Artwork for podcast The Cybersecurity Readiness Podcast Series
Is Cybersecurity A Moving Target at Academic Institutions?
Episode 3612th October 2022 • The Cybersecurity Readiness Podcast Series • Dr. Dave Chatterjee
00:00:00 00:44:04

Share Episode

Shownotes

In a highly engrossing and in-depth discussion, Tej Patel, Vice President, and CIO at Stevens Institute of Technology sheds light on the various information security challenges that plague academic institutions and how best to deal with them. He talks about establishing a highly collaborative and security-centric culture, structuring an ideal CIO-CISO relationship, effective execution strategies, and more.

To access and download the entire podcast summary with discussion highlights --

https://www.dchatte.com/episode-36-is-cybersecurity-a-moving-target-at-academic-institutions/


Connect with Host Dr. Dave Chatterjee and Subscribe to the Podcast

Please subscribe to the podcast, so you don't miss any new episodes! And please leave the show a rating if you like what you hear. New episodes release every two weeks.

Connect with Dr. Chatterjee on these platforms:

LinkedIn: https://www.linkedin.com/in/dchatte/

Website: https://dchatte.com/

Cybersecurity Readiness Book: https://www.amazon.com/Cybersecurity-Readiness-Holistic-High-Performance-Approach/dp/1071837338

Transcripts

Dr. Dave Chatterjee:

Hello, everyone, I'm delighted to

Dr. Dave Chatterjee:

welcome you to this episode of the Cybersecurity Readiness

Dr. Dave Chatterjee:

Podcast Series. Today, our guest is Mr. Tej Patel, Vice President

Dr. Dave Chatterjee:

and CIO at Stevens Institute of Technology. So I'm really

Dr. Dave Chatterjee:

thrilled to welcome someone who is from my industry, academia,

Dr. Dave Chatterjee:

and I can't wait to learn more about his thoughts and

Dr. Dave Chatterjee:

perspectives on how you secure academic institutions from

Dr. Dave Chatterjee:

different types of attacks. Our discussion will revolve around

Dr. Dave Chatterjee:

unique security challenges, CIO-CISO relationships,

Dr. Dave Chatterjee:

preparing for cyber attacks, effective execution strategies.

Dr. Dave Chatterjee:

So we will be covering a lot of ground and I hope you find it

Dr. Dave Chatterjee:

interesting. But before we get into the details, let's bring

Dr. Dave Chatterjee:

our guest into the discussion. So welcome, Tej. Thanks again

Dr. Dave Chatterjee:

for making time,

Tej Patel:

Dave, pleasure to be here.

Dr. Dave Chatterjee:

So Tej, why don't you give listeners an

Dr. Dave Chatterjee:

overview of your professional background?

Tej Patel:

Absolutely. They and again, it's my pleasure to be

Tej Patel:

here and look forward to sharing some of the thoughts around this

Tej Patel:

very important topic in all industry, in fact. So, a little

Tej Patel:

bit about me, I have been in higher education for almost 20

Tej Patel:

years now. My first job was in higher education, and I'm still

Tej Patel:

in higher education. Prior to joining my current organization,

Tej Patel:

I was at University of Pennsylvania, where I have held

Tej Patel:

several roles, most most recently, Chief Information

Tej Patel:

Officer for Penn Nursing. And in August of 2020, I joined Stevens

Tej Patel:

Institute of Technology as the Vice President for Information

Tej Patel:

Technology and University CIO. I am responsible for end-to-end

Tej Patel:

digital, IT cybersecurity enterprise data and data

Tej Patel:

services, classroom technology and learning technology.

Dr. Dave Chatterjee:

Okay, fantastic. So let's begin by

Dr. Dave Chatterjee:

discussing the information security challenges that

Dr. Dave Chatterjee:

academic institutions face.

Tej Patel:

Yeah, I think that's a great question. And before I

Tej Patel:

share challenges, I must tell you that cybersecurity is a

Tej Patel:

moving target in higher education. Right. And I, as I

Tej Patel:

tell my team and my constituency is that it's a team sport, where

Tej Patel:

it's a shared response, cybersecurity is a shared

Tej Patel:

responsibility to promote a protected cyber infrastructure

Tej Patel:

on campus. Right. And some of the challenges are unique to

Tej Patel:

higher education. But I think there are a lot of similarities

Tej Patel:

as well, when we look at banking, financial institutions,

Tej Patel:

or pharmaceuticals or healthcare and what have you, right. There

Tej Patel:

are specific areas within higher education, I believe, that are

Tej Patel:

very challenging to manage and maintain and meet the

Tej Patel:

expectation. For example, research, particularly research

Tej Patel:

IP, when a researchers is doing or conducting a research that

Tej Patel:

deals with a treatment or DOD or confidential data Department of

Tej Patel:

Defense. It's a very unique environment at that point. Then

Tej Patel:

you have students data, that is also very high target,

Tej Patel:

libraries, right, where open research, it's the motto, right?

Tej Patel:

The network is open in some of those areas where it creates a

Tej Patel:

very unique challenges where you want to find a perfect balance

Tej Patel:

between security and allowing learning and teaching to take

Tej Patel:

place for our students. Right. Classroom instructions nowadays,

Tej Patel:

right? Particularly throughout the pandemic, and the journeys

Tej Patel:

that we all went through, how do we secure that kind of hybrid

Tej Patel:

environment where we live in an increasingly interconnected

Tej Patel:

world? Right. So these are some of the unique challenges that we

Tej Patel:

have from a business perspective that I find it extremely

Tej Patel:

challenging to manage, and make sure that we are able to find a

Tej Patel:

perfect balance, where we are not hindering the progress of

Tej Patel:

faculties and students. So those are a few few things come in

Tej Patel:

mind.

