Fly the Plane is how Dr. Timothy Chester, Vice President of Information Technology, The University of Georgia, characterizes his philosophy and approach to cybersecurity readiness. Dr. Chester spoke at length about a proactive approach to information security management anchored on strategic planning, senior leadership commitment, strong teamwork, sophisticated intelligence monitoring, and robust training and testing practices. His candor and reflection made for a most interesting conversation.
Time Stamps
02:07 -- What is your take on cybersecurity preparedness? How do you approach readiness?
04:49 -- What are some cybersecurity blind spots? And how do you cope with them?
09:36 -- How do you ensure that your team has the latest experience and expertise in keeping up with these different evolving attack vectors?
12:51 -- What kind of help and support can you expect from the other business units, as well as the individual stakeholders, whether it's faculty members, whether it's students, what could or should they be doing to help secure the environment?
16:02 -- Anything that you'd like to add for people who are listening in, and who feel a little frustrated or let down that they don't see that level of active commitment from top management?
20:11 -- Now, there is a lot of research out there that speaks to the importance of customized training, that speaks to the importance of role-based training, training that shouldn't be one shot, because people often don't remember the first time what they were trained in. And then another aspect that often doesn't get addressed is how do you measure training effectiveness?
22:40 -- How do you customize cybersecurity communication and make it more effective?
25:46 -- From a faculty member's standpoint, what are some cybersecurity do's and don'ts?
27:08 -- Are you happy with the cybersecurity training exercises and rehearsals that are in place? Or can we do better?
30:46 -- Does the organization have a good structure and mechanism in place to process cyber intelligence?
34:53 -- Organizations seem to be struggling when it comes to identifying and using suitable cybersecurity performance measures. What's your take on that?
36:57 -- What would be some good rewards and incentive systems to achieve the desired cybersecurity behavior?
40:37 -- What are your thoughts about CISO (Chief Information Security Officer) empowerment?
46:47 -- Any final thoughts?
Memorable Tim Chester Quotes/Statements
"When we say fly the plane what we simply mean is through strong teamwork and strategic planning and foresight we try to think through constantly the types of scenarios that we could be facing; and we try to plan for the little bitty factors that probably aren't a high probability of occurring but could be high-impact if they do occur."
"Our human desire to basically live through rote repetition and structure that's comfortable and unchanging leads us to be creatures of habit. Creatures of habit who are following the habits and rote behaviors typically find themselves in circumstances sometimes where the plane starts flying them and the way in which they react to that plane, become wilder and wilder swings that could lead to a disaster."
Introducer: Welcome to the Cybersecurity Readiness Podcast series with Dr. Dave Chatterjee. Dr. Chatterjee is the author of Cybersecurity Readiness: A Holistic and High-Performance Approach by Sage publishing. He has been studying cybersecurity for over a decade, authored and edited scholarly papers, delivered talks, conducted webinars, consulted with companies, and served on a cybersecurity SWAT team with chief information security officers. Dr. Chatterjee is an Associate Professor of Management Information Systems at the Terry College of Business, the University of Georgia and Visiting Professor at Duke University's Pratt School of Engineering.
Dr. Dave Chatterjee: Hello, everyone. Welcome to this episode of the Cybersecurity Readiness Podcast. Today I have the honor of having Dr. Timothy Chester, Vice President of Information Technology and Chief Information Officer at the University of Georgia as our guest. A seasoned C-level executive, Dr. Chester has over two decades of experience in state-supported and private higher education institutions. He has led large-scale business transformation efforts through on-time, on-budget ERP implementations, driving increased revenue and improved student outcome through improved use of data and analytics. He's an expert practitioner in developing improved information security programs for large geographically distributed enterprises, with 50,000 plus users, virtually eliminating data disclosures. Tim is also highly regarded for leading IT turnarounds, increasing IT's reputation as a trusted and respected partner in the pursuit of strategic goals. Last but not the least, Dr. Chester is a noted author with over a dozen publications in the field. Welcome to the podcast, Tim.
Dr. Timothy Chester: Dave, let me say first, I'm just delighted to have the chance to be here with you today. And I've really enjoyed reading through your book. I've not finished it yet. But I think you've done a very masterful job of making a complex subject accessible to a wide, wide audience of business professionals. And you should be commended for that, and I offer you my congratulations, and thank you so much for sharing a copy with me.
Dr. Dave Chatterjee: Thank you.
