Is Cybersecurity A Moving Target at Academic Institutions?
In a highly engrossing and in-depth discussion, Tej Patel, Vice President, and CIO at Stevens Institute of Technology sheds light on the various information security challenges that plague academic institutions and how best to deal with them. He talks about establishing a highly collaborative and security-centric culture, structuring an ideal CIO-CISO relationship, effective execution strategies, and more.
To access and download the entire podcast summary with discussion highlights --
https://www.dchatte.com/episode-36-is-cybersecurity-a-moving-target-at-academic-institutions/
In a highly engrossing and in-depth discussion, Tej Patel, Vice President, and CIO at Stevens Institute of Technology sheds light on the various information security challenges that plague academic institutions and how best to deal with them. He talks about establishing a highly collaborative and security-centric culture, structuring an ideal CIO-CISO relationship, effective execution strategies, and more.
To access and download the entire podcast summary with discussion highlights --
https://www.dchatte.com/episode-36-is-cybersecurity-a-moving-target-at-academic-institutions/
Connect with Host Dr. Dave Chatterjee and Subscribe to the Podcast
Please subscribe to the podcast, so you don't miss any new episodes! And please leave the show a rating if you like what you hear. New episodes release every two weeks.
Connect with Dr. Chatterjee on these platforms:
LinkedIn: https://www.linkedin.com/in/dchatte/
Website: https://dchatte.com/
Cybersecurity Readiness Book: https://www.amazon.com/Cybersecurity-Readiness-Holistic-High-Performance-Approach/dp/1071837338
Dr. Dave Chatterjee:
Hello, everyone, I'm delighted to
Dr. Dave Chatterjee:
welcome you to this episode of the Cybersecurity Readiness
Dr. Dave Chatterjee:
Podcast Series. Today, our guest is Mr. Tej Patel, Vice President
Dr. Dave Chatterjee:
and CIO at Stevens Institute of Technology. So I'm really
Dr. Dave Chatterjee:
thrilled to welcome someone who is from my industry, academia,
Dr. Dave Chatterjee:
and I can't wait to learn more about his thoughts and
Dr. Dave Chatterjee:
perspectives on how you secure academic institutions from
Dr. Dave Chatterjee:
different types of attacks. Our discussion will revolve around
Dr. Dave Chatterjee:
unique security challenges, CIO-CISO relationships,
Dr. Dave Chatterjee:
preparing for cyber attacks, effective execution strategies.
Dr. Dave Chatterjee:
So we will be covering a lot of ground and I hope you find it
Dr. Dave Chatterjee:
interesting. But before we get into the details, let's bring
Dr. Dave Chatterjee:
our guest into the discussion. So welcome, Tej. Thanks again
Dr. Dave Chatterjee:
for making time,
Tej Patel:
Dave, pleasure to be here.
Dr. Dave Chatterjee:
So Tej, why don't you give listeners an
Dr. Dave Chatterjee:
overview of your professional background?
Tej Patel:
Absolutely. They and again, it's my pleasure to be
Tej Patel:
here and look forward to sharing some of the thoughts around this
Tej Patel:
very important topic in all industry, in fact. So, a little
Tej Patel:
bit about me, I have been in higher education for almost 20
Tej Patel:
years now. My first job was in higher education, and I'm still
Tej Patel:
in higher education. Prior to joining my current organization,
Tej Patel:
I was at University of Pennsylvania, where I have held
Tej Patel:
several roles, most most recently, Chief Information
Tej Patel:
Officer for Penn Nursing. And in August of 2020, I joined Stevens
Tej Patel:
Institute of Technology as the Vice President for Information
Tej Patel:
Technology and University CIO. I am responsible for end-to-end
Tej Patel:
digital, IT cybersecurity enterprise data and data
Tej Patel:
services, classroom technology and learning technology.
Dr. Dave Chatterjee:
Okay, fantastic. So let's begin by
Dr. Dave Chatterjee:
discussing the information security challenges that
Dr. Dave Chatterjee:
academic institutions face.
Tej Patel:
Yeah, I think that's a great question. And before I
Tej Patel:
share challenges, I must tell you that cybersecurity is a
Tej Patel:
moving target in higher education. Right. And I, as I
Tej Patel:
tell my team and my constituency is that it's a team sport, where
Tej Patel:
it's a shared response, cybersecurity is a shared
Tej Patel:
responsibility to promote a protected cyber infrastructure
Tej Patel:
on campus. Right. And some of the challenges are unique to
Tej Patel:
higher education. But I think there are a lot of similarities
Tej Patel:
as well, when we look at banking, financial institutions,
Tej Patel:
or pharmaceuticals or healthcare and what have you, right. There
Tej Patel:
are specific areas within higher education, I believe, that are
Tej Patel:
very challenging to manage and maintain and meet the
Tej Patel:
expectation. For example, research, particularly research
Tej Patel:
IP, when a researchers is doing or conducting a research that
Tej Patel:
deals with a treatment or DOD or confidential data Department of
Tej Patel:
Defense. It's a very unique environment at that point. Then
Tej Patel:
you have students data, that is also very high target,
Tej Patel:
libraries, right, where open research, it's the motto, right?
Tej Patel:
The network is open in some of those areas where it creates a
Tej Patel:
very unique challenges where you want to find a perfect balance
Tej Patel:
between security and allowing learning and teaching to take
Tej Patel:
place for our students. Right. Classroom instructions nowadays,
Tej Patel:
right? Particularly throughout the pandemic, and the journeys
Tej Patel:
that we all went through, how do we secure that kind of hybrid
Tej Patel:
environment where we live in an increasingly interconnected
Tej Patel:
world? Right. So these are some of the unique challenges that we
Tej Patel:
have from a business perspective that I find it extremely
Tej Patel:
challenging to manage, and make sure that we are able to find a
Tej Patel:
perfect balance, where we are not hindering the progress of
Tej Patel:
faculties and students. So those are a few few things come in
Tej Patel:
mind.