Dr. Dave Chatterjee:

That makes a lot of sense. In fact, as you

Dr. Dave Chatterjee:

were articulating the challenges, I was reflecting on

Dr. Dave Chatterjee:

my experiences and expectations as an academic, the faculty

Dr. Dave Chatterjee:

members would like to operate in a very autonomous and open kind

Dr. Dave Chatterjee:

of an environment and environment that would enable

Dr. Dave Chatterjee:

the pursuit of research and teaching as freely and

Dr. Dave Chatterjee:

independently as possible. However, as you rightly pointed

Dr. Dave Chatterjee:

out, there is a lot of sensitive data that needs to be carefully

Dr. Dave Chatterjee:

managed, protected, we're talking about intellectual

Dr. Dave Chatterjee:

property, student data, library resources, and more. So the

Dr. Dave Chatterjee:

challenge lies in enabling the university pursue its mission as

Dr. Dave Chatterjee:

safely and securely as possible. Is that a fair understanding of

Dr. Dave Chatterjee:

the fundamental challenge?

Tej Patel:

It's more about understanding a researchers'

Tej Patel:

needs versus wants. I think that's where we draw the line.

Tej Patel:

But more importantly, building that trust and relationship that

Tej Patel:

is so critical, that allows my team and myself to have a

Tej Patel:

conversation with our researchers to fully understand

Tej Patel:

what exactly are they trying to achieve. And once we understand

Tej Patel:

their needs and requirements, we are able to create custom

Tej Patel:

solutions that allowed them to flourish and produce the amount

Tej Patel:

of work that they're committed to do. But we also take this

Tej Patel:

opportunity to educate them as well. So it's a learning on both

Tej Patel:

sides, right. And I think that's the most important thing that we

Tej Patel:

all need to understand that it begins, we need to have a

Tej Patel:

dialogue where both parties are able to understand like, right

Tej Patel:

before this call, you mentioned, make sure if I use any acronyms,

Tej Patel:

I spell it out. Right. And this goes same for a lot of our

Tej Patel:

faculty members who are tremendous researchers, they are

Tej Patel:

10X knowledgeable compared to some of us in our team. But

Tej Patel:

there is that's their expertise. And we have our own expertise.

Tej Patel:

The goal is to how do we bring both expertise together to meet

Tej Patel:

that digital ambition for that particular individual faculty.

Tej Patel:

And when that happens, a lot of great solutions come to life,

Tej Patel:

right? Most recently, we partnered with one of the

Tej Patel:

faculty where we were able to create a closed VLAN network

Tej Patel:

where he was able to conduct his research. And our CISO was also

Tej Patel:

happy that this this partnership took place because we also

Tej Patel:

reduced the overall risk that is associated with this kind of

Tej Patel:

setup. And lot of time, then we document all of this in our

Tej Patel:

exception processes. And everyone was it was a win-win

Tej Patel:

for both where the researchers were allowed to conduct their

Tej Patel:

research, the security folks and the network folks said that

Tej Patel:

providing this environment in the most secure possible way

Tej Patel:

that we could. And and this is the type of partnership that

Tej Patel:

will be required to address some of the challenges. Dave, there's

Tej Patel:

one more thing I also wanted to mention around the challenges,

Tej Patel:

right, there are two specific challenges that I believe were

Tej Patel:

unique to Higher Ed as well. Number one is having

Tej Patel:

non-centralized security perform on campus, right? Because you

Tej Patel:

know, the larger the organization, the larger the IT

Tej Patel:

teams and the research that take place in a localized area,

Tej Patel:

right? And they all have independent systems, how do you

Tej Patel:

bring them together? Right. And the second one is, majority of

Tej Patel:

the universities are still dealing with outdated systems,

Tej Patel:

whether it's desktop systems or service systems. And that also

Tej Patel:

creates rather unique challenges to keep up with what's happening

Tej Patel:

in the security. So those are a few things that probably we need

Tej Patel:

to pay very close attention to.

Dr. Dave Chatterjee:

very true. In fact, when he talked about

Dr. Dave Chatterjee:

the importance of a collaborative relationship, it

Dr. Dave Chatterjee:

brought to mind a podcast that I just published today, where the

Dr. Dave Chatterjee:

guest talks about transitioning to the cloud, and how they were

Dr. Dave Chatterjee:

very successful. Because it was an all hands on deck, kind of an

Dr. Dave Chatterjee:

operation. Everybody was engaged. Everyone recognize that

Dr. Dave Chatterjee:

this organization, which was the American Cancer Society, they

Dr. Dave Chatterjee:

couldn't lose any more money because money was needs to go to

Dr. Dave Chatterjee:

research and not be spent on on it operating costs. So they were

Dr. Dave Chatterjee:

doing their best to optimize operations. So that's an

Dr. Dave Chatterjee:

interesting story. But essentially what he was trying

Dr. Dave Chatterjee:

to say is, is is is similar to what you're saying, is that The

Dr. Dave Chatterjee:

importance of collaboration. That brings up the next

Dr. Dave Chatterjee:

question, you know, a university setting different schools,

Dr. Dave Chatterjee:

different departments doing so many different things. And you

Dr. Dave Chatterjee:

gave us this example of helping a particular researchers set up

Dr. Dave Chatterjee:

a virtual LAN so they could securely, you know, exchange

Dr. Dave Chatterjee:

information with their colleagues in other parts of the

Dr. Dave Chatterjee:

world. How do you keep up with all the activities that's going

Dr. Dave Chatterjee:

on across campus or at satellite locations? If you'll have

Dr. Dave Chatterjee:

satellite locations? What's the mechanism in place where you

Dr. Dave Chatterjee:

would be forewarned, people will feel the need to say, hey, we

Dr. Dave Chatterjee:

need to talk to the security office, because this has some

Dr. Dave Chatterjee:

serious security implications that we want to make sure that

Dr. Dave Chatterjee:

we are doing doing it the right way.

