7 Questions with REN-ISAC's Anthony Newman
And finally, just being financially strong and making sure that we stay up with what's expected. We're 20 years old. We're not a government mandate, even though many people think we are. Some ISACs are funded kind of as an expectation; we're not. We have over 750 member institutions, and every year, we essentially have to justify our existence with them. And thankfully, we've increased our members every year and there hasn't been a challenge. But just from a business sense, every year — because of the price point, and because of the budgets in higher ed — we have to justify our service. You don't see that in a lot of other industries, where being part of an ISAC is actually something they report to their board or to their public filings. So that's just kind of a unique aspect with higher ed.
CT: Drawing from your experience as a CISO, what would you say are the biggest challenges for higher ed CISOs right now?
Newman: Without a doubt, it's doing more with less. Every institution, regardless of its current financial state, is expecting the entire IT and security suite to operate more with less. And that could be through grants and other funding, or it could be, "You're going to cut your budget by 3% this year."
The biggest challenge from a threat perspective is protecting massive amounts of data. Higher ed has lots of sensitive data: individual student data, their parents' social security numbers and tax records, things like that. In many schools, all of that data will end up on a server somewhere. That's not going away. And now you have students who also expect to live, work, play, and have access to everything all at once — so you have to have a strategy to protect all of that data, while also doing it with less central funding. That's a big challenge.
CT: When you think about efforts to break down data silos and utilize data across the institution, does that complicate the security aspect?
Newman: It does. What we're seeing now, and I can only speak from my experience, is the expectation that data from one part of the institution will be able to be utilized for other business analysis. And I use the term "business" loosely: It might be, how do we get students to graduate on time? Or how do we get more students graduating? That is the "business" of higher ed. There's an expectation that the business needs that data, so there is a tendency to try to break those silos down. And if it's done in the right way, it's great. But that also presents new challenges.
If you want to move quickly and do things quickly, sometimes those different arms of the business don't talk. You might have a president or a provost say, "We need this data to do this," or, "I expect us to have more students next year graduate at the four-year mark." And that message isn't always shared with the IT group that has access and protects all of that data or manages the data centers and databases. If there's strong communication, it works just fine. But it's a big challenge if the organizational structure does not support that communication.
CT: How would you say the cybersecurity risk landscape has changed in the face of emerging technologies like AI?
Newman: I don't think it's necessarily presenting as significantly more risk. While some are doing nefarious activities with AI to try to simplify attack vectors, researchers are using AI to combat that.
Yes, various large language models can produce really convincing e-mails that could be used to target schools or individuals, especially universities that do significant research and DoD. But today, most phishing works by quantity. It's really a numbers game.
Prior to being hired, I joked with my REN-ISAC team that we're using ChatGPT to do all sorts of things. Who knows whether I used it to write my application for the position? And then when I actually turned in my resignation from Purdue, just as an "I wonder what this does," I anonymized the information and threw it into ChatGPT to see what it would come up with. And it's really good, right? That's why people use it — it's really good. But it will not replace humans anytime in the future.