Dr. Dave Chatterjee:
That makes a lot of sense. In fact, as you
Dr. Dave Chatterjee:
were articulating the challenges, I was reflecting on
Dr. Dave Chatterjee:
my experiences and expectations as an academic, the faculty
Dr. Dave Chatterjee:
members would like to operate in a very autonomous and open kind
Dr. Dave Chatterjee:
of an environment and environment that would enable
Dr. Dave Chatterjee:
the pursuit of research and teaching as freely and
Dr. Dave Chatterjee:
independently as possible. However, as you rightly pointed
Dr. Dave Chatterjee:
out, there is a lot of sensitive data that needs to be carefully
Dr. Dave Chatterjee:
managed, protected, we're talking about intellectual
Dr. Dave Chatterjee:
property, student data, library resources, and more. So the
Dr. Dave Chatterjee:
challenge lies in enabling the university pursue its mission as
Dr. Dave Chatterjee:
safely and securely as possible. Is that a fair understanding of
Dr. Dave Chatterjee:
the fundamental challenge?
Tej Patel:
It's more about understanding a researchers'
Tej Patel:
needs versus wants. I think that's where we draw the line.
Tej Patel:
But more importantly, building that trust and relationship that
Tej Patel:
is so critical, that allows my team and myself to have a
Tej Patel:
conversation with our researchers to fully understand
Tej Patel:
what exactly are they trying to achieve. And once we understand
Tej Patel:
their needs and requirements, we are able to create custom
Tej Patel:
solutions that allowed them to flourish and produce the amount
Tej Patel:
of work that they're committed to do. But we also take this
Tej Patel:
opportunity to educate them as well. So it's a learning on both
Tej Patel:
sides, right. And I think that's the most important thing that we
Tej Patel:
all need to understand that it begins, we need to have a
Tej Patel:
dialogue where both parties are able to understand like, right
Tej Patel:
before this call, you mentioned, make sure if I use any acronyms,
Tej Patel:
I spell it out. Right. And this goes same for a lot of our
Tej Patel:
faculty members who are tremendous researchers, they are
Tej Patel:
10X knowledgeable compared to some of us in our team. But
Tej Patel:
there is that's their expertise. And we have our own expertise.
Tej Patel:
The goal is to how do we bring both expertise together to meet
Tej Patel:
that digital ambition for that particular individual faculty.
Tej Patel:
And when that happens, a lot of great solutions come to life,
Tej Patel:
right? Most recently, we partnered with one of the
Tej Patel:
faculty where we were able to create a closed VLAN network
Tej Patel:
where he was able to conduct his research. And our CISO was also
Tej Patel:
happy that this this partnership took place because we also
Tej Patel:
reduced the overall risk that is associated with this kind of
Tej Patel:
setup. And lot of time, then we document all of this in our
Tej Patel:
exception processes. And everyone was it was a win-win
Tej Patel:
for both where the researchers were allowed to conduct their
Tej Patel:
research, the security folks and the network folks said that
Tej Patel:
providing this environment in the most secure possible way
Tej Patel:
that we could. And and this is the type of partnership that
Tej Patel:
will be required to address some of the challenges. Dave, there's
Tej Patel:
one more thing I also wanted to mention around the challenges,
Tej Patel:
right, there are two specific challenges that I believe were
Tej Patel:
unique to Higher Ed as well. Number one is having
Tej Patel:
non-centralized security perform on campus, right? Because you
Tej Patel:
know, the larger the organization, the larger the IT
Tej Patel:
teams and the research that take place in a localized area,
Tej Patel:
right? And they all have independent systems, how do you
Tej Patel:
bring them together? Right. And the second one is, majority of
Tej Patel:
the universities are still dealing with outdated systems,
Tej Patel:
whether it's desktop systems or service systems. And that also
Tej Patel:
creates rather unique challenges to keep up with what's happening
Tej Patel:
in the security. So those are a few things that probably we need
Tej Patel:
to pay very close attention to.
Dr. Dave Chatterjee:
very true. In fact, when he talked about
Dr. Dave Chatterjee:
the importance of a collaborative relationship, it
Dr. Dave Chatterjee:
brought to mind a podcast that I just published today, where the
Dr. Dave Chatterjee:
guest talks about transitioning to the cloud, and how they were
Dr. Dave Chatterjee:
very successful. Because it was an all hands on deck, kind of an
Dr. Dave Chatterjee:
operation. Everybody was engaged. Everyone recognize that
Dr. Dave Chatterjee:
this organization, which was the American Cancer Society, they
Dr. Dave Chatterjee:
couldn't lose any more money because money was needs to go to
Dr. Dave Chatterjee:
research and not be spent on on it operating costs. So they were
Dr. Dave Chatterjee:
doing their best to optimize operations. So that's an
Dr. Dave Chatterjee:
interesting story. But essentially what he was trying
Dr. Dave Chatterjee:
to say is, is is is similar to what you're saying, is that The
Dr. Dave Chatterjee:
importance of collaboration. That brings up the next
Dr. Dave Chatterjee:
question, you know, a university setting different schools,
Dr. Dave Chatterjee:
different departments doing so many different things. And you
Dr. Dave Chatterjee:
gave us this example of helping a particular researchers set up
Dr. Dave Chatterjee:
a virtual LAN so they could securely, you know, exchange
Dr. Dave Chatterjee:
information with their colleagues in other parts of the
Dr. Dave Chatterjee:
world. How do you keep up with all the activities that's going
Dr. Dave Chatterjee:
on across campus or at satellite locations? If you'll have
Dr. Dave Chatterjee:
satellite locations? What's the mechanism in place where you
Dr. Dave Chatterjee:
would be forewarned, people will feel the need to say, hey, we
Dr. Dave Chatterjee:
need to talk to the security office, because this has some
Dr. Dave Chatterjee:
serious security implications that we want to make sure that
Dr. Dave Chatterjee:
we are doing doing it the right way.
