
This is Helen Patton: Security in Higher Ed, What It's Like to Secure a City. Take it.

Yeah, thank you. So when I was writing the abstract for this, I changed the name. If you're wondering why it doesn't say "Running a City in Higher Ed," I changed it because it should be "What Would the CISO Do?" What I want to do in this session is have you pretend to be me, which was the CISO at Ohio State. Right now I'm an advisory CISO at Cisco and Duo, but I've only been doing that for about two months. Eight years before that I was the CISO at Ohio State, and eight years is a long time to be CISO. So I think I have a bit of a masochistic streak in me; I'm not sure. You will find me at @CisoHelen on Twitter, and you'll find me on LinkedIn as well, so if you want to follow along, feel free to do that.

So the point of this talk is to talk about what it's like to try and do security in an organization that is like a city. Some of you may or may not know Ohio State, so I'm going to give you some background. I became the CISO at Ohio State in 2013, and prior to being the CISO at Ohio State I was doing security at JP Morgan. So here I am. I come from a Wall Street bank, and when you're doing security in a Wall Street bank, everybody tells you that you're the best at security, because you're the financial sector and you're highly regulated, and so you must know everything to do with security. So there was that; I had a bit of a complex. And two, I thought being a CISO in higher ed is about teaching and learning, it's about kids in classrooms. How hard can this be, really? Yeah. So welcome to Ohio State. As I do this, think about your company, or think about the company you're thinking about going to, and sort of compare what your company
looks like to this one, and we'll compare notes. All right, so here's some information about Ohio State. The numbers that you see here I think are a couple of years old now; these aren't the numbers that I had in 2013, but they haven't changed too terribly much. So in any given year we've got about 70,000 students. Most of them are undergrad, most of them are on campus in Ohio, although some of them are overseas. We've got about 45,000 employees, and from an employee perspective that includes teaching staff, researchers, administrative staff. It also includes the folks who work at the hospital, because you'll notice that we've got seven hospitals under our umbrella as well. We have about six hundred thousand (I'm rounding, because rounding makes it sound better), we've got about six hundred thousand living alumni, and we've got more dead ones than that, and dead ones still come up in your security profile every once in a while, so we'll talk about that. In any given year we have about fifty-seven thousand patients, if not more. The budget: almost eight billion dollars of budget a year. Of that, about a quarter of it maybe is the hospital; the rest is the university side of things. About a million of that is research dollars. Oh, sorry, a billion of that is research dollars, almost. There's an endowment, so, as universities do, we have a lot of our operational income but also other kinds of things that come through our endowment. We have about 1,300 buildings, and those buildings could be anything from a building that has a lot of classrooms in it, to a hospital, to a sports facility, to an entertainment center, all that kind of stuff. About 16,000 acres across six campuses and some hospitals. We have four international locations, two primary data centers in the US, not including what we put into cloud, public and private cloud. We've got an airport, we've got some golf courses, we've got hotels, and among other things we've got a nuclear reactor. All of this stuff, by the way, we're a public institution, it's publicly available.

Okay, so I rock up and I'm thinking, yeah, this is kids in classrooms, and then I'm like, what? Like, what do you do with this? Now what's your risk profile? I can't just show up and talk to business leadership and say, what are your crown jewels? You know, we've heard this, right? You go to a lot of conferences and they say start with your crown jewels. Well, crown jewels: is it my students? Is it my patients? Is it the health care system that we're running and the medical records? Or is it the student financial aid, which is many millions of dollars' worth of financial aid? Is it the endowment? There's a lot of money there, right? So is that my crown jewel? Or, I just became a jeweler: I've got like hundreds of thousands of crown jewels, from a data perspective, from a business process perspective, from a physical security perspective, you know, 1,300 buildings with five different security swipe systems that are going on. Ah, like, yeah. So, deep breaths, Helen. After I curled myself up into the fetal position, I had to go, okay, what do I do with this? How do I do planning around this? What does this mean? So what I'm going to do for the rest of this talk is sort of talk you through what are
some of the elements that I think about as a CISO, as a security leader, when you've got all this going on, and how I might put that into a security plan that makes sense for an organization like this. Now, your organization might be super small and super focused on one particular industry or one kind of data or one kind of technology, or maybe you've got something like this, which is really a multi-headed beast. But these strategic planning steps are going to be similar for everybody; it's just a matter of scope and scale.

