Episode 11

Fly the Plane: A CIO's Approach to Cybersecurity Readiness

Fly the Plane is how Dr. Timothy Chester, Vice President of Information Technology, The University of Georgia, characterizes his philosophy and approach to cybersecurity readiness. Dr. Chester spoke at length about a proactive approach to information security management anchored on strategic planning, senior leadership commitment, strong teamwork, sophisticated intelligence monitoring, and robust training and testing practices. His candor and reflection made for a most interesting conversation.

Time Stamps

02:07 -- What is your take on cybersecurity preparedness? How do you approach readiness?

04:49 -- What are some cybersecurity blind spots? And how do you cope with them?

09:36 -- How do you ensure that your team has the latest experience and expertise in keeping up with these different evolving attack vectors?

12:51 -- What kind of help and support can you expect from the other business units, as well as the individual stakeholders, whether it's faculty members, whether it's students, what could or should they be doing to help secure the environment?

16:02 -- Anything that you'd like to add for people who are listening in, and who feel a little frustrated or let down that they don't see that level of active commitment from top management?

20:11 -- Now, there is a lot of research out there that speaks to the importance of customized training, that speaks to the importance of role-based training, training that shouldn't be one shot, because people often don't remember the first time what they were trained in. And then another aspect that often doesn't get addressed is how do you measure training effectiveness?

22:40 -- How do you customize cybersecurity communication and make it more effective?

25:46 -- From a faculty member's standpoint, what are some cybersecurity do's and don'ts?

27:08 -- Are you happy with the cybersecurity training exercises and rehearsals that are in place? Or can we do better?

30:46 -- Does the organization have a good structure and mechanism in place to process cyber intelligence?

34:53 -- Organizations seem to be struggling when it comes to identifying and using suitable cybersecurity performance measures. What's your take on that?

36:57 -- What would be some good rewards and incentive systems to achieve the desired cybersecurity behavior?

40:37 -- What are your thoughts about CISO (Chief Information Security Officer) empowerment?

46:47 -- Any final thoughts?

Memorable Tim Chester Quotes/Statements

"When we say fly the plane what we simply mean is through strong teamwork and strategic planning and foresight we try to think through constantly the types of scenarios that we could be facing; and we try to plan for the little bitty factors that probably aren't a high probability of occurring but could be high-impact if they do occur."

"Our human desire to basically live through rote repetition and structure that's comfortable and unchanging leads us to be creatures of habit. Creatures of habit who are following the habits and rote behaviors typically find themselves in circumstances sometimes where the plane starts flying them and the way in which they react to that plane, become wilder and wilder swings that could lead to a disaster."

-------------------------------------------------------------------------------------

Connect with Host Dr. Dave Chatterjee and Subscribe to the Podcast

Please subscribe to the podcast so you don't miss any new episodes! And please leave the show a rating if you like what you hear. New episodes release every two weeks.

Connect with Dr. Chatterjee on these platforms:

LinkedIn: https://www.linkedin.com/in/dchatte/

Website: https://dchatte.com/

Cybersecurity Readiness Book: https://www.amazon.com/Cybersecurity-Readiness-Holistic-High-Performance-Approach/dp/1071837338

Transcript
Introducer:

Welcome to the Cybersecurity Readiness Podcast series with Dr. Dave Chatterjee. Dr. Chatterjee is the author of Cybersecurity Readiness: A Holistic and High-Performance Approach by Sage publishing. He has been studying cybersecurity for over a decade, authored and edited scholarly papers, delivered talks, conducted webinars, consulted with companies, and served on a cybersecurity SWAT team with chief information security officers. Dr. Chatterjee is an Associate Professor of Management Information Systems at the Terry College of Business, the University of Georgia and Visiting Professor at Duke University's Pratt School of Engineering.

Dr. Dave Chatterjee:

Hello, everyone. Welcome to this episode of the Cybersecurity Readiness Podcast. Today I have the honor of having Dr. Timothy Chester, Vice President of Information Technology and Chief Information Officer at the University of Georgia as our guest. A seasoned C-level executive, Dr. Chester has over two decades of experience in state-supported and private higher education institutions. He has led large-scale business transformation efforts through on-time, on-budget ERP implementations, driving increased revenue and improved student outcome through improved use of data and analytics. He's an expert practitioner in developing improved information security programs for large geographically distributed enterprises, with 50,000 plus users, virtually eliminating data disclosures. Tim is also highly regarded for leading IT turnarounds, increasing IT's reputation as a trusted and respected partner in the pursuit of strategic goals. Last but not the least, Dr. Chester is a noted author with over a dozen publications in the field. Welcome to the podcast, Tim.

