David Sherry is the CISO at Brown University. He leads the Information Security Group, charged with the development and maintenance of Brown’s information security strategy, information security policies and best practices, security training and awareness programs, as well as ongoing risk assessment and compliance tasks.
In this interview, David talks about the lessons he learned as CISO of Brown University, discusses unique BYOD challenges, the value of education for the modern IT security professional, and much more.
How many incidents do you deal with on a yearly basis? What type of threats present the biggest headache?
As a CISO of a university that has a great deal of decentralization, incidents are a part of daily life. Whether it is a compromised host, an account that is sending spam messages or attacks on the border, we are almost always researching, watching or addressing an incident.
Hard numbers are difficult to determine (and I would not share them anyway), but it is safe to say it would be in the hundreds, although the incidents would be of varying degrees. Only a small percentage would escalate up our Incident Response process for a widespread impact. Our biggest threat is compromised hosts, which often occur in a decentralized area, but not always.
Higher education is an open environment, where information sharing and academic freedom is important to the culture and the individuals. As a result, servers are sometimes built in a way that makes them vulnerable to attack or compromise. We work with the owners and admins of a compromise to correct the vulnerability quickly and efficiently, in order to not hinder the work that the server is doing. Identification and mitigation time are both critical metrics to look at and analyze.
We also take each event as a learning opportunity to get the security message across and reduce the possibilities of further issues. Of course, we also have instances of phishing and spam attacks, but a compromised server is our biggest concern.
How do you deal with BYOD in an environment where probably every student has at least one mobile device?
Higher education has been dealing with BYOD for a very long time, especially with both faculty and student populations. And we are constantly in need of upkeep as the latest and greatest technologies arrive on our campus after each summer and holiday break. And you are correct in your assumption of “at least one”. We actually deal with BYODs, as each student arrives with multiple smart devices, laptops, wireless printers and gaming devices, as well as emerging TV and video devices.
It is important to our university to ensure that all of our distinct populations have the access that they need, on the device that they need. We utilize a combination of network registration, authentication and authorization, as well as secure wireless. We constantly monitor the balance between access and risk, and dealing with mobile access and mobile devices is simply part of an overall risk management strategy for protecting data.
What are some of the lessons you learned as CISO of Brown University?
I have, of course, learned many, many lessons here at Brown, both personally and professionally. There are a few that stand out for me though. First and foremost is the value of information sharing. CISOs in higher education are focused on sharing best practices, policies, project plans and more, all to create a more secure academic community. This is especially important given the amount of federation and sharing with other institutions across the country and around the world.
Another lesson is surely the recognition of the differing needs (and demands) of the three unique populations: faculty, students and staff. In many areas, one size does not fit all, and this needs to be taken into consideration when considering any technology, process or policy. Lastly, from a personal perspective, I’ve learned patience, as all decisions are well thought out and discussed in depth before actions may take place.
How do you keep up with emerging threats? It must be difficult to plan a yearly budget with such a fast-paced threat landscape.
Keeping up with emerging threats means always reading, listening, attending and participating. It’s impossible to keep up with everything on your own, so I lean on others to help in identifying key areas to look at or address. This can be peers, working groups, websites, conferences, vendors and magazines. I also find that participating in affinity groups is of immense value. I have three higher education groups I can query on any given topic, all with active listservs for information and research sharing. There is also the national Educause consortium that is a wealth of information.
In addition, I also participate as a founding member with Wisegate, a private invitation-only community of senior information technology professionals. Getting prompt answers from experienced and trusted colleagues in the community is of immense value. As for budget, you are correct in identifying the difficulty of planning a yearly budget. While I do plan three years ahead, emerging areas in need of addressing can be brought forward to the university’s IT Governance Committee for funding that may be needed and not in the current budget.
When evaluating an addition to your IT security team, how much value do you place on certification compared to experience? What certificates would you recommend for someone aiming to be a CISO one day?
This is an excellent question, and one that I think is not so black and white. When adding to the security team, I tend to look at the person holistically, assessing experience, certifications, and perhaps most importantly, future potential. The fit to the organization is also a key ingredient for a hire in education, as the environment and challenges are unlike the corporate world.
As for certifications, it once again differs according to the role that needs to be filled. Surely the CISSP is the gold standard, and can be of value for all roles. However, more technical certifications, such as GIAC, may be more appropriate for the bits and bytes roles of the security team, working on the architecture and monitoring of the network. Individual solution or technology certifications are considered when a need arises in a concise area, but that rarely occurs now. I also have roles in policy and awareness to which certifications don’t apply. For these roles, creativity, web design, and highly tuned communications skills are paramount. Experience is always necessary, but it does not have to be in security.
As I stated, future potential comes into play when assessing a candidate that may not have had direct security expertise. I also look beyond the certificates as well, for excellent communication skills, as well as some soft skills like marketing and sales. Much of what we do is convincing the university community to do the right thing, and to think securely. That’s a function of every member of my group, and is a key to being hired and to continued success.
I also look at education, and I’m keen on hiring MBAs into my security group. The successful completion of an MBA indicates to me the candidate has a deep knowledge of the business aspects that security supports, as well as exposure to group work, meeting deadlines, prioritization, the economics of decisions, and the need for risk-based decision making.