Okay, so let's start. The first thing you've got to work out is what does your organization care about, and how do they think about security? You'll notice that there are five little circles on this particular graph. It actually sort of aligns to a lot of maturity models, if you've seen them. So one is "we don't know what we're doing, we're not really doing anything," to five is "wow, we are so organized, we optimize our security every single day." I don't know anyone anywhere who's a five. I know very few people who are four. Most of us tend to sit in the one to three, and we really hope that we're effective. But the further you go along this arrow, the more complex it gets from a tech perspective, from a security philosophy perspective, and the more it costs, right? So you've got to think about your vertical. Back in JPMorgan Chase, their security budget was more than the entire IT budget of Ohio State, right? So they've got some money to burn, comparatively. But the university is not going to put up with duct tape and chewing gum, because our regulators won't like it, certainly our researchers and our students won't like it, and our alumni who give to that billion-dollar endowment, they're not going to like it. So not duct tape and chewing gum, but probably somewhere between good enough and effective is an appropriate place for higher ed. And by the way, for all of you who are like, ah, higher ed is so expensive: one of the reasons is we've got lots of regulations that we have to think about, in addition to just trying to do the right thing from a security perspective. But I know as a security person, every dollar I ask for for a security thing is considered to be a dollar that's not spent on scholarships, or endowment, or free stuff, you know, or sort of that equity and inclusion piece of what's so important to higher ed. So you've got to start with your values and think about where your organization fits on this. So give that a thought: where does your organization fit on this scale? Are you duct tape and chewing gum? Do you want to be, like, award-winning? Somewhere in the middle?

Okay, so there are some elements that go into strategies. I like mind maps; this is a very simple mind map. If you're going to take anything away from this particular talk, this might be the slide to take a picture of, a screen capture of. I'm going to go and talk about each one of these six things, but in general, as you think about putting together a strategy, these are the elements that you need to take into account. And so as we go through these, I'll talk about this from a higher ed perspective, but
you're going to have your own particular views of each of these.

So let's start with compliance. Okay, so I walk into Ohio State, and by the way, Ohio State's like the third largest university in the United States, but it's not unique: Arizona State, Florida, Kentucky, Tennessee. Any sort of research university is going to be in the same kind of boat that Ohio State is. Location: when you're putting a strategy together, location's important. I had to worry about a lot of regulations, but I didn't have to worry too much about Australia or England or Singapore or any international sort of spaces unless we had offices there. So we did have offices in China and Brazil and India and Romania, but we didn't, so, you know, location's going to determine which laws you have to pay attention to. Industry is definitely a thing: if you're in the energy sector, you're going to have to deal with NERC CIP, whatever. Whatever data types you have, so if you're collecting private information about your employees at least, if not about your customers, you're going to have privacy regs you've got to think about. And of course your technology architecture is also going to determine what kind of compliance and framework standards you want to comply with. If you're cloud native, you might be looking at a Cloud Security Alliance kind of framework, and that might work really well for you.

So what's Ohio State got going on? Well, we're subject to GLBA, because we've got student financial aid and they think we're like a bank. We're subject to PCI, because, you know, just one football game, we have a hundred thousand people in the stands for a Saturday afternoon, and they're all buying beer and Buckeye stuff, and yeah, PCI is the thing. We've got cafeterias on campus, we've got bookstores on campus, we sell stuff, and yeah, PCI is a thing. We are subject to FERPA, which is the education act, so all of our student data is covered by FERPA. We've got our hospitals, so that's HIPAA. We do have a power plant. The nuclear reactor is just for research, it's not really active, but, you know, we've got a steam factory going on for heating and cooling, so we've got energy issues that are going on; we have to think about that. We have our own airport, and that's got its own weird things. So what should I use, right? What's the framework I should follow? Do I make everybody comply to the higher standards? Actually, we're subject to CMMC and Department of Defense security for some of the research we do for the DoD. Am I going to make everybody hit that level? No. So thinking about it, I need a framework, I need people to be talking the same language, I need them to be compliant with laws and regulations. How do I do that? Short answer, by the way: segmentation is my friend. But I'll come back to that in a second. So we think about compliance. It's the first thing, when you're putting a strategy together, you should start with: not because I think compliance means security, but it sure doesn't mean security if you don't have it, and you can really get into trouble really fast if you don't have it. So start with compliance.

Business needs. Okay, so what's going on in higher ed? People think it's too expensive, but they really like climbing walls. They want to be able to do their work
from anywhere. We have people in Antarctica, we have people in the Arctic; like, we're in all continents, all islands, all locations, and they want to be able to get their stuff back to our systems. So they want to be everywhere. Distance education is becoming a thing, so, you know, more and more of our students don't actually want to come to campus anymore, and more of our students are adult learners than traditional students, which you may not realize. So those folks want to have much more technology support than maybe they did before. And over the last eight years at Ohio State we've also gone from an on-premise ERP system to a cloud-based ERP system. That was for HR, that was for finance, and it will be for student as well. You can go Google all of this; none of it's private. What are those business needs, and what does that mean for security, right? So remote users, and this is pre-COVID: remote users working from anywhere, cloud-based but hybrid, with lots of regulation around it. It's a thing. And oh, by the way, the business believes that information and data by default should be shared, so I've got to do security in a cultural environment where they say, why would I put controls around data? Yeah, it's fun.