Dr. Timothy Chester:

Dave, let me say first, I'm just delighted to have the chance to be here with you today. And I've really enjoyed reading through your book. I've not finished it yet. But I think you've done a very masterful job of making a complex subject accessible to a wide, wide audience of business professionals. And you should be commended for that, and I offer you my congratulations, and thank you so much for sharing a copy with me.

Dr. Dave Chatterjee:

Thank you

Dr. Timothy Chester:

You know, I think we stress, well, we use a phrase in my organization quite a bit; in fact, it's part of our strategic plan. And that phrase is Fly the Plane. And what this relates back to is an exercise that I learned a long time ago when I was a graduate studies student at Texas A&M University 30 years ago; was a little bored on the side and had a little cash to spend. And so I worked towards a pilot's license and did a lot of single-engine plane flying over the farmlands in the plains of Central Texas. And you learn very early in pilot training to always fly the plane. And what that means is that if you are not constantly anticipating and thinking through what's fixing to happen and what could happen, frankly the plane will fly you; you'll have a burst of wind that might come from a heat thermal that knocks you off course a little bit, you'll have to course correct to kind of get back there and if you're not proactive, anticipating way the things will go on, the plane will fly you and you'll react, and what you'll find over time is that you will react in more and more stronger ways which creates a negative reaction that again you have to react to and frankly that's how disasters happen in flying a plane.

So, we have stressed that in our organization quite a bit and when we say fly the plane what we simply mean is through strong teamwork and strategic planning and foresight we try to think through constantly the types of scenarios that we could be facing. And we tried to plan for the little bitty factors that probably aren't a high probability of occurring but it could be high impact if they do occur; so, if you log into the website or you go to the website for UGA's IT organization to see that flying a plane is a real stated part of our strategic plan, whether we're planning for the network performance, network load associated with class registration or thinking through the possibilities of a ransomware attack on the University.

Dr. Dave Chatterjee:

That's a very interesting metaphor, I love it, flying the plane; you know, it tells me about the importance of being very prepared, being proactive, knowing or rehearsing how best to deal with different scenarios; so you can't afford to be caught blindsided; and talking about can't afford to be caught blindsided, what are some cybersecurity blind spots? And how do you cope with them?

Dr. Timothy Chester:

Right. Well, you and I both teach business process management at the University. It's a strong set of competencies and skills that I think serve our graduates really, really well. And part of that is what we call root cause analysis, right? And the thinking is that surface explanations and surface understandings tend to not be comprehensive enough. And we as human beings tend to look for explanations that would suggest that we didn't necessarily have a lot of power to deal with something, something really, really, really bad happens and root cause analysis forces you to continue asking, "Why did this happen? Why did that happen?" till you get to a level where you have uncovered a set of conditions in which you actually had a deliberate amount of control, you could have done something about that. And, but our human desire to basically live through rote repetition and structure that's comfortable and unchanging leads us to be creatures of habit. And again, creatures of habit who are following the habits and following the rote behaviors that they always engage in, typically find themselves in circumstances sometimes where again, the plane starts flying them and the way in which they react to that plane, you know, become wilder and wilder swings that could lead to, to a disaster. I have really found any guy worked in higher education and state government as a separate vertical industry. But I think it's true across the other verticals, whether we're talking about finance or manufacturing, or, or our commerce is that people are good, they care about their employers, they want to do a good job. But we as humans, again, are most comfortable, when structures tend to be unchanging, and there's nothing really unexpected going on, and we tend to assume the best and think that the worst will never really happen. And that tends to create the environment where really bad things can happen.

Now the most serious of information security incidents, or breaches tend to be like plane crashes, again, if I continue to use the aeronautic kind of metaphor here or analogy, and that planes tend to crash not because one thing happened unexpectedly but because multiple things happened at the same point in time, which create a set of circumstances that allowed something really you know, low frequency to high impact to, to occur. So a lot of time in the information security space, the blind spots happen just because the IT industry and the IT culture, within business places a premium on good customer service and sometimes good customer service and a focus on functionality of our systems, and what we do comes at the expense of maintainability, compatibility, and information security. So you know, we have near misses all the time, we have a good team here, that's proactive that can catch them. And we had a near miss here recently, with some ransomware. And it really was all about a very good employee working in a very good unit, you know, probably doing something that they shouldn't have done to enable some functionality from one of their key players. And they did that and they did that some time ago. And then next thing you know, it's been a while since the machine was patched and so on and so forth. And just kind of a constant layering on of things that probably shouldn't have happened. That created some real risk and some real vulnerability there. And we were very fortunate that we were, we became aware of those risks before something before they were really exploited. But again, going back to earlier, you know, we're most comfortable, again, with a lot of structure and a lot of predictability. And that leads us to sometimes getting very comfortable allowing the plane to fly us and the plane will fly us really, really fast if we're not careful.