Dr. Timothy Chester: You know, I think we stress, well, we use a phrase in my organization quite a bit; in fact, it's part of our strategic plan. And that phrase is Fly the Plane. And what this relates back to is an exercise that I learned a long time ago when I was a graduate studies student at Texas A&M University 30 years ago; was a little bored on the side and had a little cash to spend. And so I worked towards a pilot's license and did a lot of single-engine plane flying over the farmlands in the plains of Central Texas. And you learn very early in pilot training to always fly the plane. And what that means is that if you are not constantly anticipating and thinking through what's fixing to happen and what could happen, frankly the plane will fly you; you'll have a burst of wind that might come from a heat thermal that knocks you off course a little bit, you'll have to course correct to kind of get back there, and if you're not proactive, anticipating the way things will go on, the plane will fly you and you'll react, and what you'll find over time is that you will react in stronger and stronger ways, which creates a negative reaction that again you have to react to, and frankly that's how disasters happen in flying a plane. So, we have stressed that in our organization quite a bit, and when we say fly the plane what we simply mean is through strong teamwork and strategic planning and foresight we try to think through constantly the types of scenarios that we could be facing. And we try to plan for the little bitty factors that probably aren't a high probability of occurring but it could be high impact if they do occur; so, if you log into the website or you go to the website for UGA's IT organization, you'll see that flying a plane is a real stated part of our strategic plan, whether we're planning for the network performance, network load associated with class registration or thinking through the possibilities of a ransomware attack on the University.
Dr. Dave Chatterjee: That's a very interesting metaphor, I love it, flying the plane; you know, it tells me about the importance of being very prepared, being proactive, knowing or rehearsing how best to deal with different scenarios; so you can't afford to be caught blindsided; and talking about can't afford to be caught blindsided, what are some cybersecurity blind spots? And how do you cope with them?
Dr. Timothy Chester: Right. Well, you and I both teach business process management at the University. It's a strong set of competencies and skills that I think serve our graduates really, really well. And part of that is what we call root cause analysis, right? And the thinking is that surface explanations and surface understandings tend to not be comprehensive enough. And we as human beings tend to look for explanations that would suggest that we didn't necessarily have a lot of power to deal with something, something really, really, really bad happens and root cause analysis forces you to continue asking, "Why did this happen? Why did that happen?" till you get to a level where you have uncovered a set of conditions in which you actually had a deliberate amount of control, you could have done something about that. And, but our human desire to basically live through rote repetition and structure that's comfortable and unchanging leads us to be creatures of habit. And again, creatures of habit who are following the habits and following the rote behaviors that they always engage in, typically find themselves in circumstances sometimes where again, the plane starts flying them and the way in which they react to that plane, you know, become wilder and wilder swings that could lead to a disaster. I have really found any guy worked in higher education and state government as a separate vertical industry. But I think it's true across the other verticals, whether we're talking about finance or manufacturing, or our commerce is that people are good, they care about their employers, they want to do a good job. But we as humans, again, are most comfortable when structures tend to be unchanging, and there's nothing really unexpected going on, and we tend to assume the best and think that the worst will never really happen. And that tends to create the environment where really bad things can happen. Now the most serious of information security incidents, or breaches tend to be like plane crashes, again, if I continue to use the aeronautic kind of metaphor here or analogy, and that planes tend to crash not because one thing happened unexpectedly but because multiple things happened at the same point in time, which create a set of circumstances that allowed something really, you know, low frequency to high impact to occur. So a lot of time in the information security space, the blind spots happen just because the IT industry and the IT culture within business places a premium on good customer service, and sometimes good customer service and a focus on functionality of our systems, and what we do comes at the expense of maintainability, compatibility, and information security. So you know, we have near misses all the time, we have a good team here that's proactive that can catch them. And we had a near miss here recently, with some ransomware. And it really was all about a very good employee working in a very good unit, you know, probably doing something that they shouldn't have done to enable some functionality from one of their key players. And they did that, and they did that some time ago. And then next thing you know, it's been a while since the machine was patched and so on and so forth. And just kind of a constant layering on of things that probably shouldn't have happened. That created some real risk and some real vulnerability there. And we were very fortunate that we were, we became aware of those risks before something, before they were really exploited. But again, going back to earlier, you know, we're most comfortable, again, with a lot of structure and a lot of predictability. And that leads us to sometimes getting very comfortable allowing the plane to fly us, and the plane will fly us really, really fast if we're not careful.