Okay, third thing: what's your org structure? Now, this may not tell you what you need to do in your security strategy and what projects, but it's sure going to inform you how, right? In my role I had two bosses. I reported to the CIO, but I also reported to the chief compliance officer. The reason for that was, in 2010 they had a really big breach; they lost 750,000 student records. They did not have a security program at that time, and it originated out of the CIO shop. So when they created the security team and created the CISO role, to their credit, they said, we think it's an IT role (which, okay, I'm going to argue with them on that one, probably), but there needs to be an independent reporting line that the CISO can call on if they need to. So the compliance officer goes up through legal and up to the board, and the CIO goes up through to the president of the United States. Two bosses, right? But it also means I've got two major stakeholders that have different needs that I've got to take care of. And thirdly (thirdly, because, you know, two fingers and then there's three), the budget owner was neither of those. It really came down to both the financial office and a group called the Senate Fiscal Finance Committee that may ultimately make decisions about budget priorities. So whatever I did had to be reasonable and understandable to those folks as well. And then I didn't have to worry about this so much, but in your company you may also have this question of, do you insource things and outsource things? Do you pay for pen testers to come and do security assessments of your environment? Is that cool to do that? What does your organization think about outsourcing? Do you outsource your SOC? You know, all of those kinds of questions. And so this sort of tolerance of "we do our own thing, thank you very much," or "we have to do our own thing because we're a unique snowflake and no one can really do it for us," which happens in higher ed a lot, are things to take into account.

All right, four: good practice. So one of the things that
I think keeps CISOs up at night everywhere is that if you were to be on the receiving end of a breach (and we recognize that at some point you probably will), some armchair quarterback is going to second-guess you, and they're going to go, why the hell didn't that CISO have XYZ in place? Why didn't they have a better vulnerability management program? Why weren't they doing purple teaming? Why blah blah blah, right? Especially on Twitter, we're really good at second-guessing what happens, right? But I think that it's reasonable to say that there are certain things that security needs everywhere in order to do a decent job of getting to effective, right? Asset management, basic cyber hygiene, patching, keeping up to date and current, that kind of thing, doing a basic tech refresh, having some level of incident detection and response: sort of jacks for openers for any kind of security program. So as I was thinking about this strategy of, okay, I've got all of these rules that I have to follow and laws that I have to follow, and which framework should I deal with, and what are the business objectives coming up, and all of those things, on top of that I needed to evaluate how well we were doing the basics, and if we weren't doing the basics very well, should I put a program in place to plug the gaps? And I would say I would. So when you're thinking about your own company and you think about these kinds of things, and by the way, some of these things aren't the responsibility of the security team. Asset management doesn't tend to sit with security; it'll sit with IT operations, right? Maybe you've got a really dodgy help desk who can be socially engineered all the time; I'm sure you'll hear talks about that during the day, right? Maybe you need to have something in your security strategy that shores up other parts of the organization in the name of security, that doesn't really help your overall team but it does help the overall security profile of the organization. So give that some thought. Good practice is another element.

I would be remiss if I didn't say you've got to think about what the threats are, and I put these into two, three buckets (coffee, haven't had much today). One is what's happening within your organization. In higher ed we have a lot of click-happy people, so email security, giving up credentials, those kinds of problems, yeah, it's a big threat in higher ed. We receive, by the way, also just from an external perspective, from a nation-state, industry perspective, we receive more phishing than all other verticals combined. Combined. So you think you've got a phishing problem? Come to higher ed and see what's what, right? So what are our internal problems? Ransomware's big in higher ed, insider threat is bigger in higher ed, right? What about general industry trends? We just talked about those. And then every one of us has to think about the potential for nation state, and I will say the word SolarWinds, but it's a good example of, you know, stuff's happening because somebody's targeting Israel or Iran or the United States or Russia or China or whatever, and we're getting the blowback from it. And I'm sure there will be lots of talks today about that, lots of talks at RSA, lots of talks at Black Hat, but the reality is we're all going to get sucked in by it. So think about what those threats are,
and if you're really worried about them, you need to have something in your strategy that addresses them.