Dr. Dave Chatterjee:

Mm hmm. Very true. Talking about being comfortable, and, you know, operating in a predictable space, you know, when you think about the hackers and how they are constantly innovating and coming up with the latest methods and techniques, it's hard to keep up with them. And again, that's not what organizations are in the business of, whether it's an academic organization, or whether it's some other organization, they have their own mission, their goals. So and of course, you know, there's always the budgetary constraints. So under the circumstances, how do folks like you try to ensure that your team has the latest experience and expertise in keeping up with these different evolving attack vectors?

Dr. Timothy Chester:

That's a great question. I think the Department of Homeland Security and the Cybersecurity and Infrastructure Security Agency (CISA), it's a branch of the Department of Homeland Security, does an exceptionally good job of creating awareness of a really complex and fast-changing environment. So you know, either through, you know, email, or through automated feeds and other ways, we get real-time intelligence from the CIA, NSA, multiple times on a daily basis. So as an executive, I just subscribed to their listservs. And so today, you know, I've received email messages about the need to patch vulnerabilities in Google Chrome. And you know, there's a variety of other commercial packages out there. So we have, we divide our information security team up into kind of consulting and helping people around controls, and then we have an operations arm. And then a part of that operations arm is around proactively, you know, patching the environment and creating awareness of the need to do that. And they help the Institution and its IT staff stay on, on toes when it comes to this type of changing environment.

The other thing that they do really well also is they monitor known IP addresses that are out there that are used, that are known to be distributing malware, or ransomware, or to be command and control points for existing installed malware. And, you know, I think, on a daily basis, or certainly on a weekly basis, we get a feed of those IP addresses in an automated fashion, our network firewalls will block ingress and egress both to those IP addresses immediately, which helps us as well. So I think that partnership, I think, has been really, really on point for helping us stay aware. And then the other thing that we do is we stay highly engaged with our counterparts in the Southeastern Conference schools, as well as our other peer and aspirational schools and constantly kind of comparing notes and, and having constant conversations as well as within the University System of Georgia.

Dr. Dave Chatterjee:

Yeah, that makes a lot of sense. What about the rest of the community? Your community in the field of technology obviously, that's part of your job description, you have to be on top of your game. But what kind of help and support can you expect from the other business units, as well as the individual stakeholders, whether it's faculty members, whether it's students? What could or should they be doing to help secure the environment?

Dr. Timothy Chester:

Well, for somebody in my role, or for the CISO role, and one of the most critical things is that you have executive leadership that understands these responsibilities aren't siloed responsibilities for the IT folk, but they are business responsibilities that are shared by everyone. And I think in the state of Georgia, frankly, that recognition and that supporting philosophy starts at the top. Governor Brian Kemp has been a very strong supporter and advocate across the board for all state institutions to really raise the game in terms of their cybersecurity defenses, and he has been quite explicit that it is the division heads and the CEOs of those major divisions, including the Chancellor of the University System of Georgia who are ultimately responsible for assuring the state and the state government that we are doing all we can to reduce risk and to have the types of controls around technology and its use that we need to have.

Certainly within the University of Georgia, in the 10 years that I have been here, we've enjoyed that type of support from the top, from President Jere Morehead. He was the number two at the University 10 years ago when I was hired here and I worked for him directly for a couple years and now I continue to work for the Provost, the number two here at the University. And so that tone really starts at the top and I can tell you that you know, we have division heads here we call them Deans or Vice Presidents, they all understand that they are ultimately responsible to the Institution for managing the risk, and that my office is a resource and it's supporting arm but it's a supporting arm, it's not solely responsible for managing the risk in and of itself. That tone gets set constantly where we're doing things with security awareness training would begin under Governor Kemp's leadership we now do twice a year. And under the leadership of acting Chancellor Teresa MacCartney at the University System of Georgia level, there's been a sizable investment in new infrastructure and supporting platforms for the cyber security training that Governor Kemp requires us to do twice a year. And so I'm really fortunate again, I spent the last two days actually before recording this podcast at the meeting of my counterparts in the Southeastern Conference, and I think the mix of support and, and, and real advocacy around information security that we enjoy at all levels of government have been very, very helpful to us.