Dr. Dave Chatterjee: Mm hmm. Very true. Talking about being comfortable, and, you know, operating in a predictable space, you know, when you think about the hackers and how they are constantly innovating and coming up with the latest methods and techniques, it's hard to keep up with them. And again, that's not what organizations are in the business of, whether it's an academic organization, or whether it's some other organization, they have their own mission, their goals. So and of course, you know, there's always the budgetary constraints. So under the circumstances, how do folks like you try to ensure that your team has the latest experience and expertise in keeping up with these different evolving attack vectors?
Dr. Timothy Chester: That's a great question. I think the Department of Homeland Security and the Cybersecurity and Infrastructure Security Agency (CISA), it's a branch of the Department of Homeland Security, does an exceptionally good job of creating awareness of a really complex and fast-changing environment. So you know, either through, you know, email, or through automated feeds and other ways, we get real time intelligence from the CIA, NSA, multiple times on a daily basis. So as an executive, I just subscribed to their listservs. And so today, you know, I've received email messages about the need to patch vulnerabilities in Google Chrome. And you know, there's a variety of other commercial packages out there. So we have, we divide our information security team up into kind of consulting and helping people around controls, and then we have an operations arm. And then a part of that operations arm is around proactively, you know, patching the environment and creating awareness of the need to do that. And they help the Institution and its IT staff stay on toes when it comes to this type of changing environment. The other thing that they do really well also is they monitor known IP addresses that are out there that are used, that are known to be distributing malware, or ransomware, or to be command and control points for existing installed malware. And, you know, I think, on a daily basis, or certainly on a weekly basis, we get a feed of those IP addresses in an automated fashion, our network firewalls will block ingress and egress both to those IP addresses immediately, which helps us as well. So I think that partnership, I think, has been really, really on point for helping us stay aware. And then the other thing that we do is we stay highly engaged with our counterparts in the Southeastern Conference schools, as well as our other peer and aspirational schools and constantly kind of comparing notes and having constant conversations as well as within the University System of Georgia.
Dr. Dave Chatterjee: Yeah, that makes a lot of sense. What about the rest of the community? Your community in the field of technology obviously, that's part of your job description, you have to be on top of your game. But what kind of help and support can you expect from the other business units, as well as the individual stakeholders, whether it's faculty members, whether it's students? What could or should they be doing to help secure the environment?
Dr. Timothy Chester: Well, for somebody in my role, or for the CISO role, and one of the most critical things is that you have executive leadership that understands these responsibilities aren't siloed responsibilities for the IT folk, but they are business responsibilities that are shared by everyone. And I think in the state of Georgia, frankly, that recognition and that supporting philosophy starts at the top. Governor Brian Kemp has been a very strong supporter and advocate across the board for all state institutions to really raise the game in terms of their cybersecurity defenses, and he has been quite explicit that it is the division heads and the CEOs of those major divisions, including the Chancellor of the University System of Georgia, who are ultimately responsible for assuring the state and the state government that we are doing all we can to reduce risk and to have the types of controls around technology and its use that we need to have. Certainly within the University of Georgia, in the 10 years that I have been here, we've enjoyed that type of support from the top, from President Jerry Morehead. He was the number two at the University 10 years ago when I was hired here and I worked for him directly for a couple years and now I continue to work for the Provost, the number two here at the University. And so that tone really starts at the top and I can tell you that you know, we have division heads here we call them Deans or Vice Presidents, they all understand that they are ultimately responsible to the Institution for managing the risk, and that my office is a resource and it's supporting arm but it's a supporting arm, it's not solely responsible for managing the risk in and of itself. That tone gets set constantly where we're doing things with security awareness training would begin under Governor Kemp's leadership we now do twice a year. And under the leadership of acting Chancellor Teresa McCartney at the University System of Georgia level, there's been a sizable investment in new infrastructure and supporting platforms for the cyber security training that Governor Kemp requires us to do twice a year. And so I'm really fortunate again, I spent the last two days actually before recording this podcast at the meeting of my counterparts in the Southeastern Conference, and I think the mix of support and real advocacy around information security that we enjoy at all levels of government have been very, very helpful to us.
Dr. Dave Chatterjee: That's very, very assuring, that's good to hear that you have great support from top management. So, you know Tim, you were mentioning about my book, one of the things I've emphasized in the book, which I have gathered through my research, is the importance of hands-on top management. And I've seen in many companies, the exemplars where the senior management take on active roles, whether it's in the aspects of cybersecurity planning, strategizing, performance review, they obviously are not experts, they don't claim to be experts, but they try to stay on top of things. It seems from what you shared, that's the way your organization functions. That's the kind of support you have. Anything that you'd like to add for people who are listening in and who feel a little frustrated or let down that they don't see that level of active commitment. It's a sensitive topic. But I still thought of probing a little further because,
Dr. Timothy Chester: Yeah, yeah, well, I think part of this may be is that when our president Jerry Morehead was the provost of the university, and in fact responsible for most of the operations here at the university, we were getting burned constantly by cybersecurity incidents. And I think that created an awareness in him of the need to make sure that this was something that all executives understood was part of their responsibility to manage well, and I'm not going to, you know, curse us by mentioning how long it's been since we've had a major incident. You know, we have near misses all the time, just like everybody else. But again, I think that constant diligence coming from the business side, where we do have an understanding that these are business responsibilities, first and foremost. So it's been absolutely critical. I do think it's also really, really important in terms of ultimately whoever within an organization has the final responsibility and accountability for these types of risk management activities, has to basically sit at the executive team with the CEO, and whatever form exists when the organization, so I report to the number two here at the university who's responsible for academic operations, which is again, 70% of the university. You know, but the President has staff meeting every two weeks, and I'm a part of that staff meeting and I have the opportunity to raise awareness of issues, bring visibility to things that should be visible to everyone, to be an advocate for sound practices. And then, you know, I'm on a texting and cell phone relationship with the president, whenever I need to get his attention to some matter, the President is pretty easy to reach. In fact, you know, last night coming back from my meeting with my counterparts in the SEC, you know, I debrief the President on, you know, later a phone call in the evening to kind of compare notes with things that are going on. So, I do think, you know, CEOs really understand that these are things that they have to manage, and frankly, if they don't manage well, they are things that wreck careers. And so frankly, that helps, right? So you go back 10 years ago, a major secure cyber security problem inside of a business probably, you know, the CIO or the CIO, or both of them, you know, they are the two parts of the operation that really had some career risk there. You know, that believe that that awareness that extends all throughout the organization and certainly at the executive level, to go back to the governor of the state, the CEO of our great state of Georgia, you know, he had a couple of incidents on his watch when he was the secretary of state, and I think he handled the response to those incredibly well, he left the place better than he inherited it. And he has brought that awareness to all arms at all levels of the state government, which has been truly, truly helpful.
Dr. Dave Chatterjee: Yep, that is extremely important, you are kind of speaking to a couple of things that I emphasize a lot. One being joint ownership and accountability. And the other is trying to create that We-Are-In-It-Together culture, where everybody has to recognize that it's not IT's job or the information security unit's job to protect us, we also have a role to play. It's like the way we are fighting COVID, you know, we can't just sit back and expect miracles to happen, we have to recognize our roles, and do our part. From the standpoint of enhancing level of awareness, you mentioned about, you know, conducting awareness training twice a year. And that's great. Now, there is a lot of research out there that speaks to the importance of customized training, that speaks to the importance of, you know, role-based training, training that shouldn't be one shot, because people often don't remember the first time what they were trained in. And then another aspect that often doesn't get addressed is are you effectively measuring the effectiveness of the training? And I know, I asked you several sub questions, but, you know, take it the way you're comfortable.
Dr. Timothy Chester: Yeah, I think there's a couple things, I think we're raising the bar, right. And I mentioned earlier, this investment in kind of the training and awareness platform that the University System of Georgia has made, that platform has a lot of capabilities around, you know, simulate malware campaigns, and some other kind of tools to really take an exercise approach to, you know, to helping to kind of raise the awareness or for your organization. I think the information security training that we have done in the past has been quite rote, and frankly, not as polished as it could be. And this investment of resources by the system, I think, is really going to raise the bar quite a bit there for us. And, you know, between that, and I think the commitment from the executive level organization, I think it's, it's been, it's really, we have a quite optimal environment here at the University of Georgia right now to kind of continue moving the needle here.
Dr. Dave Chatterjee: Now, from a communication standpoint, you know, as a member of the University community, I will often receive cybersecurity related communications, and, you know, they're often a long email, and I can understand that, you know, certain things need to be mentioned. Now, it's quite possible that when somebody receives a long email, they might be skimming through it or might be reading parts of it or might just ignore it. You will appreciate that part of effective communication is to ensure that the message really gets across to the appropriate folks. So, keeping that in mind, how do you make cybersecurity communication more customized and more effective? Have you all been giving this some thought?