And then last but not least, innovation. I was going to put this slide up with a whole bunch of words that you're all going to know, but I just decided to put "buzzword bingo" on it, right? This could be 5G, it could be artificial intelligence, it could be drones, it could be disinformation, it could be deepfakes, it could be whatever. There's going to be something that is coming, future-focused, at you. So everything I've talked about up until now has been, what do you see in the environment today that needs attention? But part of your strategy, particularly if you're the security leader, is to be forward-looking. So what's coming? And certainly, you know, we all went from on-prem to cloud; it was like, cloud's coming, are we ready for cloud, are we ready for cloud? And for most of us, we're still not ready for cloud, not really. So it could be a tech innovation like that, but it could also be a business innovation. So again, you know, from a higher ed perspective, COVID just accelerated the fact that most of our people want to do school and research from home. So what does it mean to do that securely, and what does the security team and the security strategy need to include so that we can innovate in that space? And I would also say, by the way, if you're running a team of people who are security folks, you want to be playing in the innovate space or they'll get bored and they'll leave. So innovation is an important thing to put into a security strategy.

All right, so you've got all these things, right? Here's a summary of sort of what I'm thinking about. I've got all these regulations that I have to worry about, I've got these business needs, I've got an org structure kind of thing, including, by the way, declining budgets. There's always declining budgets in higher ed, even if there's not; I managed to grow our security budget every year, but overall budgets went down over the last eight years. Great practices, good practices, good enough practices; threats that we have to think about; and other innovation opportunities. In higher ed, absolutely there are. They come from not only start-up vendors that we work with but also internally. Actually, from an insider threat perspective, the computer science department faculty and students are nasty, man. So there are a lot of really smart people in higher ed that you can innovate with, which is awesome; it's one of the reasons I love being in higher ed. But everything's got two sides, right? Yay for innovation: we did a lot with autonomous vehicles and autonomous vehicle security, and oh, by the way, when it came to insider threat, I was dealing with the same damn people. So, fun times in higher ed.

All right, so you've got these six elements put together. Then the question is, what do you do with it? Well, the first thing I'm going to tell you to do is go out and do some independent sense-checking of your thinking. Okay, there is a lot going on in everyone's world and you can't know everything, so networking, coming to events like this, but also looking at some of the data reports that are out there, is super important. I'm going to talk about one,
and I'm going to talk about it because I'm living the dream of it at the moment. Cisco did a report, it was a study in 2020, called the Security Outcomes Study. It was double blind: Cisco didn't actually conduct the study, nor did they know who was in it, but the study included more than a thousand companies, security practitioners and IT practitioners, and they were asked questions like, what do you care about for your security program? What activities do you do that lend themselves to those things? And what correlates to good outcomes positively, and how much? Okay, so I'm thinking about my strategy and I'm thinking I've got to have something because we're going to the cloud, and I've got to have something that's going to help us comply with CMMC, and I've got all of these things, but what's really important for a security program? Well, on the vertical on this chart you will see some business outcomes, some security outcomes, that this group of people who were surveyed thought were positive things that they wanted. Okay, so, you know, keeping up with the business, absolutely; getting peer buy-in was really important if you're going to have a good program; being cost efficient; retaining security talent. These are some outcomes we want out of our security program. And then along the bottom we've got activities; there are about 25 of them that people were asked about: what did they do, why did they do them, what kind of benefit did they see in relation to those outcomes that they were going for? What you find is, if you go to the left-hand side of this graph, the darker blue is a higher positive outcome, and across all of the outcomes that we were looking for, there were some four or five that sort of correlated pretty positively to all of them. So if I'm thinking about a security strategy, I want to make sure that those outcomes are included somewhere in my security strategy. Okay, interestingly, in some of the data there were things here that had less of a positive outcome. So, you know, go look at the things to the right-hand side of this scale and go, well, hang on, I would think that having a secure development approach would be good. Well, it is; it's not that it independently isn't good, but it wasn't a very high positive correlator to these business outcomes. There will be future studies, by the way, from Cisco, so watch this space, and there are many studies out there, right? You can certainly look at the Verizon breach reports, see what kinds of things are happening in your industry, and a whole bunch of other kinds of reports. This is just one.

So I summarized that slide for you, right? So the three things on the left-hand side here are the outcomes. I don't know any security leader who would disagree with these as being outcomes we want, right? We need to enable the business, we need to manage risk, we need to operate efficiently. Again, every dollar I spend is a dollar not going towards your scholarship, so I'd better be doing something good with it, right? On the right-hand side, these are the five practices that most positively correlated with those outcomes, and you'll see some of these are security things and some of these are not security-owned things. Having a proactive tech refresh program is sometimes something that security has influence over and sometimes it doesn't, and certainly in higher ed, where we have lots of people making IT decisions independently of the center, proactive tech refresh is a bit of a struggle, actually. So that's a thing. Well-integrated tech: what we mean here is well-integrated security technology and a security tech stack, hard to do if you don't have well-integrated IT in general, but basically what we're trying to say here is if you have security stuff that talks well with each other, so you don't end up with blind spots, you're probably going to have an efficient program, you're probably going to be enabling the business and managing risk, right? And accurate threat detection is number five, right? So feel free to go read this report if you want to see it in detail; it is free, and I'd love to get your comments on it. If you read it, let me know what you think. But from a strategy perspective, I'm going, okay, I've got what I think I need to have; now I'm seeing this data that says I've got these elements that I really should probably be including somewhere. So, you know, how do I put it all together?

