Describe what it means to be the CISO at Broward College. What are the requirements and peculiarities - network-wise and in regards to the users - you needed to meet, and what were the problems you needed to solve to meet them.
My work experience has been primarily in corporate America before coming to Broward College. I worked for a Fortune 100 company and a few other publicly traded organizations. Our goals were always focused on bringing shareholder value by reducing risk. In higher education, it is all about ensuring the success of our students. This requires a more open environment. I knew that in order for us to move the information security initiatives forward, they would have to be less impacting on the end user but still allow for adequate protection and control. We focused on technologies that were less invasive and more behind the scenes.
One of the challenges was to secure BYOD when it had already been the norm for students for years. We had to meet that security challenge without interrupting the current environment. We did this through a combination of ForeScoutís NAC solution, CounterACT, and Fortinet's UTM Firewalls. We block a lot of viruses, botnets, phishing attempts and malware without anyone knowing.
You've occupied this position since September 2011. How did your job change through the years? What dangers has the college faced? What are you most worried about currently, and what new technologies you believe users will turn to and will present new challenges for you and for your team?
When we initiated the information security program in September 2011, it was focused mainly within the IT department. We've expanded our scope from just IT security to include information compliance and risk functions, which are really college-wide goals that include every department. It is important that information security does not stay focused entirely on technical controls. I think a lot of departments forget about the physical component and administrative processes of securing information.
A lot of us come from technical backgrounds, which makes it difficult to look at the bigger picture. It is absolutely critical to look outside of IT when developing your strategy. We look at everything now, from locked file cabinets to how mail is carried between buildings. You can never secure every avenue of data loss, but you focus your efforts on the areas that pose the highest risk.
The college, like most organizations, has a variety of threats on any given day. There are a number of phishing attacks and unauthorized access attempts that we block regularly. Our single most important tool in preventing a data breach is our ability to monitor and analyze malicious traffic in real-time. If you don't know what you are up against, it makes it very difficult to provide adequate protection. Monitoring and taking action is a 24x7 job, unless you have the funding for a fully-staffed SOC, you should consider outside assistance from a MSSP.