Dr. Timothy Chester: Yeah, well, I think we certainly understand that we need to do a lot better job at this. You know, typically, you know, we have a very structured communication, you know, management program that goes around our initiatives and our operations that's designed to raise awareness, but I think you hit the nail on the head is that sometimes those communications are written from the standpoint of IT folk, which, you know, sometimes uses vocabulary and acronyms that really aren't well understood. And readers tend to disengage pretty quickly from that. Frankly, the whole question of whether or not email is the best vehicle for communicating these things also continues to be a concern; people don't read email as much as they used to, and the longer the email, the less you're likely to get the message across. So, you know, I think trying to raise messaging that's targeted to more smaller audiences is something that we're trying to do. And there's some upgrades to our multifactor system that we're trying to be very specific and targeted, as opposed to global-like communications. The other thing we have to do is just make when we communicate to people, we have to do so in a context that, you know, is accessible and relevant, you know, through narrative, you know, what's at stake for me, and what do I have in this, and, again, it has to be very personalized as well. And again, I think we've got real opportunities to get much, much better at that. When I came here 10 years ago, the knock used to be, well, you never told us anything that we were doing this; you know, now we beat people over the head with communications. But I still wonder sometimes whether the message is truly getting through. And the use of social media is becoming an important part of that as well. Although I'm not, you know, sending a mass listserv to 50,000 people versus posting something on Twitter, you know, to a much smaller audience repetitively, I'm not sure the social media gets this broader reach. But, you know, we're trying to take multiple avenues and use multiple, you know, tags at the messaging to more specific audiences to get the word out, get the word across.
Dr. Dave Chatterjee: That's great to hear, you know, for instance, from a faculty member's perspective, you know, it'd be good to know that, given the role I play at the university, what are some do's and don'ts from a cybersecurity standpoint? Now, is this information not available? No, it is available, it's out there, but to get it in my inbox in a very targeted manner, and then, from time to time being reminded that these are the things that you should focus on. That helps simplify things a little bit, as compared to a broad brush approach, where you're being told, what are the sensitive assets, and what are some scenarios that you should be careful about. That's a little too generic. So that's just my two cents. But I appreciate the candor and the recognition that we can do better.
Dr. Timothy Chester: So the other I just added that really, really quickly. I mean, so we get we were at Auburn University for this meeting of my counterparts in the last couple of days. Auburn has done a really good job with messaging around posters on entryways, you know, for their computer labs, screensavers, and things like that. And that's probably another opportunity where we need to get the word out a lot, a lot more.
Dr. Dave Chatterjee: That's a good, that's a good approach. That's a great approach indeed. All right, so the next topic that is also very close to my heart, is security audits and drills. You know, something that I talk about a lot when I'm out there, I say, you know, we have fire drills, do we have information security drills? Do we plan for distributed denial of service attacks and, and ransomware attacks? And now, I know it's easier said than done, and organizations do tabletop exercises, but in your role as the person, the technology person of the university, are you happy with the rehearsals that we have in place? Or can we do better?
Dr. Timothy Chester: Yeah, you know, I think we think we're doing well here; we certainly always can do better, but, you know, we really have implemented, you know, kind of the gold standard approach to a security operation center. And a part of that center is, you know, a red team versus a blue team, and the red team are the friendly hackers who, you know, are empowered to probe ourselves and our systems and look for vulnerabilities, and so, again, being here, you know, at an institution we are able to employ graduate students, we are able to employ undergraduate students, as well as some professional employees, and so we are constantly trying to hack the hell out of ourselves, using many of the common methods that are out there and, you know, moving the needle in terms of not only just penetration but also thinking about malware and ransomware. There are some tools out there that are now available we're looking at acquiring which, well, you know, with some intelligence agents scattered around your enterprise will tell you really quickly how easy it is to drop malware and other things. So we are constantly hoping to discover the major risks and vulnerabilities we have before others do; and again we're not perfect yet; we're so big, we often miss things. But there's a huge investment in resources to do that.
And it is always, you know, I have to be careful about some of the stories I would share, but again, you will appreciate this given your expertise and your rich experience in consulting, many times when vendors and implementers, you know, install major infrastructure on campus and they walk away from they flip the switch on, they don't change the default password to things. And so we've discovered major things here at the University from HVAC equipment to scoreboard and athletic venues, that if you knew what kind of make and model the thing was and you knew how to use Google to find the manual of instructions and how to go find that and get the default username and password. If you're on campus, you could actually control that stuff. And, you know, there have been several vulnerabilities like that that had been discovered.