So one is, I'm going to tell you right away, you want to know your business. We started with this: know where your business wants you to go. Do you want to be award-winning,
do you want to be duct tape, do you want to be somewhere in the middle? Apply those strategy elements around it. Validate externally. So here's the example for me. This is an example in higher ed; by the way, I'm no longer there, some of these things are still in place, some of these things have already been done. From a governance perspective, we did implement a security framework. So we had a framework that says this is the base level of security everyone needs, but with network segmentation and other things we apply to the higher levels. So the entire university doesn't have to be HIPAA compliant, just the pieces that have to be HIPAA compliant. The entire university doesn't have to change their passwords every 90 days (thank you, PCI); only the segments that deal with PCI have to change their passwords every 90 days. Those kinds of things, right? So we had a baseline framework plus segmented other things, because we needed to do that. Now, does that mean my security stack is less integrated? Yes. Does it mean it's more expensive? Yes. Am I willing to make that trade-off? Yes, because if I'd have gone in and said the whole university needs to be CMMC compliant, they would have, like, hung, drawn and quartered me before I even got started. So baby steps. Okay, secondly, I want to make sure I've got metrics and reporting in the governance space. So I want to know where we're starting and I want to know how well we go as we head there, so metrics and reporting is always a piece of that governance strategy.

Secondly, business strategy: definitely focusing on cloud for us, right? So again, it's going to support the distance education business objective, it's going to support remote learning. Fun fact: higher education and K-12 does more Zoom sessions and more online sessions than all other verticals combined. Who knew, right? So yeah, we're remote, we get it. And in my case I had an ERP migration, but to be honest, I don't know how many people aren't doing some level of ERP migration right now, or at least having some major administrative system that you're doing some migration to, probably from on-prem to the cloud. So part of my strategy was: hook security to those projects and get funding for whatever I needed as it related to that project. So as a result of the ERP migration I got five additional headcount that was paid for by the project, that ultimately became part of my operational team, and there were some technologies that needed to be in place in order for that project to work that we used for that project but also for other things across the university as well. So aligning strategy to the business was a good thing, because the business cared, not for security so much, but they cared for the ERP migration, and I was able to piggyback and hitch myself to that need.

Managing threats: ransomware, insider threat, all continue to be big in higher ed; this is no big secret. So how do I think about that? I had a plan around email security, I had a plan around EDR/XDR, and I had a plan around UEBA. Okay, so thinking about those are the threats I've got at the moment, and in an organization that's got, you know, 70,000 students and 45,000 employees, you can't really get to those things overnight so easily. So, part of the strategy: managing the basics. In, again, higher ed, tech refresh, vulnerability management, improving our ability to detect and respond: really important. So that was part of the strategy. And I didn't include this, but it's sort of something that wraps around all of these: you need to make sure that you're incorporating a security-first culture and enabling a security-first culture as much as possible. So part of my security strategy was also rolling out a training and awareness platform that wasn't just one hour of PowerPoint training on what the law requires, but really focused on what people's jobs were. So if you're a sysadmin, what do you need to know to do that securely? Or if you're a software developer, what do you need to do to do that securely? But also just general security awareness for everybody, which focused on them as persons, not employees: so how do they stay secure at home, what do they need to protect their kids online, what do they need to do for online banking, that kind of stuff, knowing that they would bring those habits back with them into the office. So we talked about that as well. And change doesn't happen overnight, so you'll see here on the bottom I've got an arrow that talks about time. Different companies are going to have a different time horizon. When I was in Wall Street banking, everything had to be done in six months or less. Now, whether it actually happened in six months or less is a different story, but the intent was everything happened in six months or less. Higher ed: three to seven years, right? So timing is an interesting piece of this strategy as well.

So what would the CISO do? This is how I approached it. I'm sure you get 10 CISOs in a room, they're going to say, but Helen, you didn't think about X or Y or Z. Yeah, I get it, but this is what I did. So the question for all of you is, what would you do? So hopefully, in walking you through my thought process, you'll get a sense of a way of thinking about creating a
security strategy for your organization um some of the things that you might want to take into account maybe hopefully i've given you something where you went oh i didn't think about that and maybe you can take that away with you um if you're not a security leader in your report to someone who is um maybe you'll go oh now i know why they're doing that or maybe like i should have it talk to my boss because i think we should be doing these things too so hopefully it's been useful to you um i am available for questions so what does everyone think i'm gonna stop sharing my screen here all right i'm scanning for questions i
have one: how big was your team in the beginning?

I had about 20 people. That included a lot of higher ed... try again: a lot of identity and access management. So about a third of my team was identity and access management. When I left after eight years we had about 65 people.

