So, it’s December already. Six months, or so, as the OSU Chief Information Security Officer, and it’s likely the fastest six months of my career.
Information Security in Higher Ed is really, well, weird. On the one hand we have a bunch of data that we all agree we should care about protecting – financial data, medical stuff, student records. On the other hand, we are a public, land-grant research institution that prides itself on a comprehensive data, and more importantly KNOWLEDGE, sharing policy. Throw in some ambiguity about who OWNS the data (The researcher? The student? The public partner? The University?), and it’s enough to send an Information Security professional running for the hills.
While I’ve been working through this learning curve, the outside world hasn’t stopped either. As a Target customer, I was one of 40 million customers potentially impacted by their breach. Edward Snowden is one of Time’s People of the Year, and don’t get me started on the hackability of thumbprints, encryption keys and cars. Yes, cars.
So where to start? Well, actually, we’ve already started, years ago. We have done a lot to implement technologies that will help us identify and respond to threats, protect some strategic systems, and yes, monitor some stuff. But this will only take us so far. We need to go to where the knowledge is, and at OSU, that means full engagement with our teachers, researchers, students and staff. It requires everyone to know what information they care about, and where they keep it. It requires the security team to work to enable KNOWLEDGE sharing – intentionally, securely – not to inhibit it.
The good news is, OSU is full of creative, collaborative people, who understand that a strong information security program is a foundational support to OSU’s mission. Even the most regulated of private industries can’t make that claim. So, as I sit here and watch the fire and celebrate the season, I also look forward to the New Year. Because, while there is a lot yet to be done, it’s going to be FUN.