3 university CISOs changed focus, not strategy, amid pandemic
Organizations had two options at the beginning of the pandemic: lose productivity and business or sacrifice security. The former was the most obvious choice.
The battle between business continuity and security was the theme of the pandemic. As remote business becomes more permanent than temporary, CISOs are tasked with cleaning up the rush from March 2020.
“As we were going through it, we just lost sight of maybe some best practices just to get capacity to one where we can be remote,” said Aaron Baillio, CISO of the University of Oklahoma, during a webcast hosted by Proofpoint Thursday.
Baillio is in a unique position: his security organization has students working in security operations.
Challenges of the pandemic did not entirely overhaul Baillio’s strategy, but it did impact his focus. Baillio began asking questions that were not priority before, such as examining what OU’s standing in endpoint management or zero trust looks like.
The things OU was “kind of ignoring” became top priorities. Prior to the pandemic, they were stretch goals, he said.
Between 2020 and 2021, security operations centers (SOCs) were brought to the forefront of business. IT teams did whatever they had to to maintain continuity while security teams attempted to secure solutions. Higher education institutions have a security problem: provide users, whether students or staff, the individualized experience they need to succeed without shortchanging security.
“The reality is, there are some tenants that we just have to hold on to. And there are some standardizations that just have to happen,” said Mary Dickerson, AVP, assistant vice chancellor of IT Security, and CISO of the University of Houston, during the webcast. “This professor may prefer to save his data in a certain way, but the reality is it’s not his data, it’s university data.”
To combat the temptation for students or staff to skirt security standardizations, security requirements are a must, just as awareness is.
Applying past experiences
Cybercriminals saw the opportunity and seized the moment, stretching into the second year of remote work and escalating attacks. Like CIOs, CISOs were largely taken out of the back office function of most organizations.
While most CISOs realized their attention would shift during mass remote work, some organizations had experience dealing with cybercriminals acting on opportunities. Because of recent events like Hurricane Harvey in 2017, “our users understood that people will take advantage of any type of crisis,” said Dickerson. Security professionals had to repurpose past experiences in phishing schemes, explain that cybercriminals will act the same, no matter the crisis.
“We just had to remind them of that with the pandemic, ‘Hey, this is like Harvey, don’t expect this COVID[-19] resource that you’re hearing about through this special one-time offer really is what you need to be taking advantage of,'” she said.
But CISOs know even the most aware user can engage with or can click a phishing email. CISOs want the right technologies in front of users before a threat can reach them — people should not always be the last line of defense.
“I have a philosophy that any security control that requires a person to make a decision for it to be effective, it’s pretty much destined to fail,” said Rebecca Harness, AVP and CISO of Saint Louis University, during the webcast. The technologies have to at least ensure recovery will be timely.
Users had to be reminded to use university resources. These university resources also included policies and protocols for appropriate remote work and learning depending on faculty or student body. From the backend, OU’s SOC was changing what metrics it would normally value by asking:
- How do we monitor the everyday use of VPNs? If we increase VPNs, how do we monitor everyday usage?
- How do we measure the adoption and use rates of a potential COVID-19 app?
“We spent a lot of time and attention just focusing on providing the resource and communication to those populations, because that’s what they wanted the most,” said Baillio. IT and the SOC were working to understand what tools were needed most and if they were worth the investment.
Because of the need for new metrics, pre-planned areas of attention were almost abandoned for new ones, including how the SOC measures its solutions. “The traditional methods we were using to generate a lot of our metrics weren’t applicable in the new world order of everyone being remote,” said Dickerson.
Dickerson and Baillio reexamined what metrics their leadership would need to know now, while noting the information leadership desired was not really available yet. “We’d never looked at it before,” said Dickerson. Security operations had to team with IT operations to service the information their leadership sought.
The next desired step for Saint Louis University is more formal training for its technology administrators, according to Harness. Because the school took a hardlined, cloud-based approach in the fall of 2019, the SOC wants to ensure that as more cloud-enabled technologies are adopted, IT professionals know how to properly configure what they need.
“If I had the extra investment, that’s exactly where I’d place it,” she said.