An Interview with Steve Erwin, Senior Vice President & Chief Technology Officer
| By E&I Cooperative Services
We sat down with Steve Erwin, Senior Vice President and Chief Technology Officer of Columbia Advisory Group (CAG) to talk about IT trends and challenges, and how higher education and K-12 institutions should be tackling their cybersecurity strategy.
What are some of the trends and challenges you’re seeing in IT security in education?
A common challenge we are seeing is that institutions are under-resourced when it comes to dedicated IT security leadership. That is, they have CTOs and/or CIOs, but these people already have full-time jobs or are super busy. They need someone focused on security, but too often they delegate responsibility to a system manager or similar resource. That’s very often not the right level of person.
The truth is, a trained Chief Information Security Officer (CISO) is the best option – someone who is dedicated to the task and continually keeps up with their certifications. A really strong CISO will do security assessments, make recommendations, implement best practices and procedures, develop risk registers, and map IT in line with regulations. Most of these individuals are Certified Information Systems Security Professionals (CISSPs) and many have additional certifications, including:
- Masters of Information Technology, core in Information Security
- Bachelors of Science in Computer Networks and Cybersecurity
- Certified Information Security Manager (CISM)
- Certified Information System Auditor (CISA)
- Certified Ethical Hacker (CEH)
Having a CISO really gets you ahead of the challenge – it’s a structured approach. A full-time CISO can be expensive, especially for small- and medium-sized institutions, but there are other options out there. In our security practice, for example, we offer a fractional CISO service. Our CISOs embed right into campus organizations and report directly to the campus CTO. And because they’re fractional, campuses only consume what they need, so they are getting all the benefits of a CISO at a fraction of the cost.
The bottom line is, you can accomplish it in a few ways, but every campus should make sure to have CISO expertise on hand. Don’t delegate to someone who’s not qualified and don’t just “wing it.”
What systems are proving to be the most vulnerable point of security risk?
Attacks through email continue to pose one of the most significant threats in terms of security – it’s the most common way for hackers to get in.
In a recent phishing scenario we’ve seen, the attacker spoofed the email address of the CFO and sent an email to someone in the accounting department asking for a wire transfer of funds. The person believed the note was actually from the CFO and transferred the funds.
In a situation like this, it all goes back to spending time to educate users. The challenge for us is that you can only lock down a system so much before it basically becomes unusable for people. Achieving the right balance takes a lot of user education, which means consistently sending out reminders and updates on potential threats, such as opening an unknown email attachment. Let your users know that if they receive a suspicious email, they should sent it to the ISO immediately so it can be investigated. It’s much better to deal with the problem proactively than try to fix the problem on the back-end.
Another trend we’re seeing has to do with the issue of third-party vendors and staff or faculty purchasing or downloading new software without first requesting approval. All new software vendors must be vetted for security and approved before a program can be purchased. Sometimes, these companies have a great program, but it isn’t written securely, or it’s not being patched or updated, or they don’t have adequate security on their side where it is hosted. Vetting software vendors for security prior to purchasing any new programs will prevent a lot of problems in the long run.
What about the cloud? What should institutions consider when transitioning to the cloud, and what are the security risks?
We are definitely seeing an increased movement to the cloud, and while that’s generally a good thing, you have to ensure your vendor has the proper security measures in place on their side before you make the move.
The first thing we advise is to evaluate exactly what you’re trying to accomplish by making this move. Assess your needs and goals and determine exactly what’s required. For example, you may need to increase bandwidth, or implement additional security in certain areas. Then there’s the guarantee of uptime, redundancy, and failover. You also need to identify what the additional costs will be.
Another important consideration is how you’re going to authenticate users. Are you giving them a separate password to use for the system, or can you integrate with your active directory to accomplish single sign-on? You have to determine how you are going to handle this, and it’s where people are often leaving themselves open to risk.
What kinds of regulations are institutions required to meet in terms of data security, and what are the impacts if an institution does not comply?
The number of regulations schools are required to comply with has increased exponentially. As an example, just a few years ago we were looking at about 50 regulations in the state of Texas alone – but now that number is over 150, and growing. We’re talking about things like:
We also have to consider things like Access Control, Audit and Accountability, Identification and Authentication, Incident Response, Risk Assessment, and so much more. So it’s really important to keep up with these on a regular basis and to change your security plans and programs accordingly.
We work with a junior college that brought us in after they’d been hacked. The situation was so bad that the federal government threatened to hold up the school’s financial aid until they cleaned up their act. That’s a huge impact on a small junior college where the majority of students are receiving financial aid, and it can ultimately impact their ability to keep the doors open.
We worked with another school that brought us in after they were fined about $8 million because they did not have their data properly secured. So, the potential fines and/or penalties of not satisfying compliance mandates can be significant.
What are some other important considerations when it comes to IT and data security?
There are a few best practices that are important to mention. One important element to have in place is a business continuity plan (BCP). This is a strategic document that dictates what you are going to do to keep things running in case of an emergency or a catastrophic disaster. For example, if your institution is struck by a natural disaster such as a tornado, your BCP identifies:
- What’s most critical in terms of critical business functions;
- What systems should be recovered first; and
- Who are the critical personnel.
From there, you should develop a disaster recovery plan that outlines how you’re going to execute the strategy in your BCP. So, your BCP defines what systems come up first and your disaster recovery plan details how you’re going to execute that.
Having both plans in place ensures critical business operations continue in response to a disaster event. Otherwise, you’ll basically have IT guessing about what to do without an overall picture on what’s going on, and without any guidelines about what to do first.
Another important piece is a risk register. This lists the details of all identified risks across the institution and outlines a plan to address or mitigate those issues. In some cases, an institution may determine that they don’t have the funds to address a particular issue, so they are willing to accept the risks. That may be okay, as long as everyone is on the same page.
Each of these elements work together and they all tie back to the security plan. And one more thing to keep in mind: once you have a plan in place, you must keep it updated. We see a lot of people who put a plan in place that covers their requirements in the short-term, but then they drop the ball and don’t revisit it or keep it updated.
Any final thoughts or anything we haven’t mentioned?
Two things: recently, we’ve seen an uptick with some of the hosted software vendors asking clients to sign a statement that says they are not responsible for GDPR and it’s up to the institution to ensure their data is secure. I advise people not to sign that because it’s basically absolving the vendor from any GDPR penalties. If the hosted system gets breached, the vendor should be held responsible – it’s their system and they should ensure it’s protected.
The last piece I want to mention is governance – that’s a really important aspect of a good security plan. An effective governance program describes exactly what IT should be working on in different areas of the institution. This helps you address any potential change management issues by ensuring everyone is aware of what’s happening, so there are no surprises or confusion. It also has a significant impact on the institution’s satisfaction with IT. You need a good governance program that pulls all the aspects of your security program together. And you need to ensure buy-in from all levels of your institution, including senior leadership, to ensure the program’s success.
About the Author
As Senior Vice President and Chief Technology Officer of Columbia Advisory Group (CAG), Steve Erwin is responsible for all managed services, as well as setting the technology direction for the company and its clients. Steve has 25 years of IT experience in managed services, project management, infrastructure management, IT due diligence, security, compliance, data center rationalization, and operations. He has earned a CEH, ITIL Foundactions, CCNA, CCNP, CCSP, and CWA.