Confessions of a Shared CISO

Farooq Naiyer

The cybersecurity imperative

In the first week of April of this year, one of the largest tech universities in the southern United States reported that they had a data breach and that almost 1.3 million students and teachers may have had their personal data and information exposed. A threat actor was able to gain access to such information as names, addresses, social security numbers and dates of birth.

This is just one example of the many kinds of cybersecurity incidents that can occur at higher education institutions, not just in the States, but also here in Canada and around the world. Universities are often targeted with DDoS attacks, phishing scams, ransomware and more. These attacks often cause the institutions a lot of damage and the cost required to recover from them can be high. But often it's incomparable to the research and intellectual property that can be lost in these attacks, creating setbacks for research goals and impeding innovation. These attacks can be prevented, but it requires robust systems, an incident response framework and a comprehensive security team. However, institutions often lack the funds for these resources.

Farooq Naiyer
Attending Cybersecurity Awareness Month event at Brock University, October 2017.

Two years ago, ORION was approached by representatives from higher education institutions in Ontario to improve cybersecurity with the concept of a collaborative cybersecurity program. As Chief Information Security Officer (CISO), I worked together with those representatives in a shared CISO pilot program with the objective of providing security thought leadership and building a road map to address their cybersecurity risks and challenges. Together, we created a program to help higher education institutions address their cybersecurity needs and share their resources with one another. This is part of ORION’s goal to provide cost-effective cybersecurity guidance, programs, and services to meet the needs of our community. I want to take the opportunity to look back on all that this amazing group of people has accomplished.

Crafting the tools needed for accurate analysis

Cybersecurity Training
(L-R) Wesley Alvarez (EC-Council), John Levay (Niagara College) and David Smith (ORION).

We set out to create a set of guidelines and best practices for higher education institutions. These have been shared between the participating institutions and each has had the chance to learn from them and put them into practice. These guidelines and practices cover a wide variety of cybersecurity topics such as security incident management, threat risk assessment, Payment Card Industry Data Security Standard (PCI-DSS) compliance, security governance, vulnerability and patch management. We held information sessions on topics such as General Data Protection Regulation (GDPR) compliance, breach coaching, and new Personal Information Protection and Electronic Documents Act guidelines.

We have also created a channel of communication where institutions can share their own best practices and guidelines with each other to help facilitate collaboration. It has been put to good use already with several members using it to share information. Communication is vital to the collaboration between these institutions and we believe the information and resources shared all have value and every member can learn from each other.

We also coordinated security self-assessments, which created an opportunity for these institutions to benchmark themselves against each other, as well as other organizations, to determine where their security maturity really stands. Through measurement and analysis, it has become easier for institutions to focus on the right areas, ensuring they have the resources to protect themselves from any possible digital threats.

Sharing our story in the digital community

CUCCIO 2017
(L-R) Myself, Alastair MacLeod (OCAD University), Nela Petkovic (Wilfrid Laurier University), Luc Roy (Laurentian University) and Bo Wandschneider (University of Toronto) at the CUCCIO awards 2017, where the Shared CISO pilot was a finalist for the Collaboration award.

As with all pilots, we learned a lot. We wanted to ensure as many benefited from our successes and learning as possible, so we shared our shared CISO story with others. We presented to other Chief Information Officer (CIO) associations in Ontario and spoke with many technology leaders about their needs in today’s digital security landscape. We modelled this program for those in our own digital community, including Connecting Windsor-Essex and LARG*net, along with those in Canada’s national research and education network such as BCNET, Cybera, MRNET, and SR Net. The program even garnered some media attention in University Affairs. Some interest was generated down south in the American research and education networks such as Merit and NYSERNET, and we shared our story with around 100 American higher education institution representatives at the Research & Education Networks Information Sharing & Analysis Center (REN-ISAC) meeting.

Looking back and moving forward

Leadership Award winners
ORION Leadership Award for Higher Education winners 2019: (L-R) Michelle Moore (Humber College), Lisa Grothier (St. Lawrence College), Alastair MacLeod (OCAD University), Nela Petkovic (Wilfrid Laurier University) and John Levay (Niagara College).

I have had the chance to learn a lot about cybersecurity in higher education institutions and the truly unique nature of their needs compared to those I have seen in other industries. What I found truly unique was their willingness to collaborate. They all were willing to work together towards a common goal and help each other out, which is something you don’t see very often today. It was truly inspiring.

ORION recognized the efforts of this wonderful group of representatives by awarding them with one of ORION’s Leadership Awards this year at Advance Ontario. I’m most pleased that our participants found it a successful program and were happy about the recognition.

I am honored to receive the ORION Leadership Award for Higher Education on behalf of Wilfrid Laurier University and proud to be among a tremendous group of recipients. The security of our information systems is one of the key priorities of Laurier’s Information and Communication Technologies department, and I am grateful that we are working together to create this collective line of defense.
Nela Petkovic, the CIO of Wilfrid Laurier University, in an interview on the Laurier News Hub

Internet security is probably the hottest topic in higher education. We’re all basically getting attacked by the same hackers and the severity is increasing every day. We have to stay on top of it and having these additional resources helps because we’re able to share information.
David Cullum, the CIO of Brock University, says in an article on Brock News

CISO Team
(L-R) Myself, Delilah Moysich (ORION), Sara Whyte (ORION) and David Smith (ORION).

With the success of this shared CISO program and the positive responses from others in our community, we are now working to create a consortium for higher education cybersecurity, where many more institutions can work together and learn from each other to combat the issues many of them face.

This has been a great two years of innovation and advancement for cybersecurity in higher education. As we move forward, all that we learned in this pilot project will be critical to help us continue to innovate and adapt. I look forward to working with our constituents in higher education and helping them with their cybersecurity needs. Here at ORION, we are committed to offering the best cost-effective cybersecurity and to safeguarding innovation.