And you know, really that goes right back to the question of blind spots, right? So you got an implementer, my job is to implement and turn it on, they'll figure that other stuff out. And then you got customers who bought for; well, we paid these experts to do it. So they had to do it, right, we're in good shape. There's a blind spot between two well-intentioned good groups of people working their best to do a hard job. And so again, constantly attacking ourselves, again, using the well understood red team approach is something we are very aggressive with.
Dr. Dave Chatterjee: Yep, that's, that's very true; and talking about vulnerabilities and talking about discovering vulnerabilities, another, you know, area of great concern to me is, we keep reading about these stories in the media that this organization was made aware, but did nothing about it until it happened, right. And so I wonder, from an operation standpoint, I'm sure you all have a mechanism in place where you're logging all the intelligence you're receiving, and then you are evaluating them, and then either acting or not acting, but at least you're on record explaining your reason for your decisions. So this way, you're maintaining a rigorous record of how you're handling intelligence, which later on, I'm not a legal expert, but I think, you know, if you had to defend the organization, you could say that we've done everything, and this is how we thought during that period of time. So you kind of back up your actions, your reactions to that?
Dr. Timothy Chester: Yeah, and let me just give you a little context. First, you know, research flagships like the University of Georgia, you know, our, our, you know, vertical industries, like finance, or manufacturing, we are Research and Innovation conglomerates. And we have 18 major units here at the institution, colleges and schools that are invested in innovation in their fields. So we allow for a wide variety of different than non-standard approaches to running technology, because it supports Research and Engineering or business, research in the areas that you do Dave, public health, so on, and so forth. So that kind of very distributed non-standardized environments increases risk dramatically. But we have a couple of basic gatekeeping rules around that; to begin with, everybody's got to run our antivirus. And everybody's got to send their logs to our Security Operations Center. And the tools just for data mining and analysis around those logs, just continues to get better and better and better, better.
So again, one of the benefits for making everybody use the same standard antivirus engine, we don't allow people to buy other antivirus products, is that we get just incredibly centralized logging about packets that are downloaded from the internet. And many times, you know, we will see something through our intelligence, the end user is not aware of and we can take action from that. There's another very good product that is being commercialized by a computer science faculty at Georgia Tech, he was formerly at the University of Georgia that that very helpful in this space. And then again, kind of on the reactive side, as well, the ransomware near miss that we had, these new data mining tools are very good at looking for lateral moves through the network environment by people who've breached the environments that they did it, if they moved anywhere. And you know, again, it's kind of a big data collection effort, right, you've got hundreds, if not thousands, of endpoints, all logging things. And if you can capture all that data with the tools, you can get a fuller sense of what's going on.
But again, it is absolutely amazing, you know, used to we would have to write our own scripts to kind of look for things and then the tools come with standard templates. Now the tools come with AI and machine learning, that merges all of those things together to really give us a proactive sense. Now these tools are expensive, they are absolutely expensive. But you know, they're well, well worth it. And it's a fast maturity field. And again, we're very fortunate to operate in an environment with a senior administration that supports us with the resources necessary to be in this space. We are early adopters.
Dr. Dave Chatterjee: Very, very, very good to hear that. You know, you talked about all kinds of data and analytics that's available to us now, that brings to mind performance measures and metrics. And this is another one of those areas where it's very hard to learn. Or it seems that organizations are struggling in terms of identifying what measures or metrics to capture and monitor when it comes to cybersecurity performance. What's your take on that?
Dr. Timothy Chester: You know, and this is, this is an area that I am not necessarily a subject matter expert, as well as I should be. I have a really strong information security team, and I trust their judgment and, and in some areas, I'm really just the gatekeeper. I'm not the gatekeeper. But I am the guard rails, rail rail network. So thinking about these KPIs, frankly, the most important KPI that I'm aware of is have we had a major breach that resulted in either increased vulnerabilities or an increased reputational damage or real damage to the institution and its customers. And that is one certainly that I keep in my pocket, as well. But everything else from number of users, types of end users, types of access, that's managed by those users, you know, metrics around how we properly decommission accounts, when people some people exit the community is absolutely critical. As well as, you know, stats on, you know, volume of patching, you know, what's our time to patch for, you know, a certain grade a patch with medium risk versus low risk versus critical risk? And those are all, I think, really, really important as well. The most important one, which is the one that the CEO cares about most that I do is number of incidents, and how many have we had, and first and foremost, that's one thing I keep in mind all the time.