Tej Patel:
I think that's, that's a very good question,
Tej Patel:
Dave. Again, and there are some specific steps that we have
Tej Patel:
taken to to gain that visibility campus wide, right, whether it's
Tej Patel:
one campus or multi multiple campus. The first and first most
Tej Patel:
important thing is, is having a solid cybersecurity program and
Tej Patel:
governance that will guide us through some of those challenges
Tej Patel:
that you describe in your question. For example, how are
Tej Patel:
we partnering with procurement? Is our CISO and, and, and CIO
Tej Patel:
involved in some of the new contracts that are being
Tej Patel:
reviewed or drafted? Are we following hacker guidelines? Are
Tej Patel:
we following certain steps to ensure that privacy and other
Tej Patel:
standards are being followed? So there are a lot of things that
Tej Patel:
we have changed our practices to make sure that we instill the
Tej Patel:
culture of cybersecurity in our business from day one, right? So
Tej Patel:
before even a software platform shows up on our campus, we have
Tej Patel:
some visibility, and IT and and the Security office are part of
Tej Patel:
this conversation. That's number one. Number two is what happens
Tej Patel:
once all these platforms and activities are taking place on
Tej Patel:
campus, right? It requires solid 24/7 monitoring, right? So we
Tej Patel:
have partnered with external vendors, for example, we have
Tej Patel:
24/7 SOC center, a security operation centers where we are
Tej Patel:
we are monitoring and detection and response takes place in that
Tej Patel:
area, right? We have developed risk profiles, where we are able
Tej Patel:
to look at university wide between manage assets and non
Tej Patel:
managed assets. Where do we stand overall, in terms of patch
Tej Patel:
management, OS deployments and all of that, right? And the last
Tej Patel:
and the most important is network monitoring and
Tej Patel:
partnership with our network ISP provider, right? How do we work
Tej Patel:
with them to make sure that we have a good visibility
Tej Patel:
throughout our entire network, whether it's wired or physical,
Tej Patel:
and that is what allows us at a very high level, to make sure
Tej Patel:
that if we see some activities like Bitcoin mining or what have
Tej Patel:
you, that's taking place, we are able to stop the problem before
Tej Patel:
it becomes a larger issue. So those are some of the steps we
Tej Patel:
take very proactively on a daily basis. And then on a weekly and
Tej Patel:
bi-weekly basis, we have executive updates as well, where
Tej Patel:
I get briefed on on certain incidents that takes place
Tej Patel:
certain projects that are moving on, or just simply speaking,
Tej Patel:
just just review of some of the KPIs that we have built around
Tej Patel:
to improve our security posture.
Dr. Dave Chatterjee:
Makes a lot of sense. So you mentioned about
Dr. Dave Chatterjee:
creating a collaborative learning environment, where your
Dr. Dave Chatterjee:
unit is learning about the researchers, about what they do,
Dr. Dave Chatterjee:
and they're learning about the role of Information Technology,
Dr. Dave Chatterjee:
Information Security personnel. So, you are essentially feeding
Dr. Dave Chatterjee:
off each other's knowledge and expertise. And that's great. In
Dr. Dave Chatterjee:
that spirit, how feasible is it to provide every unit, every
Dr. Dave Chatterjee:
department with a customized do's and don'ts list?
Tej Patel:
I would, for us at least, that journey starts as
Tej Patel:
part of our onboarding process, particularly speaking faculty
Tej Patel:
orientation, there are very specific sessions geared towards
Tej Patel:
data security and privacy. They were we walk the new onboarding
Tej Patel:
faculty members, the resources that they have available, how to
Tej Patel:
partner with IT. And this goes back to your do's and don'ts,
Tej Patel:
Don's. Not going to go into a lot of details there. But at a
Tej Patel:
very high level, we provide the data classification review, and
Tej Patel:
what that entails right. High, medium, low risk, and where and
Tej Patel:
how they should partner with IT, and the Security to ensure that
Tej Patel:
the data that they are acquiring or sharing, it meets some of
Tej Patel:
those guidelines. Followed by once they determine their high
Tej Patel:
medium risk data, there are some specific guidelines that have
Tej Patel:
been put together, whether it's related to Cloud Storage, or
Tej Patel:
servers or virtual servers, or what have you. And that guides
Tej Patel:
them to have to make sure that this data and the systems remain
Tej Patel:
secure. Furthermore, there are certain there are specific
Tej Patel:
instructions that we also provide because many of these
Tej Patel:
faculty work with graduate students as well. And we have
Tej Patel:
very specific guidelines for for them as well whenever CISO meets
Tej Patel:
with them actually on a regular basis to make sure that these
Tej Patel:
guidelines are being followed. And the last one is we created a
Tej Patel:
dotted reporting structure, sort of, where the local tier system
Tej Patel:
administrator and researchers, they work very closely with our
Tej Patel:
systems and infrastructure group, where they have learned
Tej Patel:
to share some of the details at the system level to make sure
Tej Patel:
they are following the best practices, whether it's a Zero
Tej Patel:
Trust framework, or NIST framework that we are adopting
Tej Patel:
and deploying some of the controls to make sure that
Tej Patel:
university wide we have a similar controls applied and
Dr. Dave Chatterjee:
Okay. Good to know, good to know. So let's
Dr. Dave Chatterjee:
configured.
Dr. Dave Chatterjee:
talk a little bit about the CIO-CISO relationship. You know,
Dr. Dave Chatterjee:
you keep referring to we we we, which sounds great actually
Dr. Dave Chatterjee:
seems like you're a very integrated, cohesive team. But
Dr. Dave Chatterjee:
what is your vision of an ideal CIO-CISO relationship?
Tej Patel:
It's a it's a great question. And there's so much
Tej Patel:
debate going on, right? Do you couple them, do you decouple
Tej Patel:
them? What's the reporting structure looks like and this
Tej Patel:
and that, right? There are three main topics that a lot of folks
Tej Patel:
talk about right one where CISO reports to CIO, one where a CISO
Tej Patel:
reports to the CEO or President. Right. And I think the third one
Tej Patel:
nowadays, the new one that I hear is the CISO reports to the
Tej Patel:
CPO, the chief privacy officer, right? That's it. Those are the
Tej Patel:
three themes I have seen. But really the way I look at it,
Tej Patel:
it's not so much about reporting structures. It's more about how
Tej Patel:
a CISO and CIO can partner together to deliver the message
Tej Patel:
that cybersecurity or security is a strategic value service for
Tej Patel:
any institution and organization. Right. This is
Tej Patel:
something that is beyond CIO and CISO relation. It's about
Tej Patel:
instilling a culture of security at large and institution, right?
Tej Patel:
How do we leverage and implement governance structure around
Tej Patel:
security that allows us to bring together, work together, right.
Tej Patel:
For me, the CISO does report to me, but one of the major changes
Tej Patel:
that we instilled is the CISO also has dotted reporting into
Tej Patel:
our Audit and Risk committee as well for full transparency and
Tej Patel:
visibility. And that's the way I look at it, right? We don't want
Tej Patel:
to control anything, but how do we bring information to life?
Tej Patel:
How do we share some of these learnings lesson learned? Right?
Tej Patel:
And how can we be transparent with the community and the
Tej Patel:
Board? That what are some of the challenges? What are some of the
Tej Patel:
things we are doing well, and what are some of the deltas that
Tej Patel:
we need to constantly adapt and and proactively address some of
Tej Patel:
those right? And the last and the most important, which I also
Tej Patel:
pointed out earlier, right? The role of CISO and CIO, in my
Tej Patel:
view, is more towards reducing the business risk nowadays,
Tej Patel:
right? It's all about risk management there. Right? It's
Tej Patel:
not about technology, cybersecurity, 10 years ago, it
Tej Patel:
was all about bits and bytes, right? But now, if you look at
Tej Patel:
the CISO, who understands bits and bytes, but also pays very
Tej Patel:
close attention to figuring out the business risk, and how to
Tej Patel:
manage that business risk and works with CIO very closely as a
Tej Patel:
peer. They are the ones who are going to make sure that the
Tej Patel:
institution or the organization remains safe. And they could
Tej Patel:
provide the value added services that any organization will
Tej Patel:
benefit from. So that's the way I look at that CIO CISO.
Tej Patel:
relationship in today's world.
Dr. Dave Chatterjee:
I couldn't agree with you more. That's a
Dr. Dave Chatterjee:
very holistic approach. It's a very pragmatic and practical
Dr. Dave Chatterjee:
approach. And as you said, one can always debate the different
Dr. Dave Chatterjee:
reporting relationships. And each reporting approach has its
Dr. Dave Chatterjee:
pros and cons, there is no one perfect approach. Absolutely.
Dr. Dave Chatterjee:
But the extent to which you can strike that balance where there
Dr. Dave Chatterjee:
is independence, yet, there is cohesion, you don't want to
Dr. Dave Chatterjee:
create a situation where the structure is such that you have
Dr. Dave Chatterjee:
a competing relationship where it becomes you know, then then
Dr. Dave Chatterjee:
we have constant have conflicts. And that's what you want to
Dr. Dave Chatterjee:
avoid, because they have to address the different pieces of
Dr. Dave Chatterjee:
the puzzle so that, you know, each has a certain role to play.
Dr. Dave Chatterjee:
I have a couple of follow ups for you. Absolutely. I'm so glad
Dr. Dave Chatterjee:
that you talked about transparency, I feel very
Dr. Dave Chatterjee:
strongly about it, that the keeping the various stakeholders
Dr. Dave Chatterjee:
informed about where the organization is, in terms of
Dr. Dave Chatterjee:
readiness, what are the possibilities? Without, you
Dr. Dave Chatterjee:
know, again, when you are transparent, you're mindful that
Dr. Dave Chatterjee:
any and everybody is not getting the information. But you don't
Dr. Dave Chatterjee:
want the stakeholders to be surprised that what happened? We
Dr. Dave Chatterjee:
never knew anything about this. Why didn't you brief us? So the
Dr. Dave Chatterjee:
fact that you mentioned about transparency and regular
Dr. Dave Chatterjee:
reporting to the board and to the other stakeholders, that is
Dr. Dave Chatterjee:
definitely very reassuring. You wanted to say something I'm
Dr. Dave Chatterjee:
sorry, I didn't mean to,
Tej Patel:
One of the example I was going to share with you in
Tej Patel:
this audience is, is there are ways to craft business cases
Tej Patel:
together that improve user experiences overall, right. And
Tej Patel:
that's the strength when you have CISO and CIO working
Tej Patel:
together, one trying to bring that efficiency or tools or
Tej Patel:
platforms versus one is making sure that the tools and the
Tej Patel:
platforms that that we are we are adding to our ecosystem is
Tej Patel:
being managed securely, data is being protected. And that's the
Tej Patel:
type of environment that that will be very successful in the
Tej Patel:
coming days.
Dr. Dave Chatterjee:
Yeah, yeah, true. The other thing that I
Dr. Dave Chatterjee:
wanted to touch upon was culture. In my book that I
Dr. Dave Chatterjee:
published last year through sage publishing, I talk about the
Dr. Dave Chatterjee:
importance of creating and sustaining a high-performance
Dr. Dave Chatterjee:
information security culture. Commitment, preparedness, and
Dr. Dave Chatterjee:
discipline are the cornerstones of the proposed high-performance
Dr. Dave Chatterjee:
information security culture, in my book. Each of these cultural
Dr. Dave Chatterjee:
dimensions -- commitment, preparedness, and discipline --
Dr. Dave Chatterjee:
are associated with a set of success factors. I don't want to
Dr. Dave Chatterjee:
get into all the details of how to create and sustain such a
Dr. Dave Chatterjee:
security culture, because that's something that one can pick up
Dr. Dave Chatterjee:
from reading the book. However, it would be valuable, if you
Dr. Dave Chatterjee:
could share an example of how you and your team brought about
Dr. Dave Chatterjee:
a change in the security culture at your institution.
Tej Patel:
I think that's, that's a very good question. And
Tej Patel:
we could have conversation about that probably for hours. But at
Tej Patel:
a very high level, I will touch upon a little bit where I talked
Tej Patel:
about Protect Stevens cybersecurity program, part of
Tej Patel:
that program, there are a few things that we did that I'm very
Tej Patel:
proud of. Number one, we made certain tools available to our
Tej Patel:
entire community at no cost, right. For example, our entire
Tej Patel:
faculty, staff, student community enjoys LastPass and
Tej Patel:
and anti-virus that they're able to download at no cost, because
Tej Patel:
we wanted to make sure that no matter what environment they're
Tej Patel:
working from, no matter what devices they're working from,
Tej Patel:
it's safe. So for us, our approach starts from their home
Tej Patel:
security, right? How do we make sure that that our users are
Tej Patel:
fully aware of what's happening? So we wanted to make sure that
Tej Patel:
tools are provided. That's number one. Second, we made sure
Tej Patel:
that they were provided periodic security awareness training,
Tej Patel:
right? There was some gamification and all of that and
Tej Patel:
based on how they did they were rewarded certain things as well.
Tej Patel:
Right? We celebrate Cybersecurity Awareness month
Tej Patel:
where the CISO and CIO together provide state of the
Tej Patel:
cybersecurity at the University and it's an open event to
Tej Patel:
faculty, staff and students. Again, this goes back to the
Tej Patel:
creating that culture of fairness and transparency. It
Tej Patel:
begins With CIO and CISO goes all the way to faculty, staff
Tej Patel:
and students. Right. This is how we approach today's
Tej Patel:
cybersecurity at Stevens, Dave. And it has been very successful,
Tej Patel:
it generates a lot of dialogue among the community. And the
Tej Patel:
last one that I should also add is to our student program, we
Tej Patel:
also hire cybersecurity undergrad and grad students as
Tej Patel:
well who work very closely on our CSIS team, right? Whether
Tej Patel:
it's cybersecurity or physical security, because we might
Tej Patel:
monitor and manage both of those system, and they help us improve
Tej Patel:
some of those experience from their own experiences, they come
Tej Patel:
and tell us this, this is working, this is not working,
Tej Patel:
and we try to learn and adopt from them. So these four things,
Tej Patel:
I find that we have done it very well, that builds the culture
Tej Patel:
that we talked about.
Dr. Dave Chatterjee:
Fabulous, I'm so happy to learn that you
Dr. Dave Chatterjee:
are providing students with hands-on experience by involving
Dr. Dave Chatterjee:
them in different cybersecurity projects. Duke University is
Dr. Dave Chatterjee:
another institution that does that. And I'm sure there are
Dr. Dave Chatterjee:
many others doing the same. You also talked about making
Dr. Dave Chatterjee:
available the various security tools for free. So there are no
Dr. Dave Chatterjee:
excuses, excellent! Securing the student population can be a big
Dr. Dave Chatterjee:
challenge, and it's heartening to hear the many concrete steps
Dr. Dave Chatterjee:
you're taking to deal with this challenge. At this time, it
Dr. Dave Chatterjee:
might be a good idea to revisit this important aspect of
Dr. Dave Chatterjee:
securing an academic institution. So what steps do
Dr. Dave Chatterjee:
you all take to secure the student population as best as
Dr. Dave Chatterjee:
possible?
Tej Patel:
The majority of the breaches happen not through any
Tej Patel:
highly sophisticated cyber attacks, right? It happens
Tej Patel:
because of basic controls are lacking. Some fundamentals
Tej Patel:
training haven't been provided, patch management, and and what
Tej Patel:
have you. So at the very minimum, what we try to do is we
Tej Patel:
regularly communicate with our student community. I have a CIO
Tej Patel:
Student Advisory. So we also leverage that advisory committee
Tej Patel:
to make sure the word gets out about phishing, scam, right?
Tej Patel:
Password practices, and all of that. But that's creates a very
Tej Patel:
good, a very aware community. So next time when these phishing
Tej Patel:
attacks are happening, they know that these are not legit, and
Tej Patel:
they know how to report it. Right. So that's the very low
Tej Patel:
hanging fruit for us. But it pays a high dividend, right?
Tej Patel:
That's one thing. Second one is, there are very specific controls
Tej Patel:
that we take in the backend infrastructure side, right?
Tej Patel:
Whether it's bringing a new device on our network, right,
Tej Patel:
how do you authenticate that? Are we using two-step
Tej Patel:
authentication, multifactor authentication, and all of that,
Tej Patel:
are they connecting to wide network or a wireless network
Tej Patel:
and what have you, and we use very specific VLANs and taggings
Tej Patel:
that takes place where if you know, this individual is a user,
Tej Patel:
we put them in a separate network environment where it's
Tej Patel:
completely separate from, from our day to day business
Tej Patel:
operations, for example, right? The same concept applies for
Tej Patel:
gaming consoles and IoT device, we have a complete separate
Tej Patel:
mechanism for onboarding and monitoring that kind of network.
