DeVry University’s CISO on higher education cybersecurity risk
In this Help Net Security interview, Fred Kwong, VP, CISO at DeVry University, outlines how the university balances academic openness with cyber risk. He describes how systems for students are separated from back-end operations to limit exposure.
Kwong also discusses how student data has changed over the past decade. Data is now centralized in learning management systems, which improves reporting but raises the stakes if a breach occurs. The interview also covers hybrid learning, identity protection, third-party connections, and research security. With students logging in from unmanaged devices worldwide, layered controls, strong authentication, and active monitoring are central to protecting accounts and sensitive data.

Universities often have a culture of openness and academic freedom. Where do you draw the line between openness and unacceptable cyber risk, and who gets to decide where that line is?
Striking the right balance between openness and academic freedom is critical in higher education. At DeVry, that means separating the resources we need to handle the back end of university operations and the systems our learners need access to. This approach ensures students have the tools they need to succeed academically, while giving the university the flexibility to safeguard and limit access to our systems.
The Cyber Risk Committee, made up of the university’s leadership team, helps calculate and determine the risk threshold. Comprised of cross-functional leaders from across DeVry, including myself, the committee constantly reviews risks through the lens of likelihood vs impact. The security team helps quantify the risk, after which the business and academic leaders are presented options as to how they would like to either mitigate or accept the risk. That includes assessing learner confidence, the number of students affected, brand perception, threat credibility and if there is any privacy impact.
If a risk exceeds our acceptable threshold, then an exception is documented. At this stage, we work to understand what compensating controls are in place, if any, assign the owner of the risk and set a review date for the committee. All exceptions are reviewed by the committee at least once a year.
How do you think about the “privacy footprint” of a student today compared to 10 years ago, especially with modern LMS platforms and analytics tools?
A decade ago, student data was much less centralized than it is today. Back then, students’ private information was stored across multiple systems, some even on paper, which created challenges for CISOs. This often meant increased risk because the environment led to unclear ownership, uneven controls and limited visibility into where sensitive data resided.
Modern learning management systems (LMS) consolidate student data, allowing for much richer data in one location. This centralization makes it easier to enrich reporting, but it could potentially lead to higher risks if the system were to be compromised. However, a centralized LMS enables us to ensure data is minimized to only what is required and then removed following our retention policy.
To minimize risks associated with these systems, CISOs must have full visibility into the data flowing in and out, and ensure appropriate controls are in place. This begins by establishing policies to govern data handling while ensuring organizations are collecting and retaining only what is necessary. This minimizes the chance of any data exposure, should a data leak or breach occur. Furthermore, CISOs need to ensure that a “least privilege” model is enforced to decrease the potential attack surface and ensure access is properly reviewed and logged to detect abnormalities that can be acted on.
How has the rise of hybrid learning changed your threat model? What new attack paths emerged that did not exist when learning was primarily in-person?
As hybrid learning became more popular, it shifted institutions from a campus-centric security perimeter to a distributed model where the “edge” is wherever the learner is.
And as attacker sophistication increases, defense capabilities must evolve as well. AI-based e-mail protection, phish-resistant multi-factor authentication and identity verification are becoming the new norm to address the change in perimeter. In this new model, authentication, authorization and continuous verification are core requirements.
Hybrid models also require new ways of delivering information to learners. Gone are the days of physical labs where they access software and hardware. Instead, these have been replaced by connections to third-party companies that provide these services, or virtual lab environments. This new reality opens not only cyber risks but operational risks outside of our control, which is why ensuring APIs used to connect our systems are secure becomes ever more critical.
How do you defend against account compromise in environments where thousands of students are logging in from unmanaged devices across the world?
In a distributed student environment, where endpoints are out of your control, we become more focused on protecting the learners’ accounts. Attackers seeking to compromise accounts are constant across the industry, and something we prevent on a daily basis through a variety of efforts including multi-factor authentication, anti-phishing measures utilizing AI and identity verification.
Furthermore, we utilize detective controls such as performing threat hunting and monitoring the dark web for signs of account compromise. We also work directly with students when we believe their accounts have been compromised. During this process we are ensuring they reset not only their university credentials but also personal e-mail accounts, as we have seen this is where compromises originated. These steps, and others, are documented in playbooks that help us assist students in recovering quickly. We also run security campaigns to teach our learners and colleagues how to spot phishing attacks, protect their accounts and practice additional good security hygiene tips.
The key to defending against account breaches is to implement defensive layers throughout the identity lifecycle. This helps to reduce the probability of unauthorized access, shortens the time to detect and accelerates the time to recover.
How do you secure research computing environments where faculty want maximum freedom, but the data could be sensitive or federally regulated?
We encrypt all sensitive data to minimize the chance of compromise. This includes all communications from our colleagues to our learners to ensure the data is not exposed. Systems are hardened and our security kit is implemented on each system, guaranteeing visibility.
We also segment the environment, ensuring that access to one area cannot be used in others or in our backend systems. This follows the least privilege model, limiting access to only what is necessary.
Ultimately, our goal is to allow for academic freedom while ensuring we minimize the risk of data exposure and unintended operational disruption.