Information Security and Higher Ed: How one CISO is Able to Leverage an MSSP as Part of a Modern Approach to Managing Risk
By Matt Nappi, Chief Information Security Officer and AVP, Stony Brook University
As one of only 62 AAU members, Stony Brook University (SBU) operates in a dynamic and challenging environment, guided by an ambitious five-part mission that is clear and concise. That clarity allows me to ensure that every initiative I lead or take part in ties back to the SBU vision and mission. If it does not, why are we doing it? IT is a strategic partner of the business, and the same can be said of our cybersecurity efforts. Our organization’s leadership recognizes this, which in and of itself makes SBU a unique place to work. Still, no public university today exists without constraints, and those constraints demand a strategic approach to cybersecurity.
It is important to recognize that our cybersecurity efforts serve to enable the business and its goals; they do not supersede or live independently of the University’s mission. Information security should be consulted on every major project that involves technology, and in today’s day and age you would be hard pressed to find one that does not! At SBU, our guidance and subject matter expertise help assure the success of these projects. In addition, our incident response efforts serve to enable student, faculty, and staff success.
One of our most successful projects has been the onboarding of a managed security services provider (MSSP) that monitors the campus network for signs of intrusion and malware on a 24x7x365 basis. Finding and picking the right vendor is no simple feat, but the greater challenge is continuing to realize the value that any vendor claims to bring. No outside vendor can know your environment as well as you can, so we are constantly working with them to fine-tune their rules, their alerts, and our own response protocol. We recently added the ability for them to start containment efforts in certain scenarios, even during non-business hours. In any given month, we respond to hundreds of tickets that represent potential incidents. When selecting an MSSP, it is important to find the best fit for your operation’s level of maturity, not necessarily the best technology or the best possible vendor. Overpaying for an MSSP that delivers more service than you can make use of is like buying a brand new Porsche for your 16-year-old with a learner’s permit. You can do it and feel excited about it, but when you are doing 15 mph around the block 500 times you may realize it was not the best use of resources.
We also found great value in picking a cloud vendor to deliver an online cybersecurity training package as part of our push to improve cybersecurity awareness. So many community members have taken the time to thank me and tell me how valuable they found this simple, but effective, training solution.
As a small team of four, including myself, we have learned to think big and to welcome diversity of thought and outspoken viewpoints. This helps us arrive at the best solution for any problem we are trying to address. We all respect one another, which proves valuable when we do not see eye to eye on a particular issue. Most importantly, we take pride in our work and take our responsibilities very seriously, although that does not mean we cannot have fun along the way. Really, though, my team is much larger than four people. I view every IT person, every student, and every faculty and staff member as an extension of my team. When selecting an MSSP, we looked for a company that would essentially expand our cybersecurity staff and could be flexible in its offering. We did not want the experience of picking up the phone and hearing, “I’m sorry. That request is out of scope,” which meant we had to find a company small enough to be flexible, but large and mature enough to handle the complexity of a University environment. The bottom line is that cybersecurity cannot be adequately addressed by four people, or even fourteen people. It requires contributions from every individual within our community. I try to impress that fact upon everyone I encounter and to eliminate any “us versus them” thinking. Instead, it is more like, “All hands on deck!”
"Trust is just a code for no security. Instead, let’s talk in terms of acceptable and unacceptable risk"
Few organizations today can afford to be good at everything or to dedicate internal resources to everything, so it makes sense to use vendors for skill sets you do not need on a weekly basis. Still, hiring a vendor for something does not eliminate the need for internal knowledge or for oversight of the vendor’s progress and techniques. In my experience, hiring a vendor does not remove the need for internal staff to be involved, although it can decrease that requirement to an extent. This is one of the reasons we chose to outsource 24/7 security monitoring: it is rarely cost-effective for a company to develop this capability internally.
I think the future of cybersecurity programs will put more emphasis on rapid threat intelligence sharing. It is reasonable to believe that as threat intelligence sharing, artificial intelligence, automated incident response, and basic cyber hygiene continue to improve, some organizations will stop getting hacked by anything other than zero-day vulnerabilities. It may be more than 10 years off, but the world of technology will be a much safer place if those elements continue to mature at a similar pace. I also think much more effort will go into evaluating and assessing the security practices of our vendors, as the cloud continues to expand and the CISO role takes on additional elements of traditional vendor management responsibilities. Finally, we need to stop using the word “trust” unless we are talking about a zero trust model. “Trust” is just code for “no security.” Instead, let us talk in terms of acceptable and unacceptable risk. Modern CISOs must work hard to align the computing landscape with the risk tolerance of senior leadership, and clearly inform them in the event of a mismatch.