Tessian Spotlight: Don Welch, Chief Information Security Officer at Penn State University

Can you give a brief overview of your background and responsibilities at Penn State?

As Chief Information Security Officer for Penn State University, I am in charge of a range of things including identity and access management, security operations, privacy and compliance. This involves overseeing the unique responsibilities of each of those teams.

What are your core objectives in the role?

One of the main objectives I work to, is to understand who is on the network and who has access to what. This is what our privacy and security is all about, stopping people getting access to critical information that they shouldn't. Compliance is another large objective that has a lot of overlap with security. Compliance is necessary and often the fines and other sanctions are a serious risk to Penn State. However, while the standards do support security initiatives, they're not sufficient in themselves. That makes the distinction between what policies and programmes are compliance-led versus security-led very important for us.

Have you observed any dynamics that are unique to university environments when it comes to information security?

The interesting thing for large research universities is that we are affected by almost every area of compliance and information threat that exists. We have healthcare data, valuable research, financial information, student PII as well as a nuclear reactor, an airport and all the utilities cities have. This means we are subject to a range of threats like nation state actors trying to steal IP or gather information for their country, and criminals targeting us for fraudulent payments.

Do you think universities are well equipped to deal with these threats?

No, it's a real challenge. Universities do great things as faculties are very entrepreneurial, working on cutting edge innovations with relative autonomy. While autonomy is an important value of the institution, it makes cybersecurity more challenging. The university has so many faculties and operations which create a diverse range of activities within the one system. Creating security alignment that works effectively across the board is therefore a big undertaking. 

How do you instil a cybersecurity culture in such a diverse environment?

We have 17,000 regular staff members and 100,000 students who all fall prey to different kinds of attacks. We tailor our education and training approach to each different group, ensuring that people understand both the threat to them personally and to the institution.

How does human error play a role in cyber vulnerabilities?

Phishing and social engineering attacks are getting more sophisticated meaning that even very intelligent people can be deceived. 

We know people make mistakes so it's important to maintain a combination of approaches to mitigate human error. We implement layered security strategies because you can't depend on a single defence approach. We build security that considers everything together; people, technology and processes. 

With a phishing campaign for example, when a normal user has fallen victim and an attacker takes over that account we have several ways of identifying the attack and stopping it before the attacker does damage.  We look for strange account activity that indicates a compromised account.  We mandate protections on privileged accounts, changing the password every time it is used.  We separate our sensitive systems from the rest of the network.  These are some of the controls we use to protect our system in a layered and integrated manner.

Where do you see the biggest risks being in future?

Attackers are always innovating so we have to continually evolve our defences to keep up. This will become more challenging when adversaries begin to use AI and automated techniques to attack systems much more rapidly. We'll have to act more quickly to match their speed.

But we still have the basic challenges that we need to address - simple attacks still succeed because people continue to fall for spear phishing attacks. We cannot forget about the basics and get distracted by shiny new toys.

What are the common misconceptions about the role of cybersecurity?

A lot of cybersecurity professionals look at security from a risk-based approach, they'll assess what the individual risks to the organization are. That's important, but it has to be incorporated into a larger strategy that looks at the bigger picture of potential damage and allocates our cybersecurity resources in an efficient and effective way. We have to think how our attackers are thinking in order to understand how they will attack us.

To read more interviews in the series, view our Spotlight Series: Full Archive here.