Protecting Against the Invisible
Beth Chancellor, chief information security officer, University of Missouri System
You’re the CISO for the entire UM System. How do you ensure information assets and technologies are adequately protected across the various campuses? The field of information technology is not short on standards. The same applies to information security. We use standards and best practices to establish university-wide information security policies and procedures. We have a distributed approach to information security. Each of the university’s four campuses has an information security officer and security analysts who contribute to policy and program development. They also select and deploy a number of security technologies designed to manage security risks. Additionally, IT staff working in a number of technology areas are responsible for the security of the systems and applications they manage. Security staff and technical staff work together to meet that common goal.
How would you describe your job? Your day-to-day activities? My daily activities are filled with meetings and staying in touch with the security staff to understand what’s happening on campus and throughout the world. If a new threat comes out, and they do on a regular basis, we put on our “responder” hat and work to understand and mitigate the threat. I also spend as much time as possible reading and engaging in online webinars to keep up with the fast pace of IT and information security fields.
What sorts of attacks are most common? What are the most common risks? The number of security risks that we deal with continually grows and morphs. We prevent thousands of attempts to gain access to our networks each day. However, the most common successful attacks are phishing attacks. Our security, network and email teams spend a great deal of time working to prevent phishing attempts from getting into our email systems and to mitigate the impact of successful phishing messages.
CISOs are usually responsible for information-related compliance. If this is an aspect of your job, how do you do so when working with thousands of students and staff on your network who may or may not be aware of the policies and may or may not care? What is your policy of action for those breaking the rules? The foundation of our “information” security program is our data classification system that categorized different types of data and sets security requirements for each category. University employees depend on their local IT staff to help them with IT issues including information security. Therefore, we spend most of our time educating IT staff and allowing those individuals to assist the users they support.
What would you say are some of the most significant emerging risks in information security at this time? What steps has MU taken to protect against those risks? I think it’s hard to say what the most significant emerging risk is because significant is in the eye of the beholder. Certainly, corporate hacking has become and will continue to be a problem. Hackers tend to go where the money is. Intellectual property theft is becoming more of a concern and can and almost certainly will impact higher education, especially research institutions.
From an end-user perspective, viruses and insecure apps on mobile phones are going to pose significant problems in the future just like outdated operating systems and applications do currently.
What would you say are the top trends in your industry right now? The proliferation of mobile devices and how they can be potentially exploited is of high concern in the industry. It’s important to note that it’s the combination of behavior and technology that creates security issues, and there is a lot that we do to educate our users regarding how to protect themselves and MU.
On a scale of one to 10, how big of an issue is hacking to the UM System and MU in particular? Hacking from the sense of someone outside gaining access to our systems or our networks is a big concern and something our security and technical staff guard against each and every day. It’s sort of the reverse of running a prison. Prisons try to keep people in, and information security tries to keep the bad guys out. It’s a crazy environment when threats are everywhere and are also (mostly) invisible.