Dr. Dave Chatterjee: Yeah, yeah. Along those lines, if, you know, if you were to think about rewards and incentive systems, it's a reward in itself if cyberattacks didn't happen, that, that is, that goes without saying, but do you have any thoughts about it, because in reality, it helps to motivate a certain desired behavior. Any thoughts on what would be some good rewards and incentive systems to achieve the desired behavior across the organization, when it's not your job function?
Dr. Timothy Chester: Unfortunately, I think this is an opportunity for the whole profession more than anything else. Because you know, right now, we probably have more sticks than we have carrots. Unfortunately, I mean, one of the ways we keep our, you know, our deans' and our vice president attention on these matters is simply because they know if there's an incident on their watch, you know, they're going to be in the general counsel's office with me and some of my folks, the president's chief of staff, as we begin root causing how whatever happened actually happened. And that's an uncomfortable seat to be in for the three or four deans that have, that I've been in the room with, when we've had to do that. And, you know, that, you know, accountability works. It's, it's really, really, really, really important.
But I think the other thing that we do, and it's more, not necessarily secondary, but indirect, kind of, you know, carrot or incentive is just really empower user to try you know, you know, particularly with the researcher in a lab and, you know, or whether we're talking about the vet school or in chemistry or something like that, by just basically helping them understand how this works, good security practices work and, and how they really can enable them to do some innovative things without artificial controls and barriers from on top here at the institution. I think that really creates an incentive for people to, you know, have really good baselines around information security in their operations. So we certainly try to take that as well. Again, sharing data from these meetings I just come out of, you know, we do, we trust our users a lot more here at the Institution, and we do some things, compensating controls, which I could get into at the network level, that give us the ability to have more flexibility at the endpoint level, which we're very, very comfortable with.
But, but again, I went to graduate school at Texas A&M, I started my career in IT at that organization with some great mentors, people that your listeners won't know but gentlemen, Tom Putnam, Steve Williams, Pierce Cantrell, they're really giants in my eyes of our discipline. And the thing that they all kind of really baked into my noggin is that research institutions are research and innovation conglomerates, and you have to allow faculty have the room to innovate. Otherwise, you, you know, you're defeating the whole, you know, mission of search and innovation at the institution. So we do a lot more aggressive things a lot, a lot more things with tools that are quite expensive at the network level. That means we don't micromanage the endpoints in our environment where a lot of other schools are actively trying to manage risk by managing endpoints, and again, making sure that we provide faculty members and staff members the flexibility to use tools as they best see fit to carry out their job or their research, I think is one of the most important incentives that we can have.
Dr. Dave Chatterjee: Yep, that is very true. And in that spirit of empowering the users to be able to continue their mission to why they are the institution, like we said, at the very beginning. We are not here in the business of security, we're in the business of doing what we do. But we cannot ignore security, security is centric to ensuring that we can do all our jobs well. I'd like to probe into another area that's about empowering the chief information security officer. It is my belief that you are the head of technology of IT at the institution, the CISO reports to you, is that correct? He does. Okay, so how do you ensure that because, you know, again, the research literature talks about trying to keep the CISO, CISO function, as objective as possible, the CISO should have a direct reporting relationship to the C-level folks. Again, this is a murky area, you can do it in different ways. What's your sense about CISO empowerment?
Dr. Timothy Chester: Yeah, you know, I think, I think what we have here at the University of Georgia works because of the leadership, you know, tone that the President sets and the way he's organized this team in a very collaborative way. And it's not necessarily replicable at institution for that the culture with that kind of that kind of leadership tone that that gets that so what President Morehead is looking for in all of his vice presidents is an ultimate and final authority over their areas, right, subject to his review or his perspective on any matter. So, from a university governance standpoint, I am that final subject matter expert, when it comes to IT matters. And President Morehead that does include information security matters as well. And so that means I have signature authority over policy. But you know, that's, you know, it's a servant leadership role. It's not a, particularly in a collaborative environment, like universities, it's not necessarily a hierarchical role at all. But within my team, you know, we're very non-hierarchical as well.
I know, you know, the University of Texas System, for example, has a system-wide rule that says that the CISO cannot report to IT because what the concern always is, is that information security kind of gets buried under the weight of fulfilling customer service requests and demands for functionality and that's why you would split those roles off; so the University of Texas System has done that for all of its counterparts. And philosophically, I don't think it's the best mix because I think when you do that, yes you gain some increased visibility with that organizational structure but you tended to divorce security a bit from operations; now they have done this at the University System of Georgia as well but just for their office alone and so the CISO at that point, when you do it that way, they almost always focused on controls and standards at the expense of operations. And I worry and this is President Morehead's genius, what he doesn't want from the vice presidents or the deans is a lot of finger pointing, so if there's an information security thing that goes on he doesn't want two subject matter authorities pointing the finger at each other and security saying these darn IT folks if they'd get their act together we would be okay and the IT folks saying I'll security people over there this is their deal their silo, not ours. And so you know, again, it's not just in IT, the VP for Student Affairs is the final authority over student affairs, the VP for instruction over instruction and teaching and so on.
So I, we run, but again, what works for us doesn't work elsewhere particularly would not work in a very hierarchical organization. So I know some CIOs who basically have a team that direct reports. And, you know, they'll bring that team of direct reports together once every two or three months to have a staff meeting, and they'll meet with everybody individually. My team meets with me once a week, everybody's in the room. And everybody knows I have a responsibility to understand how they can be supportive of everyone else and really understand the independencies they have on everybody else, including information security. They also meet without me once a week on their own as well, I think they do that to try to figure out how to collectively manage me better or something like that. But it's a very non-hierarchical, very collaborative, everyone around the table has an equal seat and equal voice on the matter. And that mirrors the way the President runs the University.
If CISO was buried under me in a very hierarchical way, that may be, that may be really, really grounds for concerns, but again, because of my style, and approach, Ben Myers, the CISO, he has his own relationship with the general counsel. He has his own relationship with deans; I don't gatekeep him from collaborating and relationships around here. I guess the only area that I would gatekeep him around access is access to the President of staff meeting, but that's the way the President runs the meeting, you know, we're going to bring, if we're going to bring somebody to the meeting, it comes through us so but for what so what we have worked through us this is a field that's fast changing. And so I know what the University of Texas has going on is working for them. And, and then frankly, I'll also say the University System of Georgia really began moving the needle from a policy and control standpoint, when they separated out information security from IT operations until I think what they've done, that's working for them also.
Dr. Dave Chatterjee: Wonderful, Tim, thank you so much for your time, this has been extremely enlightening. We've covered a lot of areas. Any final thoughts, yeah, you've covered a lot of ground. Any final thoughts?
Dr. Timothy Chester: I, you know, I think this is one of the most interesting and dynamic fields that there is in IT and I tell my students that, you know, if you want a super career for the next 20 years, guaranteed, this is a space to really explore, you don't have to be incredibly technical, you have to be technical enough to know what's going on at least the 25,000 foot view and up. But it is, it's real opportunity. And again, I was in a staff meeting with the CISO and my team to get the day and just hearing a report on some of the new investments they would like to make in tools and how AI is fast evolving as a threat monitor is just absolutely incredible. And also from a student standpoint, I'm a huge advocate for them thinking about this space and investing in it. And, you know, again, I've been fortunate to work for great people and for great organizations. And having been here at the University of Georgia now for 10 years red flag runs in my blood. And I consider myself very fortunate to be able to do the job that I've done. But I do it knowing that I'm a caretaker for a while and not going to going to I'm going to leave it to somebody at some point. And the thing that I've tried to do is to leave an organization and a team and in a pool of talent that gets the job done. And I think we're making that work today really well.
Dr. Dave Chatterjee: Fantastic. And Tim, thank you for what you do for the Institution. It's been a pleasure to work with you as a colleague and thank you again for doing this podcast with me today.
Dr. Timothy Chester: It's been a pleasure. Thank you.
Dr. Dave Chatterjee: A special thanks to Dr. Timothy Chester, for his time and insights. If you like what you heard, please leave the podcast a rating and share it with your network. Also subscribe to the show, so you don't miss any new episodes. Thank you for listening, and I'll see you in the next episode.
Introducer: The information contained in this podcast is for general guidance only. The discussants assume no responsibility or liability for any errors or omissions in the content of this podcast. The information contained in this podcast is provided on an AS IS BASIS with no guarantee of completeness, accuracy, usefulness, or timeliness. The opinions and recommendations expressed in this podcast are those of the discussants and not of any organization.