In this edited interview excerpt from the CISO’s Secrets podcast, CISO Mardecia Bell unpacks what it’s like to serve as an information security expert on a university campus. A highly accomplished CISO, over the course of her storied, 38-year career at the North Carolina State University, she has smartly built up systems, implemented new technologies, and achieved exceptional results. Leverage these insights to evolve your system set-up and to begin the new year on the right track.

Host: I know from my early years, universities tended to be unconcerned about filtering what content people reached for. Universities were environments of ‘free access’, as to foster intellectual thought. But that’s diametrically opposed to the security challenges. I remember, many times, talking to universities and hearing about that dichotomy that they wrestled with. So, I wonder if you can perhaps talk a little bit about how you dealt with that over the years?

MB: So, I think it started changing in the 80’s, when the terminology of ‘client server’ emerged. Mainframes started going away. People started giving customers more control over data…

Host: That was when we started building networks too, right?

MB: Yes.

Host: We kind of went away from this big behemoth in the sky (which ironically, we’re kind of back to. We just call it ‘cloud’ now. We don’t call it mainframe. But you’re right, that cycle of where we all went out into our little fishbowl and had to support information at that level…

MB: That’s when we started the Local Area Networks (LANs) and so forth…You remember the Novells of the world and that sort of thing…That was the start of it.

Host: I find it fascinating that we thought so differently about security when we were each in our own fishbowl…You know what I mean? You just mentioned Novell, well I wasn’t using Novell, I was using Token Ring. And the company next to me wasn’t using Novell or Token Ring, they were using Banyan VINES…The point being, I think we all looked at security differently then, right? It was more about ‘hey, who’s stealing from us’?

MB: We did. There was a lot more freedom and we didn’t worry about things so much. But then, we started having all these hackers come on the scene, and then things started moving into the cloud…That was around Y2K. People started migrating to the enterprise systems, and the cloud networks, and people started putting more of their data in the cloud…And that was when the government started cracking down on security controls, and you started seeing all of these requirements creep in and so forth.

So, as that started happening, the universities — which were accustomed to an extensive degree of freedom, and used to putting everything out there in regards to their research and so-forth — all of a sudden, realized that they needed to start securing the data.

Because at that point, the hackers started to realize that universities had all of this freedom, and they thought to themselves ‘oooh, this is a goldmine for us.’ The hackers began to launch phishing attacks and other threat types. That’s when universities started putting in more controls to protect data. We had to start classifying the data, so that you had the controls associated with that classification, and so-forth.

Host: That’s spot-on Mardecia. And I believe we used to look at it in such a way where, if you were within the perimeter, everything was fine. But if you were external, then…And I think you’re spot-on in that when we shifted over to TCP/IP, that fishbowl went away and all of us were in the same big ole’ ocean, that enabled a different level of access. I think it’s definitely been a double-edged sword.

Before, when you were in your Novell network, you certainly didn’t have access to what you do now on the internet, but it is that connectivity that introduces the threats, and as that level of connectivity has multiplied, the complexity has become quite challenging.

MB: Yes, it has. And now we have to deal with all of these compliance requirements. You have PCI, you’ve got DLVA, you have NIST-800-171, you’ve got the FERPA and the HIPAA and the list just goes on.

Host: And there are serious consequences if an organization doesn’t adhere to compliance requirements. You mentioned it earlier. The government is getting involved too. They’re not just saying ‘don’t do that’ or ‘hey, you’re going to get in trouble’. Compliance failures have a real cost.

MB: Yes, that’s correct.

Host: Obviously, you’ve evolved and grown your staff…You mentioned phishing, and I just want to delve into that further. How do you deal with this increased threat? Universities are becoming more of a target. Are you looking outside for services and other augmentations to your security to keep your people and systems safe?

MB: When we had to comply with PCI, several years ago, the university had the foresight to purchase some tools associated with that, as we didn’t have any login and monitoring tools and things of that nature.

So, we’ve had that in-place for a while, and more recently, we’ve expanded that to everything in the data centers that we have, we’re expanding that across campus…We’ve deployed that to our high-profile accounts and we’re working on inventory for all of our systems…Also endpoint detection and response.

Host: And are you looking at some of the other DRs, like MDR and XDR?

MB: We are looking at that, yes. We have brought in a number of consultants to evaluate systems and so-forth, so we have taken their recommendations and put that in a plan…Like a do now, do next, and do-later concept. We do have a SOC, a security operations center. We started out with a one-person SOC a few years ago because of all of the tickets and the incidents that started to occur. Today, we have a three person SOC with a manager.

Host: You have quite a number of students, faculty and staff. Near 10,000 faculty and staff. Forty-thousand students. That’s a lot of people and resources to protect. Earlier, you mentioned protecting higher profile staff. Does that mean the professors?

MB: That’s like the administration, the basketball coaches, and the folks who have access to sensitive data — people of that nature.

One of the things that we have done, which we are proud of, is that we have mandatory data security awareness training for employees. We’ve done that for about four years at this point. We’re still working on that for the students, so hopefully that will be coming soon.

Host: Interestingly enough, that’s become quite a focus for enterprises, for that matter. Are you implementing any of the different types of mock-phishing attack tools, and similar tools to better educate your students and users?

MB: We are in the process of doing a pilot for that right now…

Expand your world, gain new perspectives and lead with confidence.
Listen to the full interview here! 

                                                      For more CISO strategy insights: