According to Educause’s “2016 Top 10 IT Issues,” information security is the No. 1 issue facing college and university IT departments. Learn how Virginia Tech’s CISO deals with the constant threats of being hacked.
Having a Chief Information Security Officer (CISO) or the equivalent function in an organization has become a standard in the business, government and non-profit sectors. With more than 80 percent of large organizations employing a CISO, we thought it would be interesting to interview CISOs across a wide array of institutions, with varying certifications and backgrounds. The first CISO featured in our new A Day in the Life of a CISO series is Randy Marchany.
Randy Marchany is Virginia Tech’s Information Technology Security Officer and the Director of the Virginia Tech IT Security Lab. He’s been involved in the computer industry since 1972, before the terms CISO, cyber threat and firewall existed. Randy is a co-author of the FBI/SANS Institute’s “Top 10/20 Internet Security Vulnerabilities” document which has become a standard for most computer security and auditing software.
As Virginia Tech’s IT security officer, how would you describe your role?
We are responsible for the data protection and security of a “small city” comprised of various business operations. Our campus includes retail outlets such as bookstores and dining facilities (credit card data), research centers (patents and intellectual property), HR functions (payroll), law enforcement, power and energy systems, plus day-to-day financial transactions (accounts receivable, purchase orders) in addition to responding to general cyber attacks and probes directed at university computer systems.
On top of the wide array of business centers, universities function as a commercial ISP to thousands of students and professors who use their own electronic devices over our network. Students can download anything to their computers over our network. Professors conduct online research and upload proprietary data to our servers. University staff needs to be able to freely connect with domestic and international students and businesses. As a result, my team’s role necessitates a cyber strategy that protects data and privacy across multiple channels and allows students and staff to conduct day-to-day functions.
What are the main threats and dangers universities face?
The biggest threats are IP theft and sensitive data breaches. Historically, hackers tried to gain access to university computers and use those computers to attack other websites. They used to follow a hit-and-run strategy. Today, hackers seek to maintain a presence on our network and gather sensitive information. We also see more attacks coming from other countries and these attacks are much more systematic and persistent.
Professors and graduate students are continuously conducting proprietary research, some of which is protected by government regulations. Each year, the federal government grants billions of dollars for research and development (R&D) to universities across the country. We strive to protect all of our university research and IP but fiscally funded R&D requires additional security measures. Some of these measures include physical security, increased security for email relating to research projects and compliance with federal security requirements such as NIST 800-53 and NIST 800-171 (Controlled Unclassified Information).
Student data and educational records are also protected by law. The Family Educational Rights and Privacy Act (FERPA) protects the privacy of student education records. FERPA defines what type of data is classified as “directory” information. This includes data such as email address, house address, phone number and student class status. The law applies to all schools that receive funds under an applicable program of the U.S. Department of Education. FERPA gives parents certain rights with respect to their children’s education records. However, these rights transfer to the student when he or she reaches the age of 18, which can be frustrating to some parents whose child denies them the right to access.
How are universities handling the uptake in campus hacks?
The strategy of trying to prevent hackers from successfully gaining access to internal systems and networks across industry categories has failed. Years ago we introduced firewalls to protect our borders and hackers figured out how to break through. Now we operate a continuous monitoring strategy which assumes someone has already hacked our network and we use network security and monitoring tools and processes to hunt down compromised systems inside our network.
Since we have a BYOD (bring your own device) policy, the university acts as an ISP to thousands of individual devices (e.g. tablets, phones, computers, etc.). Therefore, we have moved from the strategy of protecting the devices to protecting the data stored on the devices. In the “old days”, the network border or firewall was a clearly defined entity. However, with wireless networks, the protective border is now the individual machine.
Our strategy also focuses on monitoring outbound network traffic and using external threat intelligence services to determine if this traffic is headed to suspicious sites on the Internet. Traditional network monitoring focused more on inbound traffic. Hackers started using techniques such as phishing where the user receives an email asking them to click on a link inside the email, or infecting ads that are displayed on commercial web sites.
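One way to implement the outbound-traffic check described in this answer, as an added example that is not part of the interview or of Virginia Tech’s own tooling. The campus address ranges, the indicator feed and the log format are all constructed here; a real deployment would pull indicators from the external threat-intelligence service and read flow records from the network sensors.

```python
import ipaddress
from dataclasses import dataclass

# Constructed campus address space (assumption, not the university's real ranges).
CAMPUS_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]

# Constructed threat-intelligence feed: domains are matched by suffix, IPs exactly.
INTEL_DOMAINS = {"bad-ads.example", "phish-login.example"}
INTEL_IPS = {"203.0.113.7"}

# Constructed outbound connection log: "timestamp src_ip dst_ip dst_port dst_host"
SAMPLE_LOG = """\
2016-03-01T10:00:01 10.1.2.3 198.51.100.10 443 www.example
2016-03-01T10:00:05 10.1.2.3 203.0.113.7 80 -
2016-03-01T10:00:09 10.4.5.6 198.51.100.22 443 cdn.bad-ads.example
2016-03-01T10:00:12 10.4.5.6 10.9.9.9 22 -
2016-03-01T10:00:15 192.168.7.8 198.51.100.30 443 notbad-ads.example
"""

@dataclass
class Alert:
    timestamp: str
    src_ip: str      # the campus host that should be hunted down
    indicator: str   # which feed entry it matched

def is_outbound(src: str, dst: str) -> bool:
    """True only for campus-to-Internet flows; internal traffic is not in scope here."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in n for n in CAMPUS_NETS) and not any(d in n for n in CAMPUS_NETS)

def domain_hit(host: str, intel_domains=INTEL_DOMAINS):
    """Suffix match on label boundaries: 'cdn.bad-ads.example' matches
    'bad-ads.example', but 'notbad-ads.example' does not."""
    host = host.lower().rstrip(".")
    for d in intel_domains:
        if host == d or host.endswith("." + d):
            return d
    return None

def find_suspicious_outbound(log_text: str, intel_domains=INTEL_DOMAINS, intel_ips=INTEL_IPS):
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, _port, host = line.split()
        if not is_outbound(src, dst):
            continue
        if dst in intel_ips:                       # destination IP on the feed
            alerts.append(Alert(ts, src, dst))
        elif host != "-" and domain_hit(host, intel_domains):
            alerts.append(Alert(ts, src, domain_hit(host, intel_domains)))
    return alerts
```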
What skills does one need to be successful in cybersecurity or as a CISO?
There are at least three critical skills you need to be a successful CISO:
- Communication skills, or what we call “geeks who can speak.” As the CISO of Virginia Tech I give many presentations inside and outside the university. I need to be able to talk about complicated information and tech topics to low tech audiences as well as high tech audiences. I also need to formulate and communicate strong business arguments to convince upper management to spend money on technology and security initiatives.
- A technical background is critical. You need to be able to talk to your tech team and understand what they are facing in the trenches. If you don’t understand the technical aspects as to why your team is unable to solve a problem or why your team needs more time and resources then you and your team will not be effective.
- A basic understanding of business operations is also important. Knowing how corporate finances are calculated and how to prepare a budget can go a long way. Plus, no matter what type of company you work for, you need to understand the business process first in order to create an effective Information Technology security program.
What advice would you give to people starting their cybersecurity careers?
- Find a good mentor. I was very lucky. My boss was my first mentor and he was a terrific manager. If you can’t find a mentor on your team or within your company, reach out to organizations such as Educause, which offers a mentor program.
- Don’t be afraid to fail. You are up against highly skilled elite hackers from nation states. You are going to lose a couple of battles so learn from your mistakes and ask yourself, “What did I learn from this hit that will help me prevent another hit in the future?”
- Learn the business processes of your company. Understand how the various departments function and interact, plus why processes operate the way they do. Companies are in business to make money. And often security is viewed as an impediment to making money. CISOs need to work around the business model and incorporate security practices into the business process.
- Build a network of key players in your organization. Establish relationships with colleagues higher up on the organizational chart who get things done and are well-respected.
How do you see the CISO role evolving over the next 5 years?
- The CISO position needs to be elevated to the management team. The scope of the CISO’s authority in organizations is wide and needs to be higher up. In my job, I report to the university CIO, who reports to the President of the university.
- The skill set required to succeed as a CISO will become more balanced in terms of policy development skills, communication skills and tech skills. Currently, I believe CISOs are more skilled in policy making vs. technology. I came up through the tech ranks and then I started writing university policy 10 to 15 years ago. I think it’s easier to start by acquiring tech skills and then learn how to write policies and make management presentations.