Tej Patel:
And those are some of the the steps that we have taken that
Tej Patel:
that we find that that has been working very well. And also
Tej Patel:
remember, we want to make sure the user experience stays as is
Tej Patel:
where they don't have to contact IT for every day. How do I
Tej Patel:
connect my console versus how do I connect to your wireless
Tej Patel:
network, right, so we also pay very close attention to find
Tej Patel:
that balance between user experiences and maintaining the
Tej Patel:
security.
Dr. Dave Chatterjee:
And you know, that brings up a thought
Dr. Dave Chatterjee:
here. One of my previous guests he talked about in his
Dr. Dave Chatterjee:
organization, which is also an academic institution, they
Dr. Dave Chatterjee:
created what is called a Champions Network. And the
Dr. Dave Chatterjee:
Champions Network comprised of students, faculty, staff, and
Dr. Dave Chatterjee:
these were the folks who were enthusiastic about securing the
Dr. Dave Chatterjee:
institution, enthusiastic about enhancing awareness. And they
Dr. Dave Chatterjee:
would serve as ambassadors, liaisons, evangelists, in their
Dr. Dave Chatterjee:
respective domains, areas. So you know, to your point, it's
Dr. Dave Chatterjee:
not possible for you to have somebody from your unit embedded
Dr. Dave Chatterjee:
everywhere. You have to find a way of getting the word out by
Dr. Dave Chatterjee:
creating those ambassadors, who can who will serve the interests
Dr. Dave Chatterjee:
of your department, of your unit as well. So I thought that that
Dr. Dave Chatterjee:
structure of creating a champions network and rewarding
Dr. Dave Chatterjee:
them and again, rewards doesn't have to be expensive, but just
Dr. Dave Chatterjee:
the recognition goes goes a long way. I just thought of putting
Dr. Dave Chatterjee:
it out there.
Tej Patel:
I think that's a fantastic way to engage with
Tej Patel:
with all all the constituents within your organization, and we
Tej Patel:
also benefit from being a technological university Dave.
Tej Patel:
So we have a lot of awareness, generally speaking, and, and the
Tej Patel:
students are sophisticated, technically sophisticated
Tej Patel:
students, right. And they are demanding. They have
Tej Patel:
expectations when they show it show up on campus. So we don't
Tej Patel:
have a champion network like that. But I feel that the
Tej Patel:
culture that we instill early on, that's, that's our
Tej Patel:
champions. So it's a community effort. It's a team sport. So
Tej Patel:
everyone's part of this Cybersecurity Awareness Campaign
Tej Patel:
for us. And they all play their their individual roles. And then
Tej Patel:
the IT team and the Security team provides innovative,
Tej Patel:
easy-to-use solution, right? 'Report a Spam' button, for
Tej Patel:
example, in your Outlook, right, that makes it easier, right? How
Tej Patel:
do you report some of the phishing attempts and all of
Tej Patel:
that. So we have also created into an intuitive environment
Tej Patel:
where they don't have to spend a lot of time to go through the
Tej Patel:
hoops to report an incident, right. So, we made it easy for
Tej Patel:
them as well. So these are the things that probably could work.
Tej Patel:
But the champion network, it's a fantastic idea.
Dr. Dave Chatterjee:
Fantastic. On a related note, I recall a
Dr. Dave Chatterjee:
discussion with the Chief Information Security Officer of
Dr. Dave Chatterjee:
another organization. He said that there is an expectation in
Dr. Dave Chatterjee:
his organization, that members will help by diligently going
Dr. Dave Chatterjee:
through their emails, and flagging the ones that deserve
Dr. Dave Chatterjee:
attention, I can totally see from where he's coming. There is
Dr. Dave Chatterjee:
no disagreement there. But it's also true that people are busy,
Dr. Dave Chatterjee:
they have to deal with so many things. So that becomes another
Dr. Dave Chatterjee:
chore for the user trying to diligently look through every
Dr. Dave Chatterjee:
email and identify the ones that are worth reporting. Where are
Dr. Dave Chatterjee:
you on this? What's your perspective?
Tej Patel:
I think it's a very complex situation where how do
Tej Patel:
we find the balance between being productive versus making
Tej Patel:
sure we are contributing towards the cybersecurity right, and I
Tej Patel:
think that's where the, it's important for the for the IT
Tej Patel:
folks to, to do a lot of things on the backend side before even
Tej Patel:
the message arrives in the inbox, right. So for example, we
Tej Patel:
use something called mail tip, I believe that's the right term,
Tej Patel:
pardon me, I'm not a CISO for example. I'm an accidental CISO
Tej Patel:
again, but so we have enabled certain mechanism to our email
Tej Patel:
platform. So if a message is coming in, it will say message
Tej Patel:
from external sender or something that automatically
Tej Patel:
alerts the user, right. The second thing is, we have
Tej Patel:
adjusted and continue to adjust our spam filtering, right, where
Tej Patel:
where we have enabled a lot of built in encryptions, or DLP, or
Tej Patel:
data loss prevention type of a policies upfront at that level
Tej Patel:
as well. And and we continue to partner with our vendors to make
Tej Patel:
sure that we remain up to date in terms of those signatures,
Tej Patel:
and all of that. So there are a lot of things we do also in the
Tej Patel:
back end to mitigate this particular risk and still be
Tej Patel:
able to manage the expectations of users. But again, if you are
Tej Patel:
so right, 90% of the emails that you get, it's either spam, sales
Tej Patel:
call, or marketing emails. Only 10% or less than of 10% are, are
Tej Patel:
legit emails that you will read, open, open, read and respond to,
Dr. Dave Chatterjee:
You make a lot of sense, when you say that
Dr. Dave Chatterjee:
it's important to do that work at the backend, use relevant
Dr. Dave Chatterjee:
tools to automate the filtering process. Through such process
Dr. Dave Chatterjee:
automation, one can take the load off the user, freeing them
Dr. Dave Chatterjee:
up to focus on their core expertise. Reminds me of a
Dr. Dave Chatterjee:
discussion that I was having with the CISO of another
Dr. Dave Chatterjee:
academic institution. When I asked him, what were some
Dr. Dave Chatterjee:
principles that guided his day to day activities, he said
Dr. Dave Chatterjee:
something very interesting. He said, Dave, we are not in the
Dr. Dave Chatterjee:
business of saying No. The first thing that I always think about
Dr. Dave Chatterjee:
is that the job of security is not to stop the institution from
Dr. Dave Chatterjee:
doing what they are formed to do. The job of security is to
Dr. Dave Chatterjee:
enable those functions, those activities, and that stayed with
Dr. Dave Chatterjee:
me, a very compelling statement. You also emphasized the
Dr. Dave Chatterjee:
importance of creating a culture of enablement, where the role of
Dr. Dave Chatterjee:
the CISO is recognized to be much more than just a security
Dr. Dave Chatterjee:
officer. They are strategic enablers, business enablers, and
Dr. Dave Chatterjee:
that's exactly how the CISO role needs to be perceived and
Dr. Dave Chatterjee:
operationalized. CIOs and CISOs must have a seat at the table
Dr. Dave Chatterjee:
when strategic decisions are being made. They can provide
Dr. Dave Chatterjee:
valuable feedback on how technology can be an enabler, on
Dr. Dave Chatterjee:
the security implications of the proposed strategic initiatives.