Dr. Dave Chatterjee:

That's very, very assuring, that's good to hear that you have great support from top management. So, you know Tim, you were mentioning about my book, one of the things I've emphasized in the book, which I have gathered through my research is the importance of hands-on top management. And I've seen in many companies, the exemplars where the senior management take on active roles, whether it's in the aspects of cybersecurity planning, strategizing, performance review, they obviously are not experts, they don't claim to be experts, but they try to stay on top of things. It seems from what you shared, that's the way your organization functions. That's the kind of support you have. Anything that you'd like to add for people who are listening in and who feel a little frustrated or let down that they don't see that level of active commitment? It's a sensitive topic. But I still thought of probing a little further because,

Dr. Timothy Chester:

Yeah, yeah, well, I think part of this may be is that when, when our president Jere Morehead was the provost of the university, and in fact responsible for most of the operations here at the university, we were getting burned constantly by cybersecurity incidents. And I think that created an awareness in him of, of the need to make sure that this was something that all executives understood was part of their responsibility to manage well, and I'm not going to, you know, curse us by mentioning how long it's been since we've had a major incident. You know, we have near misses all the time, just like everybody else. But again, I think that constant diligence coming from the business side, where we do have an understanding that these are business responsibilities, first and foremost. So it's been absolutely critical.

I do think it's also really, really important in terms of ultimately whoever within an organization has the final responsibility and accountability for these types of risk management activities, has to basically set at the executive team with the CEO, and whatever form exists when the organization so I report to the number two here at the university who's responsible for academic operations, which is again, 70% of the university. You know, but the President has staff meeting every two weeks, and I'm a part of that staff meeting and I have the opportunity to raise awareness of issues bring visibility to things that should be visible to everyone to be an advocate for, for sound practices. And, and then, you know, I'm on a texting and cell phone relationship with the president, whenever I need to get his attention to some matter, the President is pretty easy to reach. In fact, you know, last night coming back from my meeting with my counterparts in the SEC, you know, I debrief the President on, you know, later a phone call in the evening to kind of compare notes with things that are going on.

So, I do think, you know, CEOs really understand that these are things that they have to manage, and frankly, if they don't manage well, they are things that wreck careers. And so frankly, that helps, right? So you go back 10 years ago, a major secure cyber security problem inside of a business probably, you know, the CIO or the CIO, or both of them, you know, they are the two parts of the operation that really had some career risk there. You know, that that believe that that that awareness that extends all throughout the organization and certainly at the executive level, to go back to the governor of the state, the CEO of our great state of Georgia, you know, he had a couple of incidents on his watch when he was the secretary of state, and I think he handled the response to those incredibly well, he, he left the place better than he inherited it. And he has brought that awareness to all arms at all levels of the state government, which has been truly, truly helpful.

Dr. Dave Chatterjee:

Yep, that is extremely important, you are kind of speaking to a couple of things that I emphasize a lot. One being joint ownership and accountability. And the other is trying to create that We-Are-In-It-Together culture, where everybody has to recognize that it's not IT's job or the information security unit's job to protect us, we also have a role to play. It's like the way we are fighting COVID, you know, we can't just sit back and expect miracles to happen, we have to recognize our roles, and do our part. From the standpoint of enhancing level of awareness, you mentioned about, you know, conducting awareness training twice a year. And that's great. Now, there is a lot of research out there that speaks to the importance of customized training, that speaks to the importance of, you know, role-based training, training that shouldn't be one shot, because people often don't remember the first time what they were trained in. And then another aspect that often doesn't get addressed is are you effectively measuring the effectiveness of the training? And I know, I asked you several sub questions, but, you know, take it the way you're comfortable.

Dr. Timothy Chester:

Yeah, I think there's a couple things, I think we're raising the bar, right. And I mentioned earlier, this investment in kind of the training and awareness platform that the University System of Georgia has made, that platform has a lot of capabilities around, you know, simulate malware campaigns, and some other kind of tools to really take an exercise approach to, you know, to helping to kind of raise the awareness or for your organization. I think the information security training that we have done in the past has been quite rote, and frankly, not as polished as it could be. And this investment of resources by the system, I think, is really going to raise the bar quite a bit there for us. And, you know, between that, and I think the commitment from the executive level organization, I think it's, it's been, it's really, we have a, we have a quite optimal environment here at the University of Georgia right now to kind of continue moving the needle here.

Dr. Dave Chatterjee:

Now, from a communication standpoint, you know, as a member of the University community, I will often receive cybersecurity related communications, and, you know, they're often a long email, and I can, I can understand that, you know, certain things need to be mentioned. Now, it's quite possible that when somebody receives a long email, they might be skimming through it or might be reading parts of or might just ignore it. You will appreciate that part of effective communication is to ensure that the message really gets across to the appropriate folks. So, keeping that in mind, how do you make cybersecurity communication more customized and more effective? Have you all been giving this some thought?

