Is culture impeding security?

Have you ever questioned how effective we are at doing our job, when you see all these reports coming out about servers being hacked and personal information being lost?   We are certainly aware of these reports and take them seriously.  It seems like there is a new one every day.  Recently it was announced that Target lost the personal information of tens of millions of people.  This is stunning.  Higher Education is not immune, and has its fair share of attacks.

In some cases, attacks are becoming more sophisticated, while in other cases, brute force processing power is used to find weakness.  Last week I was talking to some of my peers in the U.S. and we had an interesting discussion on why these attacks seem to be happening more frequently and what we are doing about them.

We bounced around a few ideas we had heard elsewhere, and three things surfaced:

The culture of hoarding:  We simply keep too much information.  We need better record retention strategies and we need the policies in place to make sure people follow them.  In our information age, the days of trusting that individuals have the skills, judgment, and capacity to manage this are long gone.

The culture of frugality:  We need to invest more.  In higher ed we sometimes lag in having the proper governance structures in place to be able to make the tough decisions on where resources are needed and what the priorities are.  It is hard to commit new investments when funding is being cut and tuition is regulated, but we need to look at the whole picture.   Information Technology is an integral part of the university and we need to stop treating it as a cost centre.  Our investments need to be strategic and effective.  In some cases this means looking at the cloud, which means we need to overcome the perception that information in the cloud is less secure.  This is not necessarily true and in many cases cloud security is significantly better and more cost effective than what we do today.

The culture of service:  This was the one I found the most interesting and one I had not thought a lot about.  We are moving more and more to a culture of service and trying to deliver whatever our community needs.   As we do that, we may not be emphasizing security as much as is probably needed and we are likely compromising. The stress on this service culture is partly to build up trust and to avoid too much shadow IT in the organization.   Some of that shadow IT is healthy, but we do need to ensure we invest where the value ad is and make certain that security is well understood and implemented.  On top of this, the university ‘network’ has also been thought of as a fairly free and open environment and that adds to the risk and means we need to be more diligent.

Back to the question of whether we are doing our jobs.  Simply put, yes. I know we take the threats seriously, have many mitigations strategies in place and invest a lot of resources. I also feel that the cultures of hoarding, frugality, and service are making it a more challenging endeavour.   We need to engage the community, build a better understanding of the risks, make sure proper policies and tools are in place and back this up with effective investments.  We need to consider all options, because this is only going to get more challenging.

Security – Everyone’s Responsibility

When was the last time you forgot your laptop or phone at a coffee shop, bookstore, library, or restaurant, only to find it still sitting where you left it when you rushed back in, panicked, a few minutes later?

When was the last time your car, office, or home was broken into and something was stolen, but you weren’t sure what?  These are places you think are secure, perhaps even alarmed, but were still vulnerable.

We usually think of something like this in terms of what we would have lost (“my whole life is on that phone!”) rather than what someone else might have gained.  But was there a USB key sticking out of your laptop?  Is your phone password-protected?  Is someone else’s personal information on any of your devices?  Can these devices be used to access other systems?

When we relax our attention, these thefts are more frequent and other security threats become more prevalent.  We need to build awareness and ensure we have the resources to build prevention into our technologies and services.

Most people in our communities are unaware of the massive number of attacks that occur behind the scenes on our systems.  Occasionally, an individual may get caught in a phishing attempt, or maybe they get a virus or malware on their personal computer. These threats are only a fraction of the threats out there and even though the personal costs may seem significant for those impacted, the cost of prevention and remediation to the organization as a whole is a significant part of our operations today.

We need to be aware of these threats and we all need to ensure we do what we can to help identify and prevent them.

In terms of email we see an incredible amount of spam and malware coming to our border.   At Queen’s, we might see about 14,000,000 incoming messages in a given month and close to half of those messages are intercepted at the edge and rejected as spam.  The University purchases and maintains special hardware to make sure the vast majority of these messages don’t make it to your inbox.

Through public education, the community is becoming more aware of phishing attempts and usually ignores them, but accounts are frequently compromised and Queen’s has to expend considerable resources to mitigate the risk that these accounts pose.  Occasionally these accounts send out massive amounts of spam.  ITServices has to keep scripts in place to identify and throttle these accounts before Queen’s is blacklisted and our email systems come to a crawl.   Information can also be stolen from these accounts and the costs to repair that are hard to quantify.  At the moment we only scan Queen’s outgoing email for spam, but there are tools that prompt machines to scan email for things like SIN and Credit Card Numbers and notify the user to a double check before they let the message go out.

This isn’t unique to Queen’s and in the last few days we have seen the following posts at Western and Carleton, reminding the community about threats.

http://www.uwo.ca/its/news/2014/information_security_threat.html

http://www.carleton.ca/ccs/2014/phishing-attempt-appears-canada-revenue-agency-tax-refund/

At Queen’s, we also run an intrusion detection/prevention system on our network.  Between January 14, 2013 and January 14, 2014 we blocked just under 20,000,000 ZeroAcess Bots connection attempts.   These are a type of Trojan horse malware that affects Windows systems.  In addition, we blocked over 700,000 ICMP: Nachi-like Ping attacks, which is a family of Worms that attack systems.

