New Spin on Security Awareness
Brandeis CISO Says "Allow by Default, Deny by Exception"
This is the philosophy of Dennis Devlin, CISO of Brandeis University. An information security veteran with experience in both business and education, Devlin is familiar with the classic posture of security organizations: "Deny by default, allow by exception." In his current role, trying to raise awareness of and compliance with security practices, Devlin is trying to reverse that course.
"In a university where you are trying to support open exploration and learning, teaching and scholarship, [you] tend to by default do a lot of things that you wouldn't do in a corporation," he says. "In addition to that, large segments of the population change one or two times a year -- much like cruise ship passengers. If you have ever been on a cruise, on the first day of the cruise a whole new group of people comes in, and they immediately have to be trained how to exit the ship in an emergency and get on lifeboats and so forth. It is very much the same with students. We have a population where every semester, and a lot of times in the middle of the year, we have a lot of new devices connecting to the network, new people connecting to a network, and it's a constant battle to keep everybody up to date."
In an exclusive interview, Devlin discusses:
- Top security issues he faces today - including those unique to academic institutions;
- His approach to improving security awareness;
- Advice to other CISOs looking to improve awareness within their own organizations.
Devlin is Chief Information Security Officer for Brandeis University. He has nearly four decades of information technology leadership experience in both private industry and higher education. During his career he has led enterprise-class initiatives in information security, digital privacy, identity management, networking, electronic messaging, disaster recovery and business continuity planning, emergency notification, and server and network operations. Prior to his current role Devlin was VP and CSO for The Thomson Corporation (now Thomson-Reuters), a member of the senior IT leadership team at Harvard University, and began his career as a developer, analyst and manager for American Hoechst Corporation (now Aventis).
TOM FIELD: To get us started, why don't you tell us a bit about yourself and your experience, as well as your role now at Brandeis?
DENNIS DEVLIN: I've been in information technology for about four decades now. It's been a very long time. I've spent about the last third of that focusing on information security and privacy and had been a CSO in a large international corporation for about a decade. Then in the middle of my career I had been at Harvard University. I really loved Harvard, and returned to Brandeis. I'm in my fourth year at Brandeis now as their first ever Chief Information Security Officer. Brandeis is a private research university that also has a major component that is a liberal arts college. It has all of the challenges and resources and facilities that a lot of much larger schools have.
Top Security Challenges
FIELD: Dennis, having been in business as well as education, you've got a perspective on this. What are some of the top information security issues that you typically address now?
DEVLIN: They are really pretty much the same. It's just that the climate is different. I mean, we always speak about security as protecting confidentiality, integrity, and availability. I always like to speak of the four "R's": risk, regulations, revenues, and reputation. And universities are subject to the same regulations for protecting confidential information, the same revenue challenges and reputational challenges that a corporation would have.
The difference is that in a corporation, you deny by default and allow by exception. In a university where you are trying to support open exploration and learning, teaching and scholarship, [you] tend to by default do a lot of things that you wouldn't do in a corporation. In addition to that, large segments of the population change one or two times a year, much like cruise ship passengers. If you have ever been on a cruise, on the first day of the cruise, a whole new group of people comes in, and they immediately have to be trained how to exit the ship in an emergency and get on lifeboats and so forth. It is very much the same with students. We have a population where every semester, and a lot of times in the middle of the year, we have a lot of new devices connecting to the network, new people connecting to a network, and it's a constant battle to keep everybody up to date.
Education's Unique Issues
FIELD: Well, that is something I would like to explore a little bit more. Dennis, what do you find to be some of the unique issues with educational institutions in terms of information security?
DEVLIN: Since it is such a heterogeneous population -- I mean, most CSOs that I know don't have Xboxes and PS3s connected to their networks. So it is a very open, collaborative sort of environment. There is only so much that you can do with technology, and you focus a lot more on people and process. Part of our mission at the university is to educate students, faculty, and staff about operating safely on an increasingly hostile internet. The other thing that happens at a university is everything doesn't happen on campus. Whereas in a corporation, you say "Well, everybody comes to work every day, and they are working on the corporate network," learning, teaching and scholarship happens every place now, like in internet cafes and coffee shops, and all sorts of international locations, so we really need to kind of harden our people to know how to operate safely and make good decisions about the information they disclose, protecting their privacy, protecting their identities, and so forth. It is much more of a holistic kind of effort. There is only so much you can do with technology.
People, Process, Technology
FIELD: In that last answer, you mentioned the three key segments of information security: people, process and technology. Over the years, what have you developed to be sort of your secrets to ensuring the proper treatment of all three of those?
DEVLIN: Great question. You can't do it by yourself as a CISO. It's not something that can be done by the IT department. The first thing I've done in every situation where I've been a security officer is to build a team. That team at Brandeis we call the Information Security Advisory Council, and it is composed of mid-level executives that represent all of the various constituencies across the university. We meet every single month. We collaborate. They give me advice on what they see as their risks. We do our best to educate them about risks, to consciously develop the risk tolerances of the institution, and then to put policy and practices and so forth in place. The advantage of doing that is now it becomes a business process. It becomes part of the real fabric of the institution and the culture of the institution. It is not a technology issue, and I have a lot of people that work very, very hard to help get our message across and to educate the entire institution.
Approach to Management
FIELD: You know, it strikes me that your career really runs the gamut of the life span of information security. So, I've got to ask you, over the years how has your approach to security management evolved?
DEVLIN: 1976 was the first time I remember focusing on this, and I was a database administrator for a big international corporation. We were setting up authentication for the people that were using the corporate systems. I thought about it a lot. Those people didn't leave the building. It was all a coaxial network that was just in the building. Yet we still had authentication. We still had access control. We still had the principles that we have, like the law of least privilege, never giving somebody access to more than they really need. Over the years the basic model has remained the same, but the challenge has just become much, much more difficult as we expand it and open things up, and now we have this interconnected world where literally anybody has access to anything from any place.
Awareness
FIELD: One of the topics we discuss an awful lot these days is security awareness, and I've got to think that is acute at a university where, as you say, you've got a new constituency coming in every semester, every year. What is your approach to security awareness with students, with staff, with your colleagues?
DEVLIN: It's constantly getting information out to people. We have come up with this notion of "Moments of Truth." Be it at our help desk, be it at any interaction that anybody at the university has with any member of the information technology department, it's a moment of truth where we can help them learn the proper safe ways of doing things. So we work very closely with the help desk. We work very closely with human resources. We work very closely with the student organizations, and you wind up doing a lot of marketing. It is a lot of kind of theme-based things where we're repeating things over and over. The theme for this year is "Privacy is your business," and everything that we teach tries to tie back to that particular theme. If you are protecting and mindful of your own information, you will also be a really good custodian when you have custodial responsibilities for other people's information.
Advice to CISOs
FIELD: A final question for you, Dennis. Certainly, Brandeis isn't alone in having its first CISO. What advice would you give, particularly to other educational institutions, where they have a new CISO that is grappling with some of the same issues that you are?
DEVLIN: Don't try to do it alone. Build a team on campus, and also reach out collaboratively. Most peer institutions are happy to try to help. We're not competitors. We all have the same basic objective of trying to share information with everybody. All of the information on our website is pretty much open to the public. We share it with our community. We blog, we try to syndicate any content that we put out. We have a Facebook page. You do everything you can to reach as many people as you possibly can, using the media that they are comfortable with.