Dr. Timothy Chester:

Yeah, well, I think we certainly understand that we need to do a lot better job at this. You know, typically, you know, we have a very structured communication, you know, management program that goes around our initiatives and our operations that's designed to raise awareness but I think you hit the nail on the head is that sometimes those communications are written from the standpoint of IT folk, which you know, sometimes uses vocabulary and acronyms that really aren't well understood. And readers tend to disengage pretty quickly from that, frankly, the whole question of whether or not email is the best vehicle for communicating these things, also continues to be a concern, people don't read email as much as they used to, and the longer the email, the less you're likely to get the message across. So, you know, I think trying to raise messaging that's targeted to more smaller audiences is something that we're trying to do. And there's some upgrades to our multifactor system that we're trying to be very specific and targeted, as opposed to global like communications.

The other thing we have to do is just make when we communicate to people, we have to do so in a context that, you know, is accessible and relevant, you know, through narrative, you know, what's at stake for me, and what do I have in this and, again, it has to be very personalized as well. And again, I think we've got real opportunities to get much, much better at that. When I came here 10 years ago, the knock used to be well, you never told us anything that we were doing this, you know, now we beat people over the head with communications. But I still wonder sometimes whether the message is truly getting through. And the use of social media is becoming an important part of that as well. Although I'm not, you know, sending a mass listserv to 50,000 people versus posting something on Twitter, you know, to a much smaller audience repetitively I'm not sure the social media gets this broader reach. But, you know, we're trying to take multiple avenues and use multiple, you know, tags at the messaging to more specific audiences to get the word out, get the word across.

Dr. Dave Chatterjee:

That's great to hear, you know, for instance, from a faculty member's perspective, you know, it'd be good to know that, given the role I play at the university, what are some do's and don'ts from a cyber security standpoint? Now, is this information not available, no it is available, it's out there, but to get it in my inbox in a very targeted manner, and then, from time to time being reminded that these are the things that you should focus on. That helps simplify things a little bit, as compared to a broad brush approach, where you're being told, what are the sensitive assets, and what are some scenarios that you should be careful about. That's a little too generic. So that's just my two cents. But I appreciate the candor and the recognition that we can do better.

Dr. Timothy Chester:

So the other I just added that really, really quickly. I mean, so we get we were at Auburn University for this meeting of my counterparts in the last couple of days. Auburn has done a really good job with messaging around posters on entryways, you know, for their computer labs, screensavers, and things like that. And that's probably another opportunity where we need to get the word out a lot, a lot more.

Dr. Dave Chatterjee:

That's a good, that's a good approach. That's a great approach indeed. All right, so the next topic that is also very close to my heart, is security audits and drills. You know, something that I talk about a lot when I'm out there, I say, you know, we have fire drills, do we have information security drills? Do we plan for distributed denial of service attacks and, and ransomware attacks? And now, I know it's easier said than done, and organizations do tabletop exercises, but in your role as the person, the technology person of the university, are you happy with the rehearsals that we have in place? Or can we do better?

Dr. Timothy Chester:

Yeah, you know, I think we think we're doing well here; we certainly always can do better, but, you know, we really have implemented, you know, kind of the gold standard approach to, to a security operation center. And a part of that center is, you know, a red team versus a blue team and the red team are the friendly hackers who you know, are empowered to probe ourselves and our systems and look for vulnerabilities and so, again, being here, you know, at an institution we are able to employ graduate students, we are able to employ undergraduate students, as well as some professional employees and so we are constantly trying to hack the hell out of ourselves, using many of the common methods that are out there and you know, moving the needle in terms of not only just penetration but also thinking about malware and ransomware. There are some tools out there that are now available we're looking at acquiring which well you know, with some intelligence agents scattered around your enterprise will tell you really quickly how easy it is to drop malware and other things. So we are constantly hoping to discover the major risks and vulnerabilities we have before others do; and again we're not perfect yet; we're so big, we often miss things. But there's a huge investment in resources to do that.

And it is always you know, I have to be careful about some of the stories I would share but again, you will appreciate this given your expertise and your rich experience in consulting, many times when vendors and implementers you know, install major infrastructure on campus and they walk away from they flip the switch on, they don't change the default password to things. And so we've discovered major things here at the University from HVAC equipment to scoreboard and athletic venues, that if you knew what kind of make and model the thing was and you knew how to use Google to find the, the manual of instructions and how to go find that and get the default username and password. If you're on campus, you could actually control that stuff. And, you know, there have been several vulnerabilities like that that had been discovered. And you know, really that goes right back to the question of blind spots, right? So you got an implementer, my job is to implement and turn it on, they'll figure that other stuff out. And then you got customers who bought for; well, we paid these experts to do it. So they had to do it, right, we're in good shape. There's a blind spot between two well intentioned good groups of people working their best to do a hard job. And so again, constantly attacking ourselves, again, using the well understood red team approach is something we are very aggressive with.

