Jun 27, 2020
Bob Turner, a friend and Board member of the Cyber Security Hub as well as the University of Wisconsin-Madison CISO, was kind enough to make some time for an interview. The following is an overview of the past, the present and perceptions of the future cyber security reality.
The University of Wisconsin is a research-one-level university with about 23,000 staff and roughly 44,000 students during the normal part of an old-normal year. This number jumps to a total of 80,000 users overall when one considers affiliates and ancillary personnel, which means roughly a hundred thousand endpoints. Bob notes that the University has a large amount of important research.
His resources are focused: he's got 38 full-time staff with about 20 students who support governance, risk management, incident response, vulnerability and what they call the common system Cyber Security team, which focuses on the big ERP-type systems: HR, Finance and Student Information.
During the March 2020 migration off-prem, Bob's team was responsible for protecting that research, rolling out the business continuity plan (BCP) and moving 3,700 classroom courses to online delivery, to name a few initiatives.
The BCP did in fact roll out well. Bob was happy with the team and confident in the execution: “The X factor, I think, was trying to understand how many of the different collaboration tools were out there and understanding about those tools that we may not have looked at very close in the past. We had to do that on the fly and we had to do it rapidly.”
It was confirmed for Bob and his team that ‘the past’ was secure. There were no issues in rolling out the business continuity plan, which was secure. There were no issues with the systems in place, which were secure.
The team continued with business as usual: “daily security routines run a playbook and a SOC and the regular pattern and pace of risk assessments and policy management, as well as trying to ensure that our users are aware of issues.”
Now 100% remote, with business as usual going smoothly, ‘the present’ turned on a dime and presented a threat matrix that could not have been anticipated, because a 100% remote global workforce was not anticipated by anyone.
And so Bob and the team “had to put together a provisional policy on how to manage collaboration tools: What do you record? How do you record it? What type of data can you talk about over the air? Do the solutions have encryption in transit and encryption at rest, and is that encryption a suitable standard?”
As Bob tells it, beyond collaboration tools, “COVID brought with it a whole bunch of fun, little scams, a lot, a dramatic increase in the phishing attacks, business email compromise attacks and anything social engineering happening in real time.”
With digital machete in hand, Bob slashed through all of those new issues to ensure that he and his team could take a step back and have a big-picture focus on what he’s always focused on: people, process and technology.
With a big-picture focus on people, process and technology, technology could be construed as your tools and process could be construed as your tactics. Tools and tactics can be improved or replaced to fit better with a new reality. But changing people is a more delicate and more gradual shift.
“If it's face to flat screen, not face to face, we need to be able to see the person on the other end and understand if they're stressed or if they're calm and cool and collected. It's about listening very carefully to those indicators. We have staff who are spending part time as parents, which means part time as teachers and part time as the custodial staff in the house. And then they're also working for us.”
“So the eight-hour workday is not contiguous. We have to make sure that we're compensating for that appropriately.”
Truly understanding the human dynamic on his team is only the beginning. Bob is focused on understanding what each user needs and ensuring that each user can appropriately and flexibly do their job with his support. He knows that his job is to ensure access with security. If he blocks access, the user will simply work around it with no security. As the future is now, he knows he cannot make decisions that negatively impact the work of his hundred thousand users. He has to be “thinking as a business enabler.”
The department of no must become the department of know.