Illumination by Modern Campus

#CIORadio | Katrina Biscay (University of Cincinnati) on Keeping Up with Information Security in a Digital World (live @ Educause 2022)

Modern Campus

On today’s episode of the Illumination by Modern Campus podcast, EvoLLLution editor-in-chief and host Amrit Ahluwalia was joined by Katrina Biscay to discuss the importance of information security in a rapidly growing cyber world, and what leaders need to keep top of mind to help secure their institution. This episode was recorded live at Modern Campus's Educause 2022 booth in Denver. 

(00:03) Voiceover: Welcome to Illumination by Modern Campus, the leading podcast focused on transformation and change in the higher education space. We’re continuing our CIO Radio series, where we speak with technology leaders about the trends and challenges reshaping our increasingly digital space. On today’s episode, we speak with Katrina Biscay, Assistant Vice President and Chief Information Security Officer at the University of Cincinnati. Speaking live at EDUCAUSE, Katrina and podcast host Amrit Ahluwalia discuss the importance of information security in a rapidly growing cyber world, and what leaders need to keep top of mind to help secure their institution.

(00:43) Amrit Ahluwalia: Katrina, welcome to the Illumination podcast. Thanks so much for joining me. Well, we're live at EDUCAUSE, so again, just apologies to listeners. There's a little bit of a racket happening near our booth. But I so appreciate you taking the time out. And I'll tell you what. I mean, I've been in the space for a decade. We've been talking to higher ed leaders of all stripes, all descriptions, colleges and universities across North America, around the world. I've never spoken with a chief information security officer.

(01:11) Katrina Biscay: Really? That's surprising. I’m glad to be here. 

(01:12) Amrit Ahluwalia: Well, so can you walk us through a little bit…what are the central responsibilities of a CISO?

(01:18) Katrina Biscay: So we are a research one institution, which adds to the fun. Basically we're responsible for all data-centric risk, compliance and security. So that includes evaluating products for security concerns, that includes managing the risk associated with technology, instead of response, digital forensics investigations. It's really pretty wide fields 

(01:45) Amrit Ahluwalia: Well, what's kind of fascinating about information security in the post-secondary space is it seems to be a consideration that almost every level of every element of what the institution does, because we're becoming so digital. How do you keep up with that pace of change?

(01:59) Katrina Biscay: It is a challenge, and you're absolutely right. A university is like a city. Which is a lot of people don't understand that we have things that other places don't. In addition, we have 16, typically—at least us at UC—we have 16 regulatory frameworks we have to work with. Which is very different. There's a lot of, fortunately, industry groups that you can participate in. We are a big partner with a section of Indiana University. They share a lot of, especially incident response information with us. Then we partner with a lot of federal agencies to get the most recent information on threats, vulnerabilities, and compliance requirements. 

(02:42) Amrit Ahluwalia: How important is it to be collaborative in this space? We often hear about so much of higher education, administration and management happening in silos. But you just mentioned two key partnerships you already have. How important is it to build and maintain those kind of collaborative relationships with other post-secondary institutions. 

(02:59) Katrina Biscay: It's number one. Relationships are how you do security in higher ed. You cannot mandate, everybody knows that. So you cannot take a standard government or corporate approach. So what we work really hard on is developing those relationship and education components of what does security mean to you? Why are we doing this? Why are we adding these controls that might make your life a little bit more difficult? But the reality is we're protecting institution. We're protecting our student data, and that's our priority. But third party partnerships aren't just as critical. That's where you're going to hear the new things. And honestly, a lot of the hired institutions have the same problems. So having that open dialogue really helps you do better.

(03:40) Amrit Ahluwalia: Absolutely. So I am curious, because obviously we're in an environment where post-secondary institutions are becoming more digital. We’re trying to collect and maintain more data in order to make that student experience more seamless. There's a lot of consumer side benefits to that. On the flip side, there are a number of security considerations that come with that. So as you think about this shift towards, you know, digital seamlessness and accessibility on the one side, what are the key security considerations that a post-secondary leader needs to keep in mind?

(04:11) Katrina Biscay: Well, you have to think about your data as a whole. Traditionally, a lot of data was kept in silos. Colleges had their own centrally units have their own. You need to change that mindset and you need to bring your executive leadership and the academic side into the conversation about your data governance and data management. Because that data is where your money is. That's what the malicious sectors want it. It's extremely re-sellable out there, especially student PII or intellectual property. So we have to shift the dialogue from “we're going do this as security or as IT”, to “we're going to do this as an institution because these are our institutional assets”.

(04:50) Amrit Ahluwalia: How do you do that? How do you start to get that buy in from folks that, you know, even technology generally, but security certainly isn't really a priority for them.

(05:01) Katrina Biscay: You have to be nice, honestly. So there's insecurity. There's this traditional kind of bully mindset. You’re the Department of Dell. You have to stop your department of collaboration and creative problem solving. That's what you really are as security. Education and awareness is extremely important. Get your folks out there, get them talking to the deans, associate deans to the faculty themselves, to the students, and then do exercises with them. We recently did an executive friend of our tabletop with our dean level and it was extremely successful. It opened up their rise as to what are we really dealing with in case of a malicious incident. That bought us a lot of support from those units. They started thinking about it on a different level.