Dr. Dave Chatterjee:

Yep, that's, that's very true; and talking about vulnerabilities and talking about discovering vulnerabilities, another you know, area of great concern to me is, we keep reading about these stories in the media that this organization was made aware, but did nothing about it until it happened, right. And so I wonder, from an operation standpoint, I'm sure you all have a mechanism in place where you're logging all the intelligence you're receiving, and then you are evaluating them, and then either acting or not acting, but at least you're on record explaining your reason for your decisions. So this way, you're maintaining a rigorous record of how you're handling intelligence, which later on, I'm not a legal expert, but I think, you know, if you had to defend the organization, you could say that we've done everything, and this is how we thought during that period of time. So you kind of back up your actions, your reactions to that?

Dr. Timothy Chester:

Yeah, and let me just give you a little context. First, you know, research flagships like the University of Georgia, you know, our, our, you know, vertical industries, like finance, or manufacturing, we are Research and Innovation conglomerates. And we have 18 major units here at the institution, colleges and schools that are invested in innovation in their fields. So we allow for a wide variety of different than non standard approaches to running technology, because it supports Research and Engineering or business, research in the areas that you do Dave, public health, so on, and so forth. So that kind of very distributed non standardized environments increases risk dramatically. But we have a couple of basic gatekeeping rules around that; to begin with, everybody's got to run our antivirus. And everybody's got to send their logs to our Security Operations Center. And the tools just for data mining and analysis around those logs, just continues to get better and better and better, better. So again, one of the benefits for making everybody use the same standard antivirus engine, we don't allow people to buy other antivirus products, is that we get just incredibly centralized logging about packets that are downloaded from the internet. And many times, you know, we will see something through our intelligence, the end user is not aware of and we can take action from that. There's another very good product that is being commercialized by a computer science faculty at Georgia Tech, he was formerly at the University of Georgia, that's very helpful in this space.

And then again, kind of on the reactive side, as well, the ransomware near miss that we had, these new data mining tools are very good at looking for lateral moves through the network environment by people who've breached the environments that they did it, if they moved anywhere. And you know, again, it's kind of a big data collection effort, right, you've got hundreds, if not thousands, of endpoints, all logging things. And if you can capture all that data with the tools, you can get a fuller sense of what's going on. But again, it is absolutely amazing, you know, used to we would have to write our own scripts to kind of look for things and then the tools come with standard templates. Now the tools come with AI and machine learning, that merges all of those things together to really give us a proactive sense. Now these tools are expensive, they are absolutely expensive. But you know, they're well, well worth it. And it's a fast maturity field. And again, we're very fortunate to operate in an environment with a senior administration that supports us with the resources necessary to be in this space. We are early adopters.

Dr. Dave Chatterjee:

Very, very, very good to hear that. You know, you talked about all kinds of data and analytics that's available to us now, that brings to mind performance measures and metrics. And this is another one of those areas where it's very hard to learn. Or it seems that organizations are struggling in terms of identifying what measures or metrics to capture and monitor when it comes to cybersecurity performance. What's your take on that?

Dr. Timothy Chester:

You know, and this is, this is an area that I am not necessarily a subject matter expert, as well as I should be. I have a really strong information security team, and I trust their judgment and, and in some areas, I'm really just the gatekeeper. I'm not the gatekeeper. But I am the guard rails, rail rail network. So thinking about these KPIs, frankly, the most important KPI that I'm aware of is have we had a major breach that resulted in either increased vulnerabilities or an increased reputational damage or real damage to the institution and its customers. And that is one certainly that I keep in my pocket, as well. But everything else from number of users, types of end users, types of access, that's managed by those users, you know, metrics around how we properly decommission accounts, when people some people exit the community is absolutely critical. As well as, you know, stats on, you know, volume of patching, you know, what's our time to patch for, you know, a certain grade a patch with medium risk versus low risk versus critical risk? And those are all, I think, really, really important as well, the most important one, which is the one that the CEO cares about most that I do is number of incidents, and how many have we had and first and foremost, that's one thing I keep in mind all the time.

Dr. Dave Chatterjee:

Yeah, yeah. Along those lines, if, you know, if you were to think about rewards and incentive systems, it's a reward in itself if cyberattacks didn't happen, that is, that goes without saying, but do you have any thoughts about it, because in reality, it helps to motivate a certain desired behavior. Any thoughts on what would be some good rewards and incentive systems to achieve the desired behavior across the organization, when it's not your job function?

