General Session
Wednesday, October 14
 

9:00am EDT

Welcome and Opening Remarks
Dr. Andrew Sears, Interim Chief Information Security Officer, professor and dean of the College of Information Sciences and Technology, and Kevin Morooney, Vice Provost for Information Technology and Chief Information Officer, welcome all attendees to the 2015 Penn State Security Conference.

Speakers

Kevin Morooney

Vice Provost for Information Technology and Chief Information Officer, The Pennsylvania State University
Kevin Morooney, Vice Provost for Information Technology and Chief Information Officer, holds a Bachelor of Science from Virginia Tech in engineering science and mechanics specializing in biomedical engineering. He came to Penn State in 1988 to provide support for faculty using...

Andrew Sears

Interim Chief Information Security Officer, Professor and Dean of the College of Information Sciences and Technology, The Pennsylvania State University
Dr. Andrew Sears is the Interim Chief Information Security Officer in the Office of Information Security, as well as a professor and Dean of the College of Information Sciences and Technology at Penn State. Dr. Sears’ research explores issues related to human-centered computing...


Wednesday October 14, 2015 9:00am - 9:30am EDT
Presidents Hall 3 & 4 The Penn Stater Conference Center Hotel

9:30am EDT

Keynote | A Call to Action – But What Action?
Improving Information Security practices sounds complicated – not just for IT staff, but for everyone at the university.

The good news is, it doesn’t have to be difficult – it just needs to be consistent.
A focus on basic, transparent, repeatable procedures, incorporated into everyday activities of teaching, learning, research and administrative processes, can do more to protect Penn State (or any other school or company) than only investing in sophisticated cyber security tools. We’ll discuss:

  • Knowing your data – how it’s classified, how it’s used, where it’s stored

  • Knowing your business processes – why you do what you do

  • Knowing your access – how to intentionally give access to your data, and to verify it

  • Knowing your systems – hardware and software inventory

By the end of this session, you will learn why the nature of higher education lends itself to superior information security, if only we have the appetite to pursue it.


Speakers

Helen Patton

Chief Information Security Officer, The Ohio State University
Helen Patton is the chief information security officer at The Ohio State University (OSU), where she manages the Security Operations and Services team, as well as oversees Information Risk and Control Governance across university units. Patton also chairs the University Information...


Wednesday October 14, 2015 9:30am - 10:30am EDT
Presidents Hall 3 & 4 The Penn Stater Conference Center Hotel

1:30pm EDT

Keynote | What is Old is New
This talk shows examples of Internet attacks of the past 25 years. It sadly points out that the root causes of the successful attacks of the 1990s, 2000s and 2010s have not changed and worse, have not been fixed. We ask the question "what have we, the security researchers and practitioners, been doing the past 25 years?"

Speakers

Randy Marchany

University IT Security Officer, VA Tech
Randy Marchany is the information technology security officer and director of the IT Security Lab at Virginia Polytechnic Institute and State University (Virginia Tech). Marchany has been involved in the computer industry since 1972 and has made many contributions in the field of cyber...


Wednesday October 14, 2015 1:30pm - 2:30pm EDT
Presidents Hall 3 & 4 The Penn Stater Conference Center Hotel
 
Thursday, October 15
 

8:30am EDT

Keynote | Today’s Threat Landscape: Higher Education
Speakers

Grady Summers

Senior Vice President and Chief Technology Officer, FireEye, Inc.
As senior vice president and chief technology officer (CTO) at FireEye, Inc.—a company that provides automated threat forensics and dynamic malware protection against advanced cyber threats—Summers oversees the global CTO team that supports research and development and product...


Thursday October 15, 2015 8:30am - 9:30am EDT
Presidents Hall 3 & 4 The Penn Stater Conference Center Hotel

12:30pm EDT

Remarks from the Executive Vice President and Provost
During lunch, Dr. Nicholas Jones, Penn State's Executive Vice President and Provost, will address conference attendees with his thoughts on information security and its importance for the University.

Speakers

Nicholas Jones

Executive Vice President and Provost, The Pennsylvania State University
Dr. Nicholas Jones assumed responsibilities as Executive Vice President and Provost of the Pennsylvania State University in July 2013. As Provost, he is the chief academic officer of the University, responsible for the academic administration of the University’s resident instruction...


Thursday October 15, 2015 12:30pm - 1:00pm EDT
Presidents Hall 3 & 4 The Penn Stater Conference Center Hotel

1:30pm EDT

Keynote | Activating Security Through Resilience

I propose discussing the core Gartner Point of View on effective cybersecurity: the six principles of resilience with a focus on the challenges unique to higher education. We believe every successful digital enterprise will have to adopt these six principles:

From Check-Box Compliance to Risk-Based Thinking: While this idea is not new, the urgency to embrace it is. New regulations are inevitable, but following a regulation, or a framework, or just doing what your auditors tell you to do, has never resulted in appropriate or sufficient protection for an organization. “Risk-based thinking” is about understanding the major risks your business will face and prioritizing controls and investments in security to achieve business outcomes.

From Technology to Outcomes: We must move from a singular focus on protecting the infrastructure, to a new focus on supporting organizational outcomes. For the last two decades, our investment decisions have been heavily focused on protecting the infrastructure. But now we need to elevate security strategy to protect the things the business actually cares about. You CAN connect these outcomes to the work you do in IT risk and security.

Defender to Facilitator: As part of the transition to supporting the business outcome mindset, we must move from being the righteous defenders of the organization to acting as the facilitators of a balance... a balance between the needs to protect the organization and the needs to achieve our desired business outcomes. This is particularly challenging in the higher ed environment, where decision making is diffused.

From Controlling Information to Understanding Information Flow: Next, we must move from trying to control the flow of information to understanding how information flows so we can improve its resilience and the outcomes it supports. Digital business will introduce massive new volumes and types of information that must be understood and appropriately protected. In the world of digital business every enterprise will be a link in a global chain. We can’t do this alone.

From Technology Focus to People Focus: We must understand the limits of security technology... and recognize that properly motivated people—properly engaged and educated people—can be the strongest links in our chain. So we need to shape behavior and motivate people to do the right thing, not just try to force people to do what we want.

From Prevention Only to Detect and Respond: The sixth principle requires the most profound shift in focus. It begins by understanding that compromise of our systems is inevitable. We must move from a singular focus on trying to “prevent” compromise to acknowledge that we will never have perfect prevention: we need to be able to detect compromise and react faster. The disparity between the speed of compromise and the speed of detection is one of the starkest failures discovered in breach investigations. In the digital world, the pace of change will be too fast to anticipate and defend against every type of attack.

We must invest in capabilities—technical, procedural and human—to detect when a compromise occurs. We must provide the tools for first responders to react quickly and investigate the source and impact of the breach.

Resilience is our new standard of success. Applying these six principles will help conference attendees gain a seat at the planning table and propel Penn State to a successful digital business future.


Speakers

Mary Wujek

Director, Global Security and Risk Management, Gartner, Inc.
Mary Wujek has extensive expertise in information security, portfolio and program management, business continuity, strategic planning, and product management. As Director of Global Security and Risk Management at Gartner, Inc.—a leading information technology research and advisory...


Thursday October 15, 2015 1:30pm - 2:30pm EDT
Presidents Hall 3 & 4 The Penn Stater Conference Center Hotel
 