Tej Patel:

I think that's, that's a very good question,

Tej Patel:

Dave. Again, and there are some specific steps that we have

Tej Patel:

taken to to gain that visibility campus wide, right, whether it's

Tej Patel:

one campus or multi multiple campus. The first and first most

Tej Patel:

important thing is, is having a solid cybersecurity program and

Tej Patel:

governance that will guide us through some of those challenges

Tej Patel:

that you describe in your question. For example, how are

Tej Patel:

we partnering with procurement? Is our CISO and, and, and CIO

Tej Patel:

involved in some of the new contracts that are being

Tej Patel:

reviewed or drafted? Are we following hacker guidelines? Are

Tej Patel:

we following certain steps to ensure that privacy and other

Tej Patel:

standards are being followed? So there are a lot of things that

Tej Patel:

we have changed our practices to make sure that we instill the

Tej Patel:

culture of cybersecurity in our business from day one, right? So

Tej Patel:

before even a software platform shows up on our campus, we have

Tej Patel:

some visibility, and IT and and the Security office are part of

Tej Patel:

this conversation. That's number one. Number two is what happens

Tej Patel:

once all these platforms and activities are taking place on

Tej Patel:

campus, right? It requires solid 24/7 monitoring, right? So we

Tej Patel:

have partnered with external vendors, for example, we have

Tej Patel:

24/7 SOC center, a security operation centers where we are

Tej Patel:

we are monitoring and detection and response takes place in that

Tej Patel:

area, right? We have developed risk profiles, where we are able

Tej Patel:

to look at university wide between manage assets and non

Tej Patel:

managed assets. Where do we stand overall, in terms of patch

Tej Patel:

management, OS deployments and all of that, right? And the last

Tej Patel:

and the most important is network monitoring and

Tej Patel:

partnership with our network ISP provider, right? How do we work

Tej Patel:

with them to make sure that we have a good visibility

Tej Patel:

throughout our entire network, whether it's wired or physical,

Tej Patel:

and that is what allows us at a very high level, to make sure

Tej Patel:

that if we see some activities like Bitcoin mining or what have

Tej Patel:

you, that's taking place, we are able to stop the problem before

Tej Patel:

it becomes a larger issue. So those are some of the steps we

Tej Patel:

take very proactively on a daily basis. And then on a weekly and

Tej Patel:

bi-weekly basis, we have executive updates as well, where

Tej Patel:

I get briefed on on certain incidents that takes place

Tej Patel:

certain projects that are moving on, or just simply speaking,

Tej Patel:

just just review of some of the KPIs that we have built around

Tej Patel:

to improve our security posture.

Dr. Dave Chatterjee:

Makes a lot of sense. So you mentioned about

Dr. Dave Chatterjee:

creating a collaborative learning environment, where your

Dr. Dave Chatterjee:

unit is learning about the researchers, about what they do,

Dr. Dave Chatterjee:

and they're learning about the role of Information Technology,

Dr. Dave Chatterjee:

Information Security personnel. So, you are essentially feeding

Dr. Dave Chatterjee:

off each other's knowledge and expertise. And that's great. In

Dr. Dave Chatterjee:

that spirit, how feasible is it to provide every unit, every

Dr. Dave Chatterjee:

department with a customized do's and don'ts list?

Tej Patel:

I would, for us at least, that journey starts as

Tej Patel:

part of our onboarding process, particularly speaking faculty

Tej Patel:

orientation, there are very specific sessions geared towards

Tej Patel:

data security and privacy. They were we walk the new onboarding

Tej Patel:

faculty members, the resources that they have available, how to

Tej Patel:

partner with IT. And this goes back to your do's and don'ts,

Tej Patel:

Don's. Not going to go into a lot of details there. But at a

Tej Patel:

very high level, we provide the data classification review, and

Tej Patel:

what that entails right. High, medium, low risk, and where and

Tej Patel:

how they should partner with IT, and the Security to ensure that

Tej Patel:

the data that they are acquiring or sharing, it meets some of

Tej Patel:

those guidelines. Followed by once they determine their high

Tej Patel:

medium risk data, there are some specific guidelines that have

Tej Patel:

been put together, whether it's related to Cloud Storage, or

Tej Patel:

servers or virtual servers, or what have you. And that guides

Tej Patel:

them to have to make sure that this data and the systems remain

Tej Patel:

secure. Furthermore, there are certain there are specific

Tej Patel:

instructions that we also provide because many of these

Tej Patel:

faculty work with graduate students as well. And we have

Tej Patel:

very specific guidelines for for them as well whenever CISO meets

Tej Patel:

with them actually on a regular basis to make sure that these

Tej Patel:

guidelines are being followed. And the last one is we created a

Tej Patel:

dotted reporting structure, sort of, where the local tier system

Tej Patel:

administrator and researchers, they work very closely with our

Tej Patel:

systems and infrastructure group, where they have learned

Tej Patel:

to share some of the details at the system level to make sure

Tej Patel:

they are following the best practices, whether it's a Zero

Tej Patel:

Trust framework, or NIST framework that we are adopting

Tej Patel:

and deploying some of the controls to make sure that

Tej Patel:

university wide we have a similar controls applied and

Dr. Dave Chatterjee:

Okay. Good to know, good to know. So let's

Dr. Dave Chatterjee:

configured.

Dr. Dave Chatterjee:

talk a little bit about the CIO-CISO relationship. You know,

Dr. Dave Chatterjee:

you keep referring to we we we, which sounds great actually

Dr. Dave Chatterjee:

seems like you're a very integrated, cohesive team. But

Dr. Dave Chatterjee:

what is your vision of an ideal CIO-CISO relationship?