Dr. Timothy Chester:

Unfortunately, I think this is an opportunity for the whole profession more than anything else. Because you know, right now, we probably have more sticks than we have carrots. Unfortunately, I mean, one of the ways we keep our you know, our deans' and our vice presidents' attention on these matters is simply because they know if there's an incident on their watch, you know, they're going to be in the general counsel's office with me and some of my folks, the president's chief of staff, as we begin root causing how whatever happened actually happened. And that's an uncomfortable seat to be in for the three or four deans that have, that I've been in the room with, when we've had to do that. And, you know, that, you know, accountability works. It's, it's really, really, really, really important. But I think the other thing that we do, and it's more, not necessarily secondary, but indirect, kind of, you know, carrot or incentive is just really empower user to try you know, you know, particularly with the researcher in a lab and, you know, or whether we're talking about the vet school or in chemistry or something like that, by just basically helping them understand how this works, good security practices work and, and how they really can enable them to do some innovative things without artificial controls and barriers from on top here at the institution. I think that really creates an incentive for people to you know, have really good baselines around information security in their operations. So we certainly try to take that as well.

Again, sharing data from these meetings I just come out of you know, we do, we trust our users a lot more here at the Institution, and we do some things, compensating controls, which I could get into at the network level, that give us the ability to have more flexibility at the endpoint level, which we're very, very comfortable with, but again, I went to graduate school at Texas A&M, I started my career in IT at that organization with some great mentors, people that your listeners won't know but gentlemen, Tom Putnam, Steve Williams, Pierce Cantrell, they're really giants in my eyes of our discipline. And the thing that they all kind of really baked into my noggin is that research institutions are research and innovation conglomerates, and you have to allow faculty have the room to innovate. Otherwise, you know, you're defeating the whole, you know, mission of search and innovation at the institution. So we do a lot more aggressive things a lot, a lot more things with tools that are quite expensive at the network level. That means we don't micromanage the endpoints in our environment where a lot of other schools are actively trying to manage risk by managing endpoints and again, making sure that we provide faculty members and staff members the flexibility to use tools as they best see fit to carry out their job or their research, I think is one of the most important incentives that we can have.

Dr. Dave Chatterjee:

Yep, that is very true. And in that spirit of empowering the users to be able to continue their mission to why they are the institution, like we said, at the very beginning. We are not here in the business of security, we're in the business of doing what we do. But we cannot ignore security, security is centric to ensuring that we can do all our jobs well. I'd like to probe into another area that's about empowering the chief information security officer. It is my belief that you are the head of technology of IT at the institution, the CISO reports to you, is that correct? He does. Okay, so how do you ensure that because, you know, again, the research literature talks about trying to keep the CISO, CISO function, as objective as possible, the CISO should have a direct reporting relationship to the C level folks. Again, this is a murky area, you can do it in different ways. What's your sense about CISO empowerment?

Dr. Timothy Chester:

Yeah, you know, I think what we have here at the University of Georgia works because of the leadership, you know, tone that the President sets and the way he's organized this team in a very collaborative way. And it's not necessarily replicable at institution for that the culture with that kind of leadership tone that gets that so what President Morehead is looking for in all of his vice presidents is an ultimate and final authority over their areas, right, subject to his review or his perspective on any matter. So, from a university governance standpoint, I am that final subject matter expert, when it comes to IT matters. And President Morehead that does include information security matters as well. And so that means I have signature authority over policy. But you know, that's, you know, it's a servant leadership role. It's not a, particularly in a collaborative environment, like universities, it's not necessarily a hierarchical role at all. But within my team, you know, we're very non hierarchical as well.

I know you know, the University of Texas System, for example, has a system wide rule that says that the CISO cannot report to IT because what the concern always is, is that information security kind of gets buried under the weight of fulfilling customer service requests and demands for functionality and that's why you would split those roles off; so the University of Texas System has done that for all of its counterparts. And philosophically, I don't think it's the best mix because I think when you do that, yes you gain some increased visibility with that organizational structure but you tended to divorce security a bit from operations; now they have done this at the University System of Georgia as well but just for their office alone and so the CISO at that point, when you do it that way, they almost always focused on controls and standards at the expense of operations. And I worry and this is President Morehead's genius, what he doesn't want from the vice presidents or the deans is a lot of finger pointing, so if there's an information security thing that goes on he doesn't want two subject matter authorities pointing the finger at each other and security saying these darn IT folks if they'd get their act together we would be okay and the IT folks saying I'll security people over there this is their deal their silo, not ours. And so you know, again, it's not just in IT, the VP for Student Affairs is the final authority over student affairs, the VP for instruction over instruction and teaching and so on. So I, we run, but again, what works for us doesn't work elsewhere particularly would not work in a very hierarchical organization.