Dr. Dave Chatterjee:
So, treating the CIO, the CISO as strategic partners, as
Dr. Dave Chatterjee:
opposed to seeing those functions, IT and Information
Dr. Dave Chatterjee:
Security as hurdles or stumbling blocks can go a long way, in
Dr. Dave Chatterjee:
creating and sustaining a high-performance information
Dr. Dave Chatterjee:
security culture.
Tej Patel:
Dave, you're so spot on on that observation Dave. And
Tej Patel:
as I said earlier, it's about building and fostering that
Tej Patel:
trust and relationships, right, that allows the community to
Tej Patel:
come together and have this type of conversation and discussions
Tej Patel:
that will enable folks, right to make sure that they provide a
Tej Patel:
solid, secure, robust environment for them to
Tej Patel:
flourish.
Dr. Dave Chatterjee:
Awesome, awesome. Well, like you said
Dr. Dave Chatterjee:
that we can have this discussion forever. But we don't want to go
Dr. Dave Chatterjee:
too long. For the sake of the listeners, we want to keep it
Dr. Dave Chatterjee:
short and sweet. So as we wrap up the session, I want you to,
Dr. Dave Chatterjee:
of course, you know, talk about anything you want. But also
Dr. Dave Chatterjee:
think about anything that you'd like to share from the
Dr. Dave Chatterjee:
standpoint of how organizations should prepare for cyber
Dr. Dave Chatterjee:
attacks. And what does it take to effectively execute plans on
Dr. Dave Chatterjee:
a sustained manner? As you know, we have plans, we're always
Dr. Dave Chatterjee:
planning, strategizing, but everybody is not good at
Dr. Dave Chatterjee:
executing when the time comes. So I'll leave it. I'll leave it
Dr. Dave Chatterjee:
at that. I'll let you take over from here.
Tej Patel:
I think that's that's a really, really great question.
Tej Patel:
Do you know, and I think we can write a dissertation paper on
Tej Patel:
that together, actually, when you specifically talk about
Tej Patel:
operational excellence and change management, right. But,
Tej Patel:
let me let me take a different approach to answer this
Tej Patel:
question, right. Let's look at it from a strategic side. And
Tej Patel:
then from an operational side, right. From a strategic
Tej Patel:
perspective, right, I think the organization must spend
Tej Patel:
sufficient time effort and resources to build a
Tej Patel:
security-centric culture, right? They need to look at security
Tej Patel:
from business lenses, period, they must be involved at a top
Tej Patel:
level, whether it's Board or CEO for corporate or President at a
Tej Patel:
higher level, right? They need to implement frameworks and
Tej Patel:
architectures, right, that are well aligned with particular
Tej Patel:
business needs. And more importantly, I'll take it to the
Tej Patel:
next level where it must be aligned with cloud-smart
Tej Patel:
initiatives. Right? Those are certain things, I would look at
Tej Patel:
it from a strategic perspective. And the last one I would add is
Tej Patel:
find the talent that will help you achieve what I'm about to
Tej Patel:
talk about next. Right. So that's from from more of a
Tej Patel:
strategic perspective. And in that you would have a
Tej Patel:
cybersecurity program that you will work with engage with the
Tej Patel:
community to come up with a program that addresses certain
Tej Patel:
things, right. And this is something from my own learning
Tej Patel:
from Protect Stevens and the IAM program that we launched, right?
Tej Patel:
Implement solid plans for training and phishing awareness,
Tej Patel:
implement some controls for endpoint device management.
Tej Patel:
That's a big challenge. I didn't talk about that earlier on
Tej Patel:
there. Every faculty staff students have multiple devices,
Tej Patel:
grant issued personal what have you. Have a solid 24/7 SOC
Tej Patel:
center monitoring that allows you that extended detection and
Tej Patel:
response that you need, right. We talked a little bit about
Tej Patel:
network segmentations, and then make sure that there are certain
Tej Patel:
things that we want to also focus on within that program, is
Tej Patel:
make sure you have a return incident response plan, right.
Tej Patel:
This is more operational, but it's needed, right? Make sure
Tej Patel:
you you you draft confidentially agreements for employees,
Tej Patel:
vendors and visitors. Many folks still don't pay close attention
Tej Patel:
to visitors. And this goes back to like, you know, having low
Tej Patel:
hanging fruit and attack surfaces, right. Regularly
Tej Patel:
perform data discovery and privacy reviews for risk
Tej Patel:
assessment, right. We perform at least two penetration testing.
