By Jesse Drake
The balance between IT security and operational efficiency will always exist, but information security teams are increasingly recognized as vital partners in protecting an organization’s interests.
With stores of personal information, intellectual property, and sensitive research in play, guarding against data breaches for the U’s campus and hospitals/clinics – broad targets for cyber criminals – can be daunting.
"If you can do IT security within a university or hospital, you can pretty much do security anywhere," said Corey Roach, manager of UIT's Enterprise Security group since 2014.
The team is strategically positioned in the Information Security Office (ISO) to respond to serious information security incidents that pose large-scale risks, from major outages and data extrusion to more nebulous matters like the U's reputation.
"[Security Assurance's] job is to make sure that day to day, something hasn’t happened," said Security Analyst Jake Johansen, who worked at the U in the late 1990s, returning to ISO in 2003. "Our job is to make sure that tomorrow we’re a lot more secure than we are today."
After any major breach, the Enterprise Security team also performs forensics on affected IT infrastructure.
"If a machine gets infected but doesn’t really have any sensitive data, it's not all that impactful. We can re-image the machine and take care of it," Roach said. "But when it comes to something that bubbles up that has more widespread impact, like a hospital in-take machine for patients that unexpectedly sees a bunch of traffic and looks to be losing information, now we’re involved – collecting evidence, looking at network flows, trying to determine what happened."
Enterprise Security comprises project work such as deploying new security tools or tuning software used in the SOC, in addition to collaborating with UIT's Governance, Risk & Compliance (GRC) team on the technology aspects of government regulation and compliance, and the standard-setting activities of Enterprise Architecture. "We function almost as consultants," Roach said, noting that they advise engineers in University Support Services (USS) on security when they're designing a new system.
Another key aspect of Enterprise Security is informing leadership when something adverse happens, related risks, and recommended next steps.
"In order to do the job at this level, you have to have both conflict-resolution and problem-solving skills. You have to be data scientist and diplomat," Roach said. "There's a lot of communicating, compromising, and playing well with others, but at the same time, we have the high technical understanding of what the risks are."
A university doesn’t have the same controls as a large corporation, by virtue of its decentralized nature and allowances for personal devices, including the hard-to-manage Internet of Things (IoT), and a divergence of data types.
"Doing security here is more like security for a small city, not an organization," said Security Analyst Ryan Terry.
Prior to coming to the U, Terry and colleague Benjamin Poster each spent more than a decade performing information security in the banking world. They faced many of the same challenges around identity and access controls, ransomware, and protecting payment card industry (PCI) information, but the closed corporate environment was more structured and security-centric.
"There, everything was tightly managed, and we were dealing with one kind of data. It was a single chain of command," Poster said.
Most IT security professionals will tell you that in a perfect connected world, a healthy dose of skepticism would be the default for consumers of technology. But when you're helping to protect the relative free flow of data in and out of a university, paranoia is a job skill.
"The way I like to frame it is, we’re paid to be paranoid so they don’t have to," said Security Analyst Dustin Udy, who started on the cable team at the U in 1996, working "for just about every department in UIT but the network team" before moving into security in 2011.
“You have to think, 'If someone wished to do us harm, what would they do?'" Roach said. “You look at all the angles. You’re trying to find that worst case scenario, and how you would respond. You have to have the mindset of both the attacker and the defender.“
Beyond the unique challenge and satisfaction of the work itself, Udy and Johansen enjoy serving on the Utah System of Higher Education (USHE) security team, conducting penetration testing on computer systems at other schools. A "pen-test" is a way to evaluate the security of an IT infrastructure by safely trying to exploit vulnerabilities. Terry noted that the group also finds mentoring ISO student employees gratifying, and that on occassion, they're called on as subject matter experts on the academic side, e.g., advising on a thesis project for computer science graduate students.