Okay, that's about what I would have guessed, which is, I don't know, some people would say maybe at least half as many as you could have really used.

Yeah, I would tell you, when I left I think there was still more growth to be done. I think based on the current profile of the organization they could probably grow by another 50 percent, both in terms of headcount and in terms of budget. But it's a journey, right? You're never finished with it, and we'll see what they do post-COVID. It'll be interesting.

Yeah. All right, we do have some questions coming in. Let's see: have you figured out a cheat code for dealing with competing stakeholders, such as belligerent department heads?

Yeah, it's a carrot and stick. My preference wasn't to go to the stick first. My preference was to try and convince people that doing security was something that was in their interest, not my interest. So belligerent heads often were belligerent because they didn't understand what the risks were that they were facing. So a lot of it was, "Hey, look, I know that you've just spent 15 years of your life on this research thing, but if you don't have good backups and if you don't have good access controls, and you go to publish your paper on this research that you've spent your entire life on and you realize the data is bad because someone hacked into your system 10 years ago and you didn't even know it, that could be a problem, right?" And they're like, "Oh yeah, that could be a problem." I'm like, "Okay, so now let's talk about security." So a lot of it was that, but that doesn't scale very well. So some of the things we rolled out we did push pretty hard at people, but everything we rolled out, we had a big communication program around it before we pushed it out. And most of the time we weren't talking about the security reasons, we were talking about the business reasons why we needed to do it. That's how we handled it.

Okay. And then somebody else said, any cat-herding tips? Which, yeah, I think you partially covered with that answer. Yeah, I think one of the things we can do... To manage the audits: it's crazy to think what your audit schedule must have looked like. How did you manage the audits for all the
compliance management regulations you had to deal with?

Yeah, interesting. So I'll actually answer both of those questions together. The way the university worked was that every college had its own IT shop and its own P&L, and then there was central security in central IT. So one of the cat-herding things we had to do, because we didn't have direct authority over their tech decisions or their control decisions, was we created a security advocate program. We called them security coordinators, but their role basically was: they were hired by those departments, they sat in those departments, and we trained them on how to do security things, but they became our voice into things. But they were also the people that were on the response end of any audits that came through. So we had very few audits that actually applied to the entire university overall. Identity and access management kinds of things did, but more often an auditor would come in and audit just the hospital, or they'd audit just the financial sector, or they'd audit just the PCI segments, and we had those coordinators in those units who would do that for us. So that wasn't part of my direct job to do. I would certainly support that and help consult and talk about what our security program was and those kinds of questions, but I wasn't the pointy end of the spear on those audits, thank God.

Do you have any suggestions for resources for developing the framework for compliance and regulations?

Yeah, there's actually a lot out there, and it depends which one you're going to go with. We decided on NIST 800-53 because most of our funding comes through federal or state or local governments and they're all on the NIST platform, right? So it made sense for us to use NIST. If I was part of an international company I might use an ISO standard, or if I wasn't particularly regulated but I was maybe cloud-first, I might just do something from the Cloud Security Alliance. All of those organizations have good resources on how to roll those things out. I would actually go to your ISACs, and if you've got an ISAC that you're a part of in your vertical, chances are someone's already done it in your vertical, so talk to them and get help from them if you need some, if you don't want to pay someone to come in and consult for you to get it rolled out. Networking: you can't underestimate the power of networking. There's going to be someone here at today's conference who will know how to do it, including me, by the way, so hit me up if you want to
take an offline conversation.

Yeah, Helen's in the Discord, I've seen you there. Did you go in with an idea of what the staffing and structure should look like when you started out, or did you use the first few weeks to kind of figure that out?

I was figuring that out every day of the eight years that I was there. When I first started, I wasn't thinking of it so much in terms of staffing as I was in terms of functions that I needed. So, you know, I sort of came in and there were things that I expected to be there that weren't. There were some things that we had that I was delighted to find out that we had, and I wasn't expecting them to be there either. And then there were also areas, because this is what happens in industries like this (state and local government do this too), they get by on duct tape and chewing gum, right? So it usually meant that there was one person who did a thing. I'm gonna make something up: there was one person who did vulnerability management, or there was one person who did something really critical. So from a staffing perspective, one of the first things I did was look to see where I had single points of failure and try and fix those, and that was the original sort of piece of growth. Once that was taken care of, then I started adding functions that they didn't already have. And over the years, in some cases we had put in place a security thing that we really no longer needed, and so we retired those and then redeployed the staff for other purposes. So it's not something you can set and forget. As a leader, you've got to be looking at it all the time.

I grew up in financial services, and the idea of retiring a function and, you know, reusing those folks somewhere else is completely alien to me. They just go on forever. The mainframe never goes away.

