I was recently quoted in eCampus News regarding the recent cyber attack against Penn State, which triggered a number of conversations with CISOs at various academic institutions. One of these conversations was with Helen Patton, the Chief Information Security Officer for Ohio State University. I had a very interesting dialogue with her via email, and asked if we could publish a Q&A to share some of her insight regarding the Penn State compromise and the challenges of security in higher education.
Helen Patton – CISO, Ohio State University
Helen Patton (CRISC, CISA) is the Chief Information Security Officer for the Ohio State University. An evangelist for pragmatic, achievable security practices, and with a firm belief that better security translates to better overall management of information technology, Helen works to ensure security solutions and processes enable the mission of the University and all its partners.

Q&A

Q: In light of the recent Penn State data breach, it seems higher education struggles with resource constraints more so than in private industry. How do you communicate the security risks to university leaders and boards, and to what degree does private industry play a role if, for example, you are partnering with a company to commercialize research?

A: Overall, in Higher Ed, budgets are not as expansive as they are in private industry – this is true for all aspects of IT and also general support services, not just Security.

Having said that, a review of a lot of the EdTech communications would reveal that we, as a research industry, are just now waking up to the Security implications on our research data. Researchers care relatively less about data theft – they want their stuff to be public, mostly – but they care deeply about the integrity of the data. It doesn’t occur to university leaders that they may have research data that is modified without their knowledge, and that they would only find that out after years of research investment of time and money.

The other inhibiting factor has been the distributed nature of IT at most Higher Ed institutions. Here at OSU we have over 130 individual units with their own IT, standards, and budgets. This creates two big problems:

- Getting people to know when an apple is an apple, and not a marsupial; and
- Getting upper management visibility across disparate systems and units.

Oh, and did I mention the cultural understanding that the EMPLOYEE owns the data, not the INSTITUTION?

Here at OSU, we’ve introduced a risk framework (PDF) which brings all these things together. For the first time, I’ve been able to sit in front of the Board of Trustees and let them know where we stand, holistically, and give them suggestions on what to do about it. I’m gratified to see that this approach has been recently adopted by other Big Ten schools, and more broadly by the Higher Ed IT community.

Q: Are there currently requirements from private industry with regards to security controls being put in place when conducting research, or exchange of technology?

A: Private industry is not yet consistently REQUIRING researchers to include security controls in their research plans – we’re pushing that from our side. Our framework aligns to NIST, which allows for mapping to ITAR/DOD research, but processes between the acronym agencies and Higher Ed researchers are still maturing.

You will see a rash of universities starting to invest in Security technologies as a result of all this activity. Boards cannot ignore the fact that we’ve underinvested in Security for too long. Research, not federal/state dollars, will be the largest part of the income pie for most research universities – we have to get this right.

Q: What is one of the most challenging aspects of dealing with cyber security for a large academic institution?

A: The hardest part about external University spend is that we are not one industry, with one behavior footprint (like Finance, Retail, Healthcare, etc.). We are ALL industries (did I mention that OSU owns a nuclear reactor, a golf course, a hotel, an airport, etc.?), so having external security services companies try to identify “normal” behavior is really tricky. Not impossible, but tricky. If a vendor can invest to solve this problem for Higher Ed, they will corner the market for all other industries.

Vendors also need to realize they cannot eat all the university at one time (here at OSU it takes 2 to 3 years to roll out a new security product) – so pricing and licensing has to be flexible to allow for consumption-based pricing, or vendors will immediately price themselves out of range of most universities. Don’t think for a second, though, that funding isn’t available – it is. Universities and vendors need to partner to get creative enough to get things accepted in the context of the Higher Ed environment.