Being a CISO at a higher education institution

In this interview, Matt Santill, CISO of Broward College, talks about the requirements and peculiarities of his job, the technologies the college uses to make its network safe, and offers advice for CISOs working in other educational institutions.

Describe what it means to be the CISO at Broward College. What are the requirements and peculiarities – network-wise and in regards to the users – you needed to meet, and what were the problems you needed to solve to meet them.
My work experience has been primarily in corporate America before coming to Broward College. I worked for a Fortune 100 company and a few other publicly traded organizations. Our goals were always focused on bringing shareholder value by reducing risk. In higher education, it is all about ensuring the success of our students. This requires a more open environment. I knew that in order for us to move the information security initiatives forward, they would have to be less impacting on the end user but still allow for adequate protection and control. We focused on technologies that were less invasive and more behind the scenes.

One of the challenges was to secure BYOD when it had already been the norm for students for years. We had to meet that security challenge without interrupting the current environment. We did this through a combination of ForeScout’s NAC solution, CounterACT, and Fortinet’s UTM Firewalls. We block a lot of viruses, botnets, phishing attempts and malware without anyone knowing.

You’ve occupied this position since September 2011. How did your job change through the years? What dangers has the college faced? What are you most worried about currently, and what new technologies you believe users will turn to and will present new challenges for you and for your team?
When we initiated the information security program in September 2011, it was focused mainly within the IT department. We’ve expanded our scope from just IT security to include information compliance and risk functions, which are really college-wide goals that include every department. It is important that information security does not stay focused entirely on technical controls. I think a lot of departments forget about the physical component and administrative processes of securing information.

A lot of us come from technical backgrounds, which makes it difficult to look at the bigger picture. It is absolutely critical to look outside of IT when developing your strategy. We look at everything now, from locked file cabinets to how mail is carried between buildings. You can never secure every avenue of data loss, but you focus your efforts on the areas that pose the highest risk.

The college, like most organizations, has a variety of threats on any given day. There are a number of phishing attacks and unauthorized access attempts that we block regularly. Our single most important tool in preventing a data breach is our ability to monitor and analyze malicious traffic in real-time. If you don’t know what you are up against, it makes it very difficult to provide adequate protection. Monitoring and taking action is a 24×7 job, unless you have the funding for a fully-staffed SOC, you should consider outside assistance from a MSSP.

We see a lot of storage in the cloud and SaaS solutions that present a unique challenge for information security. For years, people relied on IT for storage and software installations. This allowed us to thoroughly evaluate technical security controls before they were in production. Today, individuals have the ability to find a service and immediately acquire it in the cloud without proper risk reviews being completed. We focus a lot of time ensuring that we are aware of our customers’ needs so that we are a partner in that decision making process. We also rely heavily on application layer controls designed to block SaaS and other applications that have not been evaluated. In large organizations, some solutions may bypass the vendor management process, so having application layer visibility is crucial in preventing data loss.

How does the role of CISO differ from business organizations to educational institutions? What advice would you give to CISOs working in other educational institutions?
The biggest difference is going to be the large amount of unmanaged devices connecting to the network. It is pretty common in other industries to limit access to corporate-owned devices only. That is not the case in educational environments. Your obligation to secure information becomes much more difficult when you have little control over the end points that connect to the network. We are meeting the challenge through technologies such as ForeScout’s NAC, Fortinet’s UTM Firewalls, Virtual Applications and MDM.

The best advice I would give to other CISOs in educational institutions would be to expand their scope of services to meet all areas of information risk. The internal technical controls are very important, but they should not be the sole focus of our efforts. The second piece of advice that I would give would be to make sure that you have the visibility needed in order to make strategic decisions. We utilize NAC and our SIEM to understand everything connected and the security threats that they pose. If you do not have the visibility into your environment, it makes it very difficult to know what you are up against.

What, if any, are the things that would make your job easier and your users safer?
We’ve seen a large increase in security-aware users over the last five years. As the world moves toward new technologies, such as Big Data and the Internet of Everything, it will require additional awareness. The privacy concerns and security threats will continue to expand. We need to ensure that information security as a community evolves to meet these challenges and that our users are aware of these new threats. Information security and privacy education is absolutely invaluable when protecting against new threats.