Well, we've got some of that too, right? Go to any hospital and there's still Windows 95 machines hooked up to medical devices, right? So some things I wanted to get rid of but I couldn't, because the business insisted on holding on to some piece of technology that required some old piece of security, right? This goes back to that integrated security tech stack. But what I was able to do in those cases was to say, okay, if you really want to hold on to this, then you need to pay for the security that goes around it. So it becomes a negotiating point.

Yeah, yeah. Here's what it's going to cost you to live in the Stone Age.

Yeah.
Let's see, trying to figure out which one to go with next here. "Were you able to leverage..." Okay, so: how did you handle BYOD?

I'm not sure that's answerable in the time that we have. Going forward, I would tell you that I think there's more work to be done. Higher ed has been BYOD from the beginning. Like, I'll give you an example: there is an expectation that a grad student is going to bring their own laptop into a lab and use their own laptop to do research, because the granting agencies, the NSF, the National Institutes of Health, whatever, those grants often don't have a lot of money associated with them, and so where the researchers find savings is by asking their grad students to bring their personal devices into the office, right? So it's part of the business model to assume that there is BYOD. Going down the zero trust model actually goes a long way to supporting the BYOD model, and we didn't have that when I first started. So part of my strategy after I first started, like two or three years in, was to really try and accelerate zero trust, to be able to say, okay, fine, you're going to have your own device, but it can't be jailbroken, it has to be patched, it has to be this and it has to be that. And in certain cases we are still going to air gap and we're not going to let you plug in your personal devices. So again, we sort of segmented the network around where you would allow BYOD and where you didn't, based on risk, and that's what we've had to do. But I would tell you we haven't solved it. I haven't seen anyone solve for BYOD yet, let alone higher ed. I don't know. Someone tell me they've solved for it, I'll buy you a beer.

Yeah, I mean, I'm with you. You know, I think the best thing I can think of is that zero trust approach, you know, where you vastly reduce the amount of damage a personal laptop could do and have some control over whether it's patched or not, those kinds of things, right? Let's see: were you able to leverage any public sector support, for example FBI, DoD, for security concerns and emerging threats? If so, was it successful, and any lessons learned?

Yes, we did. So certainly the feds and the FBI and others want to have good partnerships with higher ed, because we are very much in the crosshairs of nation-state folks who want to steal intellectual property, right? So the granting agencies as well as, I'll call them, the
policing agencies were very good partners. I think we struggled, though, as all industries do, in that one piece of the federal government will have information and they don't like to share it very quickly. By the time they get around to sharing it, it's been so sanitized that you've lost the context of what it is they want to share, and it's also like nine months after the fact that they actually come to you and say, "Hey, have you seen these indicators of compromise on your network?" And I'd be like, "Well, if you'd come to me six months ago I might have been able to answer that question, but yeah, no."

So the log retention is already done by that point, like it's already rolled off the SIEM.

That's right, that's right. So, you know, I applaud the federal government for trying to improve the public-private relationships. I think they've got more work to do, but they're headed in the right direction. Again, the communication point for me was really more around the ISACs, and getting in with those groups, that was the most helpful. The other thing we did in higher ed, as much as Ohio State really hates Michigan on the football field: the CISOs in the Big Ten, we meet every month and we have a lot of collaborative security efforts that go on, including IoC sharing, you know, with a STIX/TAXII sort of background, that kind of thing. So we were doing what we could do to be as fast in detection and response as we could by joining hands and doing collaborative efforts with partners.

I think that's really cool. That's almost a step up from the ISAC, you know, having that group. So you actually get on like a Zoom call, something like that, where you're kind of face to face talking to each other once a month?

Yeah, absolutely. And once a quarter we'd get in person too, you know, pre-COVID. So I have a whole bunch of swag from all the Big Ten schools. We've exchanged challenge coins. But yeah, and like I said, we're doing a lot of collaborations. So we've collaborated on security assessments so that we don't all have to do our own security assessments of all the same vendors, because our ecosystem overlaps a lot. And by the way, from an email perspective, if somebody is attacking, say, Illinois or Michigan or Rutgers or whatever, chances are they're going to turn around and spam the [censored] out of Ohio State using email accounts from those schools, and they're trusted. So they're their own version of insider threat for us, so we all have to manage that as well.
Yeah. Let's see... I think you kind of addressed this earlier on, but with a culture focused on freely exchanging information, were there opportunities to leverage some of the research teams in the university to find ways to help them better protect their own stuff, I guess?

Yeah, it has been a journey.

It's like staff augmentation, maybe, right?

