The CSO50 Conference and Awards recognize 50 organizations (and the people within them) for their security project or initiative that demonstrates outstanding business value and thought leadership. One of only three universities to be honored, the University of California systemwide cybersecurity initiative received an award this year, joining organizations such as Aetna, Comcast, Delta Dental, Home Depot, and Prudential Financial.
CISO David Rusting, Cyber-Risk Program Manager Monte Ratzlaff, and Policy Director Robert Smith from UCOP accepted the award on behalf of the university and gave a presentation about the systemwide cybersecurity initiative. The 2018 CSO50 Conference was held in Scottsdale, Arizona, February 26-28, 2018. The theme was “Leveraging World-Class Security Strategies.” CSO provided the following article to announce UC’s award.
Universities always struggle to find the right balance between implementing strong cybersecurity measures and providing an open academic environment for their faculty and students. For the University of California, the challenge became more pressing and complicated in July 2015, after a cyber-attack on UCLA Health.
“Our leadership realized we had to take a different tack for managing cyber-risk,” said CISO David Rusting. “Cyber-risk is much broader than an attack. It encompasses business, legal, and ethical issues, and leadership requires a better understanding of these issues in order to support a consistent and coordinated approach.”
A unique challenge to setting up a universitywide cyber-risk management program was the fact that the university’s 10 campuses and 5 health systems are highly decentralized and operate independently from each other in many functions, including security. Doing something in a consistent and coordinated fashion among many entities would be difficult. But with leadership support, the university united and launched the Cyber-Risk Management Initiative.
The program is based on five core pillars of cyber-risk management: governance, risk management, modernizing technology, adopting common solutions, and implementing cultural change. These pillars support all aspects of cyber-risk management and are used to drive cyber-risk reduction across all 10 campuses and 5 health systems.
In just a couple of years, the initiative achieved several firsts for the university: Each location has a designated executive who reports to the chancellor on issues of cyber-risk and is empowered to drive cyber-risk efforts across the location. Consistent risk assessments were conducted across all 15 locations. Threat detection and identification was deployed at all locations, a first for a higher education and healthcare organization of UC’s size and complexity.
Though health systems generally require more stringent security controls than college campuses, “a lot of basic controls in security are horizontal and applicable to all environments,” Rusting said. “Understanding the nature of data, its context of use, and the regulations that surround it are critical in order to manage the cyber-risk.”
The university also leveled the security playing field by filling technology gaps at campuses with fewer security investments, including adding FireEye threat detection software at most locations, to help campuses meet the sophisticated threats they’re now facing.
The results: UC’s ability to detect and respond to threats across all campuses and health systems went from taking days and weeks to just a few hours. Cybersecurity training was mandated, with nearly 90% compliance in the first year and 95% compliance in the second year. A leading-edge information security policy was developed, and notifications due to breaches dropped significantly.
Photo left – right: Monte Ratzlaff, David Rusting, Robert Smith