Tej Patel:
We also include social engineering aspect of it. So,
Tej Patel:
make sure we do that. And one last topic is review your
Tej Patel:
onboarding and offboarding processes. So important, so
Tej Patel:
critical. And for all the folks who are listening from an IT
Tej Patel:
perspective, adopt these four basic practices. If he can't do
Tej Patel:
all of that for for financial resources or otherwise, make
Tej Patel:
sure you have a solid password management practices, implement
Tej Patel:
multifactor authentication, provide solid user awareness
Tej Patel:
training and timely update systems. I hope it covers your
Tej Patel:
question.
Dr. Dave Chatterjee:
Oh, brilliant, absolutely brilliant.
Dr. Dave Chatterjee:
You know, there's a reason why you do what you do. And you do
Dr. Dave Chatterjee:
it so well. I think you addressed it brilliantly. And as
Dr. Dave Chatterjee:
you were talking, I was just thinking about the vastness of
Dr. Dave Chatterjee:
the attack surfaces and the various ways that these surfaces
Dr. Dave Chatterjee:
can be compromised. For lack of a better word, organizations,
Dr. Dave Chatterjee:
individuals, are sitting ducks. Despite your best efforts, there
Dr. Dave Chatterjee:
could still be a loophole that somebody could find and drive
Dr. Dave Chatterjee:
right through. But having said that, just like you said, you
Dr. Dave Chatterjee:
have to do the basics, right. Do the fundamentals, right. I'm
Dr. Dave Chatterjee:
sure you might agree that there's also some wisdom in
Dr. Dave Chatterjee:
prioritizing what you want to secure, at what level. Because
Dr. Dave Chatterjee:
it's impossible to secure everything. And so you have to
Dr. Dave Chatterjee:
prioritize and then focus your security strategy, your
Dr. Dave Chatterjee:
defense-in-depth strategy accordingly. So this way, it's a
Dr. Dave Chatterjee:
more of a manageable, feasible kind of plan. And finally, from
Dr. Dave Chatterjee:
my standpoint, finally, I'm a big fan of, make sure that you
Dr. Dave Chatterjee:
work closely with with legal because the unfortunate
Dr. Dave Chatterjee:
consequences often result in the courtroom where you're having,
Dr. Dave Chatterjee:
you're being sued, and you having to defend yourself. So
Dr. Dave Chatterjee:
make sure you're totally familiar with the laws, the
Dr. Dave Chatterjee:
regulations, the standards, and you're in compliance, so that
Dr. Dave Chatterjee:
when unfortunate events happen, and when you have to present how
Dr. Dave Chatterjee:
you have been governing, managing security, you look good
Dr. Dave Chatterjee:
out there that you did your best, and despite your best
Dr. Dave Chatterjee:
efforts, things went wrong. As opposed to, it was sloppy, or it
Dr. Dave Chatterjee:
was negligent, which is something I'm sure everybody
Dr. Dave Chatterjee:
would like to avoid. But again, I'd like to give you the final
Dr. Dave Chatterjee:
word. So please.
Tej Patel:
Absolutely, I think I think you're so spot on that.
Tej Patel:
And I will take it to a further as well, right, that the
Tej Patel:
incident response plan that I briefly touched upon, that
Tej Patel:
should also include your cyber insurance provider as well,
Tej Patel:
right. And they will bring in all the legal help. And because
Tej Patel:
different states have different regulations nowadays in terms of
Tej Patel:
what you report and what you don't write. But I think someone
Tej Patel:
recently shared some statistics about cyber attacks, right? It
Tej Patel:
was something around like it happens every 39 seconds, the
Tej Patel:
ransomware attacks are targeted every 14 seconds, and only 10%
Tej Patel:
gets reported. Right. And to make it even this this whole
Tej Patel:
cybersecurity economy, they're expecting it will grow to $10
Tej Patel:
trillion by 2025. Right? I mean, this is fascinating numbers,
Tej Patel:
like, you know, how do you keep up with all of this Dave? So,
Tej Patel:
again, you have to go back to the basics, do the basics,
Tej Patel:
right. Make sure you're transparent. Make sure you you
Tej Patel:
find good people on your team who are stewards of good
Tej Patel:
security, hygiene and, and and do your your best efforts on a
Tej Patel:
daily basis. Right.
Dr. Dave Chatterjee:
Fantastic. Well, with that we'll conclude
Dr. Dave Chatterjee:
our discussion for today. Thanks again Tej, for the wonderful
Dr. Dave Chatterjee:
insights. I so appreciate it. I know listeners are also very
Dr. Dave Chatterjee:
grateful.
Tej Patel:
Dave, thanks for having me. And I really enjoyed
Tej Patel:
our conversation. Thanks again.
Dr. Dave Chatterjee:
A special thanks to Tej Patel for his time
Dr. Dave Chatterjee:
and insights. If you like what you heard, please leave the
Dr. Dave Chatterjee:
podcast a rating and share it with your network. Also,
Dr. Dave Chatterjee:
subscribe to the show, so you don't miss any new episodes.
Dr. Dave Chatterjee:
Thank you for listening, and I'll see you in the next
Dr. Dave Chatterjee:
episode.
Introducer:
The information contained in this podcast is for
Introducer:
general guidance only. The discussants assume no
Introducer:
responsibility or liability for any errors or omissions in the
Introducer:
content of this podcast. The information contained in this
Introducer:
podcast is provided on an as-is basis with no guarantee of
Introducer:
completeness, accuracy, usefulness, or timeliness. The
Introducer:
opinions and recommendations expressed in this podcast are
Introducer:
those of the discussants and not of any organization.
Listen On