So I know some CIOs who basically have a team that direct reports. And, you know, they'll bring that team of direct reports together once every two or three months to have a staff meeting, and they'll meet with everybody individually. My team meets with me once a week, everybody's in the room. And everybody knows I have a responsibility to understand how they can be supportive of everyone else and really understand the independencies they have on everybody else, including information security. They also meet without me once a week on their own as well, I think they do that to try to figure out how to collectively manage me better or something like that. But it's a very non hierarchical, very collaborative, everyone around the table has an equal seat and equal voice on the matter. And that mirrors the way the President runs the University. If CISO was buried under me in a very hierarchical way, that may be, that may be really, really grounds for concerns, but again, because of my style, and approach, Ben Myers, the CISO, he has his own relationship with the general counsel. He has his own relationship with deans, I don't gatekeep him from collaborating and relationships around here. I guess the only area that I would gatekeep him around access is access to the President of staff meeting, but that's the way the President runs the meeting, you know, we're going to bring, if we're going to bring somebody to the meeting, it comes through us so but for what so what we have worked through us this is, this is a field that's fast changing. And so I know what the University of Texas has going on is working for them. And, and then frankly, I'll also say the University System of Georgia really began moving the needle from a policy and control standpoint, when they separated out information security from IT operations until I think what they've done, that's working for them also.

Dr. Dave Chatterjee:

Wonderful, Tim, thank you so much for your time, this has been extremely enlightening. We've covered a lot of areas. Any final thoughts, yeah, you've covered a lot of ground. Any final thoughts?

Dr. Timothy Chester:

I, you know, I think this is one of the most interesting and dynamic fields that there is in IT and I tell my students that, you know, if you want a super career for the next 20 years, guaranteed, this is a space to really explore, you don't have to be incredibly technical, you have to be technical enough to know what's going on at least the 25,000 foot view and up. But it is, it's real opportunity. And again, I was in a staff meeting with the CISO and my team to get the day and just hearing a report on some of the new investments they would like to make in tools and how AI is fast evolving as a threat monitor is just absolutely incredible. And also from a student standpoint, I'm a huge advocate for them thinking about this space and investing in it. And, you know, again, I've been fortunate to work for great people and for great organizations. And having been here at the University of Georgia now for 10 years red flag runs in my blood. And I consider myself very fortunate to be able to do the job that I've done. But I do it knowing that I'm a caretaker for a while and not going to, going to, I'm going to leave it to somebody at some point. And the thing that I've tried to do is to leave an organization and a team and in a pool of talent that gets the job done. And I think we're making that work today really well.

Dr. Dave Chatterjee:

Fantastic. And Tim, thank you for what you do for the Institution. It's been a pleasure to work with you as a colleague and thank you again for doing this podcast with me today.

Dr. Timothy Chester:

It's been a pleasure. Thank you.

Dr. Dave Chatterjee:

A special thanks to Dr. Timothy Chester, for his time and insights. If you like what you heard, please leave the podcast a rating and share it with your network. Also subscribe to the show, so you don't miss any new episodes. Thank you for listening, and I'll see you in the next episode.

Introducer:

The information contained in this podcast is for general guidance only. The discussants assume no responsibility or liability for any errors or omissions in the content of this podcast. The information contained in this podcast is provided on an AS IS BASIS with no guarantee of completeness, accuracy, usefulness, or timeliness. The opinions and recommendations expressed in this podcast are those of the discussants and not of any organization.

About the Podcast

The Cybersecurity Readiness Podcast Series
with Dr. Dave Chatterjee

About your host

Dave Chatterjee

Dr. Debabroto 'Dave' Chatterjee is a tenured professor in the Management Information Systems (MIS) department at the Terry College of Business, The University of Georgia (UGA). He is also a Visiting Scholar at Duke University, affiliated with the Master of Engineering in Cybersecurity program in the Pratt School of Engineering. An accomplished scholar and technology thought leader, Dr. Chatterjee’s interest and expertise lie in the various facets of information technology management – from technology sense-making to implementation and change management, data governance, internal controls, information security, and performance measurement. His work has been accepted and published in prestigious outlets such as The Wall Street Journal, MIT Sloan Management Review, California Management Review, Business Horizons, MIS Quarterly, and Journal of Management Information Systems. Dr. Chatterjee’s research has been sponsored by industry and cited over two thousand times. His book Cybersecurity Readiness: A Holistic and High-Performance Approach was published by SAGE Publishing in March 2021.