Technology Evolution: A Higher Ed CISO’s Journey From Concept To Reality…
Bob Turner became the Chief Information Security Officer and Director of the Office of Cybersecurity at the University of Wisconsin-Madison in 2015. He leads a high-performing and growing team that includes the Governance, Risk Management and Compliance, Incident Response, Security Testing and Cyber Defense, and Common Systems Cybersecurity domains. His office also facilitates IT Policy and Cybersecurity Awareness and supports the university’s data governance organization. Prior to this role, Bob was a Senior Associate with the consulting firm Booz Allen Hamilton for 13 years. His first career included 23 years serving in telecommunications and information systems roles in the U.S. Navy, covering enlisted and commissioned service in technical, operational, teaching, and leadership roles, with his last six years as Officer in Charge of executive staff communications centers.
About four years ago, my Chief Information Officer asked me, “What do we need to prevent what’s happening to our peer institutions?” No doubt, this question came from a place of increasing angst resulting from a significant increase in universities reporting data breaches, denial of service attacks, and malware infections over the previous six months. Having spent the better part of that time (which was also my first six months on the job) looking at what people, processes, and tools we had to counter the potential cybersecurity evil in this world, the answer was simple – PREVENTIVE TECHNOLOGY!
We also needed a better way to view the entire campus IT landscape, a unified understanding of risk, and total cooperation from a widely distributed group of IT experts. In addition to the central IT organization, much of the responsibility for keeping the information systems going and providing support for the diverse academic, research, and administrative needs of the university fell to around 150 different IT teams (some of which were a team of one). Oh, and the campus operated in an austere funding climate.
No problem, right? Everyone else is doing it, right? After all, cybersecurity is easy, right?
Back then, the cybersecurity playing field was a bright shade of green. We had people who knew their own jobs well and were eager (a slight CISO overstatement) to take on the challenges of incorporating new concepts, processes, and technologies into what was a well-running machine – at least a machine that had not broken in the same way other universities had experienced. What we needed were entry gates, boldly colored foul lines, and yardage markers.
Many CISOs will tell you that cybersecurity is mostly human – but it takes a well-developed strategy, strong networking technology and hardware knowledge, and the ability to manage a diverse set of information technology applications and appliances to win the cyber war.
With the help of several IT leaders and a very intense group of technologists, we set out to tackle the formative issues. People, Processes – then Tools!
Overarching people issues are perhaps best addressed in a separate article … likewise with process development, rationalization, and application. Understanding a base level set of processes was important, as was the need to ensure we did not have technology driving the re-engineering of the end-state business process.
The best technology solutions are generally something other people have tried. My experience is that few CISOs choose to be the first adopters unless there are multiple backups in place. In our case, we had firewalls in service, but not ones that easily supported protection features like analytics that blocked bad URLs, or traffic inspection with prescribed actions that blocked malicious activity before it detonated at an endpoint. We also had endpoint tools in place that detected malicious activity and made limited attempts to stop the “conditions of weirdness.” We had a collection of open source tools that gave us some of the capabilities found in a Security Information and Event Management (SIEM) suite, though we lacked the capability to orchestrate activity in real time or effectively display information about that activity.
Moving forward presented several challenges. First, the business case had to be defined in terms that executives, managers, operators, and technicians could understand. Next, the individual use cases needed to encompass the needs of a widely diverse organization. Finally, we needed to show the total cost of ownership that included recurring costs (i.e., licenses, hosting, training, etc.) and transition costs (e.g., surge labor for installation teams, overtime, additional parts and services).
Creating a team to focus on the non-equipment issues like policy and standards was one way we dealt with the diversity in use cases. Labeling the project “Advanced Threat Protection,” we established a cross-discipline and multi-business-unit working group to sort out and propose resolutions for issues like schedules, policy for next generation firewall contexts, training and certification requirements, and determining key evaluation points with reasonable metrics for success and effectiveness. From my CISO perspective, having technically savvy team members and strong co-leaders that represented both the Cybersecurity viewpoint and the distributed IT Service teams was the key to our current success. While this approach may not work in every situation, it was tailor-made for higher education, as collaboration and cooperation are the strengths we have plenty of.
We divided the work into 17 initiatives, some standing alone and others linked in a way that brought several initiatives into better focus. Presenting these business cases was aided by my CIO working closely with university leadership, helping to translate the CISO speak into the right language that business and academic leaders understood. It was also helpful that we did our total-cost homework well enough to present a balanced picture. This was a significant factor in approving the initiatives, which combined capital expense with operating expense and forecasted requirements out for five years. For technology, we focused on hardware, licensing, and ongoing support requirements for on-premises and off-campus (or cloud) components. For people, we included reasonable salaries, onboarding expenses (e.g., computing environment, travel and training, and ramp-up time), and the cost of additional help from other teams. For process issues, we inserted time to develop the right changes or new policy and procedure, and we hired a Program Manager to keep us on track.
So here we are. People are onboard, training is in progress, processes are solidifying, and tools are installed and undergoing the necessary tuning and testing. Along the way, the University published and annually updated a broad Cybersecurity Strategy, developed a cybersecurity risk management program with a comprehensive policy and implementation framework, increased and improved security awareness, and built a Cybersecurity Operations Center. Toward the end of 2018 and through the first half of 2019, the Office of Cybersecurity team grew to 45 full-time staff and 23 student interns who keep watch over 34 major academic, research, and business units operating on a complex 100GB campus network. On a daily basis, the team assesses risk on a broad technical spectrum that includes thousands of information systems and applications. They also run 25 cybersecurity “plays” each workday to evaluate services and security controls. The team is ultimately responsible for cybersecurity controls that protect the information for 34 divisions (schools, colleges, and institutions) which includes approximately 43,000 students, 22,000 staff, and thousands of affiliated researchers, vendors, and other network users. Now, we are working on showing how we turn these people, processes, and tools into an organization that is not only risk aware, but adaptive in how we address cybersecurity across the enterprise.
Successful cybersecurity programs are core to the business and never exceed the value of the information and systems the program is designed to protect. At the University of Wisconsin-Madison, we are adding value by living our State Motto – Forward!