There are thousands of other attacks and the threat is significant.

On top of the intrusion detection system, we need to ensure our services and servers are not vulnerable to these attacks and exposures.  In 2013, Queen’s did 231 security assessments, some with external resources and some with internal resources.  These take a lot of time, but they are preventive in nature and well worth the mitigation that they deliver.  We plan for these assessments to be done on new services as well as services that have undergone upgrades.  We also monitor what is happening elsewhere and assess where we feel there may be heightened risks.

In addition, we have numerous compromises that we have to deal with on an emergency basis.  The assessment, mitigation, and recovery take significant effort.  Not all of these compromises are preventable, but education, knowledge, and awareness do come into play.

I hope this information has increased some awareness around the number of threats that Queen’s faces and reinforced the notion that security is a concern for all of us.  We need to have strong policies in place, make sure there is user-awareness, that individuals have access to the tools they need, and that we invest appropriately to prevent intrusions and their associated clean-up costs.

Acting AS THE Business

During the last couple of weeks I had the opportunity to spend time with my peers in Canadian higher ed institutions through CUCCIO (Canadian University Council of CIOs) meetings and through a Microsoft Higher Education Executive Briefing in Redmond, Washington.   This is always a great opportunity to share ideas, develop thoughts, establish common ground, and build partnerships.  In one of the background pieces for CUCCIO strategic planning discussions, the following comment sparked my interest:

“..exploring, understanding, addressing the transformation of Higher Education and the CIO role and how we can collaborate on what that looks like and how to effectively manage the change in our diverse and structured environments”.

This is something that we really need to ponder and figure out.  The role of the CIO is evolving in most sectors, as are the roles of the people employed in HE technology.  I don’t think it is anything more than the maturation of our organizations as a whole, and the maturation of the role that IT plays within that organization.   I have talked about this evolution before in various forums.  It is related to the notion that IT is embedded in most everything we do and because of that we need to embed IT decisions into the day-to-day business of the organization rather than having it as something over on the side that is only called upon on occasion, or worse yet, whenever there is a problem.   At the same time, I have also said that IT is an enabler and a partner.   I am beginning to rethink this a bit.  It is not that I think it is wrong, but maybe there is a better way to characterize this.  After all, it is not just about IT changing, it is also about the organization changing, so maybe we need to look at it from the other side as well.

A few months back my Associate Directors went to a development program through the Intervista Institute in Ottawa where they looked at IT Portfollio Management in a strategic sense.   One of the things that they discussed when they got back was the area around IT and business alignment.  It is absolutely critical to get to this alignment, but probably one of the hardest things to achieve.  Whether it is lack of engagement by the business, lack of understanding of the business by the IT unit, lack of resources, or lack of leadership/vision, it is hard to drive this sort of transformation.   At the end of the day it is no longer about producing good code, it is about improving business performance and having a shared vision around what that means.

In the development program, the Associate Directors looked at IT Credibility and Capability and laid it out in two very nice quadrant style diagrams.   In the bottom right of the Capability diagram was the traditional notion of Supporting the Business.  This is about cost and efficiency, which results in a delivery of Low Capability.  This is such a trap that we fall into.  IT becomes a cost centre and at the end of the day nobody is happy because we are not enhancing business performance, even if we say we are working efficiently.

The middle of the graph is where IT is Acting like a Business.   In this area we are starting to drive from efficiency to effectiveness and from cost to investment.  In this area we haven’t yet developed a balance and subsequently we aren’t fully delivering on business performance and we haven’t maximized the IT capability.   I see this as a transitional piece – a place we have to go, but also somewhere in which the path forward is not always clear, and there is always the threat of falling into the efficiency/cost trap.

True alignment between IT and the Business is where we focus on effectiveness (as opposed to efficiency) and treat IT as an investment, rather than simply a cost.   The title of this quadrant is Acting AS THE Business.  IT may be an enabler and partner in this area, but it is also an integral part of the business.  Decisions about technology are no longer made in isolation and we measure business outcomes, not just cost efficiency.

I really like the three states that they describe:  Supporting the Business, Acting like a Business and Acting AS THE Business.  It certainly resonates with me, but I also think this is something that is stated in common language that can be understood by the technology group and the business.  I believe it lays out a clear path forward for us.  In a previous post I have talked about running our senior administration through the Info-Tech CIO Business Vision Survey which is about understanding the business and measuring the business satisfaction.  This is about driving alignment and trying to move us towards acting as the businessAt the moment I am going out to visit each of the people who have completed the survey and, upon reflection, I really think those visits are all about driving alignment and talking about getting IT to act as the business.