Praises operational excellence, hopes to advance culture of cybersecurity
By Jesse Drake
After two months of whirlwind introductions, Dr. Randy Arvay, the University’s new chief information security officer (CISO), is starting to settle in.
“Everyone has been extremely welcoming,” he said. “I'm happy to be here.”
Arvay is impressed with the level of cooperation and transparency he's witnessed thus far.
“We function very well operationally – together as a team and across the University,” he said. “There have been a number of malware and network intrusion attempts in recent weeks, and I’m pleased with how people have reacted and reached out across campus to keep their counterparts informed. It speaks well of the overall culture here, which I see as very open and communicative.”
External communication aimed at cultivating a culture of cybersecurity is one area where Arvay sees an opportunity for growth. He said everyone in the U community, particularly newcomers, should familiarize themselves with the concepts in the U’s Information Security Policy 4-004, and practice them whenever engaging with technology.
“We have a new crop of students coming in who, since a young age, have been consumers of technology. But that doesn't mean they fully appreciate the consequences that stem from that," Arvay said. "Each successive generation is more and more technology-aware, but not necessarily security-aware with those devices.”
Adopting a teaching model suits Arvay. No stranger to academia, earlier in his career he served as an assistant professor at the United States Naval Academy and adjunct instructor with the University of Miami.
Integral to shaping the U's culture to be more security-conscious is changing any lingering perceptions that information security is at best, disruptive, and at worst, unwarranted.
When Arvay is presented with the concern that a security requirement hampers productivity, he contextualizes it by noting the numerous security measures we take in our lives outside of the U, e.g., PINs used with an ATM card, and other two-factor authentication before using sensitive online applications.
“It comes down to, if you take security precautions in your daily life, why not take similar steps to protect the organization that you’re working for?” he said. “That’s the buy-in we need from the community, the understanding that we do everything in our power to protect users and their devices, but we need their help, too."
Arvay is excited about all the steps that the Information Security Office (ISO) has taken to shore up cybersecurity on campus and hospital/clinics. He points to an initiative underway by the Identity and Access Management (IAM) team to tighten controls around user access to high-risk applications as an example of empowering staff to make their computing environments more secure.
"This is a checks-and-balances process that ultimately will make access to systems and applications much more secure and easier to manage," Arvay said.
In addition to attending meetings and formal introductions to various stakeholders around the University, Arvay has made time to interact with his security team more casually.
"They truly are a great group of people," he said.