(05:48) Amrit Ahluwalia: That's interesting. Let's talk a little bit about that, those malicious attacks. It does seem surprisingly common in our industry. Why are higher ed institutions so frequently targeted for by cyber-attacks?

(06:03) Katrina Biscay: We're easy and attractive. That's really what it is. We have large open networks that are typically flat. Security was not built in from the beginning. So stopping an attack is very difficult. There are very few institutions, especially if you talk about larger state level research institution, that can quickly stop and attack. Due to the nature of our technology. We have incredible technology diversity. We have population diversity. For us at UC, we have 10-year-olds. We have a hundred-plus-year-olds. They deal with technology very differently. IT is very much still a silo thing in higher ed. And we have data that sells. Intellectual property has really been a huge target for several nation states. They're looking to get to that research and either use it in their country or resell it on the market.

(06:58) Amrit Ahluwalia: That makes a lot of sense. So I mean, as you look at it from this lens as CISO, what are some of the common best practices that folks could start to implement to maybe start to safeguard themselves a little bit from this kind of an environment?

(07:15) Katrina Biscay: Well, you brought up relationships. I cannot emphasize that enough. Start building your relationships. Educate your staff and faculty and students if you can get that word out there. Get them aware. Have a method of reporting. So we have a very easy way to report suspicious emails and suspicious phone calls to our department to validate. And we're very responsive. So there's that feedback loop that actually helps increase those reporting numbers. Focus on the basics honestly. Technology basics will help your security, turn on your MFA. Please. Just everywhere, just go ahead and turn it on.

(07:52) Amrit Ahluwalia: Although in fairness, it is annoying. 

(07:55) Katrina Biscay: It is annoying, but honestly, it's one of the most effective controls out there. You know and figure out where your stuff is. Do you know where all your assets are? Do you know what software you have installed? Do you know what open rules you have on the firewall? Most institutions can't answer those questions up front. So really get into your environment and understand how it's actually built. From there, you can make your decisions and prioritize what is important to your institution as far as remediation. 

(08:23) Amrit Ahluwalia: So as you look at the post-secondary industry today and kind of think about where we're going over the next sort of five to eight years, what are some of the key trends that you're keeping an eye on?

(08:32) Katrina Biscay: From the security side, cyber resilience, that has been our key trend. You're going to have an incident that's a given if you haven't already, you just didn't find it, you haven’t. But that's part of the deal. So you have to accept that reality. What you are focusing on now is planning, preparing for an incident, working on your detection capabilities, and then your incident response and remediation capabilities. What you want to do is minimize the impact of that malicious security incident, and that's how you do it. So that is the concept of cyber resilience. Data governance and management is going to be huge. We are giant repositories of all kinds of data, but very few institutions have a true feel as to what they hope. So it's going to shift from departments to institutional data governance and management. And then frankly, digital transformation. How do you improve that student experience? How do you make it seamless? How do you make it truly connected because that is what students expect when they come on campus now.

(09:34) Amrit Ahluwalia: Well I'm actually, I'm curious about this. You know, as you think about your hat as a CISO, how important is it…I guess, what's the balancing act that you have to play to make sure that on the one hand you're able to deliver on the expectations of a digital native consumer? And on the other hand, make sure that you're still compliant where you need to be compliant, you're secure where you need to be secure. Like on the one hand, it seems like consumer interests are for more openness, more seamless, less barriers, but the world of security necessitates barriers and obstacles to be able to make sure they only be the right people are accessing data.

(10:14) Katrina Biscay: Yes, you're right. But to a point. So, really the approach is more surgical. It is not mandating across the institution because you will fail. So focus on what needs to be truly compliant, what has regulations layered on top of it. There you can actually apply more security controls and be a little bit more strict. But for your student experience, that's not necessarily needed. So instead for the students, you focus on more transparent security controls on the backend. So, you know, if you're using, say office 365, there's a lot of backend security tools that you can implement that nobody sees. But they help reduce the risk, reduce the volume of those scams and phishing emails. That's what you do for the students. So you can't take a single broad approach to a higher ed institution.

(11:02) Amrit Ahluwalia: Well, Katrina, I mean that pretty much does it on my end. The way we like to end our Illumination podcast interviews is with a restaurant recommendation. So I'll ask you if someone's going out to dinner in Cincinnati, please don't say Skyline Chili. Where do they need to go?

(11:17) Katrina Biscay: I'm going say Eli Barbecue. It is a small Cincinnati founded barbecue that actually still smokes things with wood. It is incredible. So if you're a barbecue fan, go there. Do not go to Montgomery Inn. 

(11:32) Amrit Ahluwalia: Absolutely a barbecue fan and I will absolutely be going there. Awesome. Katrina, it's been a pleasure. Thank you so much.

(11:37) Katrina Biscay: Thank you so much for having me.

(11:41) Voiceover: This podcast is made possible by a partnership between Modern Campus and The EvoLLLution. The Modern Campus engagement platform, powered solutions for non-traditional student management, web content management, catalog and curriculum management, student engagement and development, conversational text messaging, career pathways, and campus maps and virtual tours. The result innovative institutions can create learner to earner life cycle that engages modern learners for life, while providing modern administrators with the tools needed to streamline workflows and drive high efficiency. To learn more and to find out how to modernize your campus, visit moderncampus.com. That's moderncampus.com.