By Azra Ayers. With 20 years of military IT background, UCR’s Chief Information Security Officer (CISO) John Virden knows when to get in on the ground floor. So when UC CIO Tom Andriola and UC CISO David Rusting called for campus volunteers to participate in a collaborative cybersecurity research project, Virden was the first to take the leap – signing up UC Riverside’s Information Technology Solutions (ITS) on the spot.
The research project is being conducted by Ashwin Mathew, a visiting scholar at the UC Berkeley School of Information and a researcher at Packet Clearing House. In a system as large as UC, where cybersecurity is a long-term priority, Mathew is looking to address a variety of questions:
- What is the range of risks we are anticipating?
- What are we doing to address and investigate difficulties?
- Ultimately, how can trust play an integral role in the resolution of information security risks and troubles challenging our campuses and the system as a whole?
Mathew’s angle is intriguing precisely because it is not focused on personally identifiable information, or how to avoid the latest and greatest virus. His objective is to investigate information security cooperation and learning among higher education institutions, particularly the UC system. He wrote,
“To effectively respond to threats and vulnerabilities, information security practitioners must cooperate to securely share sensitive information and coordinate responses across organizational and territorial boundaries. Yet there are insufficient numbers of personnel who have learned the competencies necessary to build information security teams.”
During his three-week stay at UCR, Mathew worked closely with members of the ITS Information Security Office and other departments and colleges (e.g., computer science, the library, and executive offices). He conducted numerous interviews to gain understanding of the organizations’ day-to-day activities and long-range goals.
Department representatives discussed their primary information security concerns, their needs and goals for data sharing and communication, and their perspectives about major roadblocks to enhancing information security. The latter turned out mainly to be the decentralization of information security teams across campus, as well as the difficulty of sharing and collaboration, given the sensitive nature of the content.
Mathew’s enthusiasm and research inspired the information security team to try new ways to grow trust relationships. They found that few tools work better for promoting campus-wide security than having the opportunity to meet face-to-face with representatives from other departments.
To this end, UCR ITS has initiated the Campus Information Technology Leaders meeting series and formed an information security taskforce. Both groups are composed of IT professionals from all the UCR colleges and meet regularly to discuss common issues and how to work in concert to enhance security and services for the campus. Campus executive leadership also is encouraging staff attendance at UC wide security events to build opportunities for collaboration with other campuses and bring back knowledge for the team.
Mathew’s research will take him to all UC campuses, with three others already in the queue after UCR. He expects that his final report will show how risk and uncertainty can be navigated by developing trust relationships among information security professionals, both within a campus and across the system. He wrote,
“Information security is a fragmented whole, composed of strongly bounded, sparsely connected trust groups and organizations that seek to ensure the trustworthiness of participants. We suggest a substantially different set of policy interventions to support cooperation and learning in information security, focusing upon building interpersonal trust relationships, as much as on building institutional arrangements. Our recommendations include suggestions for stronger information sharing communities, for building relationships between educational institutions and information security practitioners, and for supporting diversity.”
Members of the information security team are shown above, l – r: Bill Green, Jonathan Ocab, Chris Loo, Ashwin Mathew, John Virden, Andrew Tristan. The quotes in the article are from “A Fragmented Whole: Cooperation and Learning in the Practice of Information Security” (February 2018), by Ashwin Mathew and Coye Cheshire.