Tej Patel:

It's a it's a great question. And there's so much

Tej Patel:

debate going on, right? Do you couple them, do you decouple

Tej Patel:

them? What's the reporting structure looks like and this

Tej Patel:

and that, right? There are three main topics that a lot of folks

Tej Patel:

talk about right one where CISO reports to CIO, one where a CISO

Tej Patel:

reports to the CEO or President. Right. And I think the third one

Tej Patel:

nowadays, the new one that I hear is the CISO reports to the

Tej Patel:

CPO, the chief privacy officer, right? That's it. Those are the

Tej Patel:

three themes I have seen. But really the way I look at it,

Tej Patel:

it's not so much about reporting structures. It's more about how

Tej Patel:

a CISO and CIO can partner together to deliver the message

Tej Patel:

that cybersecurity or security is a strategic value service for

Tej Patel:

any institution and organization. Right. This is

Tej Patel:

something that is beyond CIO and CISO relation. It's about

Tej Patel:

instilling a culture of security at large and institution, right?

Tej Patel:

How do we leverage and implement governance structure around

Tej Patel:

security that allows us to bring together, work together, right.

Tej Patel:

For me, the CISO does report to me, but one of the major changes

Tej Patel:

that we instilled is the CISO also has dotted reporting into

Tej Patel:

our Audit and Risk committee as well for full transparency and

Tej Patel:

visibility. And that's the way I look at it, right? We don't want

Tej Patel:

to control anything, but how do we bring information to life?

Tej Patel:

How do we share some of these learnings lesson learned? Right?

Tej Patel:

And how can we be transparent with the community and the

Tej Patel:

Board? That what are some of the challenges? What are some of the

Tej Patel:

things we are doing well, and what are some of the deltas that

Tej Patel:

we need to constantly adapt and and proactively address some of

Tej Patel:

those right? And the last and the most important, which I also

Tej Patel:

pointed out earlier, right? The role of CISO and CIO, in my

Tej Patel:

view, is more towards reducing the business risk nowadays,

Tej Patel:

right? It's all about risk management there. Right? It's

Tej Patel:

not about technology, cybersecurity, 10 years ago, it

Tej Patel:

was all about bits and bytes, right? But now, if you look at

Tej Patel:

the CISO, who understands bits and bytes, but also pays very

Tej Patel:

close attention to figuring out the business risk, and how to

Tej Patel:

manage that business risk and works with CIO very closely as a

Tej Patel:

peer. They are the ones who are going to make sure that the

Tej Patel:

institution or the organization remains safe. And they could

Tej Patel:

provide the value added services that any organization will

Tej Patel:

benefit from. So that's the way I look at that CIO CISO.

Tej Patel:

relationship in today's world.

Dr. Dave Chatterjee:

I couldn't agree with you more. That's a

Dr. Dave Chatterjee:

very holistic approach. It's a very pragmatic and practical

Dr. Dave Chatterjee:

approach. And as you said, one can always debate the different

Dr. Dave Chatterjee:

reporting relationships. And each reporting approach has its

Dr. Dave Chatterjee:

pros and cons, there is no one perfect approach. Absolutely.

Dr. Dave Chatterjee:

But the extent to which you can strike that balance where there

Dr. Dave Chatterjee:

is independence, yet, there is cohesion, you don't want to

Dr. Dave Chatterjee:

create a situation where the structure is such that you have

Dr. Dave Chatterjee:

a competing relationship where it becomes you know, then then

Dr. Dave Chatterjee:

we have constant have conflicts. And that's what you want to

Dr. Dave Chatterjee:

avoid, because they have to address the different pieces of

Dr. Dave Chatterjee:

the puzzle so that, you know, each has a certain role to play.

Dr. Dave Chatterjee:

I have a couple of follow ups for you. Absolutely. I'm so glad

Dr. Dave Chatterjee:

that you talked about transparency, I feel very

Dr. Dave Chatterjee:

strongly about it, that the keeping the various stakeholders

Dr. Dave Chatterjee:

informed about where the organization is, in terms of

Dr. Dave Chatterjee:

readiness, what are the possibilities? Without, you

Dr. Dave Chatterjee:

know, again, when you are transparent, you're mindful that

Dr. Dave Chatterjee:

any and everybody is not getting the information. But you don't

Dr. Dave Chatterjee:

want the stakeholders to be surprised that what happened? We

Dr. Dave Chatterjee:

never knew anything about this. Why didn't you brief us? So the

Dr. Dave Chatterjee:

fact that you mentioned about transparency and regular

Dr. Dave Chatterjee:

reporting to the board and to the other stakeholders, that is

Dr. Dave Chatterjee:

definitely very reassuring. You wanted to say something I'm

Dr. Dave Chatterjee:

sorry, I didn't mean to,

Tej Patel:

One of the example I was going to share with you in

Tej Patel:

this audience is, is there are ways to craft business cases

Tej Patel:

together that improve user experiences overall, right. And

Tej Patel:

that's the strength when you have CISO and CIO working

Tej Patel:

together, one trying to bring that efficiency or tools or

Tej Patel:

platforms versus one is making sure that the tools and the

Tej Patel:

platforms that that we are we are adding to our ecosystem is

Tej Patel:

being managed securely, data is being protected. And that's the

Tej Patel:

type of environment that that will be very successful in the

Tej Patel:

coming days.