Yeah, I mean, I started a student internship program. So I guess at its high point I had about 15 students who were working with my team, who would then go back into their particular departments and sort of spread the love that way. There was some research... as much as I just beat up on the computer science department, I did have some partners in there who did some research on us, with us, on different kinds of technologies, particularly in the vulnerability management space and also in the mobile security space. So there has been some research sharing that's been going on. It's interesting, though, because researchers are interested in the data and security practitioners are interested in the outcome, and sometimes those things don't align. So you have to have a fair amount of tolerance for each other's motivations when you do that kind of partnership. But sometimes it worked. There's definitely opportunity for that. If your company is anywhere near a college, a research university, or even a two-year, there are resources there for you to pull on. So think about those in your staffing models. They're hungry, they're curious, and they want something that's going to work on their resume. So I can't emphasize enough how good it is to be able to get a college student, or even someone straight out of high school, and have them come in and do an internship, and just put them on a project that's been bothering you for a while but you haven't really had the resources to get around to it. Just sic them on it, and you will get... I had students that created some fabulous Splunk dashboards for me that pulled on my identity information, that we ultimately used in our insider threat program, that kind of thing. So use them, they're there for the taking.

Good advice. Two more questions and I'll let you go, and I think that'll be it. Was the university pressing to go to cloud, and if so, how did you deal with that from a security standpoint? Or how would you deal with that based on your experiences?

Universities want to go everywhere. So one of my colleagues, one of the guys on my team, had actually worked for the university for 35 years, and when he started he
started as a student in the computer science department, and he'd been working in the computer science department. He remembers them having conversations about whether or not they wanted to use the World Wide Web, right? And if you remember, the web was really started for research institutions, right? So these days, from a tech perspective, we tend to think of universities as this lagging thing. There's a lot of stuff happening on campus; it's right at the front, bleeding edge of tech. So yeah, people were going to the cloud way before the administrative center went to the cloud.

Yeah, Internet2 too, look at Internet2, right?

For those of you who don't know, most universities' network backbone is supported by Internet2, and, you know, we've got 100 gigabit backbones that we're sitting on, thanks to the need for big fat network pipes that researchers need to be able to do all their compute. So yeah, there is all kinds of tech at a university and it typically happens before the administrative system. So, you know, we had an on-prem ERP system for 20 years and we moved it to the cloud, and people were like, "Oh, you're moving into the cloud," but it wasn't because it was going to the cloud, it was because we were changing the way they had to work. But the students were using cloud before then, the researchers were using cloud before then. So the hardest part about doing security in a university is keeping up with the tech. I have vendors that come out and they'll ask me, they'll say, "What kind of network do you have?" and I'll go, "Yep," because I've got all of them, right? And they're like, "Why? Like, what happened to one single tech stack?" And I'm like, well, because one, everyone makes their own IT decisions, and two, everyone's got their own unique needs, and there is no one tech vendor that's going to satisfy all of them. So I've got all of them, and that's how that works.

Yeah. And our final question: as a CISO, what kind of advice would you give some employees who have seen five CISOs in six years?

Uh huh. Well, given that the average tenure of a CISO is, what, 18 months, 24 months now? I think it's going up, though.

I think it's trending up, yeah.

I would be less concerned about that as long as you like your job and you like the team that you're a part of. If, when you say, "I've had X number of CISOs in Y number of years," what you really mean is, "Every time they leave, the incoming CISO changes things, and I really hate that churn, and I don't know where my own
career is going because I don't have any mentors at the top," then the problem there is: what's your comfort level? And if you're not comfortable with it, find somewhere else. But I think you're going to find, at a high level, the CISO role is a churn-and-burn role, and me being there for eight years, like, seriously, is more to do with my masochism than it is because that's typical. So I would say, you know, always go back to what you value and what you need, and if you're not getting it, then it's just a signal to leave, actually.

Yeah, I know. I've personally seen a lot of, you know, just rooms full of broken toys and abandoned projects from, you know, like, each CISO has their thing that works for them, right, you know, their combination of things, but the contracts that are signed are typically longer than how long that season's going to be.

So yeah. Now, I've left, right? I've been gone for two months. By the way, they will be hiring. They'll be posting that new CISO replacement job here at Ohio State in the next couple of months, so if you want to post for the job, let me know, happy to have a chat with you about it. But I'm sure my successor, whoever that is, is going to make changes, so yeah, it happens. And I think that's healthy, actually. Security and tech change really fast, and so having different eyes on it can make it stronger, actually. Strength in diversity of thought.

All right. Amazing talk. It was every bit I was hoping for and then some, so thank you for sticking around answering the questions. We had some great questions from the audience as well. You know, I think we had about 83 people watching, and I'm sure this will probably get a lot of views on YouTube once we get it up there as well, so that'll be nice.

That'll be great. Thanks, everybody. And I'm hoping, not confirmed yet, I'll be at BSides Columbus, so feel free to check us out there too.

Very cool. All right, thank you, Helen. Have a great day.

You too.