sense. On the other hand, I want individuals and organizations to walk into this new space with their eyes completely wide open. The cloud is not Nirvana, it's not the panacea, it's not going to solve all your problems. Certainly, if you look at it in one dimension, there is perhaps a cost savings; on the other hand, as you are alluding to, there are some security risks associated with a transition to the cloud.
And I would suggest that there's another dimension that I don't see enough organizations paying nearly enough attention to and that is, what happens when you need to leave this partnership with your cloud provider? I won't spend the rest of our hours or days talking about all things good or bad about the cloud but what I would say is this, develop the most holistic concrete plan you can imagine when you engage with a cloud provider. Don't look at it just as a cost savings or a way to move your infrastructure from on-prem to off-prem or to find ways to save money, which is often what I hear, this is going to save us a lot of money. Maybe, maybe not. Think about the other dimensions, ongoing support and services. And to your point, John, your cloud provider is much like us. They have their own set of threats and vulnerabilities and issues to grapple with.
That transference does not mean that that's a full transference, there's liability and associated issues with that relationship that you, as the owner of that information, must be aware of. Make sure that you have an action plan, a remediation plan, or some plan, that addresses your role and responsibilities with respect to that infrastructure, even though it's sitting in the cloud. And then, I would also dare suggest that, keep in mind that maybe one day you might want to leave that relationship. What is your exit strategy? How do you plan to make that transition to either another provider or back home? And I am seeing some organizations grapple with, how do I get myself from the cloud back to on-prem? What do I do? A lot of questions, a lot of answers yet to be uncovered and put on the table.
John O'Brien: Mike.
Mike Corn: Let me focus more on the opportunity here. Cheryl's absolutely right that there are a host of the same security issues, new security issues, the data life cycle issues with the cloud. But what excites me about the cloud, and I dare say, I don't think most of us are embracing this, so let me just say that. The cloud represents the first opportunity, I think, and probably the only one in my career, for a true paradigm shift as to how we do a lot of security. So, if you take a very cloud-centric, cloud-focused, cloud tool approach, microservices, systems as software, it creates new opportunities for controlling a lot of traditional security concerns in a very different way.
So, for example, some of the most cloud forward companies don't worry about patching. What they do is, they maintain gold images of their machines and then they blow their entire infrastructure away and rebuild it from scratch every couple of weeks. That's brilliant. But what most of us are doing, mostly because we're figuring our way through this, is we forklift our traditional network and our traditional systems and our traditional data center into the cloud. So, yes, we're gaining some opportunity there for resilience and speed of addressing, a little more agility in system management, but we're also bringing all those security problems with us. And I think if we really look at the cloud as a different way of architecting our systems, there's a huge benefit for security. I just don't think most of us have the luxury of really embracing that aggressively.
Cheryl Washington: To Mike's point, think creatively but think holistically, to my point. And so, we're suggesting that we have to consider the cloud as a new frontier that requires maybe a slightly different way of approaching cybersecurity.
John O'Brien: One of the tools I hear a lot about is the HECVAT and I'm curious how you've used the HECVAT to manage vendor risk. And I should say that, the HECVAT stands for, the Higher Education Community Vendor Assessment Tool, which is truly the worst acronym ever. I've sometimes described it as an acronym only a mother could love. The good thing is, it's easy to Google. So, could somebody just talk about how the HECVAT can be used to manage vendor risk?
Cheryl Washington: As Mike knows, my institution has a fairly robust vendor risk assessment program, excuse me, not enough coffee this morning. And core to that program are both HECVATs, the HECVAT Full and the HECVAT Lite. It is an extraordinarily important instrument that we use to assess vendors. It's quite useful, it still needs just a little bit of minor tweaking here and there and we add or subtract questions as we deem fit. I think one of its important advantages is that it is so widely understood, maybe not widely used but widely understood, that when another campus asks my campus for a HECVAT, we're able to share it. That saves that second campus a great deal of time in looking at a new vendor, in the sense that we've done some of the heavy lifting for that second campus. And so, they can take this instrument and either look at its values or responses and make some determination for itself. Or in some cases, they may ask us for a copy of our analysis of that same instrument.
I think it's one of the central instruments that allows the institutions across higher education to not only save time but also to leverage, collaborate on and support each other's work and need to assess vendors. The assessment of vendors, the whole supply chain management issue, is not going to go away. So, we're going to need tools like the HECVAT and other similar tools to help us all get our arms around supply chain management. So, the short answer to your question is, it's absolutely essential to our vendor risk assessment program. The better answer is that it allows what we do at Davis to be shared with other institutions. And if you were to ask me what my wishlist would be, it would be to create an exchange, which I think EDUCAUSE is attempting to do, where we can go into this exchange and pull HECVATs so that we can save even more time on getting through the whole VRA process.
John O'Brien: What are you most uniquely proud of, over this most difficult year for people working and leading in the area of cybersecurity?
Mike Corn: If there has ever been a period of time where the significance of technology and your IT organizations have played a bigger role in the mission of the institution, I can't imagine it. I mean, we moved 30,000 faculty and staff off campus. Patient care kept going, teaching kept going, remote work kept going and security played a role in that. But my goodness, if anyone thinks IT is just a cost center in your organization, I think they're living in pre-COVID times.
Cheryl Washington: Yeah. I completely agree. 2020 and parts of 2021, extraordinary times. What I saw us do, and I'll localize this to the cyber community, was extraordinary heavy lifting, extraordinary work. To transition organizations of our size into a remote workforce and keep the lights on and contend with plans to bring individuals back to campus, almost in the same space, that's an incredible feat. And I can't say we've done it because we still have a lot of work to do but we were doing it.
John O'Brien: There have been some bright spots during this interesting and difficult period of time. One of them was, the quick poll we did in 2020 that showed a really substantial increased appreciation for the work that IT professionals do. Have you seen a similar change in your universe?
Mike Corn: I definitely have seen a response like that. The leadership of the university recognized what it took to move to the remote work. And more than remote work, I think it was the remote education. The continuity of education through this has been astonishing and I think the leaders recognize that it's pretty heroic what we've done. And so, I know we feel like that's been recognized by our leadership and is greatly appreciated.
John O'Brien: I think we've got tons of great stuff. I think I'll just say thank you to both of you, this has been a great and really important conversation to have in our community. So, thanks for joining me.
This episode features:
Mike Corn, Chief Information Security Officer, University of California, San Diego
John O'Brien, President and CEO, EDUCAUSE
Cheryl Washington, Chief Information Security Officer, University of California, Davis
Governance, Risk and Compliance Working Group