Dr. Dave Chatterjee:

Yeah, yeah, true. The other thing that I

Dr. Dave Chatterjee:

wanted to touch upon was culture. In my book that I

Dr. Dave Chatterjee:

published last year through sage publishing, I talk about the

Dr. Dave Chatterjee:

importance of creating and sustaining a high-performance

Dr. Dave Chatterjee:

information security culture. Commitment, preparedness, and

Dr. Dave Chatterjee:

discipline are the cornerstones of the proposed high-performance

Dr. Dave Chatterjee:

information security culture, in my book. Each of these cultural

Dr. Dave Chatterjee:

dimensions -- commitment, preparedness, and discipline --

Dr. Dave Chatterjee:

are associated with a set of success factors. I don't want to

Dr. Dave Chatterjee:

get into all the details of how to create and sustain such a

Dr. Dave Chatterjee:

security culture, because that's something that one can pick up

Dr. Dave Chatterjee:

from reading the book. However, it would be valuable, if you

Dr. Dave Chatterjee:

could share an example of how you and your team brought about

Dr. Dave Chatterjee:

a change in the security culture at your institution.

Tej Patel:

I think that's, that's a very good question. And

Tej Patel:

we could have conversation about that probably for hours. But at

Tej Patel:

a very high level, I will touch upon a little bit where I talked

Tej Patel:

about Protect Stevens cybersecurity program, part of

Tej Patel:

that program, there are a few things that we did that I'm very

Tej Patel:

proud of. Number one, we made certain tools available to our

Tej Patel:

entire community at no cost, right. For example, our entire

Tej Patel:

faculty, staff, student community enjoys LastPass and

Tej Patel:

and anti-virus that they're able to download at no cost, because

Tej Patel:

we wanted to make sure that no matter what environment they're

Tej Patel:

working from, no matter what devices they're working from,

Tej Patel:

it's safe. So for us, our approach starts from their home

Tej Patel:

security, right? How do we make sure that that our users are

Tej Patel:

fully aware of what's happening? So we wanted to make sure that

Tej Patel:

tools are provided. That's number one. Second, we made sure

Tej Patel:

that they were provided periodic security awareness training,

Tej Patel:

right? There was some gamification and all of that and

Tej Patel:

based on how they did they were rewarded certain things as well.

Tej Patel:

Right? We celebrate Cybersecurity Awareness month

Tej Patel:

where the CISO and CIO together provide state of the

Tej Patel:

cybersecurity at the University and it's an open event to

Tej Patel:

faculty, staff and students. Again, this goes back to the

Tej Patel:

creating that culture of fairness and transparency. It

Tej Patel:

begins With CIO and CISO goes all the way to faculty, staff

Tej Patel:

and students. Right. This is how we approach today's

Tej Patel:

cybersecurity at Stevens, Dave. And it has been very successful,

Tej Patel:

it generates a lot of dialogue among the community. And the

Tej Patel:

last one that I should also add is to our student program, we

Tej Patel:

also hire cybersecurity undergrad and grad students as

Tej Patel:

well who work very closely on our CSIS team, right? Whether

Tej Patel:

it's cybersecurity or physical security, because we might

Tej Patel:

monitor and manage both of those system, and they help us improve

Tej Patel:

some of those experience from their own experiences, they come

Tej Patel:

and tell us this, this is working, this is not working,

Tej Patel:

and we try to learn and adopt from them. So these four things,

Tej Patel:

I find that we have done it very well, that builds the culture

Tej Patel:

that we talked about.

Dr. Dave Chatterjee:

Fabulous, I'm so happy to learn that you

Dr. Dave Chatterjee:

are providing students with hands-on experience by involving

Dr. Dave Chatterjee:

them in different cybersecurity projects. Duke University is

Dr. Dave Chatterjee:

another institution that does that. And I'm sure there are

Dr. Dave Chatterjee:

many others doing the same. You also talked about making

Dr. Dave Chatterjee:

available the various security tools for free. So there are no

Dr. Dave Chatterjee:

excuses, excellent! Securing the student population can be a big

Dr. Dave Chatterjee:

challenge, and it's heartening to hear the many concrete steps

Dr. Dave Chatterjee:

you're taking to deal with this challenge. At this time, it

Dr. Dave Chatterjee:

might be a good idea to revisit this important aspect of

Dr. Dave Chatterjee:

securing an academic institution. So what steps do

Dr. Dave Chatterjee:

you all take to secure the student population as best as

Dr. Dave Chatterjee:

possible?

Tej Patel:

The majority of the breaches happen not through any

Tej Patel:

highly sophisticated cyber attacks, right? It happens

Tej Patel:

because of basic controls are lacking. Some fundamentals

Tej Patel:

training haven't been provided, patch management, and and what

Tej Patel:

have you. So at the very minimum, what we try to do is we

Tej Patel:

regularly communicate with our student community. I have a CIO

Tej Patel:

Student Advisory. So we also leverage that advisory committee

Tej Patel:

to make sure the word gets out about phishing, scam, right?

Tej Patel:

Password practices, and all of that. But that's creates a very

Tej Patel:

good, a very aware community. So next time when these phishing

Tej Patel:

attacks are happening, they know that these are not legit, and

Tej Patel:

they know how to report it. Right. So that's the very low

Tej Patel:

hanging fruit for us. But it pays a high dividend, right?

Tej Patel:

That's one thing. Second one is, there are very specific controls

Tej Patel:

that we take in the backend infrastructure side, right?

Tej Patel:

Whether it's bringing a new device on our network, right,

Tej Patel:

how do you authenticate that? Are we using two-step

Tej Patel:

authentication, multifactor authentication, and all of that,

Tej Patel:

are they connecting to wide network or a wireless network

Tej Patel:

and what have you, and we use very specific VLANs and taggings

Tej Patel:

that takes place where if you know, this individual is a user,

Tej Patel:

we put them in a separate network environment where it's

Tej Patel:

completely separate from, from our day to day business

Tej Patel:

operations, for example, right? The same concept applies for

Tej Patel:

gaming consoles and IoT device, we have a complete separate

Tej Patel:

mechanism for onboarding and monitoring that kind of network.

Tej Patel:

And those are some of the the steps that we have taken that

Tej Patel:

that we find that that has been working very well. And also

Tej Patel:

remember, we want to make sure the user experience stays as is

Tej Patel:

where they don't have to contact IT for every day. How do I

Tej Patel:

connect my console versus how do I connect to your wireless

Tej Patel:

network, right, so we also pay very close attention to find

Tej Patel:

that balance between user experiences and maintaining the

Tej Patel:

security.

Dr. Dave Chatterjee:

And you know, that brings up a thought

Dr. Dave Chatterjee:

here. One of my previous guests he talked about in his

Dr. Dave Chatterjee:

organization, which is also an academic institution, they

Dr. Dave Chatterjee:

created what is called a Champions Network. And the

Dr. Dave Chatterjee:

Champions Network comprised of students, faculty, staff, and

Dr. Dave Chatterjee:

these were the folks who were enthusiastic about securing the

Dr. Dave Chatterjee:

institution, enthusiastic about enhancing awareness. And they

Dr. Dave Chatterjee:

would serve as ambassadors, liaisons, evangelists, in their

Dr. Dave Chatterjee:

respective domains, areas. So you know, to your point, it's

Dr. Dave Chatterjee:

not possible for you to have somebody from your unit embedded

Dr. Dave Chatterjee:

everywhere. You have to find a way of getting the word out by

Dr. Dave Chatterjee:

creating those ambassadors, who can who will serve the interests

Dr. Dave Chatterjee:

of your department, of your unit as well. So I thought that that

Dr. Dave Chatterjee:

structure of creating a champions network and rewarding

Dr. Dave Chatterjee:

them and again, rewards doesn't have to be expensive, but just

Dr. Dave Chatterjee:

the recognition goes goes a long way. I just thought of putting

Dr. Dave Chatterjee:

it out there.

Tej Patel:

I think that's a fantastic way to engage with

Tej Patel:

with all all the constituents within your organization, and we

Tej Patel:

also benefit from being a technological university Dave.

Tej Patel:

So we have a lot of awareness, generally speaking, and, and the

Tej Patel:

students are sophisticated, technically sophisticated

Tej Patel:

students, right. And they are demanding. They have

Tej Patel:

expectations when they show it show up on campus. So we don't

Tej Patel:

have a champion network like that. But I feel that the

Tej Patel:

culture that we instill early on, that's, that's our

Tej Patel:

champions. So it's a community effort. It's a team sport. So

Tej Patel:

everyone's part of this Cybersecurity Awareness Campaign

Tej Patel:

for us. And they all play their their individual roles. And then

Tej Patel:

the IT team and the Security team provides innovative,

Tej Patel:

easy-to-use solution, right? 'Report a Spam' button, for

Tej Patel:

example, in your Outlook, right, that makes it easier, right? How

Tej Patel:

do you report some of the phishing attempts and all of

Tej Patel:

that. So we have also created into an intuitive environment

Tej Patel:

where they don't have to spend a lot of time to go through the

Tej Patel:

hoops to report an incident, right. So, we made it easy for

Tej Patel:

them as well. So these are the things that probably could work.

Tej Patel:

But the champion network, it's a fantastic idea.

Dr. Dave Chatterjee:

Fantastic. On a related note, I recall a

Dr. Dave Chatterjee:

discussion with the Chief Information Security Officer of

Dr. Dave Chatterjee:

another organization. He said that there is an expectation in

Dr. Dave Chatterjee:

his organization, that members will help by diligently going

Dr. Dave Chatterjee:

through their emails, and flagging the ones that deserve

Dr. Dave Chatterjee:

attention, I can totally see from where he's coming. There is

Dr. Dave Chatterjee:

no disagreement there. But it's also true that people are busy,

Dr. Dave Chatterjee:

they have to deal with so many things. So that becomes another

Dr. Dave Chatterjee:

chore for the user trying to diligently look through every

Dr. Dave Chatterjee:

email and identify the ones that are worth reporting. Where are

Dr. Dave Chatterjee:

you on this? What's your perspective?

Tej Patel:

I think it's a very complex situation where how do

Tej Patel:

we find the balance between being productive versus making

Tej Patel:

sure we are contributing towards the cybersecurity right, and I

Tej Patel:

think that's where the, it's important for the for the IT

Tej Patel:

folks to, to do a lot of things on the backend side before even

Tej Patel:

the message arrives in the inbox, right. So for example, we

Tej Patel:

use something called mail tip, I believe that's the right term,

Tej Patel:

pardon me, I'm not a CISO for example. I'm an accidental CISO

Tej Patel:

again, but so we have enabled certain mechanism to our email

Tej Patel:

platform. So if a message is coming in, it will say message

Tej Patel:

from external sender or something that automatically

Tej Patel:

alerts the user, right. The second thing is, we have

Tej Patel:

adjusted and continue to adjust our spam filtering, right, where

Tej Patel:

where we have enabled a lot of built in encryptions, or DLP, or

Tej Patel:

data loss prevention type of a policies upfront at that level

Tej Patel:

as well. And and we continue to partner with our vendors to make

Tej Patel:

sure that we remain up to date in terms of those signatures,

Tej Patel:

and all of that. So there are a lot of things we do also in the

Tej Patel:

back end to mitigate this particular risk and still be

Tej Patel:

able to manage the expectations of users. But again, if you are

Tej Patel:

so right, 90% of the emails that you get, it's either spam, sales

Tej Patel:

call, or marketing emails. Only 10% or less than of 10% are, are

Tej Patel:

legit emails that you will read, open, open, read and respond to,

Dr. Dave Chatterjee:

You make a lot of sense, when you say that

Dr. Dave Chatterjee:

it's important to do that work at the backend, use relevant

Dr. Dave Chatterjee:

tools to automate the filtering process. Through such process

Dr. Dave Chatterjee:

automation, one can take the load off the user, freeing them

Dr. Dave Chatterjee:

up to focus on their core expertise. Reminds me of a

Dr. Dave Chatterjee:

discussion that I was having with the CISO of another

Dr. Dave Chatterjee:

academic institution. When I asked him, what were some

Dr. Dave Chatterjee:

principles that guided his day to day activities, he said

Dr. Dave Chatterjee:

something very interesting. He said, Dave, we are not in the

Dr. Dave Chatterjee:

business of saying No. The first thing that I always think about

Dr. Dave Chatterjee:

is that the job of security is not to stop the institution from

Dr. Dave Chatterjee:

doing what they are formed to do. The job of security is to

Dr. Dave Chatterjee:

enable those functions, those activities, and that stayed with

Dr. Dave Chatterjee:

me, a very compelling statement. You also emphasized the

Dr. Dave Chatterjee:

importance of creating a culture of enablement, where the role of

Dr. Dave Chatterjee:

the CISO is recognized to be much more than just a security

Dr. Dave Chatterjee:

officer. They are strategic enablers, business enablers, and

Dr. Dave Chatterjee:

that's exactly how the CISO role needs to be perceived and

Dr. Dave Chatterjee:

operationalized. CIOs and CISOs must have a seat at the table

Dr. Dave Chatterjee:

when strategic decisions are being made. They can provide

Dr. Dave Chatterjee:

valuable feedback on how technology can be an enabler, on

Dr. Dave Chatterjee:

the security implications of the proposed strategic initiatives.

Dr. Dave Chatterjee:

So, treating the CIO, the CISO as strategic partners, as

Dr. Dave Chatterjee:

opposed to seeing those functions, IT and Information

Dr. Dave Chatterjee:

Security as hurdles or stumbling blocks can go a long way, in

Dr. Dave Chatterjee:

creating and sustaining a high-performance information

Dr. Dave Chatterjee:

security culture.

Tej Patel:

Dave, you're so spot on on that observation Dave. And

Tej Patel:

as I said earlier, it's about building and fostering that

Tej Patel:

trust and relationships, right, that allows the community to

Tej Patel:

come together and have this type of conversation and discussions

Tej Patel:

that will enable folks, right to make sure that they provide a

Tej Patel:

solid, secure, robust environment for them to

Tej Patel:

flourish.

Dr. Dave Chatterjee:

Awesome, awesome. Well, like you said

Dr. Dave Chatterjee:

that we can have this discussion forever. But we don't want to go

Dr. Dave Chatterjee:

too long. For the sake of the listeners, we want to keep it

Dr. Dave Chatterjee:

short and sweet. So as we wrap up the session, I want you to,

Dr. Dave Chatterjee:

of course, you know, talk about anything you want. But also

Dr. Dave Chatterjee:

think about anything that you'd like to share from the

Dr. Dave Chatterjee:

standpoint of how organizations should prepare for cyber

Dr. Dave Chatterjee:

attacks. And what does it take to effectively execute plans on

Dr. Dave Chatterjee:

a sustained manner? As you know, we have plans, we're always

Dr. Dave Chatterjee:

planning, strategizing, but everybody is not good at

Dr. Dave Chatterjee:

executing when the time comes. So I'll leave it. I'll leave it

Dr. Dave Chatterjee:

at that. I'll let you take over from here.

Tej Patel:

I think that's that's a really, really great question.

Tej Patel:

Do you know, and I think we can write a dissertation paper on

Tej Patel:

that together, actually, when you specifically talk about

Tej Patel:

operational excellence and change management, right. But,

Tej Patel:

let me let me take a different approach to answer this

Tej Patel:

question, right. Let's look at it from a strategic side. And

Tej Patel:

then from an operational side, right. From a strategic

Tej Patel:

perspective, right, I think the organization must spend

Tej Patel:

sufficient time effort and resources to build a

Tej Patel:

security-centric culture, right? They need to look at security

Tej Patel:

from business lenses, period, they must be involved at a top

Tej Patel:

level, whether it's Board or CEO for corporate or President at a

Tej Patel:

higher level, right? They need to implement frameworks and

Tej Patel:

architectures, right, that are well aligned with particular

Tej Patel:

business needs. And more importantly, I'll take it to the

Tej Patel:

next level where it must be aligned with cloud-smart

Tej Patel:

initiatives. Right? Those are certain things, I would look at

Tej Patel:

it from a strategic perspective. And the last one I would add is

Tej Patel:

find the talent that will help you achieve what I'm about to

Tej Patel:

talk about next. Right. So that's from from more of a

Tej Patel:

strategic perspective. And in that you would have a

Tej Patel:

cybersecurity program that you will work with engage with the

Tej Patel:

community to come up with a program that addresses certain

Tej Patel:

things, right. And this is something from my own learning

Tej Patel:

from Protect Stevens and the IAM program that we launched, right?

Tej Patel:

Implement solid plans for training and phishing awareness,

Tej Patel:

implement some controls for endpoint device management.

Tej Patel:

That's a big challenge. I didn't talk about that earlier on

Tej Patel:

there. Every faculty staff students have multiple devices,

Tej Patel:

grant issued personal what have you. Have a solid 24/7 SOC

Tej Patel:

center monitoring that allows you that extended detection and

Tej Patel:

response that you need, right. We talked a little bit about

Tej Patel:

network segmentations, and then make sure that there are certain

Tej Patel:

things that we want to also focus on within that program, is

Tej Patel:

make sure you have a return incident response plan, right.

Tej Patel:

This is more operational, but it's needed, right? Make sure

Tej Patel:

you you you draft confidentially agreements for employees,

Tej Patel:

vendors and visitors. Many folks still don't pay close attention

Tej Patel:

to visitors. And this goes back to like, you know, having low

Tej Patel:

hanging fruit and attack surfaces, right. Regularly

Tej Patel:

perform data discovery and privacy reviews for risk

Tej Patel:

assessment, right. We perform at least two penetration testing.

Tej Patel:

We also include social engineering aspect of it. So,

Tej Patel:

make sure we do that. And one last topic is review your

Tej Patel:

onboarding and offboarding processes. So important, so

Tej Patel:

critical. And for all the folks who are listening from an IT

Tej Patel:

perspective, adopt these four basic practices. If he can't do

Tej Patel:

all of that for for financial resources or otherwise, make

Tej Patel:

sure you have a solid password management practices, implement

Tej Patel:

multifactor authentication, provide solid user awareness

Tej Patel:

training and timely update systems. I hope it covers your

Tej Patel:

question.

Dr. Dave Chatterjee:

Oh, brilliant, absolutely brilliant.

Dr. Dave Chatterjee:

You know, there's a reason why you do what you do. And you do

Dr. Dave Chatterjee:

it so well. I think you addressed it brilliantly. And as

Dr. Dave Chatterjee:

you were talking, I was just thinking about the vastness of

Dr. Dave Chatterjee:

the attack surfaces and the various ways that these surfaces

Dr. Dave Chatterjee:

can be compromised. For lack of a better word, organizations,

Dr. Dave Chatterjee:

individuals, are sitting ducks. Despite your best efforts, there

Dr. Dave Chatterjee:

could still be a loophole that somebody could find and drive

Dr. Dave Chatterjee:

right through. But having said that, just like you said, you

Dr. Dave Chatterjee:

have to do the basics, right. Do the fundamentals, right. I'm

Dr. Dave Chatterjee:

sure you might agree that there's also some wisdom in

Dr. Dave Chatterjee:

prioritizing what you want to secure, at what level. Because

Dr. Dave Chatterjee:

it's impossible to secure everything. And so you have to

Dr. Dave Chatterjee:

prioritize and then focus your security strategy, your

Dr. Dave Chatterjee:

defense-in-depth strategy accordingly. So this way, it's a

Dr. Dave Chatterjee:

more of a manageable, feasible kind of plan. And finally, from

Dr. Dave Chatterjee:

my standpoint, finally, I'm a big fan of, make sure that you

Dr. Dave Chatterjee:

work closely with with legal because the unfortunate

Dr. Dave Chatterjee:

consequences often result in the courtroom where you're having,

Dr. Dave Chatterjee:

you're being sued, and you having to defend yourself. So

Dr. Dave Chatterjee:

make sure you're totally familiar with the laws, the

Dr. Dave Chatterjee:

regulations, the standards, and you're in compliance, so that

Dr. Dave Chatterjee:

when unfortunate events happen, and when you have to present how

Dr. Dave Chatterjee:

you have been governing, managing security, you look good

Dr. Dave Chatterjee:

out there that you did your best, and despite your best

Dr. Dave Chatterjee:

efforts, things went wrong. As opposed to, it was sloppy, or it

Dr. Dave Chatterjee:

was negligent, which is something I'm sure everybody

Dr. Dave Chatterjee:

would like to avoid. But again, I'd like to give you the final

Dr. Dave Chatterjee:

word. So please.

Tej Patel:

Absolutely, I think I think you're so spot on that.

Tej Patel:

And I will take it to a further as well, right, that the

Tej Patel:

incident response plan that I briefly touched upon, that

Tej Patel:

should also include your cyber insurance provider as well,

Tej Patel:

right. And they will bring in all the legal help. And because

Tej Patel:

different states have different regulations nowadays in terms of

Tej Patel:

what you report and what you don't write. But I think someone

Tej Patel:

recently shared some statistics about cyber attacks, right? It

Tej Patel:

was something around like it happens every 39 seconds, the

Tej Patel:

ransomware attacks are targeted every 14 seconds, and only 10%

Tej Patel:

gets reported. Right. And to make it even this this whole

Tej Patel:

cybersecurity economy, they're expecting it will grow to $10

Tej Patel:

trillion by 2025. Right? I mean, this is fascinating numbers,

Tej Patel:

like, you know, how do you keep up with all of this Dave? So,

Tej Patel:

again, you have to go back to the basics, do the basics,

Tej Patel:

right. Make sure you're transparent. Make sure you you

Tej Patel:

find good people on your team who are stewards of good

Tej Patel:

security, hygiene and, and and do your your best efforts on a

Tej Patel:

daily basis. Right.

Dr. Dave Chatterjee:

Fantastic. Well, with that we'll conclude

Dr. Dave Chatterjee:

our discussion for today. Thanks again Tej, for the wonderful

Dr. Dave Chatterjee:

insights. I so appreciate it. I know listeners are also very

Dr. Dave Chatterjee:

grateful.

Tej Patel:

Dave, thanks for having me. And I really enjoyed

Tej Patel:

our conversation. Thanks again.

Dr. Dave Chatterjee:

A special thanks to Tej Patel for his time

Dr. Dave Chatterjee:

and insights. If you like what you heard, please leave the

Dr. Dave Chatterjee:

podcast a rating and share it with your network. Also,

Dr. Dave Chatterjee:

subscribe to the show, so you don't miss any new episodes.

Dr. Dave Chatterjee:

Thank you for listening, and I'll see you in the next

Dr. Dave Chatterjee:

episode.

Introducer:

The information contained in this podcast is for

Introducer:

general guidance only. The discussants assume no

Introducer:

responsibility or liability for any errors or omissions in the

Introducer:

content of this podcast. The information contained in this

Introducer:

podcast is provided on an as-is basis with no guarantee of

Introducer:

completeness, accuracy, usefulness, or timeliness. The

Introducer:

opinions and recommendations expressed in this podcast are

Introducer:

those of the discussants and not of any organization.